TSMA Yearbook 2019

36 2019 Yearbook er amount of administrative burden at company level and the question must be allowed, whether the Brussels authorities did not (once again….) overstretch their legislative powers to substantially increase the amount of red tape bureaucracy and hence make business live even harder, in particular for SMEs. The EU Commission and Parliament was targeting Amazon, Google, Facebook & Co., but has actually hit the many small and medium-sized players. In particular those companies and brands, who are handling big numbers of personal data of consumers like the ones pro- ducing wearables and are collecting physical fitness up to personal health data, are mostly affected. These types of commercial players face quite frequently major difficulties to localize, document and structure their vast portfolio of data, to obtain a GDPR-compliant declaration of consent from all users and their customers and to meet the rigid deletion requirements of the new EU law. Individual data are in many cases wide-spread in a highly fragmented man- ner over numerous departments involving many staff members, external service providers and may cover the whole supply chain plus distribution of sporting goods including e.g. the production, suppliers, business intelligence, marketing, customer relationship management and so on. The task to localize these data alone is already very cumbersome and sometimes also quite costly, not to talk about their documentation and to have them readily available if individuals (including the employees in a European company) are knocking at the door to learn which data are stored about them. From a purely strict legal point of view, one would even need e.g. to obtain the explicit (and subsequently provable) consent from a person handing over a business card at a trade fair to store and process the individual data shown on such business card (!!). Needless to say that in real life this of course goes far too far. The European media have been primarily focusing prior to May 25 and thereafter on the draconic fines, EU and national authorities are empowered to impose on any violators of the GDPR provisions. These fines amount to up to 4% of the annual global turnover or up to 20 Million EUR . Many journalists did however neglect the danger that such law could create a new ‘industry’ of cease & desist letter senders asking for damage compensation, lawyers’ fees, etc. by systematically crawling through websites of commercial operators to detect