Almost five years after the European Commission submitted its first proposal to reform the data protection landscape, a new General Data Protection Regulation (GDPR) has finally been adopted, intended to strengthen data protection harmonization across EU Member States. The GDPR will be directly applicable in all Member States as of May 25, 2018, leaving all affected businesses in a race against time to meet the compliance obligations it imposes.
Starting from its scope, the GDPR expands the territorial reach of the current Data Protection Directive 95/46/EC, bringing together EU and non-EU established data controllers and processors. Although the condition of an EU establishment initially created confusion as to whether it would require the set-up of a legal entity or a mere operational presence in any Member State, the GDPR's recitals could be interpreted to mean that the presence of a simple representative is a sufficient criterion for fulfilling that condition. On the other hand, data controllers and processors outside the EU fall within the territorial scope of the GDPR as long as they target data subjects within the EU by offering goods or services, or monitor their behavior through online tracking methods.
A newly added and somewhat confusing provision relates to the appointment of a Data Protection Officer (DPO). Although the initial GDPR approach referred to a mandatory DPO appointment only for companies exceeding 250 employees, the final legislative text requires companies to appoint a DPO in any of the following cases: where the data processing is conducted by a public authority, where it involves the regular and systematic monitoring of data subjects on a large scale as part of the company's main business activities, or where it concerns the processing on a large scale of special categories of data. The GDPR allows any employee of the data controller or the processor to serve as a DPO, and also gives companies the opportunity to outsource such services to a third-party consulting firm.
The GDPR introduces a brand new breach notification procedure, which, however, has turned out to be one of the most debated provisions of the text and a real difficulty for the parties involved. In the event that a personal data breach is identified, data controllers are required to notify the competent supervisory authority – that is, the DPA in Greece – of the breach within 72 hours of the time they became aware of it. The GDPR provides for a more flexible timeframe in cases where the delay in notifying the supervisory authority is accompanied by reasonable justification, and exempts situations where the breach identified is not likely to result in a risk to the rights and freedoms of the data subjects. However, companies appear to be baffled as to the exact steps they need to follow for breaches falling within the scope of this provision, with many of them complaining that the new framework forces them to re-examine their internal processes and equip themselves with costly, advanced technology administration systems that comply with the newly introduced breach notification standards. A further controversy concerns the definition of those breaches that could result in a risk to the rights of the data subjects, with many analysts believing that this exemption could be constantly invoked by data controllers as a convenient excuse, defeating the purpose of the notification requirement.
In general terms and despite any – for the time being – uncharted waters, the GDPR comes as a comprehensive legislative text that aims at defining a secure and harmonized framework of data protection and imposes significant fines and penalties – at times reaching high percentages of the breaching company’s annual turnover – in order to ensure a smooth implementation.
Senior Associate, Greece