Media Law International ®


Copyright © Media Law International 2018. All Rights Reserved.

Specialist Guide to the

Global Leaders in Media Law Practice

Similarly, businesses will have to ensure that consent notices and relevant documentation are examined closely and adapted to the new framework to ensure compliance with the tightened consent conditions.

Key Points


The Regulation will affect organisations that process data of EU citizens, including employers, etc. The Regulation will not only apply to controllers or processors established in the EU, but will also apply to those based outside the EU that offer goods or services to data subjects in the EU or monitor the behaviour of data subjects in the EU.

Principles Relating to Processing of Personal Data

The Regulation lays down the principles applicable to the processing of personal data, namely lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality and accountability. By way of example, personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation).

Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation) and must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (storage limitation).

Data Subjects’ Rights

Data subjects’ rights are enhanced and new rights are established. Individuals have, inter alia, the right to access their personal data, rectify inaccuracies, object to the processing of personal data for direct marketing purposes, but they also have the right to be “forgotten”, the right to restrict processing and the right to data portability.


With respect to obtaining valid consent of the data subject, consent must be freely given, specific, informed and unambiguous. The request for consent shall be presented in a manner that is clearly distinguishable from other matters. The consent may not be considered as freely given when the supply of services is made contingent on consent to the processing of personal data that is not necessary for the performance of a contract. Data subjects can withdraw their consent at any time.


The Regulation imposes direct responsibilities on processors, inter alia, an obligation to appoint a Data Protection Officer in certain cases, maintain processing records and notify the controller in the case of a data breach. Contracts between processors and controllers will have to contain minimum provisions specified by the Regulation.

Privacy Notices

The Regulation requires extensive information to be included in the privacy notices. The information has to be provided in a concise, intelligible and easily accessible form.

Data Breach Notification Obligation

Data breaches should be notified, under certain circumstances, to the Data Protection Authority within 72 hours and/or to the affected individuals without undue delay.

Record Keeping

Businesses will have to keep records of data processing, except for businesses employing fewer than 250 employees (unless their processing activities are risky, frequent or include sensitive personal data/special categories of data).

Data Protection Officers (DPOs)

Data controllers and data processors will have to appoint a Data Protection Officer, inter alia, when their core activities consist of processing which requires regular and systematic monitoring of data subjects on a large scale or when the core activities consist of processing on a large scale of special categories of data. The DPO will monitor internal compliance with the Regulation. The DPO shall be independent and have expert knowledge of data protection law.


Data protection authorities may impose heavy non-compliance penalties of up to EUR 20 Million, or in the case of an undertaking, up to 4 per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher. Supervisory authorities will also have investigating and auditing powers. Individuals will have the right to ask for compensation both for material and non-material damage.

This Briefing contains information about the GDPR and is for general guidance only. It does not constitute legal advice that can be relied upon by recipients and should not be treated as such. This Briefing is not intended to cover all aspects of the GDPR. The implementation of the GDPR is highly fact-specific. For legal advice regarding your specific circumstances, please contact:

Eleni Tsoukala, Managing Partner  

Tsoukala & Partners Law Firm

7 Solonos Street, 10671 Athens, Greece

Tel.   +30 (210) 3614340

E-mail: eleni.tsoukala@stlawfim.gr

The New EU General Data Protection Regulation: A Briefing

Written by Ioanna Moumtzoglou and Athanasia Chra,

Tsoukala & Partners Law Firm

The General Data Protection Regulation (GDPR) will take effect on 25 May 2018 and will be directly applicable in all EU Member States. The Regulation intends to strengthen individuals’ rights to protection of personal data by laying down a single set of rules for processing personal data, establishing methods for compliance and the scope of sanctions for those in breach of the rules. Businesses are called on to understand their new obligations under the GDPR and update their compliance programs accordingly.




Athanasia Chra forms part of the corporate, commercial and tax teams. She advises clients on corporate governance rules, commercial agreements and M&A transactions. Ms Chra has considerable experience in cross-border tax planning and advice, including intra-group transactions, corporate taxation, taxation of dividends, capital gains taxes, real estate taxes, etc. She is also active in banking and finance, assisting in several cases of corporate financing, securitisation and debt restructuring. Ms Chra also has in-depth experience advising clients in the TMT sector on regulatory issues, fin-tech legislation and data protection. Prior to joining the firm, she worked at the DG Justice of the European Commission dealing with cross-border insolvency and pre-bankruptcy procedures and at a Big 4 Consulting Firm advising on EU civil and commercial law.


Ioanna Moumtzoglou forms part of the corporate, commercial and banking and finance teams. Within the aforementioned areas, she also provides extensive tax advice with a particular focus on cross-border structuring matters. Ms Moumtzoglou has in-depth experience advising major domestic and international corporations, banks and financial services companies on banking and finance transactions, private equity transactions and real estate and hotel transactions. Her extensive expertise in the corporate/commercial sector spans all types of transactions including M&A and due diligence, private equity and joint ventures. Ms Moumtzoglou's banking and finance experience covers both debt and equity capital markets, all types of facility agreements and bond issuances covering all industry sectors (such as hotel and real estate, foods and beverages, energy and financial services). She is also highly experienced in advising clients in the TMT industry on finance, fin-tech legislation and data protection and privacy laws (including the GDPR). Prior to joining the firm, Ms Moumtzoglou worked at other reputable Greek law firms and at Leigh Day & Co Solicitors, a reputable UK law firm, as well as in international organisations, including the United Nations Development Programme (UNDP).