October, 9 2018
September, 20 2018
The implementation of GDPR law in Cyprus and the day after
The European Union adopted the General Data Protection Regulation (GDPR), which was approved on the 14th of April 2016 and will come into effect on the 25th of May 2018. It is the biggest data protection law in 20 years, and it replaces Directive 95/46/EC on the protection of individuals with regard to personal data processing and the free movement of such data, which regulates personal data processing in the European Union.
Unlike the current directive, GDPR applies throughout the European Union without any need for national legislation to implement it. However, certain issues, such as the use of criminal records and the age of consent, will be determined at national level. The objective of GDPR is to ensure that all companies that process personal data are held accountable for protecting people's fundamental rights with regard to their personal data. According to the directive, the fine for a serious contravention is the greater of 4% of the total annual worldwide turnover and EUR 20 million.
Some of the main changes introduced by GDPR include the broadening of the definition of personal data to cover more types of data, reflecting the increase in internet use. It will be mandatory for organizations which process personal data on a large scale to appoint a Data Protection Officer, who will ensure that the organization complies with the data protection laws and the accountability program. The directive also brings with it difficulty in proving and achieving consent. This includes parental consent for children's use of information society services. In addition, the GDPR introduces a one-stop-shop principle, under which a data controller will have to deal with one supervisory authority, that of the member state in which the controller has its main establishment. Data subjects will have the right to require controllers to erase their personal data. A controller who has made the personal data public must inform other controllers who process such personal data to erase replications, copies or links to the data. Non-EU organizations which deal with personal data of EU data subjects and carry out business in the EU must comply with GDPR. Data controllers must ensure that processing safeguards the rights of data subjects by design, by implementing appropriate organizational and technical measures. If there is a personal data breach, the controller must notify the data subject within 72 hours unless the breach does not put the rights and freedoms of natural persons at risk. A notification made past 72 hours must be accompanied by an explanation. The directive also introduces new compliance measures.
It’s crucial to adapt to the regulations in advance in order to avoid any complications and fines once the GDPR law comes into effect. The collection of personal data has increased lately, especially due to internet developments and the market research that various companies carry out. Let’s hope that the day after will increase our protection and that companies that maintain and use personal information without our knowledge will get penalized.