Papantoniou & Papantoniou LLC > News & Insights  > GENERAL DATA PROTECTION REGULATION (GDPR)


Personal data misuse and breaches in recent times have affected millions of individuals and organisations. If an organisation is found to have breached the personal data of a data subject, whether deliberately, negligently or by an innocent mistake, that organisation could face significant injury to its reputation, which can in turn affect its business.

Conversely, fundamental detriment can also be suffered by the individual whose personal details are unlawfully exposed, and his or her constitutional right to privacy might be undermined.

Under the General Data Protection Regulation (GDPR), all organisations handling any personal data must comply with the Regulation; otherwise they may face penalties of up to €20 million or 4% of the global annual turnover of the organisation for the previous financial year. As it is an EU Regulation, it has direct effect and is binding and applicable in all Member States without any need for national legislation to be enacted.

The new regulation is a landmark and represents a challenge for organisations that process personal data, as they should review their current Data Protection and Privacy Programs, identify the gaps and take all necessary measures to achieve compliance with the GDPR.

Organisations should implement appropriate technical and organisational measures, have in place the appropriate systems, agreements, procedures and policies, keep the documentation required to prove their compliance with the GDPR, and ensure that their staff understand the GDPR obligations.

Where does the GDPR apply?

The GDPR applies to individuals, companies or public or private law organisations (the “controllers”) who collect, process, register, organise, store or distribute “personal data” relating to natural persons within the European Union, whether the processing takes place within the European Union or outside it. Where the processing takes place outside the European Union, the GDPR applies when the processing activities relate to the supply of goods or services to persons in the European Union or to the monitoring of the behaviour of individuals, only to the extent that such behaviour takes place within the European Union.

What is “personal data”?

“Personal data” includes any information relating to a natural person (the “data subject”) through which that person can be identified, directly or indirectly. This information includes the name, identity number, location data, online identity card or one or more factors relevant to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.

Rights of the “data subject”

Data subjects are the individuals whose personal data is being processed. The GDPR offers those persons a variety of rights to enforce and to protect the use and processing of their personal data. Enhanced rights provide individuals with more control over their personal data through the right to withdraw the consent of the person concerned (when it is given), easier access to his or her personal data, rights of rectification and erasure, the right to object, the right to request restriction of processing and the right of data portability.

Obligations of “controllers”

The GDPR sets a series of restrictions and new obligations on businesses regarding the processing of personal data throughout its life cycle, from collection to destruction, the possibility of its transfer to other countries, the protection of the rights of natural persons, the security (privacy, integrity, availability) of personal data and the disclosure actions that the business should pursue in the event of a breach. The GDPR also establishes the obligation for data controllers to provide transparent, comprehensive and easily accessible information to data subjects as regards the processing of their personal data.

Appointment of a Data Protection Officer

For companies and public authorities performing data processing operations, the GDPR establishes the obligation to appoint a Data Protection Officer in three cases:

– where the processing is carried out by a public authority or a public body (irrespective of the type of data being processed),

– where the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

– where the core activities of the controller or the processor consist of processing on a large scale of special categories of personal data or data relating to criminal convictions and offences.


Every organisation and every industry sector is different. We are able to help you achieve GDPR compliance by offering a tailored plan for your business. We are also cooperating with IT experts in order to provide you with comprehensive solutions requiring both legal and IT specialisation.

We can also offer our services separately, such as:

  • GAP Analysis
  • Data Inventory and Mapping
  • Data Protection Impact Assessment (DPIA)
  • Training and Awareness
  • Drafting of Internal Policies and Manuals regarding processing of Personal Data
  • DPO Support (Support to the Data Protection Officer in carrying out his duties)
  • Legal Advice on amending existing contracts and on specific issues
  • Drafting and reviewing Legal Agreements such as Processor Agreements
  • Joint Controller Agreements
  • Client Representation to the Supervisory Authority
  • GDPR Litigation

For any further information and/or clarifications please contact us at or contact number +35722817711.


Each case is unique and specialist advice should be sought.

Please note that this newsletter is produced for purely informative purposes and under no circumstances shall it be construed as professional advice.