Collection of Personal Data – 9/2021
Originally published: newspaper “Estia” (in Greek)
Date: 14/05/2021
Aimilios Koronaios
Attorney at Law
LL.M. (Aberdeen), LL.M. (Athens)
HCCD – “Investment” scams
A case was filed by the Hellenic of Cyber Crime Division (HCCD) against three people for fraud under the pretext of providing investment services. 11 cases were investigated with the illegal property benefit amounting to 460,000 euros. The perpetrators had set up a company to provide marketing consulting services, without having obtained a special license to provide investment services. They approached their victims by phone and e-mail, where they pretended specialized investment advisers, who allegedly represented a foreign brokerage firm. After gaining the trust of their victims, they extracted money from them for investments with high rates of return. But then, the money… disappeared.
Cyprus – COVID-19 Certificates
Demonstration of vaccination certificates, negative rapid test, PCR test and recovery from COVID-19 occupied the Office of the Personal Data Protection Commissioner of Cyprus. According to his announcement, these certificates contain health data, which should enjoy increased protection. Employees who are required to hold a negative rapid test or PCR test do not have to present or display them to their employer, informing them only of the result. The same applies to the vaccination, where the employer is informed, without the obligation to present the certificate.
Malta – COVID-19 Vaccinations I
Guidelines for the collection of personal data of employees by their employers regarding the vaccination of the former against COVID-19 were issued by the Data Protection Authority of Malta. As noted, information on whether an employee has been vaccinated is a health data, i.e. a specific category of data that enjoys enhanced protection. The collection of such data requires a prior specific assessment of the impact it may have on the employee, in order to ensure that the protective framework for personal data is complied with. The processing of vaccination status information must not lead to unfair discrimination against the worker. If this happens, then data collection is illegal and prohibited.
Norway – International transfers
A pay toll company will pay a lot regarding its decision to illegally transfer to China personal data of Norwegian drivers. The data were transfered to an external partner of the company in the Far East for a long time during its operation, without any relevant measures being taken to ensure adequate protection of personal data in the importing country, such as the conclusion of a special contract between the parties. Due to these shortcomings, it was decided to impose a fine of approximately 500,000 euros. It is noted that, according to the General Data Protection Regulation (GDPR), the transfer of personal data to a recipient located outside the European Economic Area can only take place under certain conditions.
Czech Republic – Lack of cooperation
The Czech Data Protection Authority imposed a fine of approximately € 3,800 on a television station for non-cooperation during an audit. Furthermore, it was found that the privacy policy posted on the broadcaster’s website was not complete, up-to-date and easily accessible. It is recalled that, according to the GDPR, the degree of cooperation with the supervisory authority during the audit is a criterion that is taken into account for the imposition and the amount of any administrative fine. Also, the respective website must have a posted personal data protection policy, which informs, among other things in an easily accessible form, about the processing of personal data during its operation.
Philippines – COVID-19 Vaccinations II
The Philippine Data Protection Authority has issued a report on the processing of personal data as part of the government’s COVID-19 vaccination program. As mentioned therein, the supervisory authority received a number of relevant complaints, e.g. complaint about the requirement of local government staff to require the elderly to disclose their personal data by posting a comment on social media, which was publicly accessible and therefore visible to anyone. Among other remarks, it is emphasized that relevant information should not be posted on publicly accessible platforms. Instead, appropriate measures must be taken to ensure their confidentiality. In addition, the subjects of personal data must be informed with a special text for the processing of their personal data in the context of the vaccination program.