When things go wrong - Part One
A brief guide explaining what to do and whom to address if you have problems with the processing of your personal data.
By Elpida Vamvaka and Lefteris Chelioudakis
The new General Data Protection Regulation provides a range of rights through which you can protect and exercise your fundamental right to the protection of your personal data. This Regulation applies to activities not related to the investigation and prevention of criminal offenses, as those activities are covered not by the new Regulation but by Directive 2016/680.
But how can you exercise the rights granted to you by the law and whom should you contact in order to exercise them? In this article, Homo Digitalis will provide you with the necessary clarifications.
What are your rights under the provisions of the new Regulation?
Right to Transparency of Data Processing (Article 12)
You have the right to be informed by your data controller (the natural or legal person who determines the purpose and manner of processing your data) in simple, concise and comprehensible words, in writing and/or orally, about any rights you have under this processing, the way you may exercise these rights, the person/service you need to address, and the time limit within which you can receive the necessary answers to your requests.
Right to Information (Article 13):
What is included:
Your right to request from the processor the necessary information related to the processing of your personal data such as:
– the identity and the contact details of the controller;
– the identity and the contact details of the data protection officer, where applicable; (the existence of a data protection officer is not always required by law);
– the purpose of the processing for which the personal data are intended as well as the legal basis for the processing and the relevant clarifications related to such legal basis;
– any recipients of your data, and any intention to transfer your data outside the EU, with an explanation of the basis for this transfer and the impact that such action will have on the level of security of your data;
– the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
– the existence of your rights to request from the controller access to or rectification or erasure of your personal data or restriction of processing concerning the data subject or to object to processing as well as your right to transfer your data to another data controller, or withdraw your consent if the processing of your data is based on such consent (see below for more regarding all these rights);
– your right to lodge a complaint with the Supervisory Personal Data Protection Authority;
– the existence of automated decision-making based on your personal data, including profiling, with meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for you (the rule is that you may not be subjected to a decision based solely on automated processing, although there are some exceptions).
When can you receive the information?
When your personal data are collected from you, this information shall be provided at the time when the personal data are obtained. But when your personal data have not been obtained from you, this information shall be provided to you within one month from the collection. In particular, if your personal data are to be used for communication with you, the information should be provided to you at the time of the first communication with you. Finally, if a disclosure of your data to another recipient is envisaged, such information shall be provided to you before such disclosure.
However, you must remember that the right to information is subject to serious restrictions as the case may be.
Right to access (Article 15):
Your right to know if a data controller processes your data.
If you receive a positive response, you will have the right of access to such data, the right to Information (as described above) as well as your right to obtain a copy of your personal data undergoing processing.
Right to rectification (Article 16)
Your right to request from the controller the rectification of inaccurate personal data or the completion of your incomplete data. Such rectification may take place without undue delay.
Right to erasure (known as the “right to be forgotten”, Article 17)
Your right to request from the controller the erasure of your personal data without undue delay.
The grounds upon which you may exercise your right of erasure:
– where your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
– where the processing is based on the legal basis of consent, you withdraw your consent and the controller has no other legal ground for the processing;
– in the exercise of the right of objection to the processing of your personal data (see below);
– where your personal data have been unlawfully processed;
– where your personal data have to be erased by the controller for compliance with a legal obligation in Member State or EU law;
– where the processing is based on consent in relation to the offer of information society services to a child (e.g. a child account on a social networking platform).
However, the right to erasure is subject to significant restrictions. In particular, this right may not be exercised to the extent that processing is necessary:
– for exercising the right of freedom of expression and information;
– for compliance with a legal obligation which requires processing under the national or EU law to which the controller is subject;
– to perform a task carried out in the name of public interest or in the exercise of official authority vested in the controller;
– for reasons of public interest in the area of public health;
– for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in so far as exercising the right of erasure would make impossible or seriously impair the achievement of the objectives of the processing of the data;
– for the establishment, exercise or defence of legal claims.
Right to restriction of processing (Article 18)
Your right to obtain from the controller restriction of processing of your personal data where:
– you contest the accuracy of your personal data and you require the restriction for a period enabling the controller to verify the accuracy of the data;
– the processing of your personal data is unlawful and you oppose the erasure of your personal data and you request the restriction of their use instead;
– you need your data for the establishment, exercise or defence of legal claims even if the controller no longer needs the personal data for the purposes of the processing;
– you have submitted a request to exercise your right to object to processing (see more information below) and, pending the verification of your request, you require the restriction of processing of your personal data.
Right to data portability (Article 19)
Your right to receive your personal data and transmit those data to another controller. You may request the transmission of your personal data directly from one controller to another where technically feasible. The exercise of this right may not adversely affect the rights and freedoms of others.
When can you exercise this right?
– Where the processing is based on the legal basis of consent or on a contract and is carried out by automated means.
Exception:
The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Right to objection to the processing of your personal data (Article 21):
Your right to object to processing of your personal data, including profiling, at any time and for personal reasons. At the latest at the time of your first communication with the controller, your right to object shall be explicitly brought to your attention and shall be presented clearly and separately from any other information.
You may exercise this right where the processing or the profiling:
– is necessary according to law for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The controller shall no longer process your personal data unless the controller demonstrates compelling legitimate grounds for the processing, which override your grounds or the processing is necessary for the establishment, exercise or defence of legal claims.
– is necessary according to law for the purposes of legitimate interests pursued by the controller or by a third party unless the controller demonstrates compelling legitimate grounds for the processing which override your grounds or the processing is necessary for the establishment, exercise or defence of legal claims.
– refers to direct marketing purposes;
– in the context of the use of information society services, you may exercise your right to object by automated means using technical specifications;
– is necessary for scientific or historical research purposes or statistical purposes unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Are these rights absolute?
No. As you have already understood from the above, these rights are subject to several restrictions, depending on the case and on the legal basis on which the processing of personal data is based. However, one thing to keep in mind is that the data controller is obliged to inform you accurately of your rights. Therefore, you should know your rights regarding the processing of your personal data at any time.
Are you wondering how you can exercise these rights in practice? Continue reading the second part of this article.
The right to privacy and personal data protection: An introduction to these two distinct rights
By Lefteris Chelioudakis
The right to privacy of every person and the right to the protection of his/her personal data are two distinct rights, according to European Union law. Many people confuse the two rights. This article aspires to make clear, in simple language, the values each of them safeguards.
The core of the right to privacy of a person is the protection of his/her residence, his/her communications or/and his/her relationships with others, as well as his/her personality, as this is conceived in total.
This right does not apply only behind closed doors. On the contrary, it may be implemented and protected also in public spaces.
The right to the protection of the personal data which concern a person refers exclusively to the processing of these data.
Its objective is the provision of legal protection against improper processing of these data.
Having read the informal definitions of these two rights, we can proceed to tracking down and analyzing their differences. In particular, it is understood that the right to privacy safeguards the residence and the communications of a person and concerns many aspects of his/her life. It is the right of everyone to choose how he/she defines his/her own existence.
The protection of this right constitutes a necessary condition for us to enjoy a series of other rights, which concern our interests, our relations, our beliefs, etc.
On the contrary, the right to personal data protection concerns solely the processing of these data. This processing may have to do with the core of the right to privacy of the data subject or not, depending on the case.
Let us try to understand the differences between these two rights through an example. We will use the case illustrated in the Handbook of European Data Protection Law, which has been published by the Fundamental Rights Agency of the European Union (FRA), the European Data Protection Supervisor (EDPS) and the Council of Europe (in collaboration with the Secretary of the European Court of Human Rights). The Handbook is available free of charge in electronic form on the website of FRA.
If the payroll of the company in which you work has a list with the names of the employees of the company and their respective salaries, the recording of this information cannot be considered as an interference with your right to privacy. If, in the same example, the payroll chose to disclose this information to a third party, this could easily amount to an interference with your right to privacy.
The violation of the right to privacy does not necessarily equate to a violation of the right to data protection and vice versa.
Although European Union law distinguishes between the right to privacy and the right to data protection, the law of the Council of Europe adopts a different approach.
Specifically, the law of the Council of Europe perceives personal data protection as a reflection of the right to privacy, when these personal data are somehow related to the personal life of a person.
The Greek Constitution distinguishes between the two rights; the right to personal data protection is recognized under Article 9A (Personal Data Protection), while the various manifestations of the right to privacy are recognized under Article 9 (Asylum of the residence), Article 19 (Confidentiality of mail, correspondence & communication) and Article 21 (Protection of family, marriage, motherhood and childhood, disabled persons’ rights).
Therefore, it can be understood that the Greek Constitution distinguishes between the two rights, while it notably provides for distinct independent administrative authorities, which safeguard the distinct legal rights.
In particular, the Personal Data Protection Authority safeguards personal data protection, while the Confidentiality of Telecommunications Authority safeguards the confidentiality of mail and free correspondence and communication.
In any case, what the reader should bear in mind is that both the right to personal data protection and the right to privacy constitute fundamental rights, enjoyed by everyone and protected against arbitrary actions of the State or third persons.
Why should you take care of the personal data you share on Facebook and how can you get back control?
By Lefteris Chelioudakis
The Cambridge Analytica case (CA) started being discussed in March 2018 and illustrated how the personal data you share on Facebook can be used by advertising companies and data brokers to manipulate your choices as a consumer, but also as a voter.
This article is not a commentary on the CA case. On the contrary, our goal is to help you adjust your Facebook settings to increase your control over the personal data you share. Before we present the simple steps you must follow, we will briefly describe the facts of this case. In 2014, Dr. Aleksandr Kogan, then a researcher in the Psychology Department of Cambridge University, created a psychometric test for Facebook users for academic purposes.
Subsequently, this test was converted and used for commercial purposes by Dr. Kogan’s company Global Science Research (GSR). One of the companies which worked with GSR was Strategic Communication Laboratories (SCL), parent company of CA. Through this test, CA managed to gain access to more than 50 million profiles of Americans and other Facebook users. This access was granted by the users themselves or by their Facebook friends. Every time a Facebook user chose to do the impugned test, the test requested access to personal data the user shared on Facebook, as well as personal data his/her friends had publicly shared. In this way, if I had given my consent to do the test, I would have shared with the company which had created the test all the personal data it requested, including the public profiles of my friends.
In this manner, CA managed to classify all the users, who had granted their consent, as well as their Facebook friends, based on their psychological profiles. This knowledge was used by CA as a basis for sending targeted political messages to the users in question, which influenced their choices during the US presidential elections in 2016, and possibly during the Brexit referendum during the same year.
Leaving the CA case aside, today all the well-known social media platforms, such as Facebook, Instagram, Twitter, etc., use the so-called “Application Programming Interface” (API). Using interface tools, various applications can share your personal data, once you have granted your consent, in order to offer you services and products. Thus, you can permit other applications to interact with your Facebook account and share with them your profile information, such as your friends list, your date of birth, your timeline posts, the place you live in, your education and working experience, etc.
It is quite likely that at some point you gave your consent for gaming applications, quiz or test applications or other types of applications to have access to your personal data. At that point you might not have been cautious regarding the content you would be sharing with these platforms. For instance, why should a quiz which will offer you a few moments of laughter have unlimited access to your profile photos, the place you work or live in, your friends list or your interests? Did you consider which data broker company might be behind this “innocent” test and for which purposes it will use your data in the future?
In order for you to reconsider the choices you made in the past, you must visit the Settings page of the platform you are using.
Furthermore, you must be very cautious regarding all the applications which ask you to type the word “BFF” or other such words to check whether your account is secure or not. These posts aim at nothing other than making the pages which host them more popular through comments, likes and shares. The acronym “BFF” refers to the term “Best Friends Forever” and is accompanied by vivid colours simply because it is one of the keywords which Facebook has chosen to accompany with graphics.
You can find more keywords like this in this link.
If you wish to learn more on whether your personal data have been used by CA through your Facebook account, you can visit the following section created by Facebook here.
In any case, before you decide to use a social media platform or share your personal data with other applications, you must always read their privacy policies carefully. In this way, you will be able to find out how, with whom and for how long your personal data will be used. These privacy policies are required not to be extensive or illegible and are also required to explain in simple words what is happening with your personal data.
So, next time, before you start using a platform, devote a few minutes of your time to learning what you will be sharing with this platform and under which terms and conditions.
Homo Digitalis signs the open letter on Artificial Intelligence and Robotics
Homo Digitalis signs the open letter to the European Commission on Artificial Intelligence and Robotics
Artificial Intelligence and robotics constitute an ever-increasing part of our everyday lives. It seems that robots or robotic applications will be used in many aspects of our lives in the near future. Therefore, it is crucial that an adequate legislative framework is created, regulating their activity and safeguarding the principles of democracy and human rights. This framework should not be examined only from an economic and legal perspective; there must be a holistic approach to it, which will include sociological, psychological and ethical aspects.
In this context, the European Parliament with a resolution proposed to the European Commission:
“the adoption of a legal instrument on robotics in the long term, so that at least the most hi-tech, autonomous robots are recognized as electronic persons, having liability for any damage they cause and potentially implementation of this electronic personality in cases in which robots decide autonomously or interact independently in any other way with third parties”.
Scientists and manufacturers specializing in Artificial Intelligence and Robotics, law professionals, health scientists, university professors in the related fields, as well as organizations operating in the aforementioned fields and in ethics, address the European Commission through an open letter regarding the proposal by the European Parliament.
Their purpose is to support the drafting of a legal instrument at the European level, which will regulate robots’ activities, safeguarding human rights and limiting the risks which may be caused by their acts. They believe that the European Commission should create a feasible legislative instrument for innovative and responsible progress in Artificial Intelligence and Robotics, resulting in the enjoyment of even more benefits for European citizens and the European single market.
However, the experts underline that:
- It is necessary to adopt a holistic approach for the creation of the regulatory framework.
- From an ethical and legal aspect, it is impossible to create a legal personality for robots, which will be based on any existing law system.
Homo Digitalis is one of the signatories of this open letter, represented by its President, Ms. Elpida Vamvaka.
If you are among the persons or organizations which can and wish to sign the letter, thus adding to the endeavour being made before the European Commission, you can do so following the link:
Letter by Homo Digitalis to the Greek Parliament: Reinforcement of the Independent Authorities
On 30 May 2018, Homo Digitalis submitted a letter to the Greek Parliament, addressing all the political parties and the independent Members of the Parliament, regarding the reinforcement of the Personal Data Protection Authority and the Authority for the Confidentiality of Communications with adequate human, technical and economic means, in order for their objectives to be successfully carried out.
The letter was also communicated to the two Authorities and particularly to their Presidents, Mr. Menoudakos and Mr. Zampiras respectively.
You can read the letter in Greek here.
Homo Digitalis signs the Toronto Declaration: Protection of the rights to equality and non-discrimination in machine learning systems
In May 2018, Homo Digitalis signed the Toronto Declaration on the protection of the rights to equality and non-discrimination in machine learning systems. This Declaration is an initiative by the international non-governmental organizations Access Now and Amnesty International and has been adopted by many other prominent international organizations such as Human Rights Watch and Wikimedia Foundation.
Machine learning systems may be used in various sectors, such as health, social welfare, education or police surveillance. Their use offers unlimited opportunities, but also many challenges. This declaration aims at establishing values at the international level, which will safeguard the protection of the rights to equality and non-discrimination during the use of machine learning systems.
The data on which a machine learning system bases its analysis may be biased. Therefore, the results or the decisions of this system will also be biased and partial. The use of new technologies of any nature should aim at eliminating discrimination and inequality, not at perpetuating or expanding them.
By signing this Declaration, Homo Digitalis recognizes the necessity to establish values at the international level, which will safeguard the principle of equality and equal treatment during machine learning use.
We must also note that machine learning systems are linked to important challenges not only for the rights of equality and non-discriminatory treatment, but also for a series of other human rights, such as equity before the law, the right to privacy, the protection of personal data, freedom of expression and information, children’s rights and the right to fair trial.
The citizens of the EU Member States enjoy the highest level of protection of human rights globally. The provisions of the EU Fundamental Rights Charter, as well as the jurisprudence of the Court of the European Union and the European Court of Human Rights, establish a legal context with high-level safeguards.
This context should be globally extended, so that new technologies serve our legal and ethical values and do not assist those who aspire to infringe them.
Letter by Homo Digitalis to the Greek Parliament: Amendment to the draft law implementing the GDPR
April 20, 2018
Letter by Homo Digitalis to the Greek Parliament, suggesting an amendment to the draft law on Personal Data Protection, implementing the EU Regulation 2016/679 and transposing EU Directive 2016/680
On 24 April 2018, Homo Digitalis addressed all the Members of the Greek Parliament through a letter. Homo Digitalis proposed to the Members of the Parliament to promote the adoption of a provision in Article 67 of the Draft Law on the Protection of Personal Data, which would state the following:
“Non-Governmental institutions, organizations, lawfully established unions, the constitutional objects of which include the protection of rights and freedoms of the data subjects in relation to the protection of personal data shall have the right, regardless of the assignment by the data subject, to request judicial remedy from the data controller or the processor”.
This proposal complies fully with the provisions of General Data Protection Regulation (GDPR) Article 80, paragraph 1.
The letter was also communicated to the Greek Personal Data Protection Authority and the Greek Authority for the Confidentiality of Communications.
Corporate Data Protection Responsibility
Do corporations indeed feel responsible for the protection of our personal data?
By Konstantinos Kakavoulis
In the contemporary world, corporations play a significant role in Greece, but also at the international level. This role is constantly increasing. Certainly, they do not operate freely; they are subject to obligations according to the rules and regulations of the legal orders in which they operate.
In the past, corporations were considered (and also considered themselves) to be closed systems, which did not have any link to persons, the environment and society. They existed and operated with the sole purpose of producing profit. During the last two decades, they have realized (at least the majority of them) that their role in a rapidly changing world entails corporate social responsibility, which is much broader than the obligations to which they are subject under the rule of law.
There is no uniform definition for corporate social responsibility. According to the definition of the European Commission it is “the responsibility of corporations for their impact on society”.[1]
Of course, corporations did not perceive their responsibility on their own. A series of scandals, with corporations being liable for massive loss of lives, for gross violations of human rights and for environmental disasters, has raised public awareness regarding these topics. The latter resulted in a huge amount of pressure directed at the corporations at a local, national or international level, depending on the size of the scandal and the corporate activities.
Their reputation was severely damaged and their profits fell steeply on many occasions. The media started monitoring their functioning systematically. The corporations had to promote a socially sensitive profile in order to protect their reputation and, consequently, their existence.
Corporate social responsibility costs a lot. The corporations have to undertake expenditure and make commitments to the public. Nonetheless, they know that strong competition from other corporations with a socially sensitive profile makes the promotion of such a profile, if not an even more sensitive one, an imperative need for them.
Nike constitutes an important example of a corporation which saw its reputation collapse in one night at the beginning of the 90s. This occurred when evidence of gross violations of labour rights and child labour in Asian countries (Indonesia, China and Vietnam) came to light. The protests against the corporation did not decrease even when world-class sports stars, such as Michael Jordan, took a position in favour of the corporation. The damage to the reputation, sales and consequently the profits of the corporation was immense and lasted for at least a decade.
In 1999, the masterminds of Nike realized that they had no choice but to adopt a socially sensitive profile regarding labour rights. They created the Union for Fair Labour, with the objective of adherence to specific labour requirements by an independent authority. Subsequently, many corporations and organizations dedicated to the protection of human rights acceded to the Union.
The first factories that were inspected belonged to Nike. Even today, Nike is still charged with human rights violations. Nonetheless, now the corporation itself publishes reports regarding human rights violations within its premises, reprimanding them and announcing ways it intends to use in order to combat them.[2] As a result, the public trusts the corporation again, which sees an unprecedented rise in its profits. Moreover, working conditions in its premises are ameliorated. In this case, corporate social responsibility worked in favour of everyone: the corporation, the consumers, the employees.
Corporate responsibility for labour rights, which was the dominant form of corporate responsibility in the 90s, was succeeded by corporate environmental responsibility. Since the beginning of the 21st century, consumers turn to more “ecological”, “organic”, “biodegradable”, “recyclable”, “renewable” products.
To this end, corporations compete for being the leader in “green growth”. All these notions were unknown prior to 2000. Nowadays, everyone knows them and the rules of the market are formed by them.
Today, it seems that the concept of corporate responsibility is changing once again. The new General Data Protection Regulation signals an era in which persons appear to be more interested than ever in their personal data. Correspondingly, corporations face for the first time a new form of corporate responsibility, the corporate responsibility for data protection. Nonetheless, the Regulation and the new legislative framework which will be created in the Greek legal order are not enough.
The only non-legal means, which is universal and powerful enough to cause a significant turn in the corporate functioning is human conscience. The latest developments in legislation seem to have raised the awareness of transnational and big Greek corporations. These corporations have already amended their structures and will continue to adapt their operation to the requirements of the new legal framework.
The new Regulation provides corporations with the opportunity to receive certifications, which will “prove” their compliance with the prerequisites set by the law. These certifications have as an objective the promotion of a corporate profile, which will show compliance with the data protection legislation and will give the green light to persons to show trust and share their data with the certified corporation.
It remains to be seen whether these certifications will indeed constitute an ally of the persons or will be confined to being a void stamp, which will be acquired through a typical procedure and will be renewed almost automatically and without meticulous monitoring.
If persons do not show their interest, if nobody realizes the value of his/her personal data, the new legislation will become void and corporations will do only what is absolutely necessary in order to comply with the few prerequisites set by the State.
Furthermore, corporations of medium or small size have not shown the same sensitization regarding the new legal framework. Notably, data violations by these corporations might be of equal importance. If these corporations realize that apart from the strict legal framework, Greek citizens are indeed interested in their personal data, it is highly probable that they will amend their functioning as well.
Corporations seem to realize that they have a grave responsibility for data protection. However, we must all realize that our personal data are, above all, personal. This means that each one of us must personally care about them. Corporations appear to be ready to undertake their responsibilities. Are we ready to demand from them to do so?
[1] European Commission (2011), A renewed EU strategy 2011-14 for Corporate Social Responsibility, COM(2011) 681 final, Brussels
[2] See http://abcnews.go.com/Business/story?id=5503956&page=1
Report on the right to privacy in the digital age
On 23 March 2017, the United Nations Human Rights Council adopted resolution 34/7 on “The Right to Privacy in the Digital Age”. Subsequently, the High Commissioner for Human Rights issued a request to all stakeholders to submit their inputs on the aforementioned right.
The present report was drafted for this purpose and was submitted in English to the Office of the High Commissioner for Human Rights on 4 April 2018. The report will soon also be published on the website of the High Commissioner.
The report focuses on encryption and anonymity as enablers for the enjoyment of the freedom of expression, as well as the regulatory framework in Greece that provides for the retention of electronic communications’ metadata.