Personal data is information about an identified or identifiable living person. Different information which, if gathered together, can lead to the identification of a particular person, is also personal data.
The GDPR protects personal data regardless of the technology used to process it. It is technologically neutral and applies to both automated and manual processing. It also doesn’t matter how the data is stored – in an information technology system, via video surveillance or in print. In all cases, personal data is subject to the protection requirements provided by the GDPR.
Typical examples of personal data are:
name and surname
email address, e.g. first name
identity card number
location data (e.g. the location data function on a mobile phone)
Internet Protocol (IP) address
your phone’s ad ID
data held by a hospital or physician.
Personal data that are considered “sensitive” and subject to specific processing requirements are:
personal data revealing racial or ethnic origin, political views, religious or philosophical beliefs
participation in a trade union organization
genetic data, biometric data that are processed exclusively for the identification of an individual
data on a person’s sex life or sexual orientation.
The general rule is that processing of the above categories of data is prohibited. However, there are some exceptions under which a company or organization may be able to process sensitive personal data when, for example:
you have given your express consent
there is a law governing a specific type of data processing for a specific purpose concerning the public interest or public health
a law that includes adequate guarantees provides for the processing of sensitive personal data in areas such as public health, employment and social protection.
The term “processing” covers a wide range of operations performed on personal data. It includes the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.
What does the right to “data portability” mean?
Under the GDPR, a person’s data cannot be “locked in” with a company or service provider: the user is able to receive their personal data and transfer it wherever they wish.
To whom is the data protection law applicable?
The GDPR applies:
a) to any company or entity that processes personal data in the context of the activities of one of its EU-based branches, regardless of where the data is processed or
b) to any company based outside the EU and offering goods / services (for a fee or free of charge) or monitoring the behavior of individuals in the EU.
With the implementation of the GDPR, users have the right to receive clear and understandable information not only about who is processing their personal data but also why. They can ask any company for access to their data, learn exactly what the company holds about them, and demand that it be deleted from the company’s databases. In addition to technology companies, this also applies to banks, retailers and any company or organization that maintains personal data, including the employer.
As the regulation stipulates, the right of access should be easy to exercise and the data should be provided within a “reasonable time”. The company or organization should provide a copy of your personal data free of charge. Any additional copies may be subject to reasonable charges. When the request is made by electronic means (e.g. via email), the information must be provided in electronic form, unless otherwise stated.
This right is not absolute: the use of the right of access to your personal data should not affect the rights and freedoms of others, such as professional secrecy or intellectual property rights.
The regulatory authority in Greece is the Authority for the Protection of Personal Data, which functions as a constitutionally guaranteed independent Authority. The Authority’s audit responsibilities include administrative audits and the review of complaints, appeals and inquiries concerning the enforcement of the law and the protection of applicants’ rights when these are affected by the processing of data.