Tag: personal data

  • Employee e-mail, termination of employment contract and GDPR

    Employee e-mail, termination of employment contract and GDPR

    Issues relating to the personal data of employees have occupied us intensely in our previous articles. We have dealt, inter alia, with the use of video surveillance systems in the workplace; with teleworking and respect for the personal data of employees who work remotely; and with whether the monitoring of employees' professional e-mail is permissible, and the conflict between the rights of employer and employee. All of these, however, concern issues that arise during the employment relationship. What happens during (and after) its dissolution? And, in that case, what is the fate of the professional e-mail address of an employee who leaves their job?

     

    The position of the Belgian Authority for the Protection of Personal Data

    In General

    The fate of the professional e-mail of an employee after they have left their job occupied the Belgian Data Protection Authority (specifically, its Litigation Chamber). Relatively recently (19.9.2020) its Decision No. 64/2020 was issued: an important decision that has already caused concern and headaches in both Belgium and the rest of Europe. Of course, in our country as well.

     

    The facts of the case

    The case that the Belgian Data Protection Authority ("BDPA") was called upon to handle concerned an (originally) family business. Several years after its founding, in November 2016, this business suddenly dismissed its CEO, the son of its founder. Subsequently, the employment relationships of other members of the founder's family who worked there were also terminated.

    In March 2019, more than two years after the first dismissal, it was found that the professional e-mail addresses of the dismissed executives and employees were still in use. It should be noted that these addresses consisted (as is usual) of the employee's name and the name of the business.

    The former CEO demanded that the business stop using these e-mail addresses. The case was initially handled by the BDPA's mediation service. In that procedure (which, however, was unsuccessful) the business stated that the addresses had been deactivated, but that incoming messages were being forwarded to a third e-mail address of the business. The purpose of this practice was, according to the business, to avoid losing important e-mails from third parties, given the important positions held by those who had left (the CEO and other executives).

    The case concluded with the decision of the BDPA's Litigation Chamber, which imposed a fine of €15,000 on the business. A fine that was not insignificant, given the business's small size: it employed only thirteen people.

    However, the significance of this decision lies in the guidance it provides, scattered throughout its text, on the handling of such cases.

     

    The guidelines of BDPA Decision No. 64/2020

    The guidance provided by the BDPA in this decision can be divided into two categories. The first concerns the management of the issue (: the management of an employee's professional e-mail) before the termination of the employment relationship. The second concerns the period after that relationship ends.

     

    Before the termination of the employment relationship

    Every employment relationship (like life, after all) will inevitably end at some point. An end that may come through the employee's voluntary departure (: resignation), retirement, dismissal or death. In every case, the business must have settled in advance (among other things) the fate of each employee's professional e-mail. Therefore, according to the BDPA, each business should inform its employees about how it will manage their e-mail if the employment relationship is terminated. This information (contained in the relevant policy) should set out in detail the steps to be followed.

    Based on the above decision (: No. 64/2020), during the phase of the employee's (imminent) departure (when, of course, it does not take place suddenly):

    (a) The employee should be able to collect or delete their private electronic communications. At the same time, if part of their professional correspondence is necessary for the smooth operation of the business and must be recovered, this must be done before the employee leaves. In the employee's presence, of course.

    (b) The employee should also be informed of the "blocking" of their professional e-mail address. It should be noted that the decision does not require this information to be given in any formal, individualised way; nor does it specify whether the general information contained in the business's policy (where one exists) is sufficient. The better view is that such general information suffices.

    (c) Before blocking the professional e-mail address, the business should set up an automated reply to senders. Interestingly, the decision also determines its content. The reply should: (i) state that the employee in question no longer performs their duties in the business and (ii) inform third-party senders of the contact details of the person with whom they can communicate instead of the employee who has left. A general address (e.g. info@… or sales@…) may of course be provided instead of a personalised one.

    The BDPA prefers the automated reply to the sender over the "manual" forwarding of e-mails to another address. The reason is obvious: with "manual" forwarding, whoever carries it out may become aware of sensitive information and data concerning the former employee.

    (d) The business must, at the latest by the day of the employee’s actual departure, have “blocked” their e-mail address.

     

    After the termination of the employment relationship

    The decision gives, as already mentioned, clear guidance (also) for the period that follows the employee's departure, however it comes about. Specifically, it points out that:

    (a) The automated reply should remain active and be sent to third-party senders for a period of one month. The decision accepts, of course, the possibility of extending this interval, the extension depending on the importance of the position the employee held. At the same time, however, it sets specific conditions: (i) an extension may not exceed three months; (ii) the need for the extension must be justified; (iii) the former employee must be informed of any extension being considered, and it would be best (though not required) for them to be asked to consent.

    (b) The employee's professional e-mail address should, according to the decision, be deleted after the expiry of the aforementioned month (or, where extended, of the three months at most). After that period, it should no longer be possible either to send or to receive e-mail through the former employee's address.

    In other words: the decision accepts the need to ensure the proper operation of the business as a lawful reason for not deleting such an e-mail address at the moment of the employee's departure. It considers, however, that once the period set for the automated reply (one to three months) has expired, this reason no longer applies.
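    The timeline above (blocked by the departure date, auto-reply for one month, an extension of at most three months only with a justification and after informing the former employee, then deletion) is easy to state and easy to drift from, as the Belgian case shows. The following is an added example, not code from this article or from the BDPA: a small audit that an IT or identity team could run over its mailbox inventory to surface exactly the deviations the decision sanctions. The MailboxState record, the use of 30 and 90 days for "one month" and "three months", and the sample cases are assumptions made for illustration.

```python
"""Offboarding audit for former employees' mailboxes.

Added example, not code from the original article or from the Belgian DPA.
It turns the timeline of BDPA Decision 64/2020 into a check that can be run
against mailbox inventory data. The MailboxState record, the 30/90-day
figures used for "one month" / "three months", and the sample cases are
assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

DEFAULT_AUTOREPLY_DAYS = 30   # "one month" (assumed as 30 days)
MAX_AUTOREPLY_DAYS = 90       # "three months at most" (assumed as 90 days)


@dataclass
class MailboxState:
    """Snapshot of one former employee's mailbox (hypothetical inventory record)."""
    address: str
    departure: date                    # last day of employment
    blocked: bool                      # sign-in and sending disabled?
    autoreply_active: bool             # "no longer with us, contact X" reply enabled?
    forwarding_to: Optional[str]       # manual forwarding target, if any
    deleted: bool                      # address removed, no send/receive possible
    extension_days: int = 0            # auto-reply extension beyond the default
    extension_justified: bool = False  # written justification on file?
    employee_informed: bool = False    # former employee told about the extension?


def autoreply_window_end(state: MailboxState) -> date:
    """Last day on which the auto-reply may run and the mailbox may still exist."""
    days = DEFAULT_AUTOREPLY_DAYS + state.extension_days
    return state.departure + timedelta(days=min(days, MAX_AUTOREPLY_DAYS))


def audit(state: MailboxState, today: date) -> List[str]:
    """Return the deviations from the decision's timeline as of `today`."""
    findings: List[str] = []
    if today < state.departure:
        return findings  # nothing to enforce before the departure date

    if not state.blocked and not state.deleted:
        findings.append("mailbox not blocked by the departure date")

    # The decision prefers an auto-reply over forwarding: whoever receives
    # forwarded mail may read correspondence concerning the former employee.
    if state.forwarding_to:
        findings.append(f"incoming mail forwarded to {state.forwarding_to} "
                        "(auto-reply preferred over forwarding)")

    if state.extension_days > 0:
        if not state.extension_justified:
            findings.append("auto-reply extension without a justification")
        if not state.employee_informed:
            findings.append("former employee not informed of the extension")
        if DEFAULT_AUTOREPLY_DAYS + state.extension_days > MAX_AUTOREPLY_DAYS:
            findings.append("extension exceeds the three-month maximum")

    window_end = autoreply_window_end(state)
    if today <= window_end:
        if not state.autoreply_active and not state.deleted:
            findings.append("auto-reply not active during the retention window")
    elif not state.deleted:
        findings.append(f"mailbox should have been deleted by {window_end.isoformat()}")
    return findings


# Constructed sample cases (not real data). The first mirrors the facts of the
# Belgian case: addresses "deactivated" in 2016 but still forwarded in 2019.
SAMPLE_CASES: Dict[str, Tuple[MailboxState, date]] = {
    "bdpa_facts": (
        MailboxState("ex-ceo@example.com", date(2016, 11, 15), blocked=True,
                     autoreply_active=False, forwarding_to="info@example.com",
                     deleted=False),
        date(2019, 3, 1),
    ),
    "compliant": (
        MailboxState("leaver@example.com", date(2021, 4, 30), blocked=True,
                     autoreply_active=True, forwarding_to=None, deleted=False),
        date(2021, 5, 10),
    ),
    "extended_too_long": (
        MailboxState("ex-cfo@example.com", date(2021, 4, 30), blocked=True,
                     autoreply_active=True, forwarding_to=None, deleted=False,
                     extension_days=70, extension_justified=True,
                     employee_informed=True),
        date(2021, 6, 20),
    ),
}


def run_samples() -> Dict[str, List[str]]:
    """Audit every sample case; returns case name -> findings."""
    return {name: audit(state, today) for name, (state, today) in SAMPLE_CASES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, "->", findings or ["OK"])
```

    Run against the sample cases, the "bdpa_facts" entry reports two findings (forwarding still in place, mailbox long past its deletion date), the compliant case reports none, and the over-extended case is flagged for exceeding the three-month ceiling even though the extension was justified and the employee informed. In practice the MailboxState records would be produced from the directory or mail platform's own inventory, and the audit run on a schedule so that a mailbox does not silently outlive its justification.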

     

    The above decision of the Belgian Authority is of particular value because it is, as far as we know, the first at European level on this subject. Also because it interprets, on this difficult matter, Regulation (EU) 2016/679 on personal data (better known as the GDPR). This interpretation will, without doubt, serve as a "precedent" for the other European Authorities, the Greek one included.

    It is a given that this decision (in the writer's view) excessively restricts business freedom. Especially as regards the maximum period (: one month or, at most, three months) that it considers sufficient for informing the business's third-party senders (e.g. customers and partners). How could anyone argue that such a horizontal arrangement is equally adequate for a neighbourhood retail shop and a multinational? For an ordinary employee and a CEO? And, furthermore, how harmful would this horizontal rule be for a European business (which falls under the GDPR), as opposed to a competitor operating in a country not subject to the GDPR?

    In any case: the Belgian Authority's decision is already a given. It is a fact, with whatever legal value it may have at a pan-European level. Let us hope, however, that it is reviewed by the respective Authorities of the individual EU Member States, which will certainly be called upon to deal with similar issues.

    Until then, the only encouragement to Greek companies (among others) can be: Hurry up!

    Stavros Koumentakis
    Managing Partner

     

    P.S. A brief version of this article has been published in MAKEDONIA Newspaper (April 18, 2021).

     

    Disclaimer: the information provided in this article is not (and is not intended to) constitute legal advice. Legal advice can only be offered by a competent attorney and after the latter takes into consideration all the relevant to your case data that you will provide them with. See here for more details.

  • Teleworking and Personal Data

    Teleworking and Personal Data

    Teleworking & Personal Data [: and the utopia (?) regarding their protection …]

    Telework is a special form of flexible employment, and it holds special value. Its use has recently grown impressively. And it has become normal, thanks to the pandemic. It is true that safeguarding personal data has not been our priority. Would it, however, be unrealistic to try to protect it?

     

    Flexible forms of employment and telework: a familiar reality in today’s world.

    Flexible forms of employment are gaining ground in the labour market. To some extent they have been demonised by some. They are, however, a reality. Probably not an unpleasant one for the vast majority of employees who enjoy the benefits that come with them.

    Distance working and (its most common form) teleworking had begun, slowly, to gain ground in our country's labour market. That was B.P. (: before the pandemic). We have analysed teleworking in a previous article.

    The national legislature has addressed telework in the past. The relevant legislative effort, however, has gaps. Moreover, the application of this form of work remained at the discretion of both parties: employer and employee had to agree to apply telework.

    The need of businesses to make use of their employees' services is always a given. And this does not change in the time of the pandemic.

    The extraordinary circumstances created by the coronavirus (SARS-CoV-2) resulted in the adoption of emergency measures. Among them is the employer's ability to (unilaterally) determine "… that the work provided by the employee at the workplace under an individual contract will be carried out under a system of remote work" (art. 4 par. 2 of the Act of Legislative Content of 11.03.2020).

    Working remotely has, in our minds, become identified with teleworking. The latter has become the necessary means for a large number of businesses to ensure continuity in the provision of their services, and to continue to employ a large number of employees. The vast majority of businesses already enjoy its benefits.

    As a result (among others) of the emergency measures, telework has become established, even if temporarily. This is a good omen for its further use and development. Also A.P. (: in the era after the pandemic).

    However, the turn to telework for the temporary handling of an emergency was not organised. Many businesses appear, even today, poorly prepared: they face the challenges as they come. These businesses (and not only they) are exposed to significant risks. Among the most important: the risk to the security of personal data.

     

    The risk relating to personal data

    Teleworking often involves the remote processing of personal data. Processing that does not enjoy the protection that, as a rule, a corporate network offers. Employees who access the employer's infrastructure remotely are not covered by the (cyber)security measures that usually protect the business's premises. The risk of unauthorised access to personal data appears, and is, increased. Loss, unauthorised use or destruction of such data of employees, associates and customers may also occur.

    This danger is not new. It had already been identified by the Article 29 Working Party (Opinion 2/2017 of 8 June 2017 on data processing at work).

    A lot has happened since then. Extraordinary conditions, the mass and "knee-jerk" turn to teleworking, and the need to raise awareness among controllers, processors and employees of the obligations arising from the GDPR and Law 4624/2019, among other things. All of this led the Hellenic Data Protection Authority (DPA) to issue guidelines: specifically, the "Guidelines of the Data Protection Authority on taking security measures in the context of teleworking".

     

    The Guidelines of the DPA

    The DPA draws attention to the seriousness of the risks posed by remote work. It emphasises the need for adequate information of employees and the valuable assistance of the Data Protection Officer (where the law requires one to be appointed). It also points to the obligation of businesses to protect the personal data of their employees. A protection that is particularly important in the case of teleworking. The reason? The blurring of the boundary between professional and private life, and the need to protect the latter. Reasonably so, since "the employee, by virtue of being at home, has a higher expectation of protection of their private life."

    In addition, the DPA recommends taking specific measures when applying telework. These measures concern: (a) internet access, (b) the use of e-mail/messaging applications, (c) the use of terminal devices/storage media, (d) teleconferencing.

    Specifically:

    • Regarding the Internet access

    Ensuring secure remote access to the business's information system is considered vital. The DPA recommends the use of a virtual private network, i.e. a network in which data are encrypted and users are authenticated (e.g. an IPsec VPN). The business must determine and limit the resources to which remote access is allowed: to those strictly necessary, depending on the duties of each teleworker.

    Teleworkers, in turn, need to use the WPA2 (Wi-Fi Protected Access II) security protocol with a strong password when connecting to the internet over a wireless network (Wi-Fi). They should also avoid storing files containing personal data on online storage services (e.g. Dropbox, OneDrive), unless the appropriate conditions are ensured and appropriate safeguards (e.g. encryption) are in place …

    • Regarding the use of e-mail applications / messaging

    As regards e-mail, the DPA points out the need to avoid the use of personal e-mail addresses when teleworking. Messages that may contain personal data must be sent and received through the business's professional e-mail address. There is, however, also the case where it is technically impossible to use the professional address. In that case the Authority recommends appropriate encryption of the content of messages containing personal data. It also reminds us that personal data should not be placed in the subject line of an e-mail.

    In addition (although it goes without saying) the Authority recommends avoiding the use of messaging applications (text and/or video) for teleworking purposes when the messages contain personal data whose leakage would pose a risk.
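    The three e-mail rules above (use the business address; if a personal address is technically unavoidable, encrypt the content; never put personal data in the subject line) are the kind of thing a mail gateway or DLP hook can enforce rather than leave to memory. The following is an added example, not code from this article or from the Hellenic DPA, showing how such a check can be applied to outbound messages. The business domain (example.com), the identifier patterns used to spot personal data in a subject line and the sample messages are assumptions made for illustration.

```python
"""Outbound e-mail hygiene check for teleworkers.

Added example, not code from the original article or from the Hellenic DPA.
It applies the DPA's e-mail guidance to messages as a mail gateway or DLP
hook might: (1) messages should come from the business's address, (2) where
a personal address is unavoidable the content must be encrypted, and
(3) personal data must not appear in the subject line. The business domain,
the identifier patterns and the sample messages are assumptions.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List, Tuple

BUSINESS_DOMAINS = {"example.com"}  # assumed business domain

# Subject-line patterns that suggest personal data (assumed, illustrative):
# the Greek AMKA is 11 digits, the tax number (AFM) is 9 digits, and IBANs
# start with a country code and two check digits.
SUBJECT_PATTERNS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"\b\d{11}\b"), "11-digit number (AMKA-like)"),
    (re.compile(r"\b\d{9}\b"), "9-digit number (AFM-like)"),
    (re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"), "IBAN-like identifier"),
]

# Top-level content types of S/MIME (RFC 8551) and PGP/MIME (RFC 3156)
# encrypted messages.
ENCRYPTED_TYPES = {"application/pkcs7-mime", "multipart/encrypted"}

Finding = Tuple[str, str]  # (level, description); level is "block" or "warn"


def sender_domain(msg: Message) -> str:
    """Domain part of the From: address, lower-cased ('' if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_encrypted(msg: Message) -> bool:
    return msg.get_content_type() in ENCRYPTED_TYPES


def check_message(raw: str) -> List[Finding]:
    """Evaluate one RFC 5322 message (as text) against the guidance."""
    msg = message_from_string(raw)
    findings: List[Finding] = []

    domain = sender_domain(msg)
    if domain not in BUSINESS_DOMAINS:
        if is_encrypted(msg):
            # Tolerated fallback: personal address, but the content is protected.
            findings.append(("warn", f"sent from non-business domain {domain} "
                                     "(encrypted; use the business address where technically possible)"))
        else:
            findings.append(("block", f"sent from non-business domain {domain} without encryption"))

    # Subject lines travel in the clear even when the body is encrypted.
    subject = msg.get("Subject", "")
    for pattern, label in SUBJECT_PATTERNS:
        if pattern.search(subject):
            findings.append(("block", f"subject contains {label}"))
    return findings


# Constructed sample messages (not real traffic).
SAMPLES: Dict[str, str] = {
    "business_clean": (
        "From: Maria <maria@example.com>\n"
        "To: team@example.com\n"
        "Subject: Meeting notes\n"
        "Content-Type: text/plain; charset=utf-8\n"
        "\n"
        "Notes attached.\n"
    ),
    "personal_plain": (
        "From: Maria <maria.private@gmail.com>\n"
        "To: hr@example.com\n"
        "Subject: Patient file 12345678901\n"
        "Content-Type: text/plain; charset=utf-8\n"
        "\n"
        "See below.\n"
    ),
    "personal_encrypted": (
        "From: Maria <maria.private@gmail.com>\n"
        "To: hr@example.com\n"
        "Subject: Invoice\n"
        "Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m\n"
        "Content-Transfer-Encoding: base64\n"
        "\n"
        "MIAGCSqGSIb3DQEHA6CAMIACAQAxggE=\n"
    ),
    "business_iban_subject": (
        "From: Payroll <payroll@example.com>\n"
        "To: bank@example.com\n"
        "Subject: Payment GR1601101250000000012300695\n"
        "Content-Type: text/plain; charset=utf-8\n"
        "\n"
        "Please process.\n"
    ),
}


def check_all() -> Dict[str, List[Finding]]:
    """Check every sample message; returns sample name -> findings."""
    return {name: check_message(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in check_all().items():
        print(name, "->", findings or ["OK"])
```

    The clean business message passes; the plaintext message from a personal address is blocked twice (wrong sender domain, and an AMKA-like number in the subject); the S/MIME-encrypted message from a personal address is only warned about, matching the DPA's "encrypt if you really cannot use the business address" fallback; and the message from the business's own payroll address is still blocked because an IBAN sits in the subject line, which is not protected even by body encryption. Real deployments would widen the subject patterns to the identifiers the business actually handles and feed the "block" findings to the gateway's reject action.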

    • Regarding the use of a terminal device / storage media

    The DPA also emphasises the special care that the employee must take, always according to the employer's directions, with the devices (e.g. computer, laptop, etc.) through which telework is provided.

    Indicatively: these devices must have antivirus software installed and regularly updated. They must also have the latest updates of the operating system and applications installed. The web browsers (e.g. Firefox, Chrome, etc.) used by teleworkers should likewise be updated to the most recent versions available. It is also advisable for teleworkers either to use private browsing or to delete the browsing history relating to telework at the end of each task. They must also keep the (work-related) files containing personal data separate from their personal files. It is possible (at least not unlikely) that third parties (e.g. members of the employee's family) have access to the computers used. For this reason the devices, and especially the specific files and work environments, must be "locked" (: protected) with strong passwords.

    Correspondingly, businesses must support teleworkers with appropriate procedures for encrypting files that contain personal data, especially when such files are stored on portable/removable storage media (e.g. a USB stick). Businesses also need to support the backup process, in particular for the personal-data files processed in the context of teleworking.

    • With regard to teleconferences

    The pandemic prompted a significant further increase in the use of teleconferencing and the facilities it offers. Here too, adequate measures must be taken to ensure the security of personal data.

    In particular, according to the DPA, the use of platforms that support security services (encryption) is a requirement for conducting teleconferences. In addition, for scheduled teleconferences the relevant link should not be made public (e.g. on social media). Finally, businesses that use teleconferencing must carefully study the terms of use and the personal data protection terms when selecting the teleconferencing platform.

     

    The risk of businesses taking disproportionate measures to protect personal data

    In an effort to mitigate the risk to personal data, businesses may expose themselves to another risk. A danger lurking on the opposite side: that of adopting disproportionate, and ultimately unlawful, means of personal data protection. In particular, they may consider it justified to use software that can, for example, record keystrokes and mouse movements, capture screenshots (either randomly or at regular intervals), log the applications used (and the time of their use) and, on compatible devices, activate webcams and collect the recorded material.

    These technologies are widely available. However, the Article 29 Working Party (Opinion 2/2017 of 8 June 2017) has already taken a position on them. It considered that the processing carried out by means of these technologies is disproportionate, and that the employer cannot rely on legitimate interest as a legal basis for it. Such practices are prohibited. Employers must not adopt them (obviously not even) in the context of telework. A pandemic cannot be an excuse.

     

    Teleworking is (and continues to be) an important tool in dealing with some of the consequences of the pandemic.

    Concepts, connection and communication protocols, platforms previously unknown to the general public have already become widely known. To a great extent: familiar. Sometimes even: necessary work tools.

    We already know very well that technology tools expand horizons and capabilities. But they also increase risks. Some of the risks increased are related to the management and protection of personal data.

    The DPA reminds us of those risks.

    In any case: teleworking is not put at risk by the care taken over personal data. On the contrary, personal data are at risk from the (careless) use of telework. Their protection, in the context of telework, is not a utopia.

    Let us concern ourselves with their protection. But not because the "Authority says so".

    The risks we face from their misuse are real.

    And closer than we think.

    And serious.

    And economically measurable.


    Stavros Koumentakis
    Senior Partner

     

    Disclaimer: the information provided in this article is not (and is not intended to) constitute legal advice. Legal advice can only be offered by a competent attorney and after the latter takes into consideration all the relevant to your case data that you will provide them with. See here for more details.

  • GDPR: The next day: Biometric data and employment

    GDPR: The next day: Biometric data and employment

    The GDPR has been in force since May 25, 2018, and every day we discover that adjusting to its requirements affects the philosophy and operation of a business. One such issue is the entry control of employees by collecting biometric data (e.g. fingerprints). Why? Because while I can "clock in on behalf of my colleague" so that they "get a little more morning sleep", I cannot deceive the smart machine that "reads fingerprints or the iris". The GDPR sets strict barriers to such choices.

    Pursuant to Article 9 par. 1 of the Regulation, the processing of biometric data for the purpose of uniquely identifying a natural person is, as a rule, prohibited. Such processing is permitted, exceptionally, with the explicit consent of the data subject and, in any case, in accordance with the Guidelines on consent (WP259, 28.11.2017) of the Article 29 Working Party, later endorsed by the European Data Protection Board. It is a settled position of the Working Party 29 that there can be no question of freely given consent where there is a "power imbalance", as is the case in the employer-employee relationship.

    Already under Law 2472/1997, the Data Protection Authority had issued decisions on the processing of biometric data in the workplace. In these decisions the Greek Authority takes the position that such processing is not necessary for monitoring employees' compliance with their working hours. Consequently, such records are excessive, and their abusive nature is not cured by any consent given by the employee.

    Decision 56/2009 of the DPA, in a relevant case, is indicative of the scope of the exception. In that decision the Authority did not find it unlawful to use fingerprint recognition equipment, because it concerned specific employees who would have special access to a particular site that could be classified as of the highest security level, since "Certification Authority keys" were kept there, i.e. on a public-interest basis. In fact, the decision addresses the issue in terms of lawfulness and proportionality, not technology, since the technical specifications had already been met: (a) encryption of the data, (b) no retention of the data, and (c) no connection to a central system.

     

    The decision 50/2007 is indicative of DPA’s consistent position

    Decision 50/2007, in another case, is indicative of the Authority's consistent position. Although the company argued that "the system is based on the finger geometry method and the data collected from it are recorded and stored in an encrypted file, while fingerprints are neither collected nor stored", the DPA set these arguments aside and insisted that "the introduction and use of biometric data is a processing of employees' personal data which is not necessary for the purposes of monitoring entry to and/or exit from premises/buildings and compliance with entry and exit times, and is therefore unlawful".

    Ultimately, collecting biometric data in a working environment is possible only by way of exception. Balancing the needs of the company against the requirements of the Regulation undoubtedly leads to choices that protect the company from harm while leaving employees' rights unaffected.

    Petrini Naidou
    Senior Associate

    P.S. A brief version of this article has been published in Greek in MAKEDONIA Newspaper (February 24, 2019).

     

  • GDPR: The Next Day. The Regulation in the context of employment

    GDPR: The Next Day. The Regulation in the context of employment

    The European Regulation "on the protection of natural persons with regard to the processing of personal data", adopted on 27 April 2016, has been directly and uniformly applicable (throughout Europe) since 25.5.2018.

     

    Basic declarations

    It is a "convenient" myth that we should wait for Greek legislation to decide how we adapt. There is a draft law (its public consultation was completed in March 2018), but it has not yet been adopted, nor does it need to be. The Regulation applies as it is.

    It is accurate, and not a (malicious) exaggeration, that all businesses process personal data. Sometimes even "sensitive" data, such as those of their employees. Businesses therefore need to adapt according to their means and (in particular) according to the potential impact of a leak of the data they process, that is, according to the volume and degree of "sensitivity" of the data.

    It is also accurate that the Regulation is not entirely clear on all points. However, we have been armed with the relevant interpretative tools. Such as, for example, the opinions of the Article 29 Working Party (the group of the Member States' Data Protection Authorities).

     

    The role of GDPR in employment relationships

    What is the role that GDPR plays in the relationship between the Employer and the Employee and which are the main obligations of a business?

    1. To train its employees on the processing of the third-party data it processes in the context of the provision of its services, in the broad sense of awareness and the cultivation of new habits.
    2. To revisit employment contracts, adding the employee's obligations regarding the development of a new corporate culture. (Which is) The adoption of a new modus operandi, as required by the Regulation.
    3. Above all, to inform employees about the processing of their own data. In particular: the categories of data collected, their retention period, the purpose and lawful basis of processing, their possible transmission to other organisations (or other countries) and, above all, their rights as set out in Articles 15 to 22 of the Regulation.

     

    The consent

    It is thus very important to note that employers are obliged to inform their employees about the processing of the personal data that is necessary (for the employment relationship), not to obtain their consent for it. Such consent would be contrary to the spirit (objective) of the Regulation for the following two reasons:

    (a) Consent must be the "last resort" among the lawful bases for processing, as it presupposes genuine freedom of choice and is revocable. It would be misleading to make an employee think that, if they do not give their consent or withdraw it, the employer could refrain from asking for, or could delete, their necessary personal data: in fact, labour and social-insurance legislation, as well as the performance of the employment contract, require the processing of specific personal data of the employee.

    (b) Consent must be freely given. The relationship between the employee and the business is characterised by a certain imbalance of power, leading to "forced" and therefore invalid consent.

     

    The GDPR is a cumbersome Regulation which, however, carries a significant gift: it forces a change of mentality.

    Petrini Naidou
    Senior Associate

    P.S. This article has been published in Greek in MAKEDONIA Newspaper (December 23, 2018)

  • Personal Data Protection And Companies

    Personal Data Protection And Companies

    Personal data protection as a European requirement. New compliance rules (Regulation 2016/679)

     

    Preamble: What Does Non-Compliance Mean

    It is true that any new obligation imposed on a company adds to its operating costs. But could anyone suggest non-compliance with the obligations under this Regulation on personal data protection?

    We cannot remain indifferent to this. The European Regulation (2016/679) is in force without the need for any ratification by the Greek legislator.

    The sanctions threatened? Unsustainable! Without going into the details of criminal sanctions, the maximum administrative fines amount to €10,000,000 or €20,000,000, or to 2% or 4% respectively of the infringer's total worldwide annual turnover, whichever is higher.

    Things are NOT simple …

     

    The Existing Institutional Framework

    The need to protect individuals from the constantly evolving (due to the rapid developments in technology) exposure of their personal data, and to create a secure modus operandi for those who process them, is underlined by Regulation (EU) 2016/679 of 27 April 2016, which is in full effect in all Member States (our country included, of course) from 25.5.2018.

    With Law 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data (and its amendments), the Greek legislator had transposed Directive 95/46/EC "on the protection of individuals with regard to the processing of personal data and on the free movement of such data".

    The key foundations for the protection of personal data, already laid twenty years ago, consisted in identifying:

    (a) the basic concepts, such as "record", "data subject", "simple data", "sensitive data", "controller" and "processor";

    (b) the rights of data subjects (each of us);

    (c) the obligations of controllers (the natural and legal persons, bodies and organisations with which we necessarily transact in our daily lives, from our employer to the tax registry); and

    (d) the establishment of the Personal Data Protection Authority, which would henceforth function independently, as a supervisory body and institutional guarantor verifying compliance with the European requirements.

    The Personal Data Protection Authority has been set up and operating since then; it acts vigorously, and its decisions have become a serious item on the agenda not only of the legal world but also of public opinion, as for example in the case of the recording of religion on identity cards.

    With this Regulation the European legislator chooses a more dynamic stance than with the previous Directive, since a Regulation is a law of higher formal validity (it prevails over the laws of each Member State) and is (unlike a Directive) directly and horizontally applicable (its transposition by the national legislator is not required).

     

    The Tightening For The Protection Of Personal Data In The Context Of The European Regulation

    The Regulation strengthens the protection framework and in particular:

    (a) the controller is required to choose the most secure organisational and technical measures, both at the time the means of collection and processing are determined and at the time of the processing itself.

    The obligations of the controller and the processor are expanded (: record-keeping, specifications, processing activities) and they acquire an explicit accountability obligation: to take, and be able to demonstrate that they have taken, all necessary measures to ensure that processing is carried out in accordance with the Regulation.

    (b) The rights of the Subjects are enhanced, including: (i) the right of access, (ii) the right of correction (or completion), (iii) the right to be forgotten (conditionally, the right to erasure of data), (iv) the right to object, and (v) the portability of data.

    (c) For cases of systematic, extensive and large-scale assessment of personal data, or of systematic large-scale monitoring of public places, an obligation is specifically provided to carry out an impact assessment of the potential risks and consequences for the rights and freedoms of individuals arising from the type, context, scope and purpose of the processing.

    (d) the Controller is required to inform the Authority immediately of any breach of system security (within 72 hours from the moment he becomes aware of it).

    (e) the Controller (in the cases explicitly mentioned in the Regulation, indicatively large-scale processing of data and/or of sensitive data) appoints a Data Protection Officer: an internal supervisor (an employee or an external partner, such as a security technician) who ensures compliance with the regulatory framework (in conjunction with any specific rules the national legislator may adopt within the scope of its discretion), and who has direct contact and cooperation with the Personal Data Protection Authority and an obligation to report any violation to it.

    (f) Considerably stricter sanctions than the existing administrative and criminal penalties are provided, with fines of € 10.000.000 or € 20.000.000, or a percentage of the company’s turnover (where that percentage exceeds the above amounts), depending on the case and the offender.

    A significant difference from the current legal framework is that no notification to the Authority is foreseen; instead, the material (the processing record) must be available at the direct request of the Authority. However, each national legislator may specify its own requirements and request notifications or licenses, especially in cases related to the processing of sensitive personal data. In order to examine the possible adoption of legislative measures for the implementation of the Regulation, a Legislative Committee has already been set up (Government Gazette 1913 / 27.6.2016), whose work we expect to be completed before the Regulation comes into effect.

    It is imperative that each Controller reviews (with the appropriate collaborators) the security status of its technical systems and of its organizational structure, so that it is ready to comply with the requirements of the Regulation.


    However, Is There Any Time?

    As already mentioned, the date the new European Regulation comes into effect is 25.5.2018, i.e. at first glance we have enough time to act. Still, is that the case?

    Many factors must be evaluated before the answer “Okay, we have a lot of time” can be given:

    the kind of business activity, compliance with the current institutional framework, the collection (and/or handling) of sensitive, as opposed to simple, personal data, and so on.

    Let us not rush to answer that “we do not have sensitive personal data”. Do we ask for criminal records from some of our employees? Do we keep a record of the health status of some of them? Do we have security cameras for the security of our company?


    Conclusion

    While we wait to see what the national legislator will (also) impose, the institutional framework for the protection of personal data has already become more complex. The threatened sanctions are not only significant but, in fact, dramatically high.

    Preparing the company, most of the time, is neither easy nor quick.

    The need for more detailed information, for a first assessment and for the first procedural steps is present.

    Today!
