~ General Data Protection Regulation 2016/679 is a European Regulation that got formed as a legislation in 2016 and came on power on the 25^th of May 2018. It constitutes an effort of the European Union to establish a strong legal framework to protect the Personal Data of each individual / person living in the European Union against any violation no matter the violation’s origin, either European or abroad. 

From the moment that GDPR is a legislation that more or less affects every individual’s life in a very crucial aspect it is more than useful to clarify the main principles. 

~ What do we actually mean by the term Personal Data, what part of us and in what manner is protected by law?  

From the first effort to protect Personal Data back in the 1990’s the importance of what was the field that the Law shall actually protect became very obvious. After years of relevant European Directives, their domestic implementation and the European Court of Justice (ECJ) ruling the following:   

1/Any information relating to an identified or identifiable living person

2/ HR records

3/ CCTV images of an employee

4/ Photograph of employees

5/ Email with cc’d

6/ Confidential opinions written about myself and other people (i.e., my manager)

7/ Anonymised Equality monitoring data

In the implementation proceedings a closer scrutiny took place by the domestic and European Authorities and pointed out that an additional sensitive category should be established, this is the category of the now known “Special Category Personal Data”.

Data as the following are included in this Special Category: 

1/ Racial / ethnic origin

2/ Political opinions

3/ Religious / Philosophical beliefs

4/ Trade Union membership

5/ Genetic or biometric data

6/ Health

7/ Sex life / sexual orientation

8/ IBAN – PERSONAL TAX NUMBER etc. 

~ Another issue that was important to be solved was the liability and responsibility factor, in other words when a breach, a default, an illegal action takes place whom is the Law supposed to hold responsible? Who shall bear the duty to pay extra attention and protect proactively our Personal Data? 

The Regulation followed the notion of providing a proactive and precautious safety net by adopting responsibilities and duties of protection in advance and not a method of penalties and fines based on the aftermath of the breach. Hence, the Directive clarifies that any person that becomes aware of any Personal Data has the legal duty to handle it with extra caution in advance. In addition, the Directive offered specific terminology in order to clarify the necessary terms as an aid to the implementation process that each Member State of the Union followed. Additionally, specific criminal offences / convictions are not included and expanded yet but separated out and extra safeguards are put in place at relevant Articles of the Regulation. 

• Processors – Controllers – DPO 

• Processor acts on controller’s behalf, actually any person dealing with data

• Controller says how and why personal data is processed

• DPO – the Data Protection Officer 

• Supervisory Authority in each individual Member State that is supervising the implementation and when necessary intervenes and sets the necessary sanctions in accordance with the Regulation’s provisions. 

• Processing

• Basically, includes any activity in reference to personal data processing, including:

• Collecting

• Storing

• Using

• Sharing

• Deleting

~ Additionally, in order to safeguard the level of implementation, harmonisation and integration among the Member States the Regulation established a solid legal framework and provided fundamental Principles, such as:     

• All Data shall be:
• Processed lawfully, fairly and transparently
• Lawful – mustn’t be in breach of other laws Lawful in accordance with specific Articles of the Regulation – Lawfulness of processing
• Fair & transparent – data subjects must be aware and must ‘feel’ that process is fair
• Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation) 
• Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimization)
• Accurate and, where necessary, kept up to date (accuracy)
• Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (storage limitation)
• Processed with appropriate security, including protection against Unauthorised or unlawful processing Accidental loss, destruction or damage (Integrity and confidentiality)

~ While studying the Regulation it may be stated that a major issue that is of importance is the term “Consent”, that is the person / subject of the personal data must agree, must allow, must provide the consent to the processor in order to be able to process the personal data provided. Specifically, the Regulation requests that:  

• Consent of the Person is a must. In addition, consent must be unambiguous, freely given, after being fully informed, specific and not a general one and when necessary demonstrable.

• Consent is absolutely necessary for any kind of contract to be formed between any controller and any data subject / personal information. 

 • Consent constitutes a straight Legal Obligation – without consent any further process is against GDPR provisions. 

However, there are exceptions in the Regulation under which “Consent” is not such a strict prerequisite, situations like: 

• Law requirement must be met necessarily – i.e., in the field of employment, CV’s or Recommendation Letters for example, or in the field of social security, medical records or personal reports for example, but always within strict and solid safeguards in accordance with GDPR principles.    

• Vital interests (such as terrorism) or lawful authority (such as Tax Office or Police) or public interest / health (such as Pandemic or threat) issues usually prevail GDPR provisions as long as the prerequisites and safeguards are adopted and followed during the process.  

• Data made manifestly public by the subject / person i.e., social media. 

• Data used for Archiving, scientific or historical research that is unanimously processed. 

~ In order to provide guidelines to the IT officers and technical approach and compliance to the legislation, GDPR established a strict Principal of Accountability for any person that processes any Personal Data either as a processor or as a controller. Thus, in order to follow the Regulation’s provisions either as a person or as a company, it is important to:  

• Implement appropriate technical & organisational measures to ensure and demonstrate compliance (e.g., training, policies, audits etc.)

• Maintain relevant documentation (controller info, Purposes of processing, categories of data subjects / personal data, recipients of data, transfers to 3rd countries, retention schedules, security measures.)

• Implement data protection by design (e.g. minimisation, pseudonymisation, transparency, security)

• Use Data Protection Impact Assessments / Risk Assessments 

• Appoint a Data Protection Officer (DPO), when it is either compulsory by Law or potential upon the discretion of the processor and/ or controller.

• Adopt an Information Lifecycle Management

1. Information Asset Registers (IAR)

2. Data Flow Mapping (DFM)

3. Risk Assessment(s)

4. Privacy Notice(s)

5. System Level Security Policy (SLSP)

~ It must be stressed that one of the most important innovations that GDPR has brought is the expansion of the Rights that the Data Subject / Person processes.  

• New rights:

• Right of erase – right to be forgotten 

• Data portability

• Be informed of the Data (transparency)

• Data Access of the subject / person 

• Restrict / divide processing

• Object – to whom may the Data be forwarded furtherly

• Restrictions to automated decision making / profiling

~ Relevantly, the Regulation established a solid Data Protection responsibility framework to the Processing / Controlling and Protecting the Data personnel, regardless if we refer to automated or/and manual filing systems. The Regulation has made a remarkable effort to clarify that the Personal Data once legally entrusted and confided by the subject / person into the processor’s sphere of information must stay safe, secured and protected. If any kind of failure or breach of this protection framework occurs the responsibility automatically is born to the processor and the controller under whose supervise the processor executes the processing of the Data.   

Hence, a mechanism of Data Protection and management of a breach event is established and carries a number of responsibilities to the Personal Data bearer / processor, such as the following:  

• Breach Reporting

• Personal data breach is a breach of security leading to the destruction, alteration, unauthorized disclosure or access to, personal data.

• Need to notify the AUTHORITY where it is likely to result in a risk to the rights and freedoms of individuals (within 72 hours of being aware of the breach)

• Need to notify individual/ subject/ person where it is likely to result in a high risk to the rights and freedoms of individuals

Likewise, a number of restrictions is also imposed by the Regulation in reference to the Transfers of Personal Data, such as the following: 

• GDPR imposes restrictions on the transfer of personal data outside the EEA, to third countries or international organizations.

• The commission may designate non-EEA countries as having adequate level of data protection

• In any case the subjects and processors must ensure appropriate safeguards

• Private sector’s agreements, contracts, correspondence and cooperation must include standard clauses for GDPR compliance

• Requirements around ‘data share’ agreements of any kind are vital to be foreseen and clarified prior to the beginning of the trade or business transactions (i.e., controller – controller or controller – processor) and perhaps under a Data Protection Officee surveillance / guideship. 

• EU-US Privacy shield became stronger

Consequently, new roles have appeared with specific job / occupational descriptions in order to provide an additional prevention safety net, minimize the risk of a fault and manage the crisis if a fault actually takes place. For instance, we may state the following: 

• Senior Information Risk Owner (SIRO)

• Information Asset Owner (IAO)

• Information Asset Managers / Administrators

• GDPR compliance IT officer

• GDPR compliance Legal support   

Finally, it is easily concluded that in an era where cyber and internet issues are actually “on the air” terms as cybercrime, hacking, cracking, Data Protection and malicious (or not) breach of their protection should not stay “on open air” unprotected and without adequate crisis management. For more information please contact us in contact@kstlaw.gr

It is a fact that during this multi transitional period various investment opportunities appear and provide a safe ground to put money in. Actually, acquisition of property and tangible assets has always been considered as a safe and stable method of financially secured investment. Furthermore, a follow up of global prices’ ups and downs usually is a precious guide which shows were a promising opportunity may exist.     

Land & property investments

Recently, I was addressed again with the inquiry whether or not Greece (Hellas) may be a good opportunity for property acquisition. Instantly the answer is affirmative for various and important reasons. Besides, the presence of big investment Funds constituted by people or companies from various global nationalities is an actual fact. It is also a fact that steadily Companies with main scope “land & property” investments appear and put money in the local market. However, a simple answer is not enough since a close scrutiny may provide the reasoning for such a thought and presumably the next step and action. 

“Golden Visa”

First things first, Greece is one of the few European Union Member States that provide a so called “Golden Visa”, that is a method, a legal procedure to acquire an official permit from the Greek public Authorities and consequently hold a European Union access key. This procedure is available to investors that are willing to either to buy property estimated 250.000 euro and over or invest 400.000 euro and over to intangible property / assets for example shares, mutual funds and other.  

Even more, the answer may be provided by numerous European and Third Country people and families who not only possess property in Greece but also actually state that it was one of the best choices they have made. Is it only the atmosphere and the sea or the nine months, at least, of sunshine that justify this statement? Or other reasons and issues justify the cause? 

It is a fact that financial crisis and hardship has hit and influenced land and its prices in Greece. High End suburbs, specific famous or even notorious Islands, crashed by tourism summer resorts and places, were really overestimated and overpriced few years ago. A small or big fortune was the price to be paid in order to acquire a ‘good / decent piece of land’. Nowadays, opportunities exist even in such ‘tough choices’ and with patience and the aid of specialized professional counselors such a task is easier than in the past. 

Professional aid

Specialized and specific professional aid and advice is the most important key since it will protect the investor from various mistakes and difficulties, it will safeguard the investment, it will make things clear and fair and of course shall make the investor’s life easier and safer. Thus, the procedure will get formed in a manner of a safe highway and not in a peculiar and obscure pathway. The correct advice and the realistic contribution start from the deep understanding of the investor’s real need, dream, ability, financial competence and adequacy in order to be able to provide a feasible and accurate proposal. It is important to be around the market and the opportunities sources in order to haver the knowledge, the information but also the basis to value and to choose the tailor-made solution to each investor’s profile. 

Procedure

Then, an accurate check and scrutiny to the property’s deeds and actual legal status of land lordship shall taker place in order to determine whether any easements or burdens or other legal problems exist upon the property we are interested in. Provided that this legal inspection provides us with a ‘green light’, the contribution of a public notary is mandatory and of a civil engineer lays upon the discretion of the investor and the difficulty that we may face in reference to the Civil Building Plans or any other similar question. Afterwards, a series of certificates and documents must be issued and given to the public Notary for the drafting of the acquisition deed. Naturally, the investor may be a person or a legal entity, such as a Company of any kind (Ltd, SA etc.). Taxation in Greece for property acquisition and investment is not a significant stop and can be managed in various accounting ways to become even more tolerable. The acquisition procedure is fulfilled when the deeds are signed and the new owner of the property is subscribed into the Land Registration Office and the property is officially under this land lord’s name. 

Nevertheless, we must state that foreign investors are not obliged to justify the source and the manner of the investment’s capital acquisition and also, they may use the technique of merges and acquisitions of existing companies with property in order to get the land with much more simple and quick procedures and expand the investments’ & businesses plans – such as hotels, agricultural or industrial use land and so on.    

For further information and detailed communication please contact our firm by using contact@kstlaw.gr