The General Data Protection Regulation
Frequently Asked Questions [FAQs]
Data subject is a natural person to which personal data relates.
1. What is the GDPR?
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
2. When will the GDPR come into effect?
The GDPR has been approved by the EU Parliament on April 14th 2016 and will come into effect on May 25th 2018.
3. Who does the GDPR affect?
The regulation applies if the data controller (an organization that collects data from EU residents), or processor (an organization that processes data on behalf of a data controller like cloud service providers), or the data subject (person) is based in the EU. Under certain circumstances, the regulation also applies to organizations based outside the EU if they collect or process personal data of individuals located inside the EU.
4. What are personal data and special categories of personal data?
Personal data is information that can be related to an individual. Data is considered personal, if the person it concerns can be identified.
Special categories of data (also known as sensitive personal data) is data on: religious, philosophical, political or trade union-related views or activities, health, genetic or biometric information, the racial and ethnic origin, data concerning a person's sex life or sexual orientation criminal proceedings and sanctions.
5. What does "data processing" mean?
Data processing is any activity involving personal data, irrespective of the means applied and the procedure, e.g. the collection, storage, use, revision, disclosure, archiving, viewing and destruction of personal data.
6. What is the difference between a data processor and a data controller?
Data controller is the legal person who decides on the purpose, content and procedure of processing personal data. Data processor is a natural or legal person that processes personal data as instructed by the data controller.
Under GDPR both controller and processor have certain obligation. In addition the controller has to ensure that contracts with processors comply with the GDPR.
7. What are the key principles when processing personal data?
No matter how minor the processing is, processing of personal data must stand on a firm legal basis. The data controllers must provide clear views on how the processing works and the consequences on the data subject before collecting and processing the data.
Purpose limitation requires the data controllers to define the reasons for data collection and processing. Data controllers need to ensure that the data is processed according to the original purpose. The data should not be processed when the purpose has changed without firm legal ground. Also, data traceability throughout the data lifecycle is needed to know when the processing is not according to the original purpose anymore.
Data minimization involves reducing the amount of the collected data to what is necessary that the interaction with the data subject is satisfied without.
Storage limitation principle focuses on keeping the identifiable data for only the period that the data serve its purpose. The data controllers have full responsibility to maintain data tracking and remove the data when it is no longer being processed for its original purpose.
Integrity and confidentiality are part of the foundation of information security. Protecting the privacy of the data subject by maintaining its integrity is to maintain the accuracy and consistency of stored data. Also, the confidentiality of the data is maintained by protecting the information from disclosure to unauthorized access. The measures for this principle shall be implemented and operated throughout the data lifecycle.
Data controllers must take necessary steps to ensure the accuracy of data obtained and to verify the data source. Furthermore, any challenges to the accuracy of information shall be considered and keep up to date when necessary.
Accountability is a new concept introduced in GDPR. The data controllers must be accountable and be able to demonstrate compliance with the provisions of the regulations. The demonstration can be achieved in several ways, from not processing un-legal personal data, to implement the privacy principles into IT systems.
The data controllers should takes appropriate personnel, technical and organizational measures to minimize the risk of accidental or intentional breach, destruction, or loss of personal data.
8. What rights does the individuals have?
One of the key elements the GDPR is the rights granted to individuals, as outlined below:
Right to be informed. The right to be informed about what data we collect and how we use them.
Right of Access. The right to request confirmation as to whether or not Personal Data concerning the data subject are being processed, and, where that is the case, access to the Personal Data in a concise, intelligible, transparent, and easily accessible form.
Right to Rectification. The right to request without undue delay the rectification of inaccurate or incomplete Personal Data concerning the data subject, including by means of providing supplementary statement.
Right to Erasure. The right to request the erasure of Personal Data concerning the data subject, without undue delay and under certain conditions.
Right to Restriction. The right to request restriction of processing under certain conditions.
Right to Object. The right to object on grounds relating to the data subject’s particular situation, at any time to processing of Personal Data concerning the data subject. Personal Data shall then no longer processed unless compelling legitimate grounds for the processing is demonstrated, which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.
Right to Portability. The right to receive the Personal Data concerning the data subject, which the data subject has provided, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.
Right to Obtain Human Intervention. The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects it.
In any case, if the data subject feels that the protection of his/hers personal data is violated in any way whatsoever, has the right to lodge a complaint with the Hellenic Data Protection Authority.
9. What are the penalties in case of non- compliance?
Penalties at a lower level could be fined up to 10M euro or 2% global turnover, whichever is higher and can reach up to 20M euro or 4% of global turnover, whichever is higher.
10. What is a Privacy Notice?
Is a statement that provides the individual information about the ways his/hers data are, used, disclosed, and managed. It fulfills a legal requirement to protect a customer or client's privacy. This statement should be clear, easy to access and free of charge.
11. What are the lawful bases of processing?
Personal data may only be processed lawfully. Every data processor shall ensure compliance with this policy and the relevant laws and regulations. Data is processed lawfully if one of the following applies:
- if the data subject has made its personal data generally accessible, e.g. information provided in a newspaper or public white or yellow pages, and has not prohibited its processing;
- for the performance of a contract to which the data subject is party;
- in order to take steps at the data subject’s request prior to entering into a contract;
- for compliance with legal obligations of the data controller;
- in order to protect the vital interests of the data subject or another natural person;
- for the performance of a task carried out in the public interest;
- if the legitimate interests pursued by the Controller or a third party prevail over those of the data subject, except where such prevailing interests are overridden by fundamental rights and freedoms of the data subject;
- If the data subject has consented to such processing (see below additional information on consent).
Special Categories of Personal Data may only be processed lawfully if one of the following conditions applies:
- processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the Controller or of the data subject in the field of employment and social security and social protection law in so far as processing is authorised by Greek or EU Law;
- processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
- processing relates to personal data which are manifestly made public by the data subject;
- processing is necessary for the establishment, exercise or defence of legal claims;
- processing is necessary for reasons of substantial public interest;
- processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment
- processing is necessary for reasons of public interest in the area of public health;
- processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
- when the data subject has given its explicit consent.
12. When is consent required?
Before personal data may be processed, the data subject must be duly informed, and voluntarily and actively give its consent.
Consent does not necessarily need to be in writing, however, in order to evidence consent (e.g. towards courts and authorities), written consent or permissible audio recordings are advisable. The data subject may withdraw its consent at any time. When processing special categories of personal data on the basis of consent, such consent should be explicitly provided.
No consent is required if processing is performed under a different legal basis. Consent for processing data of children below 16 years (e.g. in the context of CSR activities) should be granted by the holder of parental responsibility.
13. What are the Data Protection Officer’s (DPO) responsibilities?
The DPO is responsible for coordinating data protection. In particular, she/he shall:
- independently monitor the company’s accordance with applicable data protection laws and regulations,
- independently monitor and implement future explanatory materials from the European Union Commission with regard to the execution of the GDPR provisions,
- support executive management in ensuring legal compliance within data protection framework,
- independently monitor compliance with this policy on a regular basis,
- maintain the list of databases and the list of breaches of data protection,
- monitor and assist in Data Protection Impact Assessments (DPIA),
- be responsible for replying to data subject’s requests for information,
- be responsible for creating a training concept to raise data protection awareness and advise personnel processing data, in particular controller employees, of their data processing obligations,
- act as contact point for supervisory authorities on issues related to the processing of personal data, as well as cooperate with authorities in any other matter.
For further reference regarding GDPR legislation, please find here.