GDPR: Your Path to Data Protection

What is GDPR and what is its purpose?

The General Data Protection Regulation (GDPR), also known as EU Regulation 2016/679, is a crucial part of personal data protection legislation. Since its enforcement on 25/5/2018, it has been safeguarding privacy rights. Its core purpose is to shield both companies and users from unwarranted breaches of personal data (find out more in our post about personal data, as well as our post about data breaches).

[Figure: GDPR Overview. The eight basic terms of the GDPR]

When is GDPR applied?

The GDPR, therefore, applies to any business that processes personal information and is based in an EU Member State, regardless of whether the processing actually takes place within the Union. It follows from Article 288 of the Treaty on the Functioning of the EU (TFEU) that countries are obliged to take the necessary measures to adapt their national legislation. Thus, in Greece, Law 4624/2019 (Government Gazette A’137) defines the measures for the implementation of the GDPR, while in Cyprus Law 125(I)/2018 was passed and published for its more effective implementation.

Other cases where the GDPR applies are:

  1. companies based outside the EU whose benefits relate to the use of data by persons within it.
  2. companies whose services presuppose the investigation of consumer behaviour, in so far as this behaviour is manifested within the Union.

The appointment of an EU representative by the company is deemed necessary in these circumstances. For example, Bjørn Gulden is currently the CEO of Adidas in Germany and therefore the main representative of the company in the country.

What GDPR practically means for a business

Some examples:

  • businesses must report personal data breaches within 72 hours
  • users will enjoy guaranteed access to their data
  • users are given the possibility of correcting their data and the right to object
  • entitlement to erasure, the so-called right to be forgotten, in some cases (learn more about the user’s rights in our article “Rights of the data subject”)
  • obligation to notify users affected by violations
  • many businesses will need to appoint a Data Protection Officer

When the GDPR does not apply

If:

  • the data subject has died
  • the controller of the business acts for his own benefit (outside the professional field) or if he as a natural person manages personal data in the context of his personal life.
  • the data is collected by competent authorities in the context of the verification of information for the prosecution of criminal offences

Consequences of GDPR violation

Failure to comply with this legislative framework results in severe fines. At the same time, the additional imposition of corrective measures is at the discretion of the Data Protection Authority.

Examples of a breach: the company’s refusal to delete users’ personal data at their request, data transfer within the EU without complying with the necessary protocols and procedures, and disobedience to the orders of the Data Protection Authority.

It is characteristic that under Article 85 (5) of the GDPR, the amount of the fine can reach up to 20 million or even exceed it if it is a large company. Specifically, France fined Amazon 35 million in 2020.

So, don’t forget…

As a business, you must be able to prove at all times the full application of the GDPR in the relevant actions of your company. Even more, this becomes imperative upon request or during an inspection by the Data Protection Authority.

Keeping detailed records is the best method to achieve this goal. Such records may include, for example:

  • name and contact details of the business involved in the data processing
  • reasons for processing this personal information
  • description of security measures observed during data management

By embracing GDPR compliance wholeheartedly, you create a secure environment for your customers and your business. Prove your commitment through meticulous record-keeping and a culture that prioritizes data protection. Be ready for any inspection, and together, we’ll build a safer, more trustworthy digital world.

Author

Efi Kostopoulou
Lawyer