The “arsenal” of GDPR. What are our rights?

Originally published: www.huffingtonpost.gr (in Greek)
Date: 24/07/2019

Aimilios Koronaios
Attorney at Law
LL.M. (Aberdeen), LL.M. (Athens)

The frequent violation of personal data legislation in Greece is still, unfortunately, an unpleasant reality. It occurs, inter alia, when:

– A debt collection company is persistently calling on a mobile phone, without disclosing its exact details or where it found the phone number;

– An email address receives promotional emails from companies with which the recipient has no relationship.

– Messages (sms) from politicians unknown to the recipient are sent during the pre-election period.

– Someone takes pictures of people, without permission, and publishes their photo on the internet.

– A neighbor installs a camera that records the entrance of a neighbouring apartment building.

– An employer unjustifiably monitors employees in their workplace by electronic means.

These are situations in which those affected continue to feel helpless, resulting in failure to take action. But are they now really weak to react?

The answer lies in four letters: GDPR. This is the General Data Protection Regulation, which came into force about a year ago. The GDPR raises personal data protection to a new, unprecedented level. It brings a revolution in the rights of personal data subjects. Despite its widespread promotion in Greece, many still ignore the “arsenal” provided by both GDPR and the already existing Law 3471/2006 for the protection of personal data in electronic communications. But knowledge is power. The person concerned has strong means of defense against such incidents and should be aware of them.

The GDPR provides, inter alia, for the following fundamental rights, which are exercised subject to terms and conditions upon request. The latter must be processed compulsorily and as a rule free of charge by the person responsible for breaches of personal data legislation within one month of their submission. These are:

a) The right of access. The person concerned has the right to know if his/her personal data are being processed. If so, he/she has the right to access his/her personal data and information such as the purposes of the processing, the recipients of the personal data, the period of their storage, their origin.

b) The right of correction. The person concerned has the right to request the correction of inaccurate personal data and the completion of incomplete personal data.

c) The right to object. The person concerned has the right to object to the processing of his/her personal data, in order to stop the processing thereof.

d) The right to restrict processing. The person concerned has the right to request a restriction of the processing of his/her personal data.

e) The right of deletion. The person concerned has the right to request the deletion of his/her personal data.

The GDPR also provides for the possibility of filing a complaint with the national Data Protection Authority (DPA). For its submission, useful instructions are provided on the website of the Greek Data Protection Authority (dpa.gr). Its examination may lead to the imposition of very high fines against the offender. It is recalled that the largest fine provided by the GDPR is 20,000,000 euros or 4% of a company’s annual turnover, depending on which amount is higher. Finally, an additional means of defense is the possibility of initiating proceedings before civil and criminal courts. This is because the illegal processing of personal data creates civil and criminal liability under certain conditions.

Against such a frequent violation of the right to protection of personal data, there is a real possibility of defense. The means are available; the will to activate them is enough.