When things go wrong - Part Two
A brief guide explaining what to do and whom to address if you have problems with the processing of your personal data
By Lefteris Chelioudakis and Elpida Vamvaka
Having been informed about your rights in the first part of this article, it is reasonable to ask yourself how to apply them in practice.
A Request to the Data Controller
In order to exercise any of your rights, you should submit the relevant request to the Data Controller, and the Data Controller shall verify your request. Subsequently, the Data Controller has a time limit of one month from the receipt of your request to respond to it. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests (this means a total of 3 months until you receive the final answer to your request). However, even in this case, the controller shall inform you of any such extension within one month of receipt of the request, together with the reasons for the delay. Any information provided and any actions taken by the controller shall be provided free of charge. Where your request is complicated or excessive, the controller may either charge a reasonable fee or refuse to act on your request.
Nonetheless, in such a case the controller shall bear the burden of demonstrating the manifestly complicated or excessive nature of your request.
Lodge a complaint with the Supervisory Data Protection Authority
If you consider that your rights have been infringed and the Controller or the representative (the natural or legal person processing your data according to the instructions and on behalf of the Data Controller) do not operate in compliance with the rules imposed by the law, you may, if you so wish, lodge a complaint with the Supervisory Personal Data Protection Authority. This step, although not mandatory, is particularly useful. The reason is that the controllers of the Authority have the requisite knowledge and experience to evaluate the complaint and its basis.
A complaint may be lodged, at your choice, either with the Independent Authority of the Member State of your habitual residence (e.g. Greece), or the Independent Authority of the EU Member State of your place of work (e.g. Bulgaria, if you live in Greece and cross the border to work there), or the Independent Authority of the Member State of the alleged infringement (e.g. Italy, if you went there on vacation and you consider that the hotel where you made the reservation infringed the law in processing your personal data).
The complaint to the Authority can be submitted by electronic means, by completing a standardized form, without excluding other means of communication. In general, the submission of the complaint shall be free of charge, but where the request is manifestly ill-founded or excessive, the Authority may charge a reasonable fee based on administrative costs or refuse to act on the request. In such a case, the Supervisory Authority shall bear the burden of demonstrating the manifestly ill-founded character of the request. For lodging complaints with the Greek Supervisory Personal Data Protection Authority, you can find here the relevant forms and other information regarding the procedure.
If the Authority decides that there has actually been an infringement of your rights, you can subsequently use this decision before the courts to have an increased chance of winning a claim for damages. However, the Authority cannot, by its decision, oblige the controller or the processor to compensate you for your damage. What it can do, among other things, is to impose on them particularly high administrative fines.
In addition, the Authority may cooperate with Independent Authorities of other Member States and has the authority to conduct investigations on the application of law, to bring to the attention of the judicial authorities any infringement of law and where appropriate to commence or engage otherwise in legal proceedings in order to enforce the provisions of law.
But what happens if the authority issues a binding decision declaring that there has been no infringement of your rights or does not examine your complaint at all or does not inform you on the progress or outcome of your complaint within three months? Then you have the right, if you wish, to bring legal proceedings against the Authority before the courts of the Member State where the authority is established.
Right to a judicial remedy against a controller or processor
Whether you omit the step of lodging a complaint with the Authority or take it first, if you consider that your rights have been infringed and you want to receive compensation, you have the right to a judicial remedy against the controller or processor. In such a case you have two options: you may institute legal proceedings before the courts of the Member State where the controller or the processor is established, or before the courts of the Member State where you have your habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers. In that case you may initiate proceedings in the Member State to which the public authority belongs.
How can Homo Digitalis help you?
The law gives you the right to mandate a not-for-profit body which is active in the field of the protection of personal data, such as Homo Digitalis, to lodge the complaint on your behalf with the Supervisory Personal Data Protection Authority, to institute a judicial remedy against the Supervisory Personal Data Protection Authority and to institute a judicial remedy against the controller or the processor, exercising on your behalf your right to compensation.
Although we have limited human and financial resources, you should know that we are always at your disposal. Should you want to contact us you can send us an e-mail at info@homodigitalis.gr.
When things go wrong - Part One
A brief guide explaining what to do and whom to address if you have problems with the processing of your personal data.
By Elpida Vamvaka and Lefteris Chelioudakis
The new General Data Protection Regulation provides a range of rights to protect and exercise your fundamental right to the protection of your personal data. This Regulation applies to activities not related to the investigation and prevention of criminal offenses, as those activities are covered not by the new Regulation but by Directive 2016/680.
But how can you exercise the rights granted to you by the law and whom should you contact in order to exercise them? In this article, Homo Digitalis will provide you with the necessary clarifications.
What are your rights under the provisions of the new Regulation?
Right to Transparency of Data Processing (Article 12)
You have the right to be informed by your data controller (the natural or legal person who determines the purpose and manner of processing your data) in simple, concise and comprehensible words, in writing and/or orally, about any rights you have under this processing, the way you may exercise these rights, the person/service you need to address, and the time limit within which you can receive the necessary answers to your requests.
Right to Information (Article 13):
What is included:
Your right to request from the processor the necessary information related to the processing of your personal data such as:
– the identity and the contact details of the controller;
– the identity and the contact details of the data protection officer, where applicable; (the existence of a data protection officer is not always required by law);
– the purpose of the processing for which the personal data are intended as well as the legal basis for the processing and the relevant clarifications related to such legal basis;
– any recipients of your data, and any intention to transfer your data outside the EU, explaining on what basis this transfer takes place and the impact that such action will have on the level of security of your data;
– the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
– the existence of your rights to request from the controller access to or rectification or erasure of your personal data or restriction of processing concerning the data subject or to object to processing as well as your right to transfer your data to another data controller, or withdraw your consent if the processing of your data is based on such consent (see below for more regarding all these rights);
– your right to lodge a complaint with the Supervisory Personal Data Protection Authority;
– the existence of automated decision-making based on your personal data, including profiling, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you (the rule is that you may not be subjected to a decision based solely on automated processing, although there are some exceptions).
When can you receive the information?
When your personal data are collected from you, this information shall be provided at the time when the personal data are obtained. But when your personal data have not been obtained from you, this information shall be provided to you within one month from the collection. In particular, if your personal data are to be used for communication with you, the information should be provided to you at the time of the first communication with you. Finally, if a disclosure of your data to another recipient is envisaged, such information shall be provided to you before such disclosure.
However, you must remember that the right to information is subject to serious restrictions as the case may be.
Right to access (Article 15):
Your right to know if a data controller processes your data.
If you receive a positive response, you will have the right of access to such data, the right to Information (as described above) as well as your right to obtain a copy of your personal data undergoing processing.
Right to rectification (Article 16)
Your right to request from the controller the rectification of personal data when there are inaccuracies, or the completion of your incomplete data. Such rectification may take place without undue delay.
Right to erasure (known as “right to be forgotten” - Article 17)
Your right to request from the controller the erasure of your personal data without undue delay.
The grounds upon which you may exercise your right of erasure:
– where your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
– where the processing is based on the legal basis of consent, you withdraw your consent and the controller has no other legal ground for the processing;
– in the exercise of the right of objection to the processing of your personal data (see below);
– where your personal data have been unlawfully processed;
– where your personal data have to be erased by the controller for compliance with a legal obligation under Member State or EU law;
– where the processing is based on consent in relation to the offer of information society services to a child (e.g. a child account on a social networking platform).
However, the right to erasure is subject to significant restrictions. In particular, this right may not be exercised to the extent that processing is necessary:
– for exercising the right of freedom of expression and information;
– for compliance with a legal obligation which requires processing by the national or EU law to which the controller is subject;
– to perform a task carried out in the name of public interest or in the exercise of official authority vested in the controller;
– for reasons of public interest in the area of public health;
– for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in so far as the right to erasure would make impossible or seriously impair the achievement of the objectives of the processing of the data;
– for the establishment, exercise or defence of legal claims.
Right to restriction of processing (Article 18)
Your right to obtain from the controller restriction of processing of your personal data where:
– you contest the accuracy of your personal data and you require the restriction for a period enabling the controller to verify the accuracy of the data;
– the processing of your personal data is unlawful and you oppose the erasure of your personal data and you request the restriction of their use instead;
– you need your data for the establishment, exercise or defence of legal claims even if the controller no longer needs the personal data for the purposes of the processing;
– you have submitted a request for exercising your right of objection to processing (see more information below) and, pending the verification of your request, you require the restriction of processing of your personal data.
Right to data portability (Article 19)
Your right to receive your personal data and transmit those data to another controller. You may request the transmission of your personal data directly from one controller to another where technically feasible. The exercise of this right may not adversely affect the rights and freedoms of others.
When can you exercise this right?
– Where the processing is based on the legal basis of consent or on a contract and is carried out by automated means.
Exception:
The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Right to objection to the processing of your personal data (Article 21):
Your right to object to processing of your personal data, including profiling, at any time and for personal reasons. At the latest at the time of your first communication with the controller, your right to object shall be explicitly brought to your attention and shall be presented clearly and separately from any other information.
You may exercise this right where the processing or the profiling:
– is necessary according to law for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The controller shall no longer process your personal data unless the controller demonstrates compelling legitimate grounds for the processing, which override your grounds or the processing is necessary for the establishment, exercise or defence of legal claims.
– is necessary according to law for the purposes of legitimate interests pursued by the controller or by a third party unless the controller demonstrates compelling legitimate grounds for the processing which override your grounds or the processing is necessary for the establishment, exercise or defence of legal claims.
– refers to direct marketing purposes;
– in the context of the use of information society services, you may exercise your right to object by automated means using technical specifications;
– is necessary for scientific or historical research purposes or statistical purposes unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Are these rights absolute?
No. As you have already understood from the above, these rights are subject to several restrictions, as the case may be, depending on the legal basis on which the processing of personal data is based. However, one thing to keep in mind is that the data controller is obliged to inform you accurately of your rights. Therefore, you should know your rights regarding the processing of your personal data at any time.
Are you wondering how you can exercise these rights in practice? Continue reading the second part of this article.
The right to privacy and personal data protection: An introduction to these two distinct rights
By Lefteris Chelioudakis
The right to privacy of every person and the right to the protection of his/her personal data are two distinct rights, according to European Union law. Many people confuse the two rights. This article aspires to make clear, in simple language, the values each of them safeguards.
The core of the right to privacy of a person is the protection of his/her residence, his/her communications or/and his/her relationships with others, as well as his/her personality, as this is conceived in total.
This right does not apply only behind closed doors. On the contrary, it may be implemented and protected also in public spaces.
The right to the protection of the personal data which concern a person refers exclusively to the processing of these data.
Its objective is the provision of legal protection against improper processing of these data.
Having read the informal definitions of these two rights, we can proceed to tracking down and analyzing their differences. In particular, it is understood that the right to privacy safeguards the residence and the communications of a person and concerns many aspects of his/her life. It is the right of everyone to choose how he/she defines his/her own existence.
The protection of this right constitutes a necessary condition for us to enjoy a series of other rights, which concern our interests, our relations, our beliefs, etc.
On the contrary, the right to personal data protection concerns solely the processing of these data. This processing may have to do with the core of the right to privacy of the data subject or not, depending on the case.
Let us try to understand the differences between these two rights through an example. We will use the case illustrated in the Handbook of European Data Protection Law, which has been published by the Fundamental Rights Agency of the European Union (FRA), the European Data Protection Supervisor (EDPS) and the Council of Europe (in collaboration with the Secretary of the European Court of Human Rights). The Handbook is available for free in electronic form on the website of FRA.
If the payroll of the company in which you work has a list with the names of the employees of the company and their respective salaries, the recording of this information cannot be considered as an interference with your right to privacy. If, in the same example, the payroll chose to disclose this information to a third party, this could easily amount to an interference with your right to privacy.
The violation of the right to privacy does not necessarily equate to a violation of the right to data protection and vice versa.
Although European Union law distinguishes between the right to privacy and the right to data protection, the law of the Council of Europe adopts a different approach.
Specifically, the law of the Council of Europe perceives personal data protection as a reflection of the right to privacy, when these personal data are somehow related to the personal life of a person.
The Greek Constitution distinguishes between the two rights; the right to personal data protection is recognized under Article 9A (Personal Data Protection), while the various manifestations of the right to privacy are recognized under Article 9 (Asylum of the residence), Article 19 (Confidentiality of mail, correspondence & communication) and Article 21 (Protection of family, marriage, motherhood and childhood, disabled persons’ rights).
Therefore, it can be understood that the Greek Constitution distinguishes between the two rights, while it notably provides for distinct independent administrative authorities, which safeguard the distinct legal rights.
In particular, the Personal Data Protection Authority safeguards personal data protection, while the Confidentiality of Telecommunications Authority safeguards the confidentiality of mail and free correspondence and communication.
In any case, what the reader should bear in mind is that both the right to personal data protection and the right to privacy constitute fundamental rights, enjoyed by everyone and protected against arbitrary actions of the State or third persons.
Why should you take care of the personal data you share on Facebook and how can you get back control?
By Lefteris Chelioudakis
The Cambridge Analytica case (CA) started being discussed in March 2018 and illustrated how the personal data you share on Facebook can be used by advertising companies and data brokers to manipulate your choices as a consumer, but also as a voter.
This article is not a commentary on the CA case. On the contrary, our goal is to help you adjust your Facebook settings to increase your control over the personal data you share. Before we present to you the simple steps you must follow, we will briefly describe the facts of this case. In 2014, Dr. Aleksandr Kogan, then a researcher in the Psychology Department of Cambridge University, created a psychometric test for Facebook users for academic purposes.
Subsequently, this test was converted and used for commercial purposes by Dr. Kogan’s company Global Science Research (GSR). One of the companies which worked with GSR was Strategic Communication Laboratories (SCL), parent company of CA. Through this test, CA managed to gain access to more than 50 million profiles of Americans and other Facebook users. This access was granted by the users themselves or by their Facebook friends. Every time that a Facebook user chose to do the impugned test, the test requested access to personal data the user shared on Facebook, as well as personal data his/her friends had publicly shared. In this way, if I had given my consent to do the test, I would have shared with the company which had created the test all the personal data it requested, including the public profile of my friends.
In this manner, CA managed to classify all the users, who had granted their consent, as well as their Facebook friends, based on their psychological profiles. This knowledge was used by CA as a basis for sending targeted political messages to the users in question, which influenced their choices during the US presidential elections in 2016, and possibly during the Brexit referendum during the same year.
Leaving the CA case aside, today, all the well-known social media platforms, such as Facebook, Instagram, Twitter, etc., use the so-called “Application Programming Interface” (API). Using interface tools, various applications can share your personal data, subsequent to you granting your consent, in order to offer you services and products. Thus, you can permit other applications to interact with your Facebook account and share with them your profile information, such as your friends list, your date of birth, your timeline posts, the place you live in, your education and working experience, etc.
It is quite likely that at some point you gave your consent for gaming applications, quiz or test applications or other types of applications to have access to your personal data. At that point you might not have been cautious regarding the content you would be sharing with these platforms. For instance, why should a quiz which will offer you a few moments of laughter have unlimited access to your profile photos, the place you work or live in, your friends list or your interests? Did you consider which data broker company might be behind this “innocent” test and for which purposes it will use your data in the future?
In order for you to reconsider the choices you made in the past, you must visit the Settings page of the platform you are using.
Furthermore, you must be very cautious regarding all the applications which ask you to type the word “BFF” or other such words to check if your account is secure or not. These posts aim at nothing other than making the pages which host them more popular through comments, likes and shares. The acronym “BFF” refers to the term “Best Friends Forever” and is accompanied by vivid colours, simply because it constitutes one of the keywords which Facebook has chosen to accompany with graphics.
You can find more keywords like this in this link.
If you wish to learn more on whether your personal data have been used by CA through your Facebook account, you can visit the following section created by Facebook here.
In any case, before you decide to use a social media platform or share your personal data with other applications, you must always read carefully their privacy policies. In this way, you will be able to get informed on how, with whom and for how long your personal data will be used. These privacy policies are required not to be extensive or illegible and are also required to explain in simple words what is happening with your personal data.
So, next time, before you start using a platform, devote a few minutes of your time to learning what you will be sharing with this platform and under which terms and conditions.


