General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) radically changes the way businesses and organizations collect, process and manage personal data of any kind. The GDPR determines in which cases our personal data may be used, stored, deleted, transferred and generally processed and, above all, how we may protect it. The GDPR affects every organization and company in Europe that manages personal data in any way, but also every company that trades in the territory of the European Union. The rules are complicated and the fines for non-compliance are very strict and can reach up to 20 million euros. What will be the main changes that will apply: Protecting children's rights: The social media landscape is changing. Under the new regulation, the use of social media is prohibited for children up to 16 years of age, only with the consent of the parents. In Greece, the age of digital consent has been set at 15 years. Right to forget: The user has the right to request the deletion of his data and the editor is obliged to immediately delete them and, if he has published them, to inform all others who have republished them that their deletion has been requested. Right to information and access to data: The citizen has more and clearer information when collecting his data for their processing and the right to access it. Right of correction: The user has the right to demand from the editor in charge the correction of inaccurate data as well as the completion of incomplete data concerning him. Right to object to the processing: The citizen has the right to object to the processing of his data under certain conditions, especially in the case of "profile" training or for direct commercial purposes.

Personal data is information about an identified or identifiable living person. Different information which, if gathered together, can lead to the identification of a particular person, is also personal data.

The GDPR protects personal data regardless of the technology used to process it. It is technologically neutral and applies to both automated and manual processing. It also doesn’t matter how the data is stored – in an information technology system, via video surveillance or in print. In all cases, personal data is subject to the protection requirements provided by the GDPR.

Typical examples of personal data are:

name and surname
email address, e.g. first name
card ID number
location data (eg mobile data location function)
Internet Protocol (IP) address
cookie ID
your phone’s ad ID
data stored by hospital or physician.

Personal data that are considered “sensitive” and subject to specific processing requirements are:

personal data revealing racial or ethnic origin, political views, religious or philosophical beliefs
participation in a trade union organization
genetic data, biometric data that are processed exclusively for the identification of an individual
health data
data on a person’s sex life or sexual orientation.
The general rule is that data processing of the above categories is prohibited. However, there are some exceptions to which a company or organization may be able to process sensitive personal data when, for example:

you have given your express consent
there is a law governing a specific type of data processing for a specific purpose concerning the public interest or public health
A law that includes adequate guarantees provides for the processing of sensitive personal data in areas such as public health, employment and social protection.

The term “processing” covers a wide range of operations performed on personal data. It includes the collection, registration, organization, structure, storage, adaptation or modification, retrieval, retrieval of information, use, notification by transmission, dissemination or any other form of disposal, correlation or combination, restriction, deletion or destruction of personal data.

What does the right to “data portability” mean?

The implementation of the GDPR does not allow a person’s data to be “insured” in a company or service provider and the user will be able to receive his personal data and transfer it where he wishes.

To whom is the data protection law applicable?

The GDPR applies:

a) to any company or entity that processes personal data in the context of the activities of one of its EU-based branches, regardless of where the data is processed or

b) to any company based outside the EU and offering goods / services (for a fee or free of charge) or monitoring the behavior of individuals in the EU.

With the implementation of the GDPR, users have the right to receive clear and understandable information not only about who is processing their personal data but also why. They can ask all companies to have access to themselves and learn what exactly the companies keep about them and also demand that they be deleted from the company’s databases. In addition to technology companies, this also applies to banks, retailers and any company or organization that maintains personal data, including the employer.

As the regulation stipulates, the right of access should be easily exercised and provided in a “reasonable time”. The company or organization should provide a copy of your personal data free of charge. Any additional copies may be subject to reasonable charges. When the request is made by electronic means (eg via email) the information must be provided in electronic form, unless otherwise stated.

This right is not absolute: the use of the right of access to your personal data should not affect the rights and freedoms of others, such as professional secrecy or intellectual property rights.

The regulatory authority in Greece is the Authority for the Protection of Personal Data, which functions as a constitutionally guaranteed independent Authority. Administrative audits, as well as the review of relevant complaints, appeals and inquiries into law enforcement and the protection of applicants’ rights when they are affected by the processing of data, are among the Authority’s audit responsibilities.

© All Rights Reserved 2020

© All Rights Reserved 2020