Important changes on Data Privacy Law

31 July 2017

The new EU General Data Protection Regulation (GDPR) will enter into force on 25 May 2018 and is the most important change in personal data protection within the EU.

GDPR aims to harmonize privacy laws across Europe, protect the privacy of EU citizens and reform the way companies active in the EU process personal data. It will apply not only to companies established in the EU but also to enterprises outside the EU that offer goods or services in the EU market. It will also apply to all companies processing and holding personal data of EU citizens, irrespective of the company’s registered location or offices.

According to GDPR, any information relating to a natural person that may be used to identify that person (directly or not) is considered personal data. The processing of such data is prohibited except for the reasons provided in Article 6 GDPR. In addition, GDPR refers to a “closed” category of personal data (the counterpart of the “sensitive” personal data category of Law 2472/1997 in Greece). Such data may not be collected except as provided in Article 9 GDPR.

Companies that do not comply with the GDPR will be fined up to 4% of their global annual turnover or up to 20 million euros. These fines will apply to both data controllers and processors.

“Controller” is the natural person or legal entity, public authority, service or other entity that defines the purposes and manner of processing personal data. “Processor” is the natural person or legal entity, public authority, service or other entity processing personal data on behalf of the controller. The controller and processor designate a Data Protection Officer (“DPO”). A DPO may be a member of the staff of the controller or processor or perform his duties under a contract.

In conclusion, the consent of the person whose data are collected is required. The request for consent addressed to that person must clearly state that his/her consent is given for data processing purposes. Finally, explicit consent will only be required for the processing of the closed category of personal data. For ordinary personal data, simple consent shall be sufficient.

For more information on personal data please contact Partner Haris Meidanis on hmeidanis@hmlaw.gr.