For our Checking In feature, we reach out to partners and heads of practice across CEE to learn how specific practice areas are faring in their jurisdictions. This time around we asked Data Protection experts: Overall, how compliant would you say economic agents are with relevant local regulations on data protection, and what are the main gaps that have yet to be addressed?
Austrian case law is evolving rapidly. Many individuals, consumer protection associations, and other stakeholders are testing what can be challenged under the GDPR. Claims and challenges have been put forth, such as whether the right to data access under Art 15 of the GDPR supports the right to receive documentation containing personal data or whether predictions based on probability calculations will be deemed personal data if they refer to individuals. Sometimes lower courts do not decide these questions homogeneously and the Data Protection regulator and Austrian courts make conflicting decisions. In response, the Austrian Supreme Court has recently shown an increased tendency to refer GDPR-related questions to the ECJ.
As to whether economic agents comply with local data protection regulations, it can be said that they are struggling to keep pace with these developments, no matter which industry they belong to. For instance, the question of whether Art 15 of the GDPR requires a controller to demonstrate the recipients or only the categories of recipients of its data (as this question has most recently been referred by the Austrian Supreme Court to the ECJ) impacts nearly every economic agent. So, while most agents have completed their GDPR entry lessons, such as establishing processing registers or data processing agreements, they must now comply with dynamic case law. Last year, the Austrian Data Protection regulator confirmed the protection of personal data of legal entities essentially by referring to Austrian constitutional law and to the GDPR by analogy. While this decision has not been supported by higher instance courts so far, it might advance the lingering discussion about whether Austria's constitution supports the protection of personal data of legal entities. If in similar cases the regulator's decision (which is currently final) leads to upper courts, they might -- and quite likely will -- take a different view. Economic agents who have so far focused their data protection ambitions on the data of individuals might have to broaden their mindset by considering the data of legal entities as well.
Gunther Leissler, Partner, Schoenherr Austria
In general, it should be noted that given the direct effect and application of the EU General Data Protection Regulation, economic agents have taken serious steps and made significant efforts to bring their actions in accordance with personal data protection rules. In addition to the requirements established by the GDPR, Bulgaria has implemented specific requirements regarding, for instance, data processing in the context of recruitment.
Under the Bulgarian Personal Data Protection Act, an employer or a recruiting body has to set a time limit for the retention of personal data of participants in a recruitment process. The personal data must not be processed for longer than six months unless the candidate has given his or her consent to the retention of the data for a longer period. The period of six months is relevant to documents such as autobiographies, cover letters, certificates regarding the candidate's qualification, etc.
According to our observations, in practice, sometimes personal data is stored for periods longer than six months without the consent of applicants or in cases where consent has been given without any proper record of it. Therefore, implementing a transparent procedure for collecting, processing, and storing personal data in the recruitment process should be helpful in compliance with data protection regulations.
Another issue deriving from the local regulations on data protection is the lack of an established deadline for the controller to notify the Bulgarian Commission for Personal Data Protection of the appointment of a Data Protection Officer (DPO). Although there is an obligation to make such a notification, the lack of a time limit within which this should be done deprives the regulator of the possibility to sanction a controller for failing to fulfill it. In addition, in the absence of a specific legal provision sanctioning the lack of DPO, when a penalty is imposed, the act imposing it will likely be revoked by the competent authority.
Yoanna Ivanova, Head of Intellectual Property and Data Protection Department, and Vilimira Murleva, Associate, Gugushev & Partners
Generally speaking, the majority of economic agents are expected to have already completed or at least long ago initiated a compliance program to follow suit with the EU and Greek data protection legal frameworks, following, in particular, the GDPR enactment in May 2018.
However, such compliance is of a dynamic nature, requiring constant effort, even on a daily basis, and cannot be exhausted as a one-off project, especially taking into consideration the continuous developments in the field, mainly arising from the regulatory framework, as supplemented by instruments issued by the competent supervisory authorities (e.g. guidelines, recommendations).
It is necessary to have compliance programs evolve, moving from a baseline of compliance to a more mature level, including audits. Some businesses seem content enough with remaining at a limited compliance level, which they would have reached two or even three years ago. However, they fail to realize that the biggest challenge is the continuous monitoring of their compliance status, which, most likely, may now be incomplete and out of date.
Panagiotis Tampoureas, Senior Associate, Drakopoulos
The GDPR, directly applicable as of May 25, 2018, turned out to be a real game-changer in Hungary. Data controllers and processors struggled a lot to be ready for the application of the GDPR; however, this meant more of a regulatory development in their bylaws than an actual turn in their practice.
Besides the relevant guidelines, fines imposed by the Hungarian Data Protection Authority in specific cases could serve as an important compass in complying with the GDPR. Hungary turned out to be one of the strictest states in the EU, as the Hungarian DPA imposed one of the highest numbers of fines among the member states.
In 2019, NAIH conducted more than double the data protection-related investigations that it did in 2018 (1,738 to 827). Most of the data breaches were reported in the banking and finance sector (32% out of 506). Popular subjects of investigations were: data processing in employment relationships, video-surveillance, assignment of claims, health data, and the rights of the data subjects. So far, the highest GDPR fine -- HUF 100 million (approximately EUR 270,000) -- was imposed in June 2020, following the discovery by a hacker of a vulnerability making it possible to reach databases containing personal data through the homepage of the controller.
Data controllers and processors may learn a lot from the decisions of the DPA. For example, the level of these fines may be indicative and the referred articles of the GDPR may be educational too. It is not enough to introduce rules and technology controls. Rather, corporate culture itself should facilitate the development of data processing. Meeting the GDPR's requirements is not merely a question of legal compliance and should not be limited to the modification of policies and statements, but requires a strategy harmonized at a company level.
Rita Parkanyi, Partner, and Adrienn Megyesi, Attorney at Law, KCG Partners
During the past few years, we have seen a clear improvement in the way the Romanian economic agents comply with data protection requirements. One of the reasons is, of course, the increase in the number of fines provided by the GDPR and applied by the Romanian data protection authority. Another reason is that the data subjects have become more aware of their rights, are filing more complaints with DPA, and even going to court to seek compensation.
However, things still do not look perfect. Full compliance frequently requires financial, HR, and logistic investments the economic agents are not always willing to make. For example, an important challenge for Romanian data controllers is to ensure the limited storage duration of personal data and to delete such data upon reaching the end of that duration. This often means that the existing IT infrastructure needs to be upgraded, with relatively high costs. On the other hand, there is a need for a dedicated workforce to ensure the management of the data which is already stored in the company paper files and IT systems and to decide, on a case-by-case basis, what needs to be destroyed/deleted, and when. Specific challenges originate from the way the backup data is differentiated and erased, since, according to GDPR rules, such backup storage also qualifies as “processing.”
This comes hand-in-hand with the matter of duly and timely addressing data subject rights-related requests. You cannot provide an adequate response to an access right request if you are unable to extract from your system and your files the precise data which is subject to processing, within the deadline set forth by the GDPR.
This being said, we must admit that we see in the market a positive dynamic towards compliance and hope that things will continue getting better. Data protection compliance is an ongoing process.
Roxana Ionescu, Partner and Head of Data Protection Practice, and Iurie Cojocaru, Managing Associate, NNDKP
Non-Russian companies conducting business via the Internet and collecting personal data from the territory of Russia, even those not located in Russia, must comply both with GDPR and Russian privacy laws. This means that they must notify the Russian supervisory authority about their intention to process personal data, publish an internal policy on personal data, appoint a DPO, localize the personal data of Russian citizens, etc.
Generally, Russian law requirements for personal data processing have much in common with the GDPR, although differences still exist; e.g., Russian law does not provide for any formal requirements as to a DPO’s qualifications or experience, does not envisage any obligation of a company to inform the authority about a data breach, etc. A major issue that has no analog in the GDPR is the personal data localization requirement, which means that the personal data of Russian citizens may be transmitted abroad only after it has been localized in a Russian database in the course of the recording, arrangement, accumulation, storage, rectification (renewal, alteration) and/or retrieval.
In practice, ensuring legal grounds for collecting and processing personal data, including cross-border transfer (e.g., an agreement or a consent) is usually a high priority for companies, as certain violations may result in significant fines (for example, non-compliance with localization requirements may entail fines up to USD 240,000). However, to be totally compliant, a company must develop and adopt dozens of internal documents (policies, by-laws, etc.). In the absence of significant risks arising from minor instances of non-compliance, some of them find it more appropriate to apply a risk-based approach.
Alexey Nikitin, Specialist Partner, and Vera Zotova, Associate, Borenius Russia
The Serbian Data Protection Act became applicable as of August 21, 2019, but no formal government or private NGO research has been made on this subject.
The material issue here is awareness -- or rather a lack thereof, both in the private and government sector, from both legal and private entities, due to a complete lack of education on the matter across all institutions.
Unfortunately, there is no awareness that personal data is important and as such should be protected, nor that personal data has a value that can be frequently expressed in money. The habit of reading privacy policies on websites, or asking sellers why we must receive so many notifications and offers by email, or asking the employer about the processing of data or their cookies policies, simply does not exist.
Serbian banks commonly use existing templates, made by their foreign parent banks, and hotels commonly only consider the privacy of foreign guests, who as such possess a very high level of awareness on the issues of data protection and the importance of personal data. Unfortunately, there is a general sense that the compliance procedure should be approached only when it is a stumbling block to establishing cooperation with a foreign company that deems proper GDPR compliance as of high importance. Therefore, the general public must be educated as well.
Furthermore, even though the Serbian Data Protection Commissioner does supervise the implementation of the Act, he is unable to formally act or prevent breaches that occur, which further suppresses the importance of this area.
To conclude, as there is obviously no awareness of the importance of data protection in the general public, whose privacy is the subject of protection under the Act, it is also not important to the economic agents in Serbia.
Katarina Zivkovic, Head of Data Protection Department, SOG / Samardzic, Oreski & Grbovic
Five years have passed since the enactment of the Turkish Personal Data Protection Law and it is still hard to say that most of the economic agents have fully completed their adaptation and compliance process. The Turkish Data Protection Authority continues to impose administrative fines against legal entities for not fulfilling their obligations arising out of Turkish data protection legislation. Recently the DPA has also, once again, postponed the deadline for registering with the Data Controllers Registry (VERBIS), this time until December 31, 2021, which reflects the lack of preparedness of many economic agents. The misperception that VERBIS registration is equal to full compliance under Turkish data protection legislation also still continues.
Currently, certain gaps in Turkish data protection legislation create challenges for economic agents in certain matters, particularly in terms of cross-border transfers. As Turkey is not within the jurisdiction of the GDPR and the Turkish Data Protection Board has not yet announced the countries with an adequate level of protection for transfers, it is currently very challenging for economic agents to transfer personal data abroad, as they would have to go through certain procedural steps such as undertakings or consent to lawfully transfer data abroad. Currently, the most challenging processes regulated under the Turkish data protection legislation prove to be the cross-border transfer of personal data and VERBIS registration for economic agents.
To be able to address some of these challenges, the Turkish government has recently announced that steps will be taken to align Turkish data protection law, which is mainly based on Directive 95/46/EC, with the GDPR.
Gonenc Gurkaynak, Partner, and Ceren Yildiz, Partner, ELIG Gurkaynak