The present CEN Workshop Agreement (CWA) provides GDPR-compliance guidelines for Traditional Micro-SMEs (see 3.11) acting as controllers for low-risk processing (see 3.10) operations. It provides practical guidance on the key GDPR (see 3.6) requirements to be considered by such Micro-SMEs and translates these into the practical recommendations they should comply with, to be GDPR compliant.
The document focusses on legal provisions applicable to such low-risk processing. It does not consider in depth the GDPR provisions applicable to high-risk processing (environments), such as on data protection impact assessments, data protection officers and provisions on automated-decision making and profiling.
NOTE 1 It should be taken into account that provisions applicable to high-risk processing become relevant for Traditional Micro-SMEs if they are involved in high-risk processing.
This CWA offers guidance only on the most relevant and common e-Privacy rules for Micro-SMEs’ (see 3.8) processing activities that are applicable across EU member-states.
NOTE 2 CWA users should always check the implementation of the e-Privacy Directive in national law in the relevant Member State.
This CWA is applicable to Traditional Micro-SMEs. It is mainly addressed to the Micro-SMEs’ service providers who assess them or support them in becoming GDPR compliant (e.g., consultants, trainers, accountants, lawyers, ICT providers, etc.). Due to the limited general legal knowledge present in Traditional Micro-SMEs and their general lack of time and resources to organise GDPR implementation projects themselves, this CWA is first and foremost addressed to their service providers.
The use of this CWA will be beneficial to:
- citizens: their rights to privacy and data protection will be safeguarded, even when their data is processed by Traditional Micro-SMEs;
- Traditional Micro-SMEs: being compliant is important from different perspectives, such as regulatory, reputational and economic; the CWA will help them avoid data breaches and the administrative fines that may be imposed when they are in breach of data protection legislation.