The European Union’s General Data Protection Regulation is, according to the EU-hosted GDPR website, “the most important change in data privacy regulation in the past 20 years.” The Act, which was approved by the EU Parliament on April 14, 2016 and will become fully effective on May 25, 2018, was designed “to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organizations across the region approach data privacy.”
Are businesses in those CEE countries that are members of the EU, and are therefore bound to follow the GDPR’s requirements, ready? We asked Data Protection experts in the CEE/EU countries (and one outside the EU) to report on their clients’ readiness – and their own.
Alexander Kompein, Attorney at Law, Fellner Wratzfeld & Partners, Austria
According to our information, there are no official studies available on how many Austrian companies have prepared for the entry into force of the GDPR. In Germany about 12% of the companies have not even heard of the GDPR, [and] 32% have heard of it but have not taken any steps in preparation for the regulation’s entry into force yet. We assume that similar numbers may apply to Austrian companies. Our law firm has prepared company guidelines for compliance. Currently the Vienna Bar Association and the main Austrian law firm software developers are working on their own guidelines and compliance concepts. As soon as these guidelines and concepts are presented, we will add them to our latest company guideline draft. By May 2018, FWP will be compliant with the GDPR.
Stefana Tsekova, Partner, Schoenherr, Bulgaria
The companies’ launching pads are quite diverse: some are well aware of the upcoming changes and others are newcomers to this area of law. They mainly struggle with determining their data processing landscape, which is a prerequisite to properly determine compliance gaps that need to be at least mitigated, if not eliminated, before the GDPR comes into force. Another challenge is to implement the GDPR requirements for historically collected personal data, which is stored in various places and systems in both hard and soft copies. Other fields demanding action typically are improperly defined (or even missing) data processing agreements, consent declarations, and of course implementation of the new concepts of the GDPR. We at Schoenherr have created various tools to support the concrete needs of our clients and their businesses so they could reach a sufficient level of GDPR compliance by May 25, 2018.
Olena Manuilenko, Head of IP & TMT, Divjak Topic Bahtijarevic, Croatia
The first wave of public awareness about the GDPR hit Croatia in September 2017. Over the course of the past six months, we have witnessed numerous awareness-raising events organized by the national supervisory authority and other public-sector stakeholders as well as private-sector consultants. Our experience shows that multinational companies with local presence are more alert and diligent in terms of GDPR compliance. We assessed that the small and medium-sized business sector is not sufficiently informed and prepared for the GDPR. Moreover, a first draft of the national implementation statute has just been released for public consultations, which has already given rise to some heated discussions.
Drahomir Tomasuk, Counsel, Kocian Solc Balastik, Czech Republic
Many [Czech] companies just started to consider GDPR implications. Large scale companies, like banks and insurance companies, have been deep into the process from the very beginning (meaning 2015); they are better regulated, and way ahead of the market. Smaller companies say that they don’t see a clear national regulation or interpretation of the law, so they don’t know how to implement it. Others are seeing it as a burden right now. It is an ongoing process, and at the end of the day, I don’t think there will be a company with full compliance before May 25, 2018. Our firm started its compliance with a very detailed mapping of data processing. The seminars that we provided for our clients were quite beneficial for us too, especially in analyzing the gaps.
Tambet Toomela, Partner, Eversheds Sutherland Ots & Co, Estonia
The preparedness of our clients at the moment can be rated as medium. During the last year we have conducted many data protection assessments, where we have mapped all possible risks to our clients and given relevant recommendations. The follow-ups (e.g. GDPR compliance and privacy policy) to such assessments are mostly in process. Our firm is ready for the GDPR’s implementation.
Panagiotis Drakopoulos, Partner, Drakopoulos Law, Greece
The bigger companies – mainly banks, insurance, telecommunication companies, or the subsidiaries of multinationals – have started their compliance programs, but others are still hoping for an extension. Part of the problem is that there are very few private advisors in Greece on this matter; lawyers who are asked don’t have the specific knowledge they need. The so-called experts lack experience. They have just started to read about data privacy, and so even if they know the theory, they have no idea how to implement it in practice. I think that very few companies will be 100% ready by May. We are busy working on the implementation for our clients, but we’ve already put together a working group at our firm; we will have to run the implementation through all four of our offices, so it will take time, but we will fit in the deadline.
Janos Toth, Partner, Wolf Theiss, Hungary
We can distinguish two main groups of clients: regional and/or international businesses are not only well aware of the topic, but have also commenced their internal implementation and compliance programs. Smaller businesses, with less exposure to international trade relations and/or direct private customer contacts, have so far appeared hesitant to commence their internal evaluations and to consider running a proper compliance program. Nonetheless, we find them equally conscious of this topic, which is clearly the result of the recent tsunami of communication around the GDPR in all media. We at Wolf Theiss have been carefully following the developments around the GDPR since it appeared in the lawmaking. What we find most appealing and relevant to our clients is to combine our legal advice with competent IT and technological insight so that our clients receive custom-made and readily useable advice.
Sarmis Spilbergs, Head of Communications, Media, and Technology, Ellex Klavins, Latvia
I can’t say that everybody is ready at the moment, but as far as I can see, large international companies are mobilized and others also are attentive. We have a lot of requests for legal services to review [clients’] internal documents, to provide opinions on their compliance status, and to measure their implementation status. We also organize seminars and trainings – and I have to say, the classes are highly demanded and well-attended. Our goal is to raise awareness on the importance of the GDPR. To be honest, I cannot tell what the preparedness level of medium and smaller-sized enterprises is. They may not have prioritized it yet, as the Latvian Supervisory Authority has promised to “go easy” at the beginning. As far as our firm, we have internally assessed what we have to improve; we sat down with the marketing team and while we were creating a concept for our clients, we were also getting ready.
Raminta Stravinskaite, Acting Head of Data Protection, Glimstedt, Lithuania
At present, most of the companies are on standby because despite the fact that the General Data Protection Regulation takes effect on May 25, 2018, we may expect from the practical point of view that no issues dealing with its implementation will be addressed by the Lithuanian legislators and supervisory authorities before that date. Consequently, it may take a rather long time for the reform of European data protection legislation to be fully implemented in Lithuania. We have inventoried our hardware and software resources and the personal data processed by our law firm, and we now are taking all measures required to be taken for the implementation of the GDPR.
Przemyslaw Kozdoj, Partner, and Monika Gaczkowska, Associate, Wolf Theiss, Poland
GDPR implementation is being widely discussed among business circles in Poland. Large companies have already done extensive work to ensure the implementation of GDPR regulations before the new rules come into effect, but many companies are waiting until the last moment to prepare. One reason for this may be that ancillary local data protection rules have not been adopted yet. We have already completed an audit of data processing in Wolf Theiss Warsaw. On the basis of our audit, the partners are developing and amending our internal procedures. We want to make sure we are in compliance with both European and Polish rules when GDPR comes into force on May 25, 2018 so that we will be in the best position to help our clients do the same thing.
Mihai Buciuman, Managing Associate, Maravela | Asociatii, Romania
Romanian companies that have significant obligations and liability under the GDPR such as telecom operators, health service providers, and social media companies have started data privacy audits and gap analysis and are in various stages of implementation of updated policies, guidelines, etc. Among small and medium-sized enterprises the significance of the GDPR has not been fully understood and there has not been a tangible push towards compliance. This is exacerbated by the fact that Romania’s National Data Protection Authority has not so far proposed any legislation for the corroboration and detailing of the GDPR’s provisions in concordance to national law. Our firm’s data privacy department is performing a gap analysis on our law firm’s procedures and practices in order to review our data protection policies. Since the local authority has not so far proposed any legislation meant to modify the legislation governing law firms and attorney practices, it is rather unclear how the GDPR will be interpreted in light of attorney-client privilege, mandatory keeping of records of documents, etc.
Pavol Rak, Partner, Noerr, Slovakia
The Slovak Act on Personal Data Protection already imposes stricter requirements on data controllers and data processors and grants more rights to data subjects [than laws in other] EU countries. Therefore, the GDPR should theoretically not represent a dramatic change for Slovak companies. Yet many companies are nowadays fully occupied with the implementation into their internal processes. This is due to the fact that many companies have disregarded the data protection rules altogether and now have a hard time implementing these rules under the danger of high fines. Our law firm is ready for the GDPR, both on our internal level and on the level of advising our clients on timely implementation of the regulation.
Katarina Skrbec, Senior Associate, and Uros Ilic, Partner, ODI Law Firm, Slovenia
So far, Slovenia has not passed any act to adjust its own data protection law to the GDPR. It has, however, already published a draft bill, but with less than three months to go, considerable uncertainty remains among companies about how to prepare for May 25, 2018. Yet, most of the companies are already in the process of adapting their internal regulations and procedures to the new requirements with a goal to ensure a timely compliance of their business operations with the GDPR, and (once adopted) the new Slovene data protection legislation. In order to avoid uncertainty related to the delayed implementation, most of the companies have decided to engage external advisors. ODI Law GDPR experts regularly provide legal support to clients belonging to different sectors, in particular those for which the compliance with the new data protection regulation might represent a more arduous task than to others.
Goran Radosevic, Partner / independent attorney at law in cooperation with Karanovic & Nikolic, Serbia
Since Serbia is not an EU member state, the formal effect of GDPR on Serbian companies is limited to the boundaries of GDPR’s extraterritorial applicability – i.e., to cases when they are processing the personal data of individuals who are in the EU, in relation to the offering of goods and services to them or monitoring their behavior on EU territory. However, the GDPR is, in practice, also important for those Serbian companies which are: (a) engaged as data processors by EU entities (or other entities to which GDPR applies), since they will be contractually obliged to meet certain processing requirements, or (b) part of multinational companies which decided to implement GDPR standards to all their operations affiliates. Karanovic & Nikolic has been providing its clients with advice and assistance in all legal aspects of the GDPR’s implementation for some time now, and the volume of such requests is increasing significantly each day.
This Article was originally published in Issue 5.3 of the CEE Legal Matters Magazine.