Executive Summary
The present memo serves as an informative note on the provisions of Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), which goes into full effect on the 25th of May, 2018. It covers the main changes and novelties introduced by the GDPR in comparison with the previous legal framework on data protection, the issue of data subject consent under the new Regulation and in accordance with the WP29 comments, the current provisions of Greek law on the use of electronic means of communication for purposes of direct marketing, and the issue of cross-border transfer. It further describes the core obligations of the data controller and processor, the rights of the data subjects and the consequences of non-compliance. Finally, it provides a roadmap to ensure compliance with the new Regulation.
1. Introduction
1.1. The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/EC effective on the 25th of May, 2018 and is directly applicable to each member state. It brings some notable changes with respect to the existing framework regarding the protection of personal data, notably new ways of protection for EU data subjects, and threatens significant fines and penalties for non-compliant data controllers and processors.
1.2. It is critical to understand the GDPR’s principles and set up the necessary infrastructure and processes to ensure compliance. Indeed, organizations of any size, regardless of whether they are located outside the EU (extra-territorial applicability), fall within the scope of the GDPR if they offer goods or services to, or monitor the behavior of, EU data subjects.
1.3. Just like the EU Data Protection Directive 95/46/EC, the GDPR distinguishes between data controllers and data processors. Under the GDPR, controllers ultimately “determine the purposes and means of the processing of personal data” (Article 4(7) of the GDPR). By contrast, the GDPR defines processor as the person or entity “which processes personal data on behalf of the controller” (Article 4(8) of the GDPR).
2. Novelties of GDPR
2.1. A “One-Stop Shop” mechanism for controllers and processors established in multiple Member States is introduced to enable them to deal with one supervisory authority only. The “lead” supervisory authority for cross-border processing is the authority of the main establishment of the controller or processor, while the other Member States’ supervisory authorities will be competent for complaints affecting data subjects or establishments in their own Member State (Article 56 of the GDPR).
2.2. In contrast to the previous legal framework (where the controller was solely liable), the GDPR introduces statutory obligations on processors, who, if they fail to comply, shall be held directly liable. In cases where both a controller and a processor are involved in the same processing activities and are responsible for any damage caused, each of the controller and the processor may be held liable for the entire damage (Article 82(4) of the GDPR).
2.3. The provisions regarding the data subject’s consent for the processing of the data are further enhanced.
3. Consent of Data Subjects
3.1. General Provisions for data processing
3.1.1. The GDPR sets the main principles for data processing that need to be followed by data controllers and processors. Indeed, the provisions of Articles 5 (basic principles), 6 (lawfulness of the processing), 7 (conditions for consent) and 9 (processing of special categories of personal data, which falls outside the scope of the present case) of the GDPR need to be abided by.
i) More specifically, personal data must be:
- Processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);
- Collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes (the “purpose limitation principle”);
- Adequate, relevant and limited to what is necessary in relation to the purpose (the “data minimization principle”);
- Accurate and where necessary kept up to date (the “accuracy principle”);
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purpose for which the data are processed (the “storage limitation principle”);
- Processed in accordance with appropriate safeguards to ensure security of the personal data (the “integrity and confidentiality principle”).
The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability principle”).
ii) Personal data can only be processed in the following circumstances:
- When the consent of the data subject is obtained;
- Where there is a contractual obligation;
- Where there is a legal obligation under EU or national legislation;
- Where processing is necessary for the performance of a task carried out in the public interest under EU or national legislation;
- To protect the vital interests of an individual;
- For the legitimate interests pursued by the controller or by a third party, but only after having checked that the fundamental rights and freedoms of the person whose data are being processed are not seriously impacted. If the person’s rights override the controller’s interests, then processing cannot be carried out on the basis of legitimate interest.
iii) Under the GDPR, consent as a legal basis for processing becomes more difficult to obtain. The conditions of consent have been strengthened, as companies are no longer able to utilize long illegible terms and conditions full of legal jargon, since the request for consent must be given in an intelligible and easily accessible form, stating the exact purpose for data processing. In accordance also with the WP29 comments, the consent must be freely given, specific, informed, unambiguous, clear and distinguishable from other matters. The burden of proof for valid consent explicitly remains on the controller who relies on this as a legal basis for processing (Article 7(1) of the GDPR).
3.1.2. It must be as easy to withdraw consent as it is to give it.
3.1.3. Further, it must be noted that sending promotional material directly to consumers is a common business practice. However, in order for such communication to be possible, it is necessary for the advertiser to have access to the data (telephone, email or address) of the recipient.
3.1.4. Greek law 2472/1997, together with law 3471/2006, requires the prior consent of the data subject in the case of use of electronic means of communication for the purposes of direct marketing.
3.1.5. The said legal framework sets out certain conditions for obtaining and maintaining such data, which depend on the advertising method used. Specifically:
a. Formal promotional material via traditional mail
Prior consent of the recipient is required. However, if the data are obtained from public directories (e.g. telephone directories, Yellow Pages) or derive from a pre-existing customer or business relationship or if the recipient himself has disclosed the data for a similar purpose, no prior consent of the data subject is required. In these cases only the data that are absolutely necessary (name, address, profession) can be obtained. The recipient needs to be informed about the source of the provision of the data.
To stop promotional material, the data subject can notify either the advertiser or the Data Protection Authority in order to be included in the Register of those who do not want the data to be processed for advertising purposes (Article 13 list).
b. Telephone calls for advertising purposes
Again, prior consent of the call recipient is required. However, the law clearly identifies two categories of calling systems:
i) systems with human intervention (fixed or mobile telephones); and
ii) systems without human intervention (automatic calling machines), and provides for the opt-out regime with respect to the use of automated calling machines with human intervention and the opt-in regime for the use of automated calling systems without human intervention (meaning that the prior express consent of the subject is required).
c. Email, SMS and MMS
The opt-in system applies unless there is a customer relationship or previous business contact and the communication takes place in the form of email, SMS, etc.
4. Cross-border data transfers
4.1. Data Transfer to third countries
4.1.1. The GDPR permits personal data transfers to a third country subject to compliance with set conditions. Where the Commission deems that a country’s legal regime provides an adequate level of personal data protection, no special permission is required. The GDPR introduces a set of elements that the Commission must consider when assessing whether a foreign system adequately protects personal data (Art. 45 of the GDPR).
4.1.2. However, where there is no adequacy decision, the GDPR provides for specific mechanisms such as binding corporate rules, standard contractual clauses, codes of conduct and certification mechanisms (Art. 46 of the GDPR).
4.2. Data Transfer within the EU
4.2.1. Under law 2472/1997 (Art. 9), cross-border transfer within the EU is free, meaning that no prior notification to or approval from the Hellenic Data Protection Authority is required. However, free transfer does not release controllers and processors from their obligation to comply with the legal provisions (such as the provisions regarding consent and the rights of data subjects) and principles with respect to the processing of personal data (such as the purpose limitation principle and the data minimization principle).
4.2.2. It is advisable that fresh consent of the data subjects is obtained. The data subject should be informed of the following:
- The updated regulatory framework on data protection;
- Who the company is (contact details, and those of the Data Protection Officer if any);
- Why the company will be using the personal data of the data subjects (stating all processing purposes);
- The categories of personal data concerned;
- The legal justification for the data processing;
- For how long the data will be kept;
- Who else might receive it;
- Whether the personal data will be transferred to a recipient outside the EU;
- The right to a copy of the data (i.e. right to access personal data), the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability, the right to object;
- The right to lodge a complaint with a Data Protection Authority;
- The right to withdraw consent at any time;
- Where applicable, the right not to be subject to a decision based solely on automated processing, including profiling.
5. Obligations of controllers and processors
5.1. A processor’s responsibilities under the GDPR are considerably more extensive. For example, processors must maintain written records of their processing activities (Article 30(2) of the GDPR), appoint a Data Protection Officer (DPO) (Article 37 of the GDPR), implement technical and organizational measures to ensure data security (Article 32 of the GDPR) and notify the controller of all data breaches (Article 33(2) of the GDPR).
5.2. The GDPR does away with the requirement to notify Data Protection Authorities regarding an organization’s processing activities (Art. 30 of the GDPR).
5.3. The controllers and processors have a general accountability obligation to implement appropriate technical and organizational measures to be able to demonstrate that processing is performed in accordance with the GDPR, which include the following:
- Record keeping. Each controller (and its representative, if any) must keep records of the controller’s processing activities (Article 30 of the GDPR), including:
i) The contact details of the controller, representative and Data Protection Officer;
ii) The purposes of the processing;
iii) The categories of data subjects and personal data processed;
iv) The categories of recipients of the data;
v) Information regarding Cross-Border Data Transfers;
vi) How long the data are kept; and
vii) A description of the security measures implemented in respect of the processed data.
Upon request, these records must be disclosed to Data Protection Authorities.
- Data Protection Officer (DPO). Controllers and processors must designate a Data Protection Officer where necessary as a result of the scale of their processing of personal data (including sensitive data) or where required by EU or Member State law (Article 37 of the GDPR). Under the GDPR, data protection officers are actively required to monitor compliance with the GDPR (Article 39 of the GDPR).
- Impact assessment. Controllers must carry out an impact assessment of the envisaged processing operations where the processing activities are likely to result in a high risk to the rights and freedoms of data subjects (Article 35 of the GDPR).
- Data protection by design / Data protection by default. Controllers will need to ensure that data protection requirements are considered when setting the means of processing the data (Article 25 of the GDPR). Additionally, controllers must implement technical and organizational measures to ensure that, by default, only personal data necessary for the specific activity undertaken is processed and retained (“data protection by default”). Companies are expected to introduce strategies taking into consideration the GDPR requirements and to implement technical and organizational measures at the earliest stages of the design of the processing operations, in such a way that safeguards privacy and data protection principles right from the beginning (“data protection by design”).
- Notification of data breaches. In the event of a personal data breach, controllers must notify the relevant supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach (Article 33(1) of the GDPR). Processors must also notify the controller without undue delay after becoming aware of such breach (Article 33(2) of the GDPR). Where the breach is likely to result in a high risk to individuals’ rights and freedoms, controllers must inform the data subjects of the breach, subject to limited exceptions (Article 34(1) of the GDPR).
5.4. The GDPR obliges controllers to engage only those processors that provide “sufficient guarantees to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk” (Art. 32 of the GDPR), including, for example:
i) The pseudonymization and encryption of personal data;
ii) The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
iii) The ability to restore the availability and access to personal data in a timely fashion in case of an incident;
iv) A complete process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
6. Rights of data subjects
6.1. The current rights of data subjects (rights of access (Article 15 of the GDPR), rectification (Article 16 of the GDPR), to object (Article 21 of the GDPR) and to lodge complaints (Article 77 of the GDPR)) remain the same.
6.2. However, the rights to notice and access are enhanced. The GDPR increases a controller’s obligations regarding the information it is required to provide to data subjects. Among the items that must be disclosed at the time personal data is collected are the following: the purposes of the processing, any recipients of the data, whether the data will be transferred internationally and under what legal grounds, and how long the data will be stored. Additionally, controllers must inform data subjects of their rights to request access to the data or lodge a complaint with a supervisory authority.
6.3. Further, the GDPR introduces additional rights for data subjects. These additional rights include:
i) The Right to Be Forgotten
The right to be forgotten (right to erasure) (Art. 17 of the GDPR) stipulates that controllers must erase personal data upon the request of the data subject to which it pertains or when “the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.”
ii) The Right to Data Portability
The GDPR provides data subjects with the right to receive their personal data in a structured, commonly used and machine-readable format and transfer this data to another controller (Article 20 of the GDPR).
iii) The Right to Object to Profiling
Data subjects have the right to object to their personal data being processed for direct marketing purposes and related profiling (Art. 21 of the GDPR).
7. Consequences in case of non-compliance
7.1. If there is suspicion that a company in an EU country does not respect the new data protection rules, the national Data Protection Authority analyses the case. If it concludes that the company respects the rules, it takes no action. If it identifies an infringement, the Data Protection Authority can either adopt a decision without imposing a fine (e.g. suspension of data flows to a recipient in a third country, a reprimand to the company, or a temporary or definitive ban on the processing of data) or, depending on the infringement (taking into consideration the nature of the infringement committed by the company under Articles 5, 6, 8 and 9 of the GDPR, the actions taken by the company to mitigate the damage suffered and any relevant previous infringements by the same company), it may impose a fine of up to 4% of the company’s worldwide annual turnover or up to 20 million EUR, whichever is higher (Art. 83(5) of the GDPR).
7.2. Further, any person who has suffered “material or non-material damage” as a result of a breach of GDPR has the right to receive compensation (Article 82 (1) of the GDPR) from the controller or the processor.
8. Roadmap to compliance with GDPR
Below follows a proposed course of action to ensure compliance with the GDPR. The affected companies shall:
- set a specific budget for the implementation of measures to ensure compliance under GDPR;
- formulate a specific policy for personal data protection and provision for intra-group procedures regarding the collection, processing and potential violation of personal data;
- review data flows and the legal basis of the processing of personal data. It would also be advisable to check whether grounds for lawful data processing other than consent (such as “necessary for the performance of a contract to which the data subject is a party” or the purposes of legitimate interests) can be relied upon;
- draft or review existing circulars informing the data subjects of their rights, whether their data are being processed, how, for what purpose and whether they are transferred within or outside the EU;
- make sure that the competent departments of the company are aware of the changes introduced by the GDPR;
- set a complete and detailed procedure for compliance which includes RIA (Risk Impact Assessment), regular checks, policy review on human resources, etc.;
- provide informative seminars for personnel regarding the upcoming changes in the data protection framework and the consequences thereof in case of non-compliance;
- document the personal data held in terms of sources of data acquisition and data sharing;
- check existing procedures and ensure that they comply with individual rights requirements under the GDPR (including procedures for the deletion of the data and electronic sharing);
- update procedures on how to timely handle access requests;
- review the procedure for obtaining consent of data subjects and update consent forms;
- review existing IT procedures (privacy by default, privacy by design);
- implement or review existing procedures for the detection, reporting and investigation of personal data breaches;
- establish Incident Response Plans.
9. Conclusion
The GDPR is the most significant change in data privacy regulation in 20 years. It was introduced with the purpose of unifying data protection regulation within the EU, protecting and empowering all EU citizens’ data privacy and forcing public and private organizations to redesign their approach to the collection, storage and processing of personal data. The new obligations on data subject consent, data anonymization, transparency and privacy by design and by default call for the implementation of comprehensive policies and incident response procedures with respect to a broad spectrum of factors, among which the processing of the data from collection to destruction, confidentiality, data portability, breach notification and the appointment of Data Protection Officers. “Controllers” and “processors” of data need to abide by the GDPR provisions or risk facing heavy fines if they fail to do so.