The new Regulation that is here to stay
On 27.04.2016 the EU Regulation 2016/679 on the protection of individuals with regard to the processing of their personal data and on the free movement of such data was adopted, in an attempt to take a broader, deeper and more uniform approach to protecting individuals’ data in the digital era. The Regulation, known as the “General Data Protection Regulation” (GDPR), came into force on 25.05.2018 and resulted in the automatic repeal of Directive 95/46/EC.
The entry into force of the Regulation is immediate and does not require any adoption or voting procedure for its incorporation into Greek law. Nevertheless, in certain cases the Regulation gives the Member States the possibility of introducing national measures on specific issues («escape clauses»).
As mentioned above, the GDPR came into force on 25 May 2018, requiring all government agencies and public bodies, as well as the private sector, in the EU Member States to harmonize with and comply with the new provisions and the required level of protection of personal data.
Several undertakings, some to a smaller and others to a larger extent, have already begun their efforts to comply with the provisions of the Regulation. However, due to the complexity of the new provisions and the significant changes introduced by the Regulation, particularly as regards the obligations of the parties involved in the processing of personal data, they are not expected to be fully harmonized any time soon.
The existing national legal framework
The protection of personal data has always been a fundamental issue and a societal necessity that had to be fulfilled.
In Greece, personal data has to date been protected by Law 2472/1997 (on the Protection of Individuals with regard to the Processing of Personal Data), which transposed the (now repealed) Directive 95/46/EC (on the protection of individuals with regard to the processing of personal data and on the free movement of such data).
The protection of personal data after Regulation (EU) 2016/679
After the entry into force of Regulation (EU) 2016/679, the protection of personal data becomes stricter as, among other things, it provides for the following new key concepts:
• accountability of the controller and the processor,
• data collected strictly for specific purposes,
• privacy requirements built in from the design of information systems (“privacy by design”),
• written policies for the collection, management and security protection of personal data,
• expansion of the rights of data subjects, and transparent policies to meet those new rights,
• carrying out of a Data Protection Impact Assessment for the potential risks and consequences that may be caused by the processing of personal data,
• stricter criminal and administrative sanctions, with increased fines based on the company’s turnover,
• existence of a Data Protection Officer as an internal body who acts independently and ensures compliance with the provisions of the Regulation within the firm/company,
• procedures for notifying the competent data protection Authority (within 72 hours) and the individuals concerned (where applicable) of each personal data breach.
In summary, the new Regulation creates new obligations for every company. Most of those obligations already existed but were very often not taken seriously. Now, however, the need to avoid the unpleasant consequences of ignorance and negligence on the part of those involved has made adaptation to the provisions and requirements of the new Regulation inevitable.