GDPR in a Nutshell: Business Entities Under the Sword of Damocles!



People increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life. Personal data now flows freely across many states, and individuals transfer their personal data to third countries and to global companies.

These developments require a stronger and more coherent data protection framework, backed by strong enforcement, given the importance of creating the trust that will allow the digital economy to develop across global markets. Hence, it becomes crucial for every state to ensure a high level of protection of personal data and to take the measures necessary to provide it. With this purpose in mind, the EU has adopted an instrument known as the “GDPR”, which introduces a number of new or enhanced data subject rights and data protection guarantees.



Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the “General Data Protection Regulation” or “GDPR”), applicable from 25 May 2018, responds to the fact that the scope of the collection and sharing of personal data has increased significantly and rapidly. The GDPR is thus a legal framework that requires businesses to protect the personal data and privacy of individuals in the European Union (EU). It covers every company that processes the data of individuals in the EU, including in particular banks, insurance companies and other financial and IT companies.



“Personal Data” means any information relating to an identified or identifiable[1] natural person (the GDPR uses the term “data subject”), e.g. name and surname, home address, email address, identification card number, social security number, Internet Protocol (IP) address, cookie ID, etc.[2]



Extraterritorial Scope of the GDPR

In terms of territorial scope, GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not.

Moreover, the GDPR applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the Union, where the processing activities are related to:

  • the offering of goods or services to such data subjects in the Union, irrespective of whether a payment by the data subject is required (e.g. the organization operates a website or online platform through which individuals in the EU can sign up for its services); or
  • the monitoring of their behavior, as far as that behavior takes place within the EU (e.g. the organization tracks individuals in the EU through cookies or IP addresses).

The GDPR is wider than it may first appear, because it makes no reference to citizenship. The protection it affords applies to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. Hence, it applies to any data subject in the EU, i.e. any person who is in the EU at the time of the processing, and not only to EU citizens or residents.


Consent of the Data Subject (Lawful Basis for Processing)

Processing is lawful only if at least one of the lawful bases listed in Article 6 of the GDPR applies. The best known is the data subject’s consent to the processing of his or her personal data for one or more specific purposes. The other bases are narrowly defined: the processing must be necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract; necessary for compliance with a legal obligation of the controller; necessary to protect the vital interests of the data subject or of another natural person; necessary for a task carried out in the public interest; or necessary for the legitimate interests of the controller or a third party, unless those interests are overridden by the interests or fundamental rights of the data subject. Where processing is based on consent, the controller must be able to demonstrate that the data subject has consented. Consent must be freely given, specific, informed and unambiguous; where it is given in a written declaration that also concerns other matters, the request for consent must be presented in a manner clearly distinguishable from those other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration that infringes the GDPR is not binding, and the data subject may withdraw consent at any time, as easily as it was given.


Right to be Informed (Transparency)

In order to provide the necessary transparency of data processing (which in turn underpins the controller’s accountability), the controller shall provide the data subject with the following information, at the time the data are obtained or, where the data are not obtained from the data subject, within a reasonable period thereafter:

  • the identity and the contact details of the controller
  • the purposes of the processing for which the personal data are intended as well as the legal basis for the processing
  • the categories of personal data concerned
  • the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
  • where the personal data were not obtained from the data subject, the source from which they originate and, if applicable, whether they came from publicly accessible sources
  • other information that is mandatory under the GDPR, such as the existence of the data subject’s rights and of the right to lodge a complaint with a supervisory authority

In addition to the controller’s obligation to inform, the data subject has a right of access (Article 15): the right to obtain, at any time, confirmation of whether personal data concerning him or her are being processed and, where that is the case, access to those data and to the information listed above.


Existence of Legitimate and Specific Purposes (Purpose Limitation)

According to this principle, personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Purpose limitation is distinct from the question of lawful basis: the processing must rest on a lawful basis of its own, such as necessity for a contract with the data subject (e.g. a loan or other agreement) or the legitimate interests pursued by the controller or by a third party, but even where such a basis exists, the controller must define the purposes up front and must not later repurpose the data in an incompatible way. Stricter requirements apply where the controller or processor handles special categories of personal data (such as data revealing racial or ethnic origin, political opinions, religious beliefs, health, or sexual orientation), whose processing is prohibited unless one of the specific exceptions in the GDPR applies.


Right to Erasure (“Right to be Forgotten”)

The data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller has the obligation to erase the data without undue delay, where one of the grounds in the GDPR applies: the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; the data subject withdraws the consent on which the processing is based and there is no other legal ground; the data subject objects to the processing and there are no overriding legitimate grounds; or the personal data have been unlawfully processed. The right is not absolute: it does not apply in the cases stipulated under the GDPR, for example where processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, or for the establishment, exercise or defence of legal claims.


Personal Data Portability

According to this new approach, the data subject has the right to receive the personal data he or she has provided to a controller in a structured, commonly used and machine-readable format, and to transmit those data to another controller without hindrance from the controller to which the data were provided. The right is not unlimited, however: it applies only where the processing is based on consent or on a contract and is carried out by automated means, and the data subject may require direct transmission from one controller to another only where this is technically feasible.


Appointment of Data Protection Officer (DPO)

In order to arrange and properly manage personal data processing, the GDPR requires the controller and the processor to designate a data protection officer where the processing is carried out by a public authority or body; where their core activities consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or where their core activities consist of processing special categories of personal data, or data relating to criminal convictions and offences, on a large scale.

Furthermore, the DPO shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39 of the GDPR. The DPO may be a staff member or an external service provider, and must report directly to the highest management level of the controller or processor.


Adoption of Internal Rules for Compliance

In order to achieve full compliance with the GDPR, each controller and/or processor should adopt internal regulations and procedures covering every aspect of the processing and control of personal data, such as a code of conduct, guidelines on the processing of sensitive personal data, consent management guidelines, and procedures for the transfer of personal data to third parties and to third countries. The GDPR expressly requires the controller to implement appropriate technical and organisational measures, including appropriate data protection policies where proportionate, and to be able to demonstrate that processing is performed in accordance with the Regulation.


Notification of Personal Data Breach

In the case of a personal data breach, the controller shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the breach to the competent supervisory authority, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification is not made within 72 hours, it shall be accompanied by reasons for the delay. A processor that becomes aware of a breach must notify the controller without undue delay, and the controller must document every breach, whether or not it was notified, so that the supervisory authority can verify compliance.

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall also communicate the breach to the affected data subjects without undue delay, in clear and plain language.


Administrative Fines/Penalties 

The penalties under the GDPR are substantially higher than under the previous Directive. Infringements of the most important provisions (for example, processing without a valid lawful basis such as sufficient consent, breaching data subjects’ rights, or breaching the rules on international transfers) can be fined up to €20 million or 4% of the undertaking’s total worldwide annual turnover for the preceding financial year, whichever is higher. Violations of lower gravity (for example, failing to keep records of processing, failing to notify the supervisory authority or the data subjects of a breach, or failing to carry out a data protection impact assessment where required) can be fined up to €10 million or 2% of worldwide annual turnover, whichever is higher.

Factors such as the nature, gravity and duration of the infringement, the number of data subjects affected and the level of damage suffered by them, the intentional or negligent character of the infringement, and any action taken by the controller or processor to mitigate the damage suffered by data subjects are taken into consideration when setting the fine.



Summarizing the main features of the GDPR, entities involved in processing and controlling personal data should pay particular attention to personal data issues in order to avoid the negative consequences that may follow a breach of the requirements described above. Given the extraterritorial applicability of the GDPR, many non-EU entities will fall within its scope and may face the administrative fines and penalties envisaged under the Regulation, even where their own national legislation does not provide procedures and rules for the protection of personal data as adequate and sufficient as those of the GDPR.

Our team has extensive experience in helping clients with GDPR and local data protection compliance. We can help you put together efficient data protection policies and procedures in line with the existing regulatory environment. So please do get in touch when you want sophisticated advice.

[1] Personal data which have undergone pseudonymization, and which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person.

[2] According to the GDPR, the principles of data protection do not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person, or to personal data rendered anonymous in such a manner that the data subject is not or is no longer identifiable.