The E.U. General Data Protection Regulation (G.D.P.R.) is now officially applied throughout the European Union, introducing key changes in relation to the data systems of natural persons’ protection with regard to the processing of personal data and on the free movement of such data.

However, this new era has both aroused a great deal of misinterpretations and made the regulators’ extensive guidance necessary.

In particular, the substantial misinterpretations for the new G.D.P.R. regime, are analyzed as follows:

The individuals’ consent

Since 25 of May 2018 a huge number of e-mails “seeking” consent for different purposes was accumulated in any individual’s pc. However, this individual’s consent is not always necessary for personal data processing.

In particular, six bases for lawful personal data processing are provided in the G.D.P.R. This means that consent is one of those legal bases and, in many cases, each controller or/and processor shall be better relying on a different legal basis. Indicatively, the processing may be necessary for:

(i) a contract with an individual,

(ii) a controller’s or/and processor’s legal obligation,

(iii) a controller’s or/and processor’s legitimate interest which is not overridden by an individual’s interest.

The G.D.P.R. protects any citizen in European Union

Firstly, the G.D.P.R. applies to entities which are established in the EU regardless of the individual’s location or citizenship (e.g. an entity based in Portugal shall apply the G.D.P.R. to all individuals regardless of whether they live in Lisbon or Kenya).

Secondly, the G.D.P.R. also applies to entities established outside of the EU, if they offer goods or services to individuals in the EU or if they monitor the individuals’ behavior in the EU.

Thus, the question is whether the individuals are in the EU, not whether they are EU citizens. For example, if an EU citizen checks into a hotel in Kenya, this does not mean that the hotel is obliged to comply with the G.D.P.R.

The G.D.P.R. is a new legislation

The G.D.P.R. may introduce significant changes on the European data protection field, but its basic concepts of personal data, data controller and data processor are very alike to the Data Protection Directive 95/46/EC framework. This means that the G.D.P.R. is an evolution and not a revolution in data protection laws. For example and indicatively, the fair and lawful personal data processing, the specific purposes, the minimized, accurate, secure and not longer than necessary personal data’s use are still at the forefront.

In other words, if a controller or/and a processor is compliant with the repealed Data Protection Directive, the further measures for the requested G.D.P.R. compliance would not be too painful for the latter.

The G.D.P.R. provides a complete overview of data protection’s obligations

Although the G.D.P.R. set out a detailed privacy rules’ provision, each controller or/and processor shall take into account the Complementary to the G.D.P.R. framework Laws as, indicatively:

–              The Directive 2002/58/EC (ePrivacy Directive) which both requires individual’s consent to the use of certain cookies and forbids the sending of direct marketing e-mail if an individual’s consent has not been obtained or the products and services are not similar in order the related exemption to apply.

*Caution: The aforementioned Directive will be repealed by the Proposal for a Regulation with regards to the respect for private life and the protection of personal data in electronic communications (Regulation on Privacy and Electronic Communications – EPR), which was released as a draft in January 10th 2017.

–              The Directive 2016/1148 (the NIS Directive) which concerns measures for a high common level of security of network and information systems across the European Union.

–              The G.D.P.R. implementing laws by each EU Member State.

The huge fines in relation to G.D.P.R. provisions’ breach

The G.D.P.R. provides a risk of very significant administrative fines, as a simple breach of its provision may result in a fine of up to the greater of 4% of annual worldwide turnover or €20 million, which in cases such as Facebook and Google can be estimated to €1.3 billion and €3.7 billion, respectively.

However, most entities are not likely to face this level of penalties and, even then, only for the most significant of breaches. Consequently, the risks associated with non-compliance have increased, but there is no need to be afraid.

In any case, it is worth to be noted that our new personal data protected era may lead to a variety of misinterpretations but over the time and via their solution the new regime will be in our favor.


Edited by Dimitra Panagidi