In honour of last week’s European Data Protection Day on the 28th of January, which marks the anniversary of the Council of Europe’s Convention 108, the first binding legal act recognizing individuals’ rights to the protection of their personal data, we take a closer look at the significance of data privacy.

Our article explores the evolution of data protection laws, the impact of the General Data Protection Regulation (GDPR), individuals’ rights under the regulation, and the responsibilities of organizations in ensuring compliance.

Introduction

Over the past years, rapid technological developments led to the urgent need for the protection of natural persons in regard to the processing of their personal data which takes place on an unprecedented scale.

The European Lawmakers, having understood the need for protection of the sensitive personal information of individuals, have created and implemented a set of principles and rules which are applicable to natural persons irrespective of their nationality and residence.

Let there be Law

The collective efforts around the Union, let us to the adoption of one of the most popular legislative acts, the Regulation 2016/679 on the protection of natural persons with regarding to the processing of personal data and on the free movement of such data (the ‘GDPR’). The said Regulation does not govern the processing of data relating to legal persons and as such, data concerning the name, form and the contact details of the legal persons falls outside of the scope of GDPR.

In respect to the territorial scope, it is worth noting that the Regulation applies to the processing of personal data in the context of the activities of a controller or a processor within the Union, regardless of whether the processing takes place in the Union or not.

In addition, the legal act and in extend the protection, applies to the processing of personal information of data subjects who are located in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

Lastly, the Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

Exemptions

The Regulation does not apply to the processing of personal data:

• In the course of an activity which falls outside the scope of the Union law
• By the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the Treaty of the European Union regarding the external actions and specific provisions of common foreign and security policy
• By a natural person during a purely personal or household activity
• By competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.

What do we mean by Personal Data

Personal data is any information that refers to an identified or identifiable natural person whose identity is known or can be ascertained directly or indirectly, in particular on the basis of an identity number or on the basis of one or more specific elements. Examples of such information is ID numbers, passport numbers, names, dates of birth, place of birth, nationality, postal address contact information, marital status.

Our Rights

Under the Regulation, individuals have several rights such as:

• Right to be informed: Individuals have the right to request and obtain information on how their personal data will be processed.
• Right to access: Individuals have the right to gain access to the personal data held about them.
• Right to rectification: Individuals may ask for incorrect, inaccurate or incomplete personal data to be corrected.
• Right to erasure: Individuals may ask for their personal data to be erased when it’s no longer needed or if processing is unlawful.
• Right to restriction of processing: Individuals may ask the restriction of the processing of their personal data in certain cases.
• Right to portability: Individuals can receive their personal data in a machine-readable format.
• Right to object: Individuals may object to the processing of their personal data for marketing purposes or on grounds relating to their particular situation.
• Rights regarding automated decision-making and profiling: Individuals may ask that decisions based on their personal data are made by natural persons, not only by computers.

Consent in Data Protection

A key element of the data processing and protection of the said data is consent by the data subjects.

The consent must be given freely, and a consent request must be presented in a clear way, using language which is easy to understand. The request for consent should, at all times, be clearly distinguishable from other pieces of information presented to data subjects.

Organizations processing Personal Data

Companies processing and maintaining personal data during the course of their business activities are subject to the Regulation and full compliance with their legal obligations is unquestionable.

It is essential that all processors and controllers identify the type of data they are in possession of, and they establish such mechanisms to ensure that the personal data is treated in accordance with the Regulation’s deriving obligations.

In the unfortunate event of a breach, organizations must have in place such policies and procedures that will allow them to identify and address the breach as soon as possible, mitigate their exposure and proceed immediately with the relevant notifications.

At AGPLAW we are delighted to offer dedicated services relating to Data Protection compliance, including but not limited to:

• Appointment of Data Protection Officer
• Legal training of employees to matters relating to GDPR matters
• Provision of data protection audits and reports
• Provision of legal advice regarding matters relating to GDPR
• Preparation of internal Data Protection Manuals (including Incident Response Procedures) and Privacy Policies.

For all enquiries related to Data Protection, please contact our team of experts at agp@agplaw.com 

The information provided by AGPLAW | A.G. Paphitis & Co. LLC is for general informational purposes only and should not be construed as professional or formal legal advice. While every effort has been made to ensure the accuracy and reliability of the information contained herein, the author, publisher, or any related parties make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability of the information. In no event will the author, publisher, or any related parties be liable for any loss or damage, including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this document/article. You should not act or refrain from acting based on any information provided above without obtaining legal or other professional advice.