master_admin

The Court of Justice of the European Union creates precedent according to which Google must erase personal data subsequent to a request by the person concerned

By Konstantinos Kakavoulis

The case Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (referred to as Google Spain v. Costeja Gonzalez) was decided before the Court of Justice of the European Union. The decision was issued on 25 June 2013. It constitutes a landmark for human rights in the digital age.

– Case history

On 5 March 2010, a Spanish citizen, Mario Costeja Gonzalez, filed a claim before the Spanish Authority for Personal Data Protection (AEPD) against a Spanish newspaper, Google Spain SL and Google Inc. The applicant complained that any Internet user, who typed his name in the Google search engine, would receive as a result two publications by some Spanish newspaper regarding a confiscation order for his house. The applicant requested that the newspaper erased his name from the publications and that Google removed his personal data in issue from the results it provides to its users. He argued that the confiscation procedure against his house had long been terminated and that any reference to it was totally irrelevant at present.

The Spanish Data Protection Authority dismissed the claim regarding the newspaper, but approved it regarding Google. According to the Authority, the newspaper was not obliged to repeal the publications, since they were lawfully published during the date on which they had been issued. On the contrary, it found that search engines are personal data processors and consequently Google Spain and Google Inc. had to erase the personal data, subsequently to the application filed by Mr. Costeja Gonzalez. The Authority based its decision on EU Directive 1995/46/EU.

Subsequently, Google Spain and Google Inc. appealed, against the aforementioned decision before the High Court of Spain. The latter referred a series of questions to the Court of Justice of the European Union (CJEU) regarding the correct implementation of the Directive. The questions concerned whether Google is subject to the notion of the processor of personal data and also whether, as an EU corporation, is subject to the provisions of the Directive. In case of a negative response, the High Court requested from the CJEU to determine Google’s liability as a data processor and assess whether a citizen has the right to request from Google to erase his personal data, namely the right to be forgotten.

– The CJEU decision

The CJEU found that Google is indeed a processor of personal data, since it “collects such data which it subsequently ‘retrieves’, ‘records’ and ‘organises’ within the framework of its indexing programmes, ‘stores’ on its servers and, as the case may be, ‘discloses’ and ‘makes available’ to its users in the form of lists of search results” and since it determines the purposes and means of this processing. The Court also found that Google Spain is an affiliated company of Google Inc. and therefore, Google Inc. is subject to the EU Directive.

One of the main points of the decision concerns the legal obligations which search engines, such as Google, have, according to the Directive. The Court found that search engines have the right to process personal data, when this is necessary in order for the legitimate interest of the data holder or third parties to be served. This right is not absolute. It may be limited when it contests the interests or the fundamental rights of the data subject –especially its right to privacy. The Court underlined that the economic interests of the search engine are not enough to impose limitations on the right to privacy. The Court also reminded that the right to privacy in principle prevails over the right of the public to gain access to personal data of a non-public figure.

The Court decided that the data subject has undoubtedly a legitimate interest to deny the disclosure of its personal data, even if such disclosure is not harmful to it. This right is founded on its right to privacy. Consequently, the data subject –in the present case Mr. Costeja Gonzalez- can request the erasure of his data, if the information disclosed are “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the processing at issue carried out by the operator of the search engine”. In such an event, not only the data subject has the pertinent right, but also the data controller has the obligation to erase the data.

With this decision, the Court found that Mario Costeja Gonzalez had the right to request the erasure of his personal data from Google, while the latter had the obligation to erase them. Thus, this decision acknowledged the right to be forgotten for data subjects and the pertinent obligation for the data controller.

– Commentary on the decision

This decision is of great significance. It created precedent upon which subsequent rulings of the Court may be justified. Furthermore, national courts’ judgements may be based upon its reasoning or the opinions of the minority. We already see that the General Data Protection Regulation (GDPR) institutionalizes the right to be forgotten, in a way which constitutes a logical continuation of the decision at issue. It is therefore very important for the decision to be analysed and commented.

It must be underlined that the decision does not seem to distinguish between the consequences of removing data from a search engine and removing them from a website. The publication of data in a single website has significantly fewer consequences for the right to privacy and personal data protection than the disclosure of the same data in a search engine. The capability of the search engine to collect information, to aggregate them, to publish them as a whole and therefore create a whole profile for the user is something which may not be done by a single website. Thus, the data published in a search engine can be accessed by a wider public and can create a whole digital personality for a person. This reasoning was used by the Court in its judgement.

According to the same way of thinking, the removal of data from a search engine has much more important consequences than the removal of data from a website. The first influences in a much more substantial way the right to be informed. When someone searches for information regarding a person, it is much more probable that he searches for this information by typing the name of the said person in a search engine rather than searching for it in every single website, in which he considers that this name is possibly mentioned. Therefore, if the personal data of a person are removed from a search engine, the right to privacy of the said person and his personal data are more adequately protected than if such data are removed from a website. The right of the public to be informed is correspondingly affected. The latter is safeguarded under the Charter of Fundamental Rights of the EU Article 11. Although the Court noted the difference between the data processing by a search engine and a website, it did not deal with the right to be informed in the same way, despite the fact that the latter is influenced in a different fashion in the two cases.

Furthermore, the Court seems to consider only public interest reasons as capable of imposing limitations to the right to privacy and personal data protection. The right to be informed should be mentioned and used as a reason for delimiting the aforementioned rights. The protection of personal data is of great importance. However, it cannot be absolute. There are cases in which other rights –and not only public interest reasons- prevail and should be taken into account in the attempt to strike a fair balance. Thus, the Court should have included the right to be informed as a right, which should be weighted with the right to be forgotten. The outcome of this case would not have been different. However, this judgement may have serious implications in future cases. For this reason, the Court should have included this thought and should have referred to the EU Charter 11 in a more detailed fashion. The right to privacy and personal data protection prevail over the right to be informed. In any case, the two rights should be weighted by the Court, which should take into account the circumstances of the specific case.

Another very important point which was not clarified by the decision is the geographical implementation of the right to be forgotten, namely whether the right is implemented beyond the EU boundaries. Very strong arguments exist for both options. The issue will probably be clarified in the case Google v. France, pending before the same Court.

Much criticism has also been raised regarding the extended definition the Court gave to the notion of “personal data controller”. According to this criticism, not only search engines, but also their users, might be considered to be personal data controllers. This criticism has fallen short of substance, since the General Data Protection Regulation seems to define adequately the notion of “personal data controller”. Certainly, the implementation of the Regulation by the Court in cases to come is anticipated with great interest.

The judgement in the case Google Spain v. Mario Costeja Gonzalez constitutes a point of reference in the protection of personal data in the European, but also the international level. Google, which constitutes one of the most prominent personal data controllers, has established a procedure for the fast and easy access of its users to the right to be forgotten (you can have access to the pertinent application form by clicking here). Furthermore, the right to be forgotten is safeguarded under the GDPR. All personal data processors are obliged to respect it and all data subjects may enjoy it, with certain limitations. Mr. Costeja Gonzalez –intentionally or not- assisted in the establishment of a right, which will play an important role in the digital age in which we live in.

By Konstantinos Kakavoulis

Those who were born after 1990 are very likely to have left traces of their underage life in the Internet. The younger the user, the better the chances for that. Particularly for those who have been born just before 2000, the question is not if they have left traces, but how many traces they have left. According to UNICEF, 2 children use the Internet for the first time in their lives every second that passes. Nowadays, we see children who have just learned to walk and still face difficulties in kicking a ball, using a smartphone or a tablet with ease. Children and teenagers are so familiar with technology, that often even their parents have a hard time monitoring and supervising their activities –especially if the parents themselves do not have a good relationship with technology.

Easy access to the Internet has undoubtedly a positive impact to children and adolescents. The screen of their mobile phone, their tablet or their computer is transformed to a window to the world for them. Adolescents do not only have their school, their family, their private courses and the team in which they play as a source of information. With just a few “clicks” or touches on their screens, they enjoy access to information and images, which were unconceivable for past generations. This creates an additional need for them: to be part of this digital world. It is unusual to meet a teenager without an account in at least one social media.

Adolescents seem ready to make a part of their private life public, in order to feel liked and accepted by others, and, consequently, part of the digital reality. This said part is often very big –maybe bigger than it should be. Thus, we frequently see photos of drunk or provocatively dressed teenagers, photos from their love life and posts with particularly acid content, which may contain insults, describe illegal actions for this age or may constitute bullying.

Minors seem to start recognizing that from the moment that some of their personal data go online, they can never disappear. Even if their public profile is deleted, the personal data remain in the databases of the social media companies. This fear is likely to have led to the great success of Snapchat and Instagram stories within teenagers. These two social media promise temporariness in the public exposure of their posts, which lasts from 3 seconds to 24 hours.

The question is what happens when adolescents realize the consequences of the imprudent use of social media and wish to erase the personal data, which they have publicly shared. The answer to this question is given by the right to be forgotten. GDPR Article 17 explicitly provides that in case “personal data have been collected in relation to the offer of information society services to children”, the person of concern has the right to ask for their erasure from the data controller –in most cases this will be Facebook, Instagram or some other social media. It is important to note that the Regulation stipulates that the maximum applicable age for a person to be considered a “minor” is 16 years. The Member States may regulate differently, but under no circumstances this age might be less than 13 years. It remains to be seen what the Greek legislation will determine as a “child” age, during which data protection is absolute. The right to be forgotten does not end, when child or adolescent life ends. The persons maintain it during their whole life, regarding the data which they shared, while they were still children.

The right to be forgotten provides that the mistakes someone has made during his youth, do not stigmatize him forever. Teenage memories are undoubtedly some of the most important memories a person makes during his life. Nonetheless, they are also some of the most personal ones. Many of these memories constitute sensitive personal data. Persons tend to keep these memories well-guarded and permit only to certain persons –if to anyone- to have access and knowledge of their teenage and child cheatings and everyday activities. GDPR Article 17 is here to give them back the opportunity to safeguard their memories and to permit them to manage their personal memories, which they shared during the age of “innocence”- if it can still be named so.

Erasing the past

By Konstantinos Kakavoulis

Article 17 of the new General Data Protection Regulation institutionalizes the right to erasure, the so-called “right to be forgotten”. According to this article, a person has the right to request the erasure of his personal data and the controller has the obligation to erase the personal data without undue delay. The right to be forgotten is not established for the first time with the entry into force of the new Regulation. It has been established at the European level by the Directive EU/95/46. The Court of Justice of the European Union has ruled in favour of the existence of the said right in the case Google Spain v AEPD and Mario Costeja González.

According to Article 17 of the new Regulation, The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

1. 1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
   2. the data subject withdraws consent on which the processing is based and their processing cannot be based on another legal ground;
   3. the data subject objects to the processing, which is made for public order reasons or the exercise of an official authority or in the interest of the data controller or third parties, and there are no overriding legitimate grounds for the processing;
   4. the data subject objects to the processing which is made for the direct commercial promotion of products;
   5. the personal data have been unlawfully processed;
   6. the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
   7. the personal data have been collected in relation to the offer of information society services to a child

Therefore, it can be concluded that the right to be forgotten is not absolute. The mere fact that a person requests the erasure of his personal data from the Internet does not necessarily result in their erasure. According to data from Google, the company has received 720,000 requests for personal data erasure during the past 3 years and has accepted 43% of them.

For instance, in the case of a house confiscation for debts, which has taken place some years ago, the request for erasure is likely to get approved. In the case of a criminal conviction for a grave crime, this is highly unlikely; besides, the latter will always appear in the criminal record of the perpetrator.

But what is going to happen in the case of an old allegation for a serious crime, which has never been proven?

Or in the event of a recent bankruptcy?

Or in the event that someone has publicly expressed political views, which he now wants to withdraw?

In all the aforementioned circumstances there must be a weighting of the right to be forgotten with the freedom of expression, the economic interest of the data processor, as well as the public interest to gain access to this information according to the right to get informed. This weighting shall always be made taking into account the circumstances of the specific case and under no occasion may its results be predetermined. It must be noted that according to the jurisprudence of the Court of Justice of the European Union, the right to be forgotten in principle prevails over the economic interest of the data processor, as well as the right of the public to get informed.

Another very important case is pending before the Court of Justice of the European Union; the case of France versus Google. The most significant issue of concern raised before the Court is the universality of the right to be forgotten. The Court has to determine whether the pertinent right extends beyond the European Union. France’s argument in favour of the extension is that, without it, the right to be forgotten is void. Even if Google is forced to delete or edit the results of some search within the European plane, these results will still be publicly available in the rest of the world. On the contrary, Google points to freedom of expression, which will be substantially curtailed, if the Court decides that the right is to be extended. The company argues that in such an event, authoritarian regimes will be able to enforce their laws in a way that will universalize the restrictions they impose.

For instance, Thailand will be able to enforce its legislation, which prohibits any insult against its king, universally. Google argues that there must be room for every State to strike a fair balance between the right to privacy and freedom of expression. According to the company, no State must be in a position to impose its legislation on another State.

It is undisputable that both sides have very strong arguments. No matter what the outcome of the case will be, it is sure that the right to be forgotten has been established and is here to stay. This is because it guarantees something very important: the right to live without a flawless past; in other words, the right to live a normal life.

By Konstantinos Kakavoulis

Digital rights are human rights. More specifically, they are the human rights which provide persons with access to digital means of communication and the chance to use them, as well as access to computers, other electronic devices and communication networks with the respective opportunity to use them. The most significant and most well-known of these communication networks is the Internet, which, as illustrated by its name, constitutes the “network of networks”.

Which are the digital rights?

Digital rights are all the human rights, which are related to the aforementioned activities in the digital age, in which we live in. The most important digital rights, at the moment these lines are written, are the right to privacy, the personal data protection, the freedom of expression, the right to information, the right to property – material and intellectual- the right to judicial review and the prohibition of discrimination. This list is not exhaustive. The technological evolution and the pertinent extension of human activity is likely to create new digital rights.

When were digital rights created?

Digital rights are the expansion of the fundamental human rights, which were already guaranteed in the Universal Declaration of Human Rights, in international and European law, but also in the Greek Constitution. The evolution of technology and the entrance in the digital age created a new digital world, which exists in parallel with the real world. The vested rights took a new dimension, in order to regulate the new space of human activity.

Are digital rights protected?

As already mentioned, digital rights constitute the expansion of the vested fundamental human rights. Therefore, they enjoy the same protection with the vested rights. Certainly, the adoption of new legislation is imperative, in order to regulate thoroughly the particularities of the new situation.

Why are digital rights important?

All of us use the Internet and electronic devices on a regular basis: we purchase products and services, we exchange opinions and information, we get informed. It is not exaggerated to state that apart from the real world, we also live and operate in a digital one. As our real self needs to be safeguarded, so does our digital self. In order to be able to safeguard our digital rights, we must firstly get informed on them. We must learn how are personal data are used by corporations, States and other persons. We must learn where our freedom of expression in the Internet begins and where it ends. We must learn how to protect our Internet transactions. We must learn where and when is the surveillance of our actions by cameras permitted and in which cases it is not.

A brief guide explaining what to do and whom to address if you have problems with the processing of your personal data

By Lefteris Chelioudakis and Elpida Vamvaka

Having been informed about your rights in the first part of this article, it is reasonable to ask yourself how to apply them in practice.

Α Request to the Data Controller

In order to exercise any of your rights, you should submit to the Data Controller the relevant request and the Data Controller shall verify your request. Subsequently, the Data Controller has a time limit of one month from the time of the receipt of your request to answer to it. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests (this means a total of 3 months until you receive the final answer to your request). However, even in this case, the controller shall inform you of any such extension within one month of receipt of the request, together with the reasons for the delay. Any information provided and any actions to be taken by the controller shall be provided free of charge. Where your request is complicated or excessive, the controller may either charge a reasonable fee or refuse to act on your request.

Nonetheless, in such case the controller shall bear the burden of demonstrating the manifestly complicated or excessive nature of your request.

Lodge a complaint with the Supervisory  Data Protection Authority

If you consider that your rights have been infringed and the Controller or the representative (the natural or legal person processing your data according to the instructions and on behalf of the Data Controller) do not operate in compliance with the rules imposed by the law, you may, if you wish so, lodge a complaint with the Supervisory Personal Data Protection Authority. Τhis step, although not mandatory, is particularly useful. The reason is that the controllers of the Authority have the requisite knowledge and experience to evaluate the complaint and its basis.

A complaint may be lodged, at your choice, either with the Independent Authority of the Member State of your habitual residence (e.g Greece) or the Independent Authority of the Member State of EU place of work (e.g Bulgaria if you live in Greece and you cross the border to work there) or the Independent Authority of the Member State of the alleged infringement (e.g Italy if you went there for vacation and you consider that the hotel you made the reservation infringed the law in processing your personal data).

The complaint to the Authority can be submitted by electronic means completing a standardized format without excluding other means of communication. In general, the submission of the complaint shall be free of charge but where the request is manifestly ill-founded or excessive, the Authority may charge a reasonable fee based on administrative costs or refuse to act to the request. In such case, the Supervisory Authority shall bear the burden of demonstrating the manifestly ill-founded character of the request. For lodging of the complaints with the Greek Supervisory Personal Data Protection Authority, you can find here the relevant forms and other information regarding the procedure.

If the Authority decides that there has actually been an infringement of your rights, you can subsequently use this decision before the courts to have an increased chance of winning a claim for damages. However the Authority cannot, by its decision, oblige the controller or the processor to compensate you for your damage. What it can do, among other things, is to impose on them particularly high administrative fines.

In addition, the Authority may cooperate with Independent Authorities of other Member States and has the authority to conduct investigations on the application of law, to bring to the attention of the judicial authorities any infringement of law and where appropriate to commence or engage otherwise in legal proceedings in order to enforce the provisions of law.

But what happens if the authority issues a binding decision declaring that there has been no infringement  of your rights or does not examine your complaint at all or does not inform you on the progress or outcome of your complaint within three months? Then you have the right, if you wish, to bring legal proceedings against the Authority before the courts of the Member State where the authority is established.

Right to a judicial remedy against a controller or processor

Omitting the step of lodging a complaint with the authority or following that, if you consider that your rights have been infringed and you want to receive compensation, you have the right to a judicial remedy against the controller or processor. In such case you have two options: You may institute legal proceedings before the courts of the Member State where the controller or the processor is established or before the courts of the Member State where you have your habitual residence unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers. In this case you may initiate proceedings in the Member State to which the public authority belongs.

How can Homo Digitalis help you?

The law gives you the right to mandate a not-for-profit body which is active in the field of the protection of personal data, such as Homo Digitalis, to lodge the complaint on your behalf with the Supervisory Personal Data Protection Authority, to institute a judicial remedy against the Supervisory Personal Data Protection Authority and to institute a judicial remedy against the controller or the processor, exercising on your behalf your right to compensation.

Although we have limited human and financial resources, you should know that we are always at your disposal. Should you want to contact us you can send us an e-mail at info@homodigitalis.gr.

A brief guide explaining what to do and whom to address if you have problems with the processing of your personal data.

By Elpida Vamvaka and Lefteris Chelioudakis

The new General Data Protection Regulation provides a range of rights to protect and exercise your fundamental right to protect your personal data. This Regulation is part of activities not related to the investigation and prevention of criminal offenses, as these activities are not covered by the new Regulation but by the Directive 2016/680.

But how can you exercise the rights granted to you by the law and whom should you contact in order to exercise them? In this article, Homo Digitalis will provide you with the necessary clarifications.

What are your rights under the provisions of the new Regulation?

Right to Transparency of Data Processing (Article 12)

You have the right to be informed by your data controller (the natural or legal person who determines the purpose and manner of processing your data) in simple, concise and comprehensible words, in writing and/or oral explanation about any rights you have under this processing, the way you may exercise these rights, the person/service you need to address, and the time limit within which you can receive the necessary answers to your requests.

Right to Information (Article 13):

What is included:

Your right to request from the processor the necessary information related to the processing of your personal data such as:

– the identity and the contact details of the controller;

– the identity and the contact details of the data protection officer, where applicable; (the existence of a data protection officer is not always required by law);

– the purpose of the processing for which the personal data are intended as well as the legal basis for the processing and the relevant clarifications related to such legal basis;

– any recipients of your data, and any intention to transfer your data outside the EU, explaining how this transfer is based, and the impact that such action will have on the level of security of your data,

– the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

– the existence of your rights to request from the controller access to or rectification or erasure of your personal data or restriction of processing concerning the data subject or to object to processing as well as your right to transfer your data  to another data controller, or withdraw your consent if the processing of your data is based on such consent (see below for more regarding all these rights);

– your right to lodge a complaint with the Supervisory Personal Data Protection Authority;

– the existence of automated decision-making based on your personal data including profiling, meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for you (the rule is that you may not subject to a decision based solely on automated processing although there are some exceptions).

When can you receive the information?

When your personal data are collected from you, this information shall be obtained at the time when personal data are obtained. But when your personal data have not been obtained from you, this information shall be provided to you within one month from the collection. Particularly, if your personal data are to be used for communication with you, the information should be provided to you at the time of the first communication to you. Finally, if a disclosure of your data to another recipient is envisaged, such information shall be provided to you before such disclosure.

However, you must remember that the right to information is subject to serious restrictions as the case may be.

Right to access (Article 15):

Your right to know if a data controller processes your data.

If you receive a positive response, you will have the right of access to such data, the right to Information (as described above) as well as your right to obtain a copy of your personal data undergoing processing.

Right to rectification (Article 16)

Your right to request from the controller the rectification of personal data when there are inaccuracies or completing your incomplete data. Such rectification may take place without undue delay.

Right to erasure (known as “right to be forgotten”-Article 17)

Your right to request from the controller the erasure of your personal data without undue delay.

The grounds upon which you may exercise your right of erasure:

– where your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

– where the processing is based on the legal basis of the consent you may withdraw your consent and the controller has no other legal ground for the processing;

– in the exercise of the right of objection to the processing of your personal data (see below);

– where your personal data have been unlawfully processed;

– where your personal data have to be erased by the controller for compliance with a legal obligation in Member State or in EU law;

– where the processing is based on consent in relation to the offer of information society services to a child (e.g a child account on a social networking platform)

However the right to erasure is subject to significant restrictions. In particular, this right may not be exercised to the extent that processing is necessary:

– for exercising the right of freedom of expression and information;

– for compliance with a legal obligation which requires processing by the national or EU law to which the controller is subject to;

– to perform a task carried out in the name of public interest or in the exercise of official authority vested in the controller;

– for reasons of public interest in the area of public health;

– for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right of erasure is impossible or seriously impair the achievement of the objectives of the processing of the data;

– for the establishment, exercise or defence of legal claims.

Right to restriction of processing (Article 18)

Your right to obtain from the controller restriction of processing of your personal data where:

– you contest the accuracy of your personal data and you require the restriction for a period enabling the controller to verify the accuracy of the data;

– the processing of your personal data is unlawful and you oppose the erasure of your personal data and you request the restriction of their use instead;

– you need your data for the establishment, exercise or defence of legal claims even if the controller no longer needs the personal data for the purposes of the processing;

– you have submitted a request for exercising your right of objection to processing (see more information below) pending the verification of your request you require the restriction of processing of your personal data.

Right to data portability (Article 19)

Your right to receive your personal data and transmit those data to another controller. You may request the transmission of your personal data directly from one controller to another where technically feasible. The exercise of this right may not adversely affect the rights and freedoms of others.

When can you exercise this right?

– Where the processing is based on the legal basis of consent or on a contract and is carried out by automated means.

Exception:

The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Right to objection to the processing of your personal data (Article 21):

Your right to object to processing of your personal data, including profiling, at any time and for personal reasons. At the latest at the time of your first communication with the controller, your right to object shall be explicitly brought to your attention and shall be presented clearly and separately from any other information.

You may exercise this right where the processing or the profiling:

– is necessary according to law for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The controller shall no longer process your personal data unless the controller demonstrates compelling legitimate grounds for the processing, which override your grounds or the processing is necessary for the establishment, exercise or defence of legal claims.

– is necessary according to law for the purposes of legitimate interests pursued by the controller or by a third party unless the controller demonstrates compelling legitimate grounds for the processing which override your grounds or the processing is necessary for the establishment, exercise or defence of legal claims.

– refers to direct marketing purposes;

– in the context of the use of information society services, you may exercise your right to object by automated means using technical specifications;

– is necessary for scientific or historical research purposes or statistical purposes unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Are these rights absolute?

No. As you have already understood from the above, these rights are subject to several restrictions as the case may be depending on the legal basis on which the processing of personal data is based. However, one thing to keep in mind is that the data controller is obliged to inform you accurately of your rights. Therefore, you should know at any time your rights for the processing of your personal data.

Are you wondering how you can exercise these rights in practice? Continue reading the second part of this article.

By Lefteris Chelioudakis

The right to privacy of every person and the right to the protection of its personal data are two distinct rights, according to the European Union Law. Many people confuse the two rights. This article aspires to make clear the values each of them safeguards by using simple language.

The core of the right to privacy of a person is the protection of his/her residence, his/her communications or/and his/her relationships with others, as well as his/her personality, as this is conceived in total.

This right does not apply only behind closed doors. On the contrary, it may be implemented and protected also in public spaces.

The right to personal data protection, which concern a person, refers exclusively to the processing of these data.

Its objective is the provision of legal protection against improper processing of these data.

Having read the informal definitions of these two rights, we can proceed to tracking down and analyzing their differences. In particular, it is understood that the right to privacy safeguards the residence and the communications of a person and concerns many aspects of his/her life. It is the right of everyone to choose how he/she defines his/her own existence.

The protection of this right constitutes a necessary condition for us to enjoy a series of other rights, which concern our interests, our relations, our beliefs, etc.

On the contrary, the right to personal data protection concerns solely the processing of these data. This processing may have to do with the core of the right to privacy of the data subject or not, depending on the case.

Let us try to understand the differences between these two rights through an example. We will use the case illustrated in the Handbook of European Data Protection Law, which has been published by the Fundamental Rights Agency of the European Union (FRA), the European Data Protection Supervisor (EDPS) and the Council of Europe (in collaboration with the Secretary of the European Court of Human Rights). The Handbook is available for free in electronic version in the website of FRA.

If the payroll of the company in which you work has a list with the names of the employees of the company and their respective salaries, the recording of this information can not be considered as an interference with your right to privacy. If, in the same example, the payroll chose to disclose this information to a third party, this could easily amount to an interference with your right to privacy.

The violation of the right to privacy does not necessarily equate to a violation of the right to data protection and vice versa.

Although European Union law distinguishes between the right to privacy and the right to data protection, the law of the Council of Europe adopts a different approach.

Specifically, the law of the Council of Europe perceives personal data protection as a reflection of the right to privacy, when these personal data are somehow related to the personal life of a person.

The Greek Constitution distinguishes between the two rights; the right to personal data protection is recognized under Article 9A (Personal Data Protection), while the various manifestations of the right to privacy are recognized under Article 9 (Asylum of the residence), Article 19 (Confidentiality of mail, correspondence & communication) and Article 21 (Protection of family, marriage, motherhood and childhood, disabled persons’ rights).

Therefore, it can be understood that the Greek Constitution distinguishes between the two rights, while it notably provides for distinct independent administrative authorities, which safeguard the distinct legal rights.

In particular, the Personal Data Protection Authority safeguards personal data protection, while the Confidentiality of Telecommunications Authority safeguards the confidentiality of mail and free correspondence and communication.

In any case, what the reader should bear in mind is that both the right to personal data protection and the right to privacy constitute fundamental rights, enjoyed by everyone and protected against arbitrary actions of the State or third persons.

By Lefteris Chelioudakis

The Cambridge Analytica case (CA) started being discussed in March 2018 and illustrated how the personal data you share on Facebook can be used by advertising companies and data brokers to manipulate your choices as a consumer, but also as a voter.

This article is not a commentary on the CA case. On the contrary, our goal is to help you adjust your Facebook settings to raise your control on the personal data you share. Before we present to you the simple steps you must follow, we will shortly describe the facts of this case. in 2014, Dr. Aleksandr Kogan, then researcher in the Psychology Department of Cambridge University, created a psychometric test for Facebook users for academic purposes.

Subsequently, this test was converted and used for commercial purposes by Dr. Kogan’s company Global Science Research (GSR). One of the companies which worked with GSR was Strategic Communication Laboratories (SCL), parent company of CA. Through this test, CA managed to gain access to more than 50 million profiles of Americans other Facebook users. This access was granted by the users themselves or by their Facebook friends. Every time that a Facebook user chose to do the impugned test, the test requested access to personal data the user shared on Facebook, as well as personal data his/her friends had publicly shared. In this way, if I had given my consent to do the test, I would have shared with the company which had created the test all the personal data it requested, including the public profile of my friends.

In this manner, CA managed to classify all the users, who had granted their consent, as well as their Facebook friends, based on their psychological profiles. This knowledge was used by CA as a basis for sending targeted political messages to the users in question, which influenced their choices during the US presidential elections in 2016, and possibly during the Brexit referendum during the same year.

Leaving the CA case aside, today, all the well-known social media platforms, such as Facebook, Instagram, Twitter, etc., use the so-called “Application Programming Interface” (API). Using interface tools, various applications can share your personal data, subsequent to you granting your consent, in order to offer to you services and products. Thus, you can permit to other applications to interact with your Facebook account and share with them your profile information, such as your friends list, your date of birth, your timeline posts, the place you live in, your education and working experience, etc.

It is quite likely that at some point you gave your consent for gaming applications, quiz or test applications or other types of applications to have access to your personal data. At that point you might not have been cautious regarding the content you would be sharing with these platforms. For instance, why should a quiz which will offer you several moments of laugh, have unlimited access to your profile photos, the place you work in or you live in, your friends list or your interests? Did you consider which data broker company might be behind this “innocent” test and for which purposes it will use your data in the future?

In order for you to reconsider the choices you made in the past, you must visit the Settings page of the platform you are using.

Furthermore, you must be very cautious regarding all the applications, which ask you to type the word “BFF” or other such words to check if your account is secure or not. These publications do not aim at nothing else but the pages, which host them, to get more popular, through the comments, likes and shares. The acronym “BFF” refers to the term “Best Friends Forever” and is accompanied by vivid colours, simply because it constitutes one of the keywords, which Facebook has chosen to accompany with graphics.

You can find more keywords like this in this link.

If you wish to learn more on whether your personal data have been used by CA through your Facebook account, you can visit the following section created by Facebook here.

In any case, before you decide to use a social media platform or share your personal data with other applications, you must always read carefully their privacy policies. In this way, you will be able to get informed on how, with who and for how long will your personal data be used. These privacy policies are required not to be extensive or illegible and are also required to explain with simple words what is happening with your personal data.

So, next time, before you start using a platform, devote some minutes of your time to learn what will you be sharing with this platform and under which terms and conditions.