On the 25th of May in 2018, the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, commonly known as GDPR, came into force and changed the existing legislative framework. During the last few years, technological development, the entry of the internet and social media into our daily lives and the advancement of commercial and advertising practices have caused a significant increase in the use and processing of personal data by various legal persons such as companies and enterprises. Following the enforcement of GDPR and the adoption of Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, EU member states were obliged to amend and implement their national legislation accordingly. Greece was the last to adopt a new law on the protection of personal data, and the European Commission decided to refer Greece to the Court of Justice of the EU for failing to transpose the EU rules on personal data protection on time. After that, in order to avoid administrative fines, the new Law No 4624/2019 was quickly published in October of 2019.
GDPR established a stronger and more coherent data protection framework with the aim of safeguarding and securing the principles and rules on the protection of natural persons with regard to the processing of their personal data by public authorities and private companies. The new legislation increased people's awareness of the protection of their personal information and of the importance of sharing it wisely. A balance had to be found between the rights and freedoms of natural persons to secure their personal data and the need to collect such data for the proper functioning of the internal market and the accomplishment of the public interest. Under the new provisions, public authorities and enterprises were forced to modify and reconsider their privacy policies and their purposes for collecting, storing and processing personal data. For the efficient enforcement of the provisions, extremely high administrative fines were stipulated for cases of infringement.
Moreover, the new legislation provided efficient means of controlling data processing both within the EU and nationally. On the one hand, natural persons, that is, the data subjects, are equipped with a set of rights under which they can allow, restrict or even prohibit the processing of their personal data, as well as its free movement, by providing or withdrawing their consent. They can also rectify, receive, obtain information about and gain access to the personal data that has been processed. In conjunction with that, personal data must be processed lawfully, fairly and transparently, so that data is collected and used only for specific legitimate purposes and only to the extent absolutely necessary.
On the other hand, in order to attain compliance with those principles, the legal entity responsible for defining and executing the data processing, that is, the data controller, is responsible for following a set of rules and taking certain measures. In particular, the data controller is obliged to implement technical and organizational measures (such as pseudonymisation and encryption) for the security of the data and the smooth operation of the processing. Moreover, the data controller should keep a record of all processing activities and respect the rights and freedoms of the data subjects. Where a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of the subjects, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. In case of a personal data breach, the data controller must inform the supervisory authority within 72 hours after having become aware of it. Similarly, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
It is common practice for the data processing to be carried out not only by the data controller, but also by a third party called the data processor, who is legally bound by a contract and operates on behalf of the data controller. As with the controller, the data processor must provide sufficient guarantees for the implementation of appropriate technical and organizational measures, in such a manner that processing will meet the requirements of the legislation and ensure the protection of the rights of the data subject. Additionally, in certain cases regulated by the legislation, the data controller and the data processor are obliged to designate a data protection officer, who is responsible for acting as a contact point for the supervisory authority, advising and informing the data controller and processor regarding the processing operations, and monitoring compliance with GDPR, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data. According to the provisions, a data protection officer must be designated when (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences.
Nowadays, a significant number of companies and legal entities have reformed their business policies and complied with the new legislative requirements. According to legal scholars and legal counsel, companies should revise their privacy policies and change the terms and conditions under which they operate, both in practice and through online services (such as webpages, newsletters, e-mails etc.). In the same spirit, companies must provide natural persons with the appropriate tools so that they are fully aware of the personal data that has been collected and processed and can provide their lawful consent. Employees of companies and enterprises who process and use personal data must sign confidentiality agreements. The company must also protect the personal data of its own employees. To that end, Article 27 of the Greek Law No 4624/2019 states that personal data of employees may be processed for the purposes of the employment contract, provided that it is absolutely necessary for the decision to conclude the contract and for the execution of such contract. Additionally, the processing of personal data through a closed-circuit surveillance system, whether publicly accessible or not, is only allowed if necessary for the protection of natural persons and goods. The data collected through such a system may not be used as a criterion for evaluating the performance of employees. Employees must be informed, either in writing or in electronic form, of the use of a surveillance system in the workplace.
The importance of decisive measures by legal entities for the protection of personal data is strongly reflected in the numerous complaints lodged by data subjects with the supervisory authorities and in the ruinous fines imposed on those companies that have not yet complied. Recently, the Hellenic Data Protection Authority imposed a fine of 150.00 euros on a company called PWC for the unlawful processing of personal data of its employees. More specifically, PWC requested the employees' consent to the processing of their personal data and to the use of a surveillance system in their workplace without taking any appropriate security measures for the protection of their personal data and without restricting the processing to the extent necessary for the purposes of the company. Similarly, the Hellenic Data Protection Authority imposed a fine of 20.000 euros on a company named WIND, this time for unlawful and unsolicited promotional phone calls. In particular, the client lodged a complaint with the Authority stating that, despite exercising his right to be forgotten and requesting that the company stop such calls, the company repeatedly called him to promote its products. At a global and EU level, big companies such as Google, British Airways, Facebook etc. have suffered severe fines for data breaches and infringements of the GDPR. As the data protection authorities seem determined to enforce the legislation and natural persons become more and more cautious about their personal data, the need for companies and public authorities to ensure their compliance and keep up with the latest legislative changes has become more prominent than ever.
About the Author:
Anna Sfetsiou is a Greek lawyer registered with the Bar Association of Athens, specializing in IP Law. In 2018 she graduated with honors from the Democritus University of Thrace Law School. Subsequently, in 2019 she obtained an LL.M in European Intellectual Property Law from Stockholm University. She has been actively writing articles with a focus on Intellectual Property law, GDPR legislation and commercial law in general. Nowadays, she is working as a lawyer at HLaw Legal Services.