GDPR and Law
The General Data Protection Regulation (2016/679) (GDPR) is the European Union law that replaces the previous data protection legislation across the EU.
GDPR and Law – What You Need to Know
- The General Data Protection Regulation (GDPR) of the European Union protects the fundamental rights and freedoms of natural persons.
- The new Regulation 2016/679 has been in effect since May 25, 2018, in all European countries without the need for corresponding national legislation.
- It is designed to allow individuals to have greater control over their personal data and to impose new obligations on organizations that collect, manage, or analyze such data. Therefore, all entities in Europe are required to adopt a comprehensive process of implementing the regulation, resulting in a positive declaration of compliance.
For Greece, the competent supervisory authority is the “Hellenic Data Protection Authority” (HDPA).
Key Definitions (Article 4)
“Processing”: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Controller”: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
“Processor”: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
“Filing System”: Any structured set of personal data which is accessible according to specific criteria, whether centralized, decentralized, or dispersed on a functional or geographical basis.
Personal Data:
Personal data is any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
What are sensitive personal data?
Organizations and companies providing health and social support services, as well as all healthcare professionals, have increased obligations under the Regulation. Sensitive personal data are defined as data concerning:
- Medical history (diagnoses, prescriptions, referrals, medical reports, results of laboratory and imaging tests),
- Racial or ethnic origin,
- Political opinions and religious beliefs,
- Information related to sexual life,
- Criminal charges or convictions.
Right to Erasure
The right to erasure (or right to be forgotten) gives the data subject the ability to have their personal data deleted by the data controller, thereby stopping the further dissemination and possibly the processing of the data by third parties. Article 17 states that the data subject has the right to request the deletion of personal data concerning them without undue delay.
The data controller, upon receiving such a request, is obliged to delete the data without undue delay if one of the following conditions applies:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- The data subject withdraws consent on which the processing is based.
- The data subject objects to the processing.
- The personal data have been unlawfully processed.
- The personal data must be erased to comply with a legal obligation in Union or Member State law to which the data controller is subject.
- The personal data have been collected in relation to the offer of information society services.
Principles Governing the Processing of Personal Data
Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
Purpose Limitation: Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes is not considered incompatible with the initial purposes, in accordance with Article 89(1).
Data Minimization: Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy: Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, with regard to the purposes for which they are processed, are erased or rectified without delay.
Storage Limitation: Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods as long as the data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, in accordance with Article 89(1), and subject to the implementation of the appropriate technical and organizational measures required by the regulation to safeguard the rights and freedoms of the data subject.
Integrity and Confidentiality: Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
Accountability: The data controller is responsible for, and must be able to demonstrate, compliance with all these principles.
Why GDPR was created and what it changes in our daily lives
- It repeals, as outdated, the European Directive 95/46/EC.
- The GDPR represents an evolution of the existing EU data rules, the Data Protection Directive (DPD).
- It addresses many of the shortcomings of the DPD by adding requirements for documenting IT procedures, risk assessment under certain conditions, notification to consumers and authorities in the event of a breach, and strengthening rules for data minimization.
- One way to describe the GDPR is that it simply legislates many ideas regarding data security, minimizing the collection of personal data, deleting personal data that is no longer necessary, and restricting access to data.
- It now has extensive jurisdiction as it applies to ALL companies and organizations that process personal data.
- The terms for consent have been strengthened, and companies will no longer be able to use unreadable and jargon-filled terms and conditions, as the request for consent must be provided in an understandable and easily accessible form.
- A fine of up to 4% of the annual global turnover or up to 20 million euros (whichever is greater) can be imposed.
- It allows member states some leeway to specify their rules, including those concerning the processing of special categories of personal data (“sensitive data”).
Notification of Breach:
Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk to the rights and freedoms of individuals.” This must be done within 72 hours of becoming aware of the breach. Data processors will also be required to notify their customers and controllers “without undue delay” once they become aware of the data breach.
Right of Access:
As part of the expanded rights of individuals, they have the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Additionally, a free copy of the personal data must be provided in electronic form. This change marks a dramatic increase in data transparency.
Removal of Notification Obligation:
The previous general obligation to notify the supervisory authority of processing activities did not sufficiently contribute to improving the protection of personal data. General notification obligations of this kind, applied without differentiation, are therefore abolished and replaced with effective procedures and mechanisms that focus on the types of processing operations likely to result in a high risk to the rights and freedoms of individuals, such as those involving the use of new technologies.
Data Protection Officer (DPO) – Article 37:
The appointment of a DPO is necessary for the controller and the processor in every case where:
- The processing is carried out by a public authority or body, except for courts acting in their judicial capacity.
- The core activities of the controller or the processor consist of processing operations that require regular and systematic monitoring of data subjects on a large scale due to their nature, scope, and/or purposes.
- The core activities of the controller or the processor consist of large-scale processing of special categories of personal data, such as genetic or biometric data, health data, as well as data concerning criminal convictions and offenses.
The concept of “large-scale” activities includes hospitals, insurance companies, and pharmaceutical companies that may process a large amount of personal and sensitive data, such as patient health data.
Assignment & Obligations of the Data Protection Officer (DPO):
- Appointed based on professional qualifications, particularly expertise in data protection law and practices, and the ability to fulfill the duties.
- The appointment of the Data Protection Officer must be in writing.
- The Data Controller and the Processor must notify the supervisory authority of the name and contact details of the Data Protection Officer.
- The Data Protection Officer is bound by confidentiality obligations and must not disclose to any third party facts or information that came to their knowledge in the course of, or in connection with, performing their duties.
The Role of the Data Protection Officer (DPO):
- Primarily advisory and supportive.
- Acts as a communication link with the relevant authorities.
Taking into account the risk associated with processing operations, considering the nature, scope, context, and purposes of the processing, the Data Protection Officer must inform and advise the controller or processor regarding legislative requirements for data protection and monitor compliance with the Regulation to minimize the risk of breach. Article 38 of the GDPR states that the DPO reports to the highest management level, does not receive instructions regarding the performance of their duties, is not responsible for non-compliance of the controller/processor, and cannot be dismissed or penalized for performing their duties.
Duties of the Data Protection Officer (DPO):
- To inform and advise the Data Controller and employees who carry out processing of their obligations under the GDPR and other national or Union data protection provisions.
- To monitor compliance with data protection regulations and with the policies of the Data Controller, including the assignment of responsibilities, awareness-raising, and training of staff involved in processing operations and related audits.
- To provide advice, upon request, regarding data protection impact assessments and to monitor their performance.
- To cooperate with the Data Protection Authority.
- To act as a point of contact for the Authority on issues related to processing.
In any case, to ensure compliance with the requirements of this Regulation:
- The controller should only use processors providing sufficient guarantees, particularly in terms of expertise, reliability, and resources, for the implementation of technical and organizational measures meeting the requirements of this Regulation, including those related to processing security.
- Adherence to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the controller’s obligations.
- Processing by a processor should be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller, setting out the subject matter and duration of processing, the nature and purposes of processing, the type of personal data, and categories of data subjects.
Legal Context
The violation of personal data can, depending on the act, result in criminal sanctions under Articles 370 and 371 of the Criminal Code.
Clergy, lawyers and any type of legal representatives, notaries, doctors, midwives, nurses, pharmacists, and other professionals or practitioners, who are entrusted by individuals due to their profession or capacity with private secrets, as well as their assistants who reveal private secrets entrusted to them or learned due to their profession or capacity, are punished with imprisonment for up to one year or a fine. – Criminal Code Article 371, Paragraph 1.
The data protection authority has issued several guidelines on practices for the protection and destruction of personal data. – Directive for Secure Destruction of Personal Data 2005
Other European provisions addressing this issue include the “Treaty on European Union (Article 6),” the “European Convention on Human Rights (Article 8),” and the “Charter of Fundamental Rights of the European Union (Article 8).”
For more information, visit the website of the “Hellenic Data Protection Authority.”