The European Commission decided to refer Greece and Spain to the Court of Justice of the EU for failing to make the EU rules on personal data protection into a law (the Data Protection Law Enforcement Directive, Directive (EU) 2016/680). In April 2016, the Council and the European Parliament agreed the Directive had to be transposed into national law by 6 May 2018.
Regarding Greece, the Commission is calling on the Court of Justice of the EU to impose financial sanctions in the form of a lump sum of € 5,287.50per day between the day after the deadline for transposition set out by the Directive expired and either compliance by Greece or the date of delivery of the judgment under Article 260(3) TFEU,with a minimum lump sum of € 1,310,000 and a daily penalty payment of € 22.169,70 from the day of the first judgment until full compliance or until the second Court judgment.
As for Spain, the Commission is calling on the Court to impose a financial sanction in the form of a lump sum of € 21,321 per day between the day after the deadline for transposition set out by the Directive expired and either compliance by Spain or the date of delivery of the judgment under article 260(3) of TFEU, with a minimum lump sum of € 5,290 000 and a daily penalty payment of € 89,548.20 from the day of the first judgement until full compliance or until the second Court judgment.
The protection of personal data is a fundamental right enshrined in the Charter of Fundamental Rights of the EU. The aim of the Directive is ensure a high level of protection of personal data while facilitating exchanges of personal data between national law enforcement authorities
the European Commission said.
It added that the lack of transposition by Spain and Greece creates a different level of protection of peoples’ rights and freedoms and hampers data exchanges between Greece and Spain on one side and other Member States who transposed the Directive on the other side.
As a result, the Commission opened the infringement proceedings by sending a letter of formal notice to national authorities of the Member States concerned in July 2018 and the respective reasoned opinions – in January 2019. Until now, Greece and Spain have not notified the Commission on the adoption of the national measures necessary in order to transpose the Directive.
In an effort to eliminate cyber risks and set the principal for transparent use of personal data, the EU adopted in 2016 the General Data Protection Regulation (GDPR) which from the 25th of May 2018 onwards will be directly applicable to all EU Member States.
The regulation requires all organizations providing services or handling data related to EU citizens, to comply with it, even if the organizations are not located in EU. The way in which a business manages a data breach has a direct impact on the final cost.
This will become even more the case under the GDPR. Reputational damage is irrevocably linked if the response to a cyber incident is inadequate. Therefore, shipping companies need to be aware of the new rules as well, and establish procedures to ensure proper compliance.
