Keeping Personal Data Safe: A Legal Overview

The protection of personal data is an important legal milestone aimed at safeguarding a fundamental yet often overlooked human right, an effort reflected in European Data Protection Day, observed annually on 28 January.

The first binding international instrument recognising individuals' right to the protection of their personal data was the Council of Europe's Convention 108, opened for signature on 28 January 1981 (the date on which Data Protection Day is now observed). It was a preliminary step towards identifying that right and, by extension, protecting it.

Fast forward to 25 May 2018, when Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the ‘GDPR’), adopted in 2016 as a result of the collective efforts of the Member States, became applicable throughout the Union as one of its most widely discussed legislative acts.

It is important to note that the Regulation does not govern the processing of data relating to legal persons; thus, data concerning the name, legal form and contact details of a legal person are not protected under the GDPR.

The Regulation comprises a number of principles and rules which apply to natural persons irrespective of their nationality or residence.

In addition, the Regulation has an extensive territorial scope: it applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing itself takes place in the Union or not.

It also applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services to such data subjects (irrespective of whether payment is required), or (b) the monitoring of their behaviour, as far as that behaviour takes place within the Union.

Lastly, the Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

But one may ask: what counts as personal data?

The Regulation defines personal data as any information relating to an identified or identifiable natural person, i.e. a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name or an identification number, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Some examples are: ID numbers, passport numbers, names, dates of birth, place of birth, nationality, postal address, contact information and marital status. Note that online identifiers such as IP addresses, device identifiers and cookie identifiers may also be personal data where they can be combined with other information to single out an individual, so logs and analytics records fall within scope more often than is commonly assumed.

Exemptions

Like all legislative acts, the Regulation is subject to certain exemptions. It does not apply to the processing of personal data:

  1. in the course of an activity which falls outside the scope of the Union law
  2. by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the Treaty on European Union (the common foreign and security policy)
  3. by a natural person during a purely personal or household activity
  4. by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security (such processing is governed by a separate Directive).

What are the data subjects’ rights?

Under the Regulation, individuals have several rights such as:

  • Right to be informed: Individuals have the right to be told, in clear and plain language, how their personal data will be processed, including the purposes of the processing and the recipients of the data.
  • Right to access: Individuals have the right to gain access to the personal data held about them.
  • Right to rectification: Individuals may ask for incorrect, inaccurate or incomplete personal data to be corrected.
  • Right to erasure: Individuals may ask for their personal data to be erased when it is no longer needed for the purpose for which it was collected, when they withdraw consent, or when the processing is unlawful.
  • Right to restriction of processing: Individuals may ask for the processing of their personal data to be restricted in certain cases, for example while the accuracy of the data is being verified.
  • Right to portability: Individuals can receive the personal data they have provided in a structured, commonly used and machine-readable format, and may have it transmitted directly to another controller where technically feasible.
  • Right to object: Individuals may object to the processing of their personal data for direct marketing purposes, or on grounds relating to their particular situation.
  • Rights regarding automated decision-making and profiling: Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects on them; where such decisions are permitted, they may request human intervention, express their point of view and contest the decision.

Organizations processing Personal Data

All companies processing and maintaining personal data in the course of their business activities are governed by the Regulation. Companies or other legal entities whose core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special categories of data (such as health data or criminal-conviction data), are required to appoint a Data Protection Officer.

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data; loss of availability (for example, data encrypted by ransomware without a usable backup) counts as a breach just as exfiltration does. Companies must have in place policies and procedures that allow them to a) identify and b) address a breach as soon as possible, mitigate their exposure and proceed promptly with the relevant notifications. In particular, companies must report a breach to the relevant supervisory authority (in Cyprus, the Commissioner for Personal Data Protection) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons; where notification is made later than 72 hours, it must be accompanied by reasons for the delay. Because the clock starts on awareness, the ability to detect and assess an incident quickly is itself a compliance requirement. When the breach is likely to result in a high risk to the rights and freedoms of natural persons, the company must also communicate the breach to the affected data subjects without undue delay, describing in clear and plain language the nature of the breach and the measures taken.

At AGPLAW we are delighted to offer dedicated services relating to Data Protection compliance, including but not limited to:

  • Appointment of Data Protection Officer
  • Legal training of employees on matters relating to the GDPR
  • Provision of data protection audits and reports
  • Provision of legal advice regarding matters relating to GDPR
  • Preparation of internal Data Protection Manuals (including Incident Response Procedures) and Privacy Policies.

For all enquiries related to Data Protection, please contact our team of experts at agp@agplaw.com

The information provided by AGP Law | A.G. Paphitis & Co. LLC is for general informational purposes only and should not be construed as professional or formal legal advice. While every effort has been made to ensure the accuracy and reliability of the information contained herein, the author, publisher, or any related parties make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability of the information. In no event will the author, publisher, or any related parties be liable for any loss or damage, including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this document/article. You should not act or refrain from acting based on any information provided above without obtaining legal or other professional advice.