+30 210 3822218 / info@energygroup.gr
Energy Financial Group
GDPR – General Data Protection Regulation

25/05/2018

New European Regulation GDPR 2016/679

A few words about the regulation

The GDPR was voted by the European Parliament on 16 April 2016.

From 25 May 2018 it applies directly as law in all the member states of the European Union. From that date the previous regulatory framework for the protection of personal data is repealed and many aspects of it are amended.

The Regulation is of general application, binding in all its elements and directly applicable in all the Member States of the European Union. To a large extent, it concerns the security procedures and the risk management of a company-organization.

It was created to give citizens more control over their personal data and to push businesses and organizations towards strong protection of the personal data they hold.


The Regulation regulates the rights of individuals

The new European Regulation GDPR 2016/679 replaces Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

The Regulation regulates the rights of individuals to:

  • their personal data,
  • the processing of their personal data,
  • the free and unhindered movement and transfer of their personal data within the borders of the European Union,
  • procedures for the transfer of personal data outside the European Union.

Other critical points that affect a firm's reputation and liquidity include:

  • the obligation to inform the authorities and customers within a set period of time,
  • the publication of personal data leaks,
  • compensation to data subjects who have suffered damage.

The concept of personal data

Personal data is any information relating to an individual (the data subject) that can be used to identify him or her directly or indirectly. Examples of personal data include a name, a photo, an email address, bank account details, social networking posts, medical information and a computer's IP address.

Key steps you can take to align with the GDPR

  • Identify where personal data is held in your business or organization.
  • Create policies that clearly describe how and why your business collects and processes personal data.
  • Set up a risk management program to protect your data.
  • Comply with the Regulation's standards on transparency, accountability and record keeping; handle data subject requests and maintain the required documentation.

The requirements of the Regulation

The range of requirements for businesses and organizations that collect or process personal data is broad, with the six basic principles presented below:

  • Transparency, fairness and lawfulness in the handling and use of personal data.
  • Restriction of processing to specified, explicit and legitimate purposes.
  • Collection and storage of the minimum volume of personal data required for a purpose.
  • Accuracy of data, including the possibility of deleting and correcting it.
  • Limitation of the period for which personal data is stored.
  • Security, integrity and confidentiality of personal data.

Businesses need to be aligned with the following

  • Process the personal data of their customers lawfully, fairly and transparently
  • Collect personal data only for specified, explicit and legitimate purposes
  • Limit processing to what is necessary for those purposes
  • Keep the data processed accurate
  • Not extend processing beyond the necessary time frame
  • Processing is lawful only when appropriate safeguards ensure the protection of personal data

Key changes introduced by GDPR

The GDPR imposes a series of new obligations on controllers, stemming from its basic principles: in particular the enhanced transparency principle governing the way data is collected, processed and kept, and the new principle of accountability, under which the controller is responsible for, and must be able to demonstrate, compliance with all the principles governing the processing of personal data. New rights are also introduced for data subjects, such as the right to erasure and the right to data portability.

The sanctions provided

The sanctions provided by the new Regulation are extremely high and amount to up to EUR 20,000,000 or up to 4% of the total annual turnover of the previous financial year (whichever is the higher).

This is the maximum fine that can be imposed for the most serious offences (e.g. failure to obtain the customer's consent for data processing in a lawful manner, or violation of the privacy by design policy).

The threatened fines are tiered.

For example, an enterprise may be threatened with a fine of 2% for unlawful keeping of its records, for late notification to the supervisory authority and to the data subject after it detects a data breach, or when it omits to carry out impact assessments.

Consequently, non-compliance with the new arrangements carries the risk of a fine imposed by the supervisory authority, which may mean the economic ruin of the organization / company.

Personal data breaches likely to put data subjects at risk shall be notified to the competent data protection authority within 72 hours. In addition, the data subjects must be informed without undue delay.

Bodies that need to be in harmony with GDPR

All public / private sector bodies / organisations that process personal data as part of their activity must comply with the GDPR.

Any company, organisation or government agency that collects, records, stores, discloses by transmission, combines, deletes or destroys information relating to an identified or identifiable natural person is obliged to apply the new regulation.

Steps to comply with the Regulation for every business / organization

  • Strategic planning to address potential risks to the personal data processed, through technical and organisational measures
  • Record keeping of processing activities
  • Ensuring valid consent from the data subjects for lawful processing
  • Ex ante impact assessment of the risks to the rights and freedoms of individuals
  • Revision and update of data security policies, providing new appropriate procedures to meet the new rights: the right to data portability, the right to erasure, etc.
  • Appointment of a Data Protection Officer
  • Procedures for identifying and investigating personal data security breaches and incidents, and for immediate notification of a breach to the supervisory authority.

The GDPR and the activities that will be most affected

As we have seen, all businesses that maintain or process personal data of European citizens are affected by the implementation of the new regulation. However, some activities will be more affected by their nature.

Hotel Services – Health Services – Financial Services – Human Resources Services – Hospitality & Travel Services – Internet / Personalized Sales Services – Telecommunication Services – Energy Services – State Sector – Data of Schools

Schools data

ENERGY FINANCIAL GROUP offers specialized GDPR compliance services for educational units (public and private schools, language schools, language centers, etc.).

Being aware of the responsibility involved in processing minors' personal data, and recognizing the importance of the mission of educational units, we propose solutions that combine the protection of personal data with its free and safe movement.

Sports Associations Data

The Energy Financial Group has handled cases involving athletes, gyms and sports clubs. Its members have been athletes and have acted as consultants to sports federations.

Furthermore, its experience in organizing sports events and activities contributes to drafting a privacy policy rapidly and effectively.

E-Commerce Data

E-Commerce is a daily reality that is constantly gaining ground, but it also increases the risk of phishing and theft of customers' personal data.

The necessary cooperation of e-shops with IT providers outside the business, together with the often large-scale processing involved, adds to the need for contact with lawyers and IT specialists who deal exclusively with e-shops. Our team includes such a lawyer and an IT partner. Knowing how data flows through these businesses allows us to reduce the cost of providing our services.

Data of Municipalities and Regions

ENERGY FINANCIAL GROUP offers specialized GDPR compliance services for legal entities governed by public law, such as Municipalities and Regions. Not only private companies but also government agencies processing personal data have to comply with the new regime.

The team includes lawyers trained in public law who will provide all the effective tools that help each public body to function properly in accordance with all its obligations under the Regulation.

Tourism Business Data

ENERGY FINANCIAL GROUP offers specialized GDPR compliance services for tourism businesses (hotels, catering, travel agencies, etc.).

In a country where tourism is its "heavy industry", it is extremely important that all stakeholders adapt to the new regulatory regime of personal data law, and to the proper functioning of every tourist business.

Energy Financial Group has the IT capability and experience in managing and exchanging tourist data to make adaptation to the new regulation possible in a very short time. In addition, profiling and data transfers to and from abroad make hotels and tourist agencies data controllers particularly exposed to complaints.

Diagnostic Health Centers

Energy Financial Group is aware of the operation and contractual obligations of diagnostic centers and their legal particularities.

Its experience in health data makes EFG a reliable partner in transferring and sharing your customer data.

Genetic Data and Medical Assisted Reproduction Unit Data

Banks of genetic material such as stem cells, semen and ova manage data that concerns not only the subjects of these data but also their offspring.

Donor anonymity is not the only thing that a Medical Assisted Reproduction Unit should protect. Haematological examinations, surrogate mother data, data on social parents and relatives, and other illnesses are an important part of the data handled by Medical Assisted Reproduction Units.

Hospitals

All kinds of secondary and tertiary health care institutions, by definition, process large-scale health data.

The compliance obligations of hospitals with the GDPR are all the more pressing in cases of underage patients or patients coming from abroad, both inside and outside the European Union.

Energy Financial Group is actively involved in the compliance of organizations and businesses that manage personal health data and undertakes the full range of relevant actions and processes.

Psychiatric Data

Psychiatric data is sensitive data by definition, to the extent that it is questionable whether, and under which exceptions, access to it by the patient himself or herself is permissible.

The principle of necessity and proportionality has a wide scope here: consistent with the case law of the Personal Data Protection Authority, the release of medical data from psychiatric units must be done sparingly and with due formality.

Energy Financial Group has extensive experience and scientific excellence (publications and speeches) on issues of psychiatric confidentiality, involuntary commitment, and how to maintain psychiatric unit data. It manages the data protection policy not only of private psychiatric units but also of Mental Health Units.

  1. Data Privacy Impact Assessment – data protection impact assessment to identify the most important risks.
  2. Compliance Action Plan, with proposals for the necessary measures, and support and guidance for their implementation.
  3. Development of all required privacy policies and procedures, within a unified Personal Data Management System under ISO 27001 or, independently of that, under another appropriate privacy seal.
  4. Creation of the personal data processing record.
  5. Information and participation of managers and staff involved in the process of harmonizing the company with the GDPR (what its requirements are and how it affects the operation of the directorates / departments and the whole company).
  6. Development, where required by the GDPR, of data leakage and / or security breach procedures.
  7. Outsourced Data Protection Officer (DPO).
  8. GDPR legal services.
  9. GDPR IT services.
  10. Cyber security insurance services.

DPO (DATA PROTECTION OFFICER)

The Data Protection Officer (DPO) is a leading role in a company's security function, required by the General Data Protection Regulation (GDPR).

Data Protection Officers are responsible for overseeing data protection strategy and implementation in order to ensure compliance of a business or organization with the GDPR requirements.

The Data Protection Officer is appointed on the basis of professional qualifications and in particular on the basis of his experience and knowledge in the field of data protection law and practices.

The DPO may be a member of the staff of the Controller or the Processor, or may perform his / her duties under an outsourced DPO arrangement. The Controller or the Processor publishes the contact details of the Data Protection Officer and notifies them to the Supervisory Authority.

Inform and advise the controller and processor

Inform and advise the controller or the processor, and the employees who carry out processing, of their obligations under the Regulation and other Union or Member State provisions on data protection.

Monitor compliance with the Regulation

Monitor compliance with the Regulation, other Union provisions or national legislation on data protection, and the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in the processing operations, and the related audits.

Provide advice on impact assessment

Provide advice, where requested, as regards the data protection impact assessment and monitor its performance in accordance with Article 35.

Cooperate with the Supervisory Authority

Act as a contact point for the supervisory authority

Act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and consult, where appropriate, on any other matter.

Data Leak Risk Control

In the performance of his duties, the Data Protection Officer shall take due account of the risk associated with the processing operations, taking into account the nature, scope, context and purposes of the processing.

CERTIFICATES RELATING TO GDPR

Energy Financial Group has set up task groups to undertake the study of your organizational structure, documentation and preparation of proposals for the final certification of your organization under the following quality systems:

  1. Certified specialization in the field of personal data protection, through employment in internationally certified businesses
  2. ISO 27001, the main international standard for information security
  3. PCI, the international standard for businesses that manage payment card data
  4. ISO 27018, the international standard for the protection of personal data in the cloud
  5. ISO 27017, the international standard for data security in cloud services
  6. ISO 27799, the international standard for the security of health data
  7. ISO 27011, the international standard for data security in telecommunication organizations
  8. ISO 27015, the international standard for data security in financial services

Specialized Services for the Harmonization of Hotels with GDPR

  • Energy Financial Group has staffed a team of Legal Advisors specializing in Personal Data Protection Law and in how to harmonize hotels with the GDPR
  • Energy Financial Group's software engineering (IT) team specializes in reservation software and the management of hotels and travel agencies
  • A study and documentation team aims at securing, harmonizing and certifying hotels
  • DPO outsourcing services, so that a certified Data Protection Officer (a member of our team) undertakes the fixed-duration work of harmonization with the GDPR


Contact Info

Energy Financial Group
37 Marathonos Ave.
15351, Pallini

Tel: +30 210 3822218
FAX: +30 210 3822213
E-mail: info@energygroup.gr
ENERGY FINANCIAL GROUP © 2020