Data Protection

The constitutional context and the right to data protection

The Greek Constitution, adopted in 1975 quite after the fall of military dictatorship, recognized explicitly the rights of privacy (Article 9) and secrecy of communications (Article 19). Article 9 guarantees both the asylum of home and inviolability of private and family life. Both theorists and the jurisprudence regarded Article 9 in combination with Article 2§1 (dignity of the person) and Article 5§1 (right to free development of personality and participation in the political, social and economic life) as the legal ground for the recognition of a “right to informational self-determination”.

The constitutional revision of 2001 added a new provision granting individuals an explicit right to protection of their personal information. According to Article 9A, “all persons have the right to be protected from the collection, processing and use, especially by electronic means, of their personal data, as specified by law”. The existence of an independent data protection authority has also developed into a constitutional element of the right to data protection: Article 9A also establishes an independent oversight mechanism providing explicitly that “the protection of personal data is ensured by an independent authority, which is established and operates as specified by law.” As additional guarantee against the infringements of the rights to privacy, data protection and freedom of communication, article 19§3 provides that the use of evidence acquired in violation of the present article and of articles 9 and 9A is prohibited.

What is personal data?

Any information relating to an identified or identifiable natural person (‘data subject’). Information relating to entities does not qualify as personal data. Statistics, including data relating to natural persons, do not qualify as personal data provided that they are truly anonymized, i.e. that the natural persons are not identifiable.

What is sensitive personal data?

Any information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and generic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Why did EU need to regulate the cyberspace and establish cybersecurity?

Ever since technology and computer intelligence entered our lives numerous legal and ethical issues have arisen. Since 1990’s the Digital Economy created through the application of the digital computer technology has attracted the interest of researchers and, most importantly, Governments; the latter were brought before the dilemma between safeguarding net neutrality and the need to regulate this new prosperous environment.

Inadvertently discussions reached the European Union (EU) and the concept of the EU Digital Single Market was introduced. The initial vision of EU entails that all EU citizens enjoy the same goods and services, internet and start-up companies have the ability to offer the most innovative products and service, while businesses and governments are able to apply technology for their benefit. As stated by the EU Commission this initiative “could contribute €415 billion per year to our economy and create hundreds of thousands of new jobs”.

The EU Digital Single Market was defined in three pillars, as introduced by the EU Commission on May 2015: the access to online products and services, the “conditions for digital networks and services to develop and prosper, and the growth of the EU digital economy. In that concept Cybersecurity was deemed a regulatory priority with the EU Commission establishing a cybersecurity package on September 13th, 2017.

What is the definition of “health data” as per GDPR?

Pursuant to Art. 4(15) GDPR, “data concerning to health” (i.e. health data) means “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”. This personal information shall include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject, including¹:
- Information about the natural person collected in the course of the registration for, or the provision of, health care services
- A number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes
-Information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples
- Any information on, for example, a disease, disability, disease risk, medical history, clinical treatment, or the physiological or biomedical state of the data subject independent of its source, for example, from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.

The General Data Protection Regulation (GDPR), the most significant legislative initiative in the area of personal data in Europe, came into force on May 25th 2018. The GDPR imposes significant new burdens on organisations and in particular on employers across Europe, including a substantial amount of additional reporting requirements under the threat of increased fines and penalties. The GDPR’s main goal is to increase the level of protection afforded to employees and in particular to safeguard their human dignity, legitimate interests and fundamental rights.

Why is the GDPR important for employers?

In the context of any employer-employee relationship, the processing of personal data is inevitable. Human Resources departments collect, store and process a large amount of employee personal data (such as names, birth-dates, bank accounts, Social Security Codes, CVs, referral letters etc.), both for internal purposes and in order to comply with the applicable employment/social security legislation. In many instances, HR departments also process special (sensitive) personal data (such as health data, data in relation to diversity in the workplace, etc.), which are subject to a higher degree of scrutiny.