• The European Union’s General Data Protection Regulation (GDPR) protects the fundamental rights and freedoms of individuals.
• The new Regulation 2016/679 has been enforced since May 25 2018 in all European countries, without needing to adopt a corresponding national law.
• It is designed to allow individuals to have more control over their personal data and to impose new obligations on organizations that collect, manage or analyze such data. Therefore, a comprehensive process of adopting regulations that result in a positive declaration of compliance is required by all bodies in Europe.
• In Greece, the qualified supervisory authority is the PERSONAL DATA PROTECTION AUTHORITY.

Personal data:

Is any information concerning an identified or identifiable natural person (‘data subject’); the identifiable natural person is one whose identity can be ascertained, directly or indirectly, in particular by reference to an identifier such as a name, to an identity number, location data, online ID or one or more factors that characterize the physical, physiological, genetic, psychological, economic, cultural or social identity of the individual in question.

What is sensitive personal data?

Organizations and companies providing health and social support services, as well as all health professionals, have increased obligations from the implementation of the Regulation. Sensitive personal data, are the data related to

• Medical history (Diagnoses, prescriptions, references, opinions, laboratory and imaging results)
• racial or ethnic origin,
• political beliefs and religious beliefs
• information on sex life
• Criminal prosecutions and convictions.

Basic definitions (Article 4)

“Processing”: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

“Processor”: means the natural or legal person, public authority, service or other body that, alone or in conjunction with others, determines the purposes and manner of processing personal data; when its purposes and manner its processing is determined by Union law or the law of a Member State; the controller or the specific criteria for his appointment may be provided for by Union law or the law of a Member State;

“Controller””: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

“Filing system”: means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

Principles governing the processing of personal data “Personal data”:

• undergo lawful and fair processing in a transparent manner with respect to the data subject (‘legality, objectivity and transparency’)
• are collected for specified, express and legitimate purposes and are not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest or for scientific or historical research or statistical purposes shall not be considered incompatible with the original Article 89 (1) (‘Limitation of purpose’)
• are appropriate, relevant and limited to what is necessary for the purposes for which they are processed (‘data minimization’)
• they are accurate and, where necessary, updated; all reasonable measures should be taken to immediately delete or correct personal data which are inaccurate with regard to the purposes of the processing (‘accuracy’);
• are kept in a format that allows the data subjects to be identified only for the time required for the processing of personal data; personal data may be stored for longer periods, as long as the personal data will be processed only for the purposes of filing in the public interest, for the purposes of scientific or historical research or for statistical purposes, in accordance with Article 89 (1) and where applicable inappropriate technical and organizational measures required by this Regulation to safeguard the data subject’s rights and freedoms (‘limitation of storage period’),
• are processed in a manner that guarantees the appropriate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’) .
• The processor shall be responsible and able to demonstrate compliance with paragraph 1 (“accountability”).

According to the right to erasure (‘right to be forgotten’) the data subject shall have the right to obtain the erasure of personal data concerning him or her from the controller without undue delay and the controller shall have the obligation to erase personal data without undue delay (Article 17).

Upon request, the Controller shall delete data without undue delay if one of the following reasons applies:

• personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
• the data subject withdraws consent on which the processing is based
• the data subject objects to the processing
• personal data have been unlawfully processed
• personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject
• personal data have been collected in relation to the offer of information society services

Violation of personal data may, where appropriate, result in penal penalties under Articles 370 and 371.

Clerics, lawyers and all kinds of legal counsel, notaries, doctors, midwifes, nurses, pharmacists and others in whom people usually trust private information because of their profession or their status and the assistants of such persons, are punishable by fine or imprisonment up to one year if they reveal private information which they have been trusted with or learned due to their profession or status. Penal code, article 371, paragraph 1 –

Note: unofficial translation

-Penal Law The data protection authority has issued several guidelines on the practices for the protection and destruction of personal data. – Safe Data Protection Directive 2005” Other European provisions dealing with the subject are the “Treaty on European Union (Article 6), the” European Convention on Human Rights (Article 8) “and the” Charter of Fundamental Rights of the European Union (Article 8) “. For more information visit the website of the “Greek Data Protection Authority”