The new legal framework on personal data protection in the EU, and in particular the new General Data Protection Regulation (GDPR), was published in the Official EU Gazette on May 04, 2016.
The Regulation radically changes European law on personal data protection, because it is meant to drastically affect the processes by which organizations collect, handle, process and store information that entails personal data.
Compliance with GDPR is compulsory for all organizations, because the protection of all natural persons with regard to the processing of their personal data is fundamental in essence. Article 8 paragraph 1 of the Charter of Fundamental Rights of the European Union and article 16 paragraph of the Treaty on the Functioning of the EU (TFEU) state that every person is entitled to the protection of their own personal data.
Naturally, the following question comes to mind: which data is considered to be personal data?
Not only identification data, phone numbers or home addresses, but also any other information that allows a third party to learn someone’s preferences, health condition, or physical, genetic, psychological, financial, cultural, political, gender or social identity, is considered to be personal data.
Compliance with GDPR applies to all businesses (both private and public) that in any way manage the personal data of employees, associates, clients or other natural persons. In practice it applies to all businesses that manage the data of EU citizens, whether inside or outside the EU, provided that the citizen operates in a country where a member state’s laws apply.
To ensure compliance with GDPR there is a competent independent administrative authority, namely the Independent Authority of Personal Data Protection, which operates as a constitutionally established independent authority. Its supervisory duties include conducting administrative checks, reviewing relevant complaints, lawsuits and queries regarding the law’s implementation, and protecting applicants’ rights when those are affected by data processing. In case of non-compliance with these provisions, the following fines are imposed:
Administrative fines of up to 10.000,00€ or, in the case of businesses, up to 2% of the global annual turnover of the previous year, whichever of the two leads to the higher fine, for:
- Breach of duties by the Data Controller or the Data Processor (articles 8, 11, 25 to 39, as well as 42 and 43e of Regulation 679/2016)
- Breach of duties by the organization set to certify businesses (articles 42 and 43 of Regulation 679/2016)
- Breach of duties by the organization meant to certify accordingly (article 41 of Regulation 679/2016)
Administrative fines of up to 20.000.000,00€ or, in the case of businesses, up to 4% of the total annual global turnover, whichever of the two criteria leads to the higher fine, for:
- Breach of the fundamental principles of processing (articles 5, 6, 7 and 9 of Regulation 679/2016)
- Breach of the rights of data subjects (articles 12 to 22 of Regulation 679/2016)
- Breach of the provisions on the transfer of employees’ data to a recipient in a third country or an international organization (articles 44 to 49 of Regulation 679/2016)
- Breach of any other duties deriving from a member state’s laws
- Non-compliance with an order, or with a temporary or final restriction of processing, or with the revocation of data circulation imposed by the supervisory authority under article 58 paragraph 2, or failure to provide access as required by article 58 paragraph 1 of Regulation 679/2016