The General Data Protection Regulation (GDPR) radically changes the way businesses and organizations collect, process, and manage personal data of any form. The GDPR defines under which circumstances personal data can be used, stored, deleted, transferred, and processed, and most importantly, how we can protect it. The GDPR affects every organization and company in Europe that handles personal data in any way, as well as any company that conducts transactions within the European Union. The rules are complex, and the fines for non-compliance are severe, with penalties reaching up to 20 million euros.
Key changes under the GDPR include:
Protection of children’s rights: The landscape on social media changes. According to the new regulation, the use of social media by children under 16 years old is prohibited unless consent is given by parents. In Greece, the digital consent age is defined as 15 years.
Right to be forgotten: Users have the right to request the erasure of their data, and data controllers are obligated to promptly delete them. If the data has been disclosed, the data controller must inform all other parties who have republished the data that its erasure has been requested.
Right to information and access to data: Citizens have more comprehensive and clearer information during the collection of their data for processing and the right to access this data.
Right to rectification: Users have the right to demand the correction of inaccurate data and the completion of incomplete data concerning them.
Right to object to processing: Citizens have the right to object to the processing of their data under specific conditions, especially when profiling is involved or for direct marketing purposes.
The full text of the GDPR in Greek can be found in the official journal of the European Union here.
Frequently Asked Questions
What are personal data?
Personal data refers to information concerning an identified or identifiable living individual. Different pieces of information, if gathered together, can lead to the identification of a specific person, and therefore, they also qualify as personal data.
The GDPR protects personal data regardless of the technology used for processing it. It is technologically neutral and applies to both automated and manual processing. Moreover, the way data is stored, whether in an information technology system, through video surveillance, or in paper form, does not matter. In all cases, personal data is subject to the protection requirements outlined in the GDPR.
Examples of personal data include:
- Name and surname
- Residential address
- Email address, e.g., name.surname@company.com
- Identification card number
- Location data (e.g., geolocation data on a mobile phone)
- Internet Protocol (IP) address
- Cookie identifier
- Advertising identifier of your phone
- Data stored by a hospital or doctor.
Which personal data are considered sensitive?
Sensitive personal data subject to specific processing conditions includes:
- Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs
- Membership in a trade union
- Genetic data, biometric data processed solely for the purpose of identifying an individual
- Data concerning health
- Data concerning an individual’s sex life or sexual orientation.
The general rule is that the processing of data from the above categories is prohibited. However, there are certain exceptions where a company or organization may potentially process sensitive personal data when, for example:
- Explicit consent has been given by the individual
- There is a law governing a specific type of data processing for a particular purpose related to public interest or public health
- A law that includes adequate safeguards provides for the processing of sensitive personal data in areas such as public health, employment, and social protection.
What constitutes data processing?
The term “processing” covers a wide range of actions carried out on personal data. It includes the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or any other form of making available, alignment or combination, restriction, erasure, or destruction of personal data.
What does the “right to data portability” mean?
With the implementation of the GDPR, individuals have the right to receive their personal data from a company or service provider and transfer it to another location of their choice. This allows users to take their personal data and move it where they wish.
Who does the data protection legislation apply to?
The GDPR applies to:
a) Any company or entity that processes personal data within the activities of one of its establishments located in the EU, regardless of where the data processing takes place, or
b) Any company that is based outside the EU but offers goods/services (paid or for free) or monitors the behavior of individuals within the EU.
What are the rights of users?
With the implementation of the GDPR, users have the right to receive clear and understandable information not only about who is processing their personal data but also about the reasons for the processing. They can request access to and learn which specific data companies hold about them and can demand the deletion of their data from companies’ databases. This applies not only to technology companies but also to banks, retail stores, and any company or organization that holds personal data, including employers.
How can I access my personal data held by a company/organization?
As defined by the regulation, the right to access should be easily exercisable and provided within a “reasonable timeframe.” The company or organization should provide a copy of your personal data free of charge. Any additional copies may be subject to reasonable fees. When the request is made electronically (e.g., via email), the information should be provided in electronic form unless you specify otherwise.
However, this right is not absolute: the use of the right to access your personal data should not affect the rights and freedoms of others, such as trade secrets or intellectual property rights.
What is the competent regulatory authority in Greece?
The competent regulatory authority in Greece is the Hellenic Data Protection Authority (HDPA), which operates as a constitutionally established independent authority. Its auditing powers include conducting administrative checks and examining complaints, appeals, and inquiries concerning the application of the law and the protection of data subjects’ rights where they are affected by data processing.