Although it is an EU Regulation, the GDPR gives the member states the right to establish limitations on certain data processing activities and to introduce restrictions on the rights of individuals.
Law 4624/2019 has made use of the majority of the derogations provided for in the GDPR by setting forth specific rules on the processing of employees’ personal data, “sensitive” personal data and personal data in the sectors of health, insurance and media.
Also, the law introduces significant limitations on the rights of individuals, such as their right to be informed about the use of their personal data, their right of access to their data and their right of erasure, and it provides for exemptions that release controllers from their obligation to communicate personal data breaches to the affected individuals.
Another key feature of the law is that the lawfulness of, and the restrictions on, the processing of personal data are treated differently depending on whether the controller is classified as a public or a private entity.
Last but not least, besides the high administrative fines stipulated in the GDPR, the new law provides for severe criminal sanctions in case of violation of its provisions.
Enterprises will need to review and adapt their policies and procedures to ensure that these are in line with the new statutory provisions.
Article provided by: Mary Deligianni (Zepos & Yannopoulos, Greece)