“Common EU rules have been established to ensure that your personal data enjoys a high standard of protection everywhere in the EU. You have the right to complain and obtain redress if your data is misused anywhere within the EU” (europa.eu - European Commission)
The new EU data protection regulation (2016/679) titled the General Data Protection Regulation (GDPR) shall apply from the 25th May 2018, replacing the current Directive (95/46/EC). The GDPR shall introduce and impose a number of obligations (and onerous fines) to all EU organisations which undoubtedly forces such organisations to strictly abide. Organisations are expected to prepare frameworks and undertake appropriate regulatory measures which need to be implemented prior to the applicable date.
At Eraklis N. Kyriakides LLC, we offer client specific legal advice and guidance in relation to the new regulatory environment under the GDPR. We assist our clients with all implementation procedures required within their internal work practices while ensuring that they are aware of their obligations pursuant to the new GDPR regulation and particularly in relation to the data subjects’ rights. Specifically, we advise our clients on how and when to collect and manage (necessary) personal data (for a specific purpose), and how to ensure that the said data is protected from misuse.
A general guide of the list of services which our Firm provides to assist clients to adjust to the new regulatory environment include the following:
- One of the key changes of the GDPR is that for the first time, it places direct obligations on Data Processors. Our Firm offers legal assistance in determining whether the organisation in question is considered as a Data Processor or a Data Controller (or both) and advising of their accountability and responsibility obligations, which shall include both future and existing contractual obligations;
- Assistance in carrying out all relevant privacy Impact Assessments with an aim to assist our clients to evaluate the compliance gaps which exist between their current data protection internal framework and the standard imposed by the GDPR;
- Assistance in determining the legal basis on which the client uses personal data, in other words, considering the type of data processing undertaken (such as for example: whether obtainment of consent from the data subject is required or if the organisation in question has “legitimate grounds” to store personal data) and further advising on the regulatory obligations required pursuant to the GDPR;
- Preparation and drafting of all relevant processes and procedures, such as: Codes of Conduct, Privacy Policies, Consent Forms, Privacy Notices, Fair Processing Notices, Model Clauses and other data protection related documents particularly in order to prepare for data security breaches;
- Assistance in the appointment of a Data Protection Officer (where applicable) and offering legal advice in relation to the DPO’s legal responsibilities and obligations pursuant to the GDPR;
- Assistance in drafting and enforcing Binding Corporate Rules for the purposes of intra-group international data transfers;
- Advising on cross-border data transfers, which includes organisations who seek to process data outside the EU and particularly the regulatory frameworks which must be followed should such processing extend to countries without an “adequate level of protection”;
- Advising Data Controllers and/or Data Processors of their obligations when dealing with third party suppliers;
- Advising organisations as to how they should process and store special categories of data (i.e. sensitive data); and
- Providing well-rounded legal opinions in relation to multinational organisations with a basis outside the EU, undertaking business within Cyprus/EU, and/or targeting consumers within the EU including assistance in the appointment of an EU representative (where applicable).
Disclaimer: This Publication has been prepared for informational purposes only. None of the information should be construed as legal advice.