GDPR: The new era

Please click here to get your GDPR 10 STEPS Guide


After a long preparation and following the Google Spain v AEPD and Mario Costeja Gonzalez case where the “right to be forgotten” was established, the GDPR was finally approved by the EU Parliament in an attempt to modernize the Data Protection Directive of 1995.

The GDPR (General Data Protection Regulation) generally aims to provide a “bulletproof” shield of protection to all natural persons whose personal data is either exposed or processed on a daily basis and to harmonize the rules and regulations applied by the Data Protection Authorities (DPAs) of Member States. 

The GDPR will apply to the processing of personal data by controllers and processors in the EU irrespective of whether the processing takes place in the EU or not and irrespective of whether the processor or controller is established in the EU, where the activities relate to:

  • Offering of goods or services to EU citizens, irrespective of whether a payment from data subjects is required or

  • Monitoring of behavior that takes place within the EU.

To that end, the GDPR binds all companies that offer goods or services to EU data subjects regardless of whether their operations take place in the EU or not.


What changes under the GDPR

  • If data processors are not established in the EU, they will have to appoint a representative in the EU.

  • It will be mandatory for the controller to report to the DPA within 72 hours any breaches that could result “in a risk for the rights and freedoms of individuals.”

  • The data processors will also be required to notify the controllers, “without undue delay” after first becoming aware of a data breach.

  • Registration of data processing activities to each local DPA and approval for transfers of data based on Model Contract Clauses will be abolished.

  • Internal record keeping of the data processing activities will now be required by the controllers and processors and must be readily available upon request by the relevant DPA.

  • Appointment of a Data Protection Officer (DPO) with specific skills who will report directly to the highest levels of management will be mandatory for those controllers and processors whose core activities consist of operations requiring regular and systematic monitoring of data subjects of a large scale or of data subjects belonging to special categories inter alia criminal convictions and offences, visit website.

  • Safeguarding data transfer mechanisms accepted in all Member States via

  1. Approved codes of conduct and certifications

  2. Simplified procedures for binding corporate rules

  • All the data controllers and processors will mandatorily have to include the same data protection clauses in their terms and conditions. These clauses will be the same in all Member States.

  • One stop shop:  The supervision of data processing will fall under only one DPA instead of the current practice which requires supervision by the DPA of each Member State the data is processed in.

  • Fines of up to 20 million Euro or 4% of the total worldwide annual turnover of the preceding financial year.


The Right to be forgotten

The GDPR enhances the rights of data subjects by granting them the right to request from the data controller access to their data (must be sent to them in a machine readable format within one month from the date of the request) as well as the right of erasure of their personal data even in cases where the personal data was made public.

In view of the above changes which will automatically enter into force on the 25th May 2018, our office will be happy to assist you in all the changes your business needs to undergo in order to comply with the new era of the GDPR.

Marian A. Chronides

Associate-Corporate Lawyer