European Requirements for the Enforcement of Personal Data Protection: New Compliance Rules (Regulation 2016/679)
Preamble: What Does Non-Compliance Mean?
It is true that every new obligation imposed on a company burdens its operating costs. But could anyone seriously suggest non-compliance with the obligations this Regulation imposes for the Protection of Personal Data?
We cannot remain indifferent here: European Regulation 2016/679 is in force without any need for ratification by the Greek legislator.
The sanctions threatened? Unsustainable. Leaving aside the details of criminal sanctions, the maximum fines amount to € 10.000.000 or € 20.000.000, or to 2% or 4% respectively of the infringer’s worldwide turnover where that percentage exceeds the fixed amounts (that is, the higher of the two applies).
Things are NOT simple …
The Existing Institutional Framework
The need to protect individuals from the constantly evolving exposure of their Personal Data (driven by rapid developments in technology), and to establish a secure modus operandi for those who process such data, is underlined by European Regulation 679 of 27 April 2016, which takes full effect in all Member States (our country, of course, among them) on 25.5.2018.
With Law 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data (and its subsequent amendments), the Greek legislator incorporated European Directive 95/46/EC “On the protection of individuals with regard to the processing of personal data and on the free movement of such data”.
The key foundations for the Protection of Personal Data, laid twenty years ago, consisted in the identification of:
(a) the basic concepts, such as “record”, “data subject”, “simple data”, “sensitive data”, “controller” and “processor”;
(b) the rights of the Data Subjects (i.e. each of us);
(c) the obligations of Personal Data Controllers (the natural and legal persons, bodies and organizations with which we necessarily transact in our daily lives, from our employer to the Tax Registry); and
(d) the establishment of the Personal Data Protection Authority, which would function independently as a supervisory body and as the institutional guarantor verifying compliance with the European requirements.
The Personal Data Protection Authority has been set up and has operated since then; it takes vigorous action, and its decisions have become a serious item on the agenda not only of the legal world but also of public opinion, as for example in the case of recording religion on identity cards.
With this Regulation the European Parliament takes a more dynamic position than with the previous Directive, since a Regulation is a law of increased formal validity (it prevails over the laws of each Member State) and, unlike a Directive, is directly and horizontally applicable (incorporation by the national legislator is not required).
The Tightening For The Protection Of Personal Data In The Context Of The European Regulation
The Regulation strengthens the protection framework and in particular:
(a) The Controller is required to select the most secure organizational and technical measures, both when the means of data collection and processing are defined and at the time of processing itself.
The obligations of the Controller and the Processor are expanded (record-keeping, specifications, records of processing activities), and they acquire a specific accountability: to take, and to be able to demonstrate that they have taken, all necessary measures to ensure that processing is carried out in accordance with the Regulation.
(b) The rights of the Data Subjects are enhanced, including: (i) the right of access, (ii) the right of rectification (or completion), (iii) the right to be forgotten (conditionally, the right to erasure of data), (iv) the right to object, and (v) the right to data portability.
(c) For cases of systematic, extensive and large-scale evaluation of personal data, or of systematic large-scale monitoring of public places, there is a specific obligation to carry out an impact assessment of the potential risks and consequences for the rights and freedoms of individuals arising from the nature, context, scope and purpose of the processing.
(d) The Controller is required to notify the Authority immediately of any breach of system security (within 72 hours from the moment of becoming aware of it).
(e) In the cases explicitly listed in the Regulation (indicatively, large-scale processing of data and/or of sensitive data), the Controller appoints a Data Protection Officer: an internal supervisor (an employee or an external partner, such as a security technician) who ensures compliance with the regulatory framework (together with any specific rules the national legislator may adopt within its discretion) and who is in direct contact and cooperation with the Personal Data Protection Authority, with an obligation to report any violation to it.
(f) Considerably stricter sanctions are provided than the existing administrative and criminal penalties, with fines of up to € 10.000.000 or € 20.000.000, or a percentage of the company’s turnover where that percentage exceeds the above amounts, depending on the case and the offender.
A significant difference from the current legal framework is that no disclosure to the Authority is foreseen; instead, the material (the processing records) must be available at the Authority’s direct request. However, each national legislator may specify its own requirements and demand Disclosures or Licences, especially for the processing of sensitive personal data. To examine the possible adoption of legislative measures implementing the Regulation, a Legislative Committee has already been set up (Government Gazette 1913/27.6.2016), whose work we expect to be completed before the Regulation takes effect.
It is imperative that each Controller reviews (with the appropriate collaborators) the security status of its technical systems and of its organizational structure, so as to be ready to comply with the requirements of the Regulation.
However, Is There Any Time?
As already mentioned, the new European Regulation takes effect on 25.5.2018, so at first reading we have enough time to act. But is that really the case?
Many factors must be evaluated before we can answer “Okay, we have plenty of time”: the kind of business activity, the degree of compliance with the current institutional framework, the holding (and/or handling) of sensitive as well as simple personal data, and so on.
Let us not rush to answer “we do not hold sensitive personal data”. Do we request criminal records from some of our employees? Do we keep a record of the health status of some of them? Do we have security cameras for the security of our company?
While we await what the national legislator will (additionally) impose, the institutional framework for the protection of personal data has already become more complex. The threatened sanctions are not merely significant but, in fact, dramatically high.
Preparing the company is, most of the time, neither easy nor quick.
The need for more detailed information, a first assessment, and the first procedural steps is already present.