~ General Data Protection Regulation 2016/679 is a European Regulation that got formed as a legislation in 2016 and came on power on the 25th of May 2018. It constitutes an effort of the European Union to establish a strong legal framework to protect the Personal Data of each individual / person living in the European Union against any violation no matter the violation’s origin, either European or abroad.
From the moment that GDPR is a legislation that more or less affects every individual’s life in a very crucial aspect it is more than useful to clarify the main principles.
~ What do we actually mean by the term Personal Data, what part of us and in what manner is protected by law?
From the first effort to protect Personal Data back in the 1990’s the importance of what was the field that the Law shall actually protect became very obvious. After years of relevant European Directives, their domestic implementation and the European Court of Justice (ECJ) ruling the following:
1/Any information relating to an identified or identifiable living person
2/ HR records
3/ CCTV images of an employee
4/ Photograph of employees
5/ Email with cc’d
6/ Confidential opinions written about myself and other people (i.e., my manager)
7/ Anonymised Equality monitoring data
In the implementation proceedings a closer scrutiny took place by the domestic and European Authorities and pointed out that an additional sensitive category should be established, this is the category of the now known “Special Category Personal Data”.
Data as the following are included in this Special Category:
1/ Racial / ethnic origin
2/ Political opinions
3/ Religious / Philosophical beliefs
4/ Trade Union membership
5/ Genetic or biometric data
6/ Health
7/ Sex life / sexual orientation
8/ IBAN – PERSONAL TAX NUMBER etc.
~ Another issue that was important to be solved was the liability and responsibility factor, in other words when a breach, a default, an illegal action takes place whom is the Law supposed to hold responsible? Who shall bear the duty to pay extra attention and protect proactively our Personal Data?
The Regulation followed the notion of providing a proactive and precautious safety net by adopting responsibilities and duties of protection in advance and not a method of penalties and fines based on the aftermath of the breach. Hence, the Directive clarifies that any person that becomes aware of any Personal Data has the legal duty to handle it with extra caution in advance. In addition, the Directive offered specific terminology in order to clarify the necessary terms as an aid to the implementation process that each Member State of the Union followed. Additionally, specific criminal offences / convictions are not included and expanded yet but separated out and extra safeguards are put in place at relevant Articles of the Regulation.
- Processors – Controllers – DPO
• Processor acts on controller’s behalf, actually any person dealing with data
• Controller says how and why personal data is processed
• DPO – the Data Protection Officer
• Supervisory Authority in each individual Member State that is supervising the implementation and when necessary intervenes and sets the necessary sanctions in accordance with the Regulation’s provisions.
• Basically, includes any activity in reference to personal data processing, including:
• Collecting
• Storing
• Using
• Sharing
• Deleting
~ Additionally, in order to safeguard the level of implementation, harmonisation and integration among the Member States the Regulation established a solid legal framework and provided fundamental Principles, such as:
- All Data shall be:
- Processed lawfully, fairly and transparently
- Lawful – mustn’t be in breach of other laws Lawful in accordance with specific Articles of the Regulation – Lawfulness of processing
- Fair & transparent – data subjects must be aware and must ‘feel’ that process is fair
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation)
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimization)
- Accurate and, where necessary, kept up to date (accuracy)
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (storage limitation)
- Processed with appropriate security, including protection against Unauthorised or unlawful processing Accidental loss, destruction or damage (Integrity and confidentiality)
~ While studying the Regulation it may be stated that a major issue that is of importance is the term “Consent”, that is the person / subject of the personal data must agree, must allow, must provide the consent to the processor in order to be able to process the personal data provided. Specifically, the Regulation requests that:
• Consent of the Person is a must. In addition, consent must be unambiguous, freely given, after being fully informed, specific and not a general one and when necessary demonstrable.
• Consent is absolutely necessary for any kind of contract to be formed between any controller and any data subject / personal information.
• Consent constitutes a straight Legal Obligation – without consent any further process is against GDPR provisions.
However, there are exceptions in the Regulation under which “Consent” is not such a strict prerequisite, situations like:
• Law requirement must be met necessarily – i.e., in the field of employment, CV’s or Recommendation Letters for example, or in the field of social security, medical records or personal reports for example, but always within strict and solid safeguards in accordance with GDPR principles.
• Vital interests (such as terrorism) or lawful authority (such as Tax Office or Police) or public interest / health (such as Pandemic or threat) issues usually prevail GDPR provisions as long as the prerequisites and safeguards are adopted and followed during the process.
• Data made manifestly public by the subject / person i.e., social media.
• Data used for Archiving, scientific or historical research that is unanimously processed.
~ In order to provide guidelines to the IT officers and technical approach and compliance to the legislation, GDPR established a strict Principal of Accountability for any person that processes any Personal Data either as a processor or as a controller. Thus, in order to follow the Regulation’s provisions either as a person or as a company, it is important to:
• Implement appropriate technical & organisational measures to ensure and demonstrate compliance (e.g., training, policies, audits etc.)
• Maintain relevant documentation (controller info, Purposes of processing, categories of data subjects / personal data, recipients of data, transfers to 3rd countries, retention schedules, security measures.)
• Implement data protection by design (e.g. minimisation, pseudonymisation, transparency, security)
• Use Data Protection Impact Assessments / Risk Assessments
• Appoint a Data Protection Officer (DPO), when it is either compulsory by Law or potential upon the discretion of the processor and/ or controller.
• Adopt an Information Lifecycle Management
1. Information Asset Registers (IAR)
2. Data Flow Mapping (DFM)
3. Risk Assessment(s)
4. Privacy Notice(s)
5. System Level Security Policy (SLSP)
~ It must be stressed that one of the most important innovations that GDPR has brought is the expansion of the Rights that the Data Subject / Person processes.
• New rights:
• Right of erase – right to be forgotten
• Data portability
• Be informed of the Data (transparency)
• Data Access of the subject / person
• Restrict / divide processing
• Object – to whom may the Data be forwarded furtherly
• Restrictions to automated decision making / profiling
~ Relevantly, the Regulation established a solid Data Protection responsibility framework to the Processing / Controlling and Protecting the Data personnel, regardless if we refer to automated or/and manual filing systems. The Regulation has made a remarkable effort to clarify that the Personal Data once legally entrusted and confided by the subject / person into the processor’s sphere of information must stay safe, secured and protected. If any kind of failure or breach of this protection framework occurs the responsibility automatically is born to the processor and the controller under whose supervise the processor executes the processing of the Data.
Hence, a mechanism of Data Protection and management of a breach event is established and carries a number of responsibilities to the Personal Data bearer / processor, such as the following:
• Breach Reporting
• Personal data breach is a breach of security leading to the destruction, alteration, unauthorized disclosure or access to, personal data.
• Need to notify the AUTHORITY where it is likely to result in a risk to the rights and freedoms of individuals (within 72 hours of being aware of the breach)
• Need to notify individual/ subject/ person where it is likely to result in a high risk to the rights and freedoms of individuals
Likewise, a number of restrictions is also imposed by the Regulation in reference to the Transfers of Personal Data, such as the following:
• GDPR imposes restrictions on the transfer of personal data outside the EEA, to third countries or international organizations.
• The commission may designate non-EEA countries as having adequate level of data protection
• In any case the subjects and processors must ensure appropriate safeguards
• Private sector’s agreements, contracts, correspondence and cooperation must include standard clauses for GDPR compliance
• Requirements around ‘data share’ agreements of any kind are vital to be foreseen and clarified prior to the beginning of the trade or business transactions (i.e., controller – controller or controller – processor) and perhaps under a Data Protection Officee surveillance / guideship.
• EU-US Privacy shield became stronger
Consequently, new roles have appeared with specific job / occupational descriptions in order to provide an additional prevention safety net, minimize the risk of a fault and manage the crisis if a fault actually takes place. For instance, we may state the following:
• Senior Information Risk Owner (SIRO)
• Information Asset Owner (IAO)
• Information Asset Managers / Administrators
• GDPR compliance IT officer
• GDPR compliance Legal support
Finally, it is easily concluded that in an era where cyber and internet issues are actually “on the air” terms as cybercrime, hacking, cracking, Data Protection and malicious (or not) breach of their protection should not stay “on open air” unprotected and without adequate crisis management. For more information please contact us in contact@kstlaw.gr
