November 23, 2020
The law which governs the collection and processing of data concerning identified or identifiable individuals (“personal data”) is about to change. The General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, known as “GDPR”) will become applicable throughout the EU, including Cyprus, on 25 May 2018. It will replace the current national regimes of the EU member states, which are based on Directive 95/46/EC (which is repealed by the GDPR with effect on the same date).
The GDPR has been described by the European Commission as an essential step to strengthen the citizen’s fundamental rights in the digital age and to facilitate business by simplifying the rules for companies in the digital single market. Perceived benefits for companies include enhanced legal certainty and cost savings. Companies will now have to comply with a single pan-European law of personal data protection, consistently applied across the internal market, and to deal with a single supervisory authority in the member state where the company’s main (or only) establishment is located.
At the same time, companies will need to familiarise themselves with the requirements of the GDPR and ensure that they are in a position to comply by 25 May 2018. Although the GDPR is based on the same basic data protection principles as the current regime, compliance with the GDPR will probably require a thorough review of company policies and procedures, given that personal data protection should be an essential feature of all relevant company operations.
- The GDPR espouses the principle of data protection by design and by default which essentially means that data protection safeguards should be built into company processes, products and services from the earliest stage of development so that, by default, personal data collection and processing are minimised (in terms of the amount of data collected, the extent of their processing, the period of their retention and their accessibility).
- The GDPR also introduces the principle of accountability which requires companies to be in a position to demonstrate that they comply with the GDPR if requested to do by the data protection authority.
Failure to comply with the GDPR may lead to the imposition of administrative fines which are greatly increased. The GDPR enables data protection authorities to impose fines of up to €20 million or 4% of a company’s global annual turnover. Companies may also be liable to compensate any individual who suffers damage as a result of processing that infringes the GDPR. Rules on criminal penalties for infringement of the GDPR may also be adopted by each member state and these are expected to be set out in national legislation by 25 May 2018.
Key issues for companies
Companies will be subject to the GDPR if they collect, use and otherwise process personal data by automated or non-automated means, provided that the GDPR will apply to non-automated processing if the data will be kept in a structured filing system and will be accessible according to specific criteria. The GDPR imposes obligations on companies that process data for their own purposes as data controllers and companies that process data on behalf of others as data processors.
The issues that companies should consider in preparation for the new data protection regime include the following:
1. Does the company have appropriate policies and procedures in place to ensure that the collection and processing of personal data within the company is compliant with the GDPR?
2. Are company employees who handle personal data familiar with the company’s policies and procedures and do they understand the significance of data protection and their related obligations?
3. Is the collection and processing of personal data by the company lawful:
- are the data collected limited to what is relevant and necessary for the company’s legitimate purposes which are clearly specified?
- are the data maintained by the company only for as long as necessary for those purposes and what happens to them afterwards?
- are the data accurate and kept up to date?
- are sensitive data (such as biometric data or data concerning health or revealing racial origin, political opinions, religious beliefs or trade union membership) collected and are the relevant GDPR requirements complied with?
- are appropriate technical and organisational security measures in place (which may include encryption or pseudonymisation) to safeguard the integrity and confidentiality of the data and prevent unauthorised processing, dissemination, alteration or loss of data?
4. Is the company in a position to demonstrate that it has obtained the freely given, specific and informed consent of the individuals concerned (the “data subjects”) to the processing of their data where consent is required by the GDPR? Is such consent in the form of a statement or clear affirmative action? Is it clear to the data subjects that they have the right to withdraw their consent at any time?
5. Does the company need to revise the information it provides to data subjects in relation to the processing of their data, to ensure that the company complies with the principle of transparency and that the data subjects are made aware, in clear and plain language, of the rules, risks and rights in relation to the processing of their data by the company?
6. Does the company need to appoint a data protection officer in view of the fact that the core activities of the company consist of processing on a large scale which:
- involves sensitive data or data relating to criminal convictions and offences?
- requires regular and systematic monitoring of data subjects?
7. Does the company have procedures which ensure that whenever a new service, product or process is to be introduced, issues of data protection are taken into account at the earliest stage of development and design of the new service, product or process? Does the company need to revisit its existing services, products and processes to ensure that data processing is minimised and data security features are improved?
8. Do company policies provide for a data protection impact assessment before the commencement of a type of processing which is likely to result in a high risk to the rights of data subjects, in order to assess the origin, nature, likelihood and severity of the risk and identify best practices to mitigate it (and consult with the data protection authority in appropriate cases)? Are the company’s processing activities likely to result in such high risk to the rights of data subjects:
- do they involve large volumes of sensitive or other data or affect a large number of data subjects?
- might they give rise to discrimination or damage to reputation or other significant economic or social disadvantage for data subjects?
- do they involve systematic and extensive automated decision-making, including profiling, (i.e. an evaluation via automatic processing of personal aspects of the data subjects concerning matters such as their performance at work, economic situation, health, personal preferences, interests or behaviour) to make decisions that produce legal effects or similarly significantly affect the data subjects?
- do they involve systematic monitoring of a publicly accessible areas on a large scale?
9. Does the company transfer data to countries outside the EU that do not benefit from a European Commission adequacy decision? Are appropriate arrangements in place to safeguard the rights of the data subjects (for example, through standard contractual clauses adopted by the European Commission or approved binding corporate rules)? Have any necessary authorisations been obtained?
10. Is the company in a position to comply with the GDPR requirement for promptly reporting a personal data breach (i.e. a breach of security leading to the accidental or unlawful destruction, loss, alteration, disclosure of or access to personal data) to the data protection authority and, where the breach is likely to result in a high risk to their rights, to the data subjects?
11. Does the company have appropriate procedures in place for responding to requests by the data subjects regarding the exercise of data subject rights under the GDPR and in particular:
- the right to obtain access to, rectification, restriction or erasure of their data;
- the right to object to the processing of their data, including for direct marketing purposes;
- the right to data portability, i.e. the right to receive the personal data they have provided to the company in a structured, commonly used and machine-readable format and to have such data transmitted, where technically feasible, to another company?
12. Does the company have appropriate contracts in place with any third parties that process personal data for the company? Do these contracts need to be amended to ensure compliance with the GDPR? Do the third party processors have the necessary expert knowledge, reliability and resources to fulfil their data protection obligations?
13. Does the company itself process data on behalf of third parties? If so, is an appropriate contract in place with those third parties and does the company implement appropriate technical and organisational measures to ensure that it complies with its GDPR obligations as a data processor?
14. Is any data processing conducted for purposes and by means which are determined jointly by the company and another party? If so, is an arrangement in place regarding the responsibilities of each party for GDPR compliance and have the data subjects been informed of the essence of this arrangement?
15. Is the company in a position to demonstrate to the data protection authority, if requested to do so, that the company’s policies and procedures and handling of personal data are in compliance with the GDPR? Is an appropriate record of processing activity maintained as required by the GDPR (in particular, where the company has at least 250 employees or the processing is likely to result in a risk to the rights of data subjects or includes sensitive data or is not occasional)?
Download this note in PDF format here.
Georgiades & Pelides LLC
* This note, prepared in December 2017, is intended to highlight issues and not to be comprehensive, nor to provide legal advice. Should you have any questions on issues reported here or require any legal advice, please contact us at info@cypruslaw.com.cy.