- March 23, 2021
CEELM’s Checking In feature editor asked Data Protection experts the following question: Overall, how compliant would you say economic agents are with relevant local regulations on data protection, and what are the main gaps that have yet to be addressed?
Generally speaking, the majority of economic agents are expected to have already completed or at least have long-ago-initiated a compliance program to follow suit with the EU and Greek data protection legal frameworks, following, in particular, the GDPR enactment in May 2018.
However, such compliance is of a dynamic nature, requiring constant effort, even on a daily basis, and cannot be exhausted as a one-off project, especially taking into consideration the continuous developments in the field, mainly arising from the regulatory framework, as supplemented by instruments issued by the competent supervisory authorities (e.g. guidelines, recommendations).
It is necessary to have compliance programs evolve, moving from a baseline of compliance to a more mature level, including audits. Some businesses seem content enough with remaining at a limited compliance level, which they would have reached two or even three years ago. However, they fail to realize that the biggest challenge is the continuous monitoring of their compliance status, which, most likely, may now be incomplete and out of date.
In this context, the areas commonly arising as gaps in audits are website-related issues (e.g. the cookie bar and the cookie policy), especially in light of the forthcoming E-Privacy Regulation; failure to keep updated records of processing activities; and failure to keep an updated registry of security incidents or breaches. The same applies to the registry of data subjects’ requests/rights, while we also observe challenges in the consistent application of retention periods for each processing category.
Panagiotis Tampoureas, Senior Associate, DRAKOPOULOS