General Data Protection Regulation (GDPR) in Cyprus
On 8 April 2016 the EU adopted the General Data Protection Regulation (GDPR), which will come into effect on 25 May 2018, repealing the Data Protection Directive 95/43/EC. Its aims are (1) to protect natural persons in relation to the processing of their personal data (rec. 1); (2) to allow natural persons greater control over their data (rec. 7); (3) to harmonise the law and remove uncertainty in relation to data protection (rec. 9 and 10); (4) to provide greater protection and strengthen the rights of data subjects, impose obligations on data processors and increase the monitoring powers and sanctions available to Member States (rec. 11); and (5) to allow for fair and lawful processing of personal data (rec. 39). All in all, the GDPR will strengthen the internal market, strengthen the enforcement of the rules and set global data protection standards.
The Benefits to Individuals
Under the GDPR, the data subjects (i.e. the individuals benefiting from the Regulation) will be able to:
- Firstly, access their data more easily, in the sense that from the moment they give their consent they will know the uses to which the data will be put.
- Secondly, have the data that a data controller keeps deleted. Termed the “right to be forgotten”, Article 17 of the GDPR allows an individual to have his or her data deleted if he or she does not want such data to be processed (provided that there are no legitimate grounds for the data controller to retain it).
- Thirdly, benefit from data protection by design and by default under Article 25 of the Regulation. Data protection by design means that the controller must implement appropriate technical and organisational measures so as to integrate the safeguards necessary to meet the requirements of the GDPR and protect the rights of data subjects. Data protection by default means that the controller must implement appropriate measures to ensure that, by default, only personal data necessary for each specific purpose of the processing are processed, and that, by default, personal data cannot be made accessible without the individual’s intervention.
- Fourthly, know if and when a security breach has occurred whenever his or her data have been compromised. The GDPR obliges the data controller not only to notify the supervisory authority of the breach (within 72 hours) but also to communicate the personal data breach to the data subject, describing the nature of the breach and recommending measures the natural person concerned can take to mitigate any potential adverse effects.
Who and what data is covered?
The GDPR covers personal data that are processed. Processing need not be automated: manual processing also falls within the Regulation’s ambit. It does not, however, cover files or sets of files that are not structured according to specific criteria (rec. 15).
Under the definitions of the Regulation, personal data means information relating to an identified or identifiable natural person, i.e. a person who can be identified, directly or indirectly, by reference to a name, an identification number, location data, an online identifier, etc. For example, a photograph or an IP address can count as personal data.
It is important to note that the GDPR does not apply to legal entities (rec. 14) or to natural persons who have passed away (rec. 27).
The entities affected need not be resident in the EU. It is for this reason that the changes have such wide-reaching effects: the EU intends to place obligations on anyone (even in a third country) who offers goods or services to data subjects within the EU or who monitors their behaviour (rec. 22, 23 and 24).
Who is a data controller and who is a data processor?
Article 4 of the GDPR defines a data controller as a “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. A data processor on the other hand is a “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.
For example, a data controller could be the Ministry of Health of a Member State, which requires digital records to be kept of patients treated in public hospitals. The controller determines that the purpose for which the data are collected is the effective treatment of patients. A data processor, on the other hand, could be the private legal entity that has been contracted by the Ministry to create, update and handle the database of patient records.
Who is a data protection officer?
In certain cases, data controllers and data processors must designate a person as a data protection officer. These cases are listed in Article 37 of the GDPR and are the following: (1) where the processing is carried out by a public authority or body; (2) where the core activities of the controller or processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or (3) where the core activities of the controller or processor consist of processing special categories of data on a large scale.
The data protection officer’s duties include providing information and advice to the controller, the processor and their employees in relation to data processing, monitoring compliance with the Regulation, providing advice where requested on the data protection impact assessment and, finally, cooperating with and acting as the point of contact for the supervisory authority (Article 39 of the GDPR).
One stop shop:
One of the main aims of the Regulation is to act as a one-stop shop. This affects organisations situated in several Member States (i.e. multinational enterprises, MNEs). Whereas an MNE would normally be subject to the supervisory authority of each Member State in which it is situated, under the GDPR a supervisory authority in one Member State may act as the lead supervisory authority, reducing the administrative burden on the MNE. It is then for the lead authority to coordinate with the other authorities in order to apply the Regulation to the specific organisation.
The specific purposes for which personal data are processed should be made explicit and determined at the time the personal data are collected. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. For this reason the period for which the personal data are stored is limited to a “strict minimum” (rec. 39). This means that the data must be processed in accordance with the consent of the data subject. Exceptions are made, however, where the data are processed on some other legitimate basis laid down by law (rec. 40). These include cases where processing is necessary to protect an interest essential for the life of a natural person, including the data subject (rec. 46).
Under recital 32, consent is given:
“By a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.”
For consent to be informed, it must not be subject to unfair terms or impose extra obligations on the data subject (for example, where there is no genuine or free choice, or where the data subject is unable to refuse or withdraw consent without detriment).
Furthermore, the data subject must be aware of the identity of the controller and of the purposes for which the personal data will be processed (rec. 42). Under recital 43:
“Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.”
One of the most beneficial features of the Regulation is data portability. Data portability is a right granted to data subjects which allows them to request and receive the personal data concerning them from the data controller, or to have the data controller transmit those data to another controller. The requirements are that (1) the data subject provided the data to the controller; (2) the data are in a structured, commonly used and machine-readable format; (3) the processing is based on consent, or is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; and (4) the processing is carried out by automated means.
Data portability can be used, for example, where a data subject wishes to move his or her business from competitor A to competitor B. In such cases competitor A is obliged under the Regulation not to hinder or obstruct the transition. Another example where data portability can help is when an individual uses services that compare his or her data with those of other consenting individuals in order to provide comparisons or suggestions as to best value. Data portability therefore has wide-ranging effects: it brings competitiveness to the market by forestalling tactics that may hinder new entrants and by providing a transparent environment for consumers.
In cases of breach of the provisions of the GDPR, the supervisory authorities can issue written warnings and impose fines according to the type, recurrence and extent of the breach. Under Article 83 of the Regulation, fines may reach up to EUR 20 million or 4% of the total worldwide turnover of the preceding financial year, whichever is higher. This makes the GDPR one of the most important Regulations to be taken into account whenever a business is involved in processing the data of individuals.
What should you do:
Companies dealing with the personal data of individuals should be aware of the changes introduced by the GDPR and should start taking steps to avoid the unwanted consequences of being found in breach of the Regulation. The heavy fines that may be imposed for breaches mean that the GDPR should be a matter of serious discussion at board level in any company.
At D. Hadjinestoros & Co LLC we can help you with the transition through a detailed analysis of the current legal framework and the new obligations set by the Regulation. Furthermore, we can provide legal advice on evaluating your current personal data protection systems and how to proceed with all the necessary measures including drafting the required legal documentation in order for you to prepare before the implementation deadline.
This article is given for information purposes only and it does not constitute legal advice. Please give us a call if you would like to book a consultation with a specialist in this area from our office. We will be happy to assist you.