Mr. Max Schrems:

I will try to be as short as possible. My answer will probably surprise the committee. I feel the same. That is one fundamental problem of the GDPR. It does not differentiate exactly. I come from a family in which my mother has a small business and I am now running a NGO with 15 people. We have the same red tape issues as many SMEs. This came, however, from the lobbying of industry. The industry wanted a one size fits all law that does not differentiate to a certain extent. It came especially from the conservative side in the European Parliament. I advocated at the time for the need to differentiate. Big tech companies, in particular, wanted to have a one size fits all law because it means they will be under the same law as a local business. The hope was that the bar would go down for them but the bar is now too high for a smaller business.

The way to solve it is basically how most data processing agreements deal with it. There is amicable resolution in most countries of which I am aware. This usually means when a company gets an angry letter from the Data Protection Commission and the company complies and answers the access request, then the case is simply ended with a notice and warning. That is it. Oftentimes we have fines of €500, €200 and so on. That is reasonable in these situations. With a small SME I have a right to get a copy of my data, so I do not think there is much of a difference. It can be done in enforcement and can be applied. The GDPR foresees this to be reasonable under Article 83, if I am not mistaken.