GDPR - Personal Data Protection Consulting Services

Introduction

The General Data Protection Regulation (EU) 2016/679, also known as the “GDPR”, together with national Law 4624/2019 and the Guidelines, Decisions and Opinions of the Data Protection Authority, constitute the legal framework with which every company that collects and processes personal data in the course of its business activities must comply.

“Personal data” means any information relating to an identified or identifiable natural person: for example, a person’s first name, last name, home address, age, occupation or Tax ID. Businesses typically collect personal data of their clients, associates and employees.

Personal data protection legislation imposes new and stricter requirements and obligations on companies and organizations. Compliance is a matter of paramount importance: a violation may lead to administrative fines of up to 10 or 20 million euros (or 2% or 4% of worldwide annual turnover, whichever is higher, depending on the gravity of the violation), criminal sanctions, damages and litigation, as well as harm to the company’s reputation and loss of consumer trust in the lawful and secure processing of their personal data.

Personal data protection legislation applies to any undertaking or body, public or private, which either maintains an establishment within the European Union (EU) or, without being established in the Union, processes the personal data of data subjects who are in the Union in connection with offering them goods or services or monitoring their behaviour within the Union (Article 3 GDPR).

Because the activities, turnover, implementation costs, personal data processing and the corresponding risks differ according to the specific characteristics and needs of each client, Revival offers the following alternatives, described in detail below:

A) Full Compliance Project - GDPR Compliance

B) Key Deliverables of Compliance Project - GDPR Compliance

C) Online (Web) Compliance

D) Data Protection Impact Assessment (DPIA)

 

A) Full Compliance Project - GDPR Compliance

1. Record of Data Processing Activities (Data Inventory)

The Record of Processing Activities (Article 30 GDPR) is compiled following interviews and meetings with the Client’s executives or individual departments, in order to map the personal data collected and to record the purposes of processing, the legal basis, the recipients, the existing security measures, etc. Besides being a legal obligation, the Record gives the Client a concise picture of its data flows and helps identify security gaps in the processing of personal data. The following actions are implemented:

  • Conducting interviews to compile the Record of Processing Activities.
  • Advising on how to keep the Record of Processing Activities continuously up to date.

2. Gap Analysis – Plan of Proposed (Technical and Organizational) Measures

Based on the Record of Processing Activities, the company’s discrepancies and “gaps” in relation to the requirements of the data protection legislation are investigated, so that the required compliance actions can be launched. The GAP ANALYSIS – Plan of Proposed (Technical and Organizational) Measures is then prepared; in it, the gaps identified for each processing activity are analyzed and proposals for addressing them are formulated. The proposals are tailored to the specific needs of each Client and relate to technical and organizational measures provided for in the data protection legislation and/or best practices in the relevant field.

3. Risk Assessment

Once the gaps are identified, a risk assessment is performed. Risk is assessed by combining the likelihood that a security incident affecting personal data will occur with the severity of the consequences of such an incident for the data subjects.

4. Data Protection Impact Assessment (DPIA)

Where the Risk Assessment identifies processing activities likely to pose a high risk to the rights and freedoms of natural persons, a Data Protection Impact Assessment (DPIA) is carried out in accordance with Article 35 of the GDPR, the relevant guidelines of the European Data Protection Board (EDPB, successor of the Article 29 Working Party) and the list of processing operations requiring a DPIA published by the supervisory authority under Article 35(4).

5. Employees

Regarding the processing of personal data of the company’s employees (with the company acting as employer), the following actions are implemented:

  • Adding a contractual term on the protection of personal data to the Employment Contract,
  • Drafting a Non-Disclosure Agreement (NDA) covering the protection of personal data,
  • Informing employees about the collection and processing of their personal data,
  • Informing prospective employees (job applicants) about the collection and processing of their personal data.

6. Control/Modification of Contracts with third parties/suppliers

Review and amendment of the Company’s contractual relations with third parties in the light of the data protection legislation, namely:

  • Contractual term for the protection of personal data,
  • Additional data processing agreements on a case-by-case basis (Data Controller – Data Processor agreements and Joint Controller agreements),
  • Non-Disclosure Agreements (NDAs).

7. Development of Policies and Procedures for the Protection of Personal Data

Within the framework of the compliance project, the required Policies and Procedures for Personal Data Protection are established, serving the Accountability Principle. More specifically, the Policies and Procedures prepared for each Client are the following:

  • Privacy Policy: This Policy sets out the guidelines for the protection of personal data within the Client’s company/organization. It is communicated internally and establishes general rules to which all staff are subject, while also formulating the general principles of personal data protection, which are further specified by the Client.
  • Personal Data Protection Compliance Policy: This Policy defines the general framework for the retention and destruction of documents and files containing personal data. It sets out general rules, which the Client is advised to specify further, based on the needs of each department on the one hand and the current legal framework on the other.
  • Data Subject Rights Management Policy and Procedure: These deliverables define the procedure for handling data subjects’ requests concerning their personal data. The procedure is tailored to the needs of each Client and aims to ensure a timely response to requests from natural persons within the short deadlines set by the GDPR. At the same time, clear directions are provided so that the Client, in line with the Accountability Principle, is able at any time to demonstrate compliance with its obligations regarding the satisfaction of data subjects’ rights.
  • Security Policies: A set of Policies establishing general rules governing the use of the Client’s systems and applications. Each Policy addresses data security in terms of the confidentiality, integrity and availability of the data.

8. Technical and Organizational Measures for Video Surveillance

The operation of a CCTV system constitutes the collection and processing of personal data of employees, clients, associates, etc. For the lawful operation of the CCTV system, the following actions are implemented:

  • A CCTV Policy for the operation of the closed-circuit video surveillance system, covering the location of the cameras, the retention period of the recordings and the cases in which they may be transmitted to third parties, in accordance with the requirements of the relevant legislation.
  • Preparation of up-to-date information signs informing natural persons that they are entering a monitored area and providing further information on the processing of their personal data by the CCTV system.
  • A CCTV assessment, in which the lawfulness of the use and installation of each camera is examined separately and corrective measures are proposed where required.

9. Privacy Notices and Consent Forms

After the categories of data subjects to which the processing activities relate have been identified, the following are prepared:

  • Privacy Notices, based on the requirements of the General Data Protection Regulation (GDPR) and Law 4624/2019.
  • Consent Forms, based on the requirements of the General Data Protection Regulation (GDPR) and Law 4624/2019.
  • Safeguard measures to ensure the limited collection of personal data.

10. Transfers of Personal Data outside the EU / EEA

Where a company transfers personal data to third countries or international organizations outside the EU / EEA, it is checked whether the conditions for a lawful transfer under Chapter V of the GDPR are met (e.g. an adequacy decision, Standard Contractual Clauses, Binding Corporate Rules, etc.). The necessary technical and organizational measures, including the required legal instruments, are then proposed in order to ensure an adequate level of protection for the data transferred to third countries or international organizations.

11. Reporting Procedure for Data Breaches

Taking into account the Client’s operating processes, the procedure for notifying the competent supervisory authority of a personal data breach is designed. This deliverable records, step by step, the procedure the Client must follow so that it is able to notify the Data Protection Authority of a breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it (Article 33 GDPR), and, where the breach is likely to result in a high risk to the affected individuals, to communicate it to them without undue delay (Article 34 GDPR).

12. Training

Training the staff who process personal data on behalf of the Client is one of the most important organizational measures for building a “data protection culture” and for the Client’s compliance with the personal data protection legislation. In the context of the project, employees are trained and given guidance on the implementation of appropriate procedures and methodologies for the safe collection and processing of personal data.

13. Online (Web) Compliance

To ensure the lawful operation of the Client’s website in accordance with the data protection legislation, the ePrivacy Directive (2002/58/EC) as transposed by Law 3471/2006, and the Decisions and Opinions of the Data Protection Authority, the following actions are implemented:

  • Site Review: Evaluation of the website in the light of the data protection legislation and recommendation of the required corrective actions.
  • Privacy Policy: The Privacy Policy informs the users of the website about which personal data are collected and processed, for what purpose and on what legal basis, how they are processed, the potential recipients, the security measures, the retention period and the users’ rights regarding their personal data. Beyond being a legal obligation of the Client, the Privacy Policy strengthens the users’ sense of security and trust.
  • Cookies Policy: The Cookies Policy informs the users of the website about which cookies the website sets, which personal data they collect, for how long and for which recipients. Users are informed clearly and accurately so that they can make an informed choice about which cookies they accept and which they reject while browsing.
  • Cookie Banner template: The Cookie Banner is displayed when the user visits the site and provides sufficient information together with the controls through which the user selects which cookies he or she accepts; non-essential cookies are set only after that choice has been made.
  • Cookie Banner design instructions: in accordance with the requirements set by EU and national legislation and case law.
  • Disclaimers and consent checkboxes, where necessary: Appropriate disclaimers and checkboxes are added to registration forms, contact forms, newsletter sign-up forms, CV submission forms, etc. Such checkboxes must not be pre-ticked, since consent must be given by a clear affirmative act.
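The consent-gating logic that a banner of this kind has to enforce on the client side, written here as an added illustration; it is not code from this page nor the consulting firm’s deliverable. The category names, the policy version string, the consent cookie name and the six-month retention period are assumptions made for the example.

```javascript
// Added example: minimal consent gate for non-essential cookies and tags.
// Assumptions (not from the page): three categories, a policy version string
// that is bumped whenever the Cookies Policy changes, a consent cookie named
// "cookie_consent" kept for 180 days.

const POLICY_VERSION = "2024-01";
const CATEGORIES = ["necessary", "analytics", "marketing"];

// Build a consent record from the banner's choices. Only an explicit `true`
// counts as acceptance; anything else (closed banner, missing key, "yes"
// string) is refusal, so the default for non-essential categories is deny.
function buildConsent(choices = {}, now = new Date()) {
  const granted = { necessary: true }; // strictly necessary cookies need no consent
  for (const category of CATEGORIES) {
    if (category === "necessary") continue;
    granted[category] = choices[category] === true;
  }
  // timestamp + version give the controller a record to demonstrate consent
  return { version: POLICY_VERSION, timestamp: now.toISOString(), granted };
}

// Parse a stored consent record. Malformed input or a record given under an
// older policy version is treated as "no consent", so the banner is shown again.
function parseConsent(raw) {
  try {
    const record = JSON.parse(raw);
    if (!record || record.version !== POLICY_VERSION) return null;
    if (!record.granted || typeof record.granted !== "object") return null;
    return record;
  } catch (_err) {
    return null;
  }
}

// Decide whether a cookie or tag of the given category may be set/loaded.
// Unknown categories are refused rather than silently allowed.
function mayLoad(category, consent) {
  if (category === "necessary") return true;
  if (!CATEGORIES.includes(category)) return false;
  return Boolean(consent && consent.granted[category] === true);
}

// Serialize the record into the Set-Cookie value for the consent cookie itself.
// Secure keeps it off plain HTTP, SameSite=Lax keeps it off cross-site requests,
// Max-Age bounds how long the stored choice is kept (assumed 180 days).
function consentCookieString(consent, maxAgeSeconds = 180 * 24 * 3600) {
  const value = encodeURIComponent(JSON.stringify(consent));
  return `cookie_consent=${value}; Max-Age=${maxAgeSeconds}; Path=/; Secure; SameSite=Lax`;
}

// Read the record back out of a cookie string produced by consentCookieString.
function consentFromCookieString(cookieString) {
  const match = /^cookie_consent=([^;]*)/.exec(cookieString);
  return match ? parseConsent(decodeURIComponent(match[1])) : null;
}

// Filter the site's tag list ({ src, category }) down to what may be loaded.
function allowedTags(tags, consent) {
  return tags.filter((tag) => mayLoad(tag.category, consent));
}

// Constructed sample: what a first visit vs. an "analytics only" choice yields.
function demo() {
  const tags = [
    { src: "/js/session.js", category: "necessary" },
    { src: "https://analytics.example/a.js", category: "analytics" }, // assumed URL
    { src: "https://ads.example/m.js", category: "marketing" },       // assumed URL
  ];
  const firstVisit = allowedTags(tags, null).map((t) => t.src);
  const consent = buildConsent({ analytics: true }, new Date("2024-05-01T00:00:00Z"));
  const afterChoice = allowedTags(tags, consent).map((t) => t.src);
  const stale = parseConsent(JSON.stringify({ version: "2023-06", granted: { analytics: true } }));
  return { firstVisit, afterChoice, staleRecordAccepted: stale !== null };
}

console.log(JSON.stringify(demo(), null, 2));
```

On a first visit `demo()` reports only the session script as loadable; after the user accepts analytics only, the analytics tag joins it and the marketing tag is still withheld, and a record saved under an older policy version is rejected so the banner is shown again.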

14. DPO Appointment Assessment

In the final stages of the project, a substantiated opinion is given on the Client’s need or obligation to appoint a Data Protection Officer (DPO). In particular, considering the nature and circumstances of the Client’s processing activities, it is checked whether the conditions for mandatory DPO appointment are met, as set out in Article 37 of the GDPR (public authorities and bodies, and controllers or processors whose core activities involve large-scale regular and systematic monitoring of data subjects or large-scale processing of special categories of data) and in the relevant guidelines of the European Data Protection Board (successor of the Article 29 Working Party). The value of a voluntary DPO appointment is then assessed based on the needs of each Client.

15. Insurance Coverage Cost-Benefit Assessment

A substantiated opinion is given on the need for “Cyber Insurance”. The assessment takes into account the results of the Risk Assessment and of the Data Protection Impact Assessment (DPIA), where these have been carried out, and weighs them against the cost of the insurance coverage.
