Office of the Commissioner for Personal Data Protection
 



General Data Protection Regulation (GDPR)

Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) applies as of 25 May 2018. It repeals Directive 95/46/EC.

The regulation is an essential step to strengthen individuals' fundamental rights in the digital age and facilitate business by clarifying rules for companies and public bodies in the digital single market.

The text of the GDPR is available in all EU languages on the European Commission website and in pdf format in English by clicking here.

The cross-references between the articles and the recitals in the preamble can be found at: http://www.privacy-regulation.eu/en/index.htm

KEY POINTS

Citizens’ rights

The GDPR strengthens existing rights, provides for new rights and gives citizens more control over their personal data. These include:
  • easier access to their data — including providing more information on how that data is processed and ensuring that that information is available in a clear and understandable way;
  • a new right to data portability — making it easier to transmit personal data between service providers;
  • a clearer right to erasure (‘right to be forgotten’) — when an individual no longer wants their data processed and there is no legitimate reason to keep it, the data will be deleted;
  • right to know when their personal data has been hacked — companies and organisations will have to inform individuals promptly of serious data breaches. They will also have to notify the relevant data protection supervisory authority.

Rules for businesses

The GDPR is designed to create business opportunities and stimulate innovation through a number of steps including:
  • a single set of EU-wide rules — a single EU-wide law for data protection is estimated to make savings of €2.3 billion per year;
  • a data protection officer, responsible for data protection, will be designated by public authorities and by businesses which process data on a large scale;
  • one-stop-shop — businesses only have to deal with one single supervisory authority (in the EU country in which they are mainly based);
  • EU rules for non-EU companies — companies based outside the EU must apply the same rules when offering services or goods, or monitoring behaviour of individuals within the EU;
  • innovation-friendly rules — a guarantee that data protection safeguards are built into products and services from the earliest stage of development (data protection by design and by default);
  • privacy-friendly techniques such as pseudonymisation (when identifying fields within a data record are replaced by one or more artificial identifiers) and encryption (when data is coded in such a way that only authorised parties can read it);
  • removal of notifications — the new data protection rules will scrap most notification obligations and the costs associated with these. One of the aims of the data protection regulation is to remove obstacles to free flow of personal data within the EU. This will make it easier for businesses to expand;
  • impact assessments — businesses will have to carry out impact assessments when data processing may result in a high risk for the rights and freedoms of individuals;
  • record-keeping — SMEs are not required to keep records of processing activities, unless the processing is regular or likely to result in a risk to the rights and freedoms of the person whose data is being processed.

Review

The European Commission must submit a report on the evaluation and review of the regulation by 25 May 2020.

What changes after 28 May 2018

The following are repealed:
  • The obligation to notify to the Commissioner the establishment and operation of a filing system or the commencement of processing. This obligation is, however, replaced by the obligation to maintain a record of activities. For more information about the record of activities click here.
  • The obligation to obtain a licence from the Commissioner for the processing of sensitive data (currently specific categories of personal data) in the field of labor law.
  • The obligation to obtain a licence from the Commissioner for the combination of filing systems. The combination of filing systems by public authorities or bodies is allowed under the conditions provided for in article 10 of the Law 125(I)/2018.
  • The Commissioner’s decisions to waive the obligation to inform the data subjects.
  • The payment of a fee of € 17 by the data subjects when exercising the rights of access, rectification and objection. The exercise of the rights should be free of charge (with very few exceptions provided under article 12 of the GDPR).
The following are changed:
  • The conditions for the transfer of data to third countries. The GDPR sets out a revised framework for the transfer of data to third countries. Among other things, the Commissioner shall approve the legal basis for the transfer, for example standard contractual clauses, binding corporate rules, codes of conduct and certification mechanisms. For more information on the transfer of data to third countries, click here.
  • The Commissioner may restrict the processing of genetic, biometric and health data in accordance with the provisions of articles 17 and 18 of the Law 125(I)/2018.

Guidance and recommendations

The European Data Protection Board (EDPB) issues general guidance to promote a common understanding of European data protection laws, both across the European Union and around the world. All the documents are available on the website of the EDPB.





Download the Acrobat file Regulation 2016-679_ENG.pdf

