Today are three yeas since the 25/05/2018, the date of the entrance in force of the General Data Protection Regulation, which has marked positive developments for the personal data protection, despite additional challenges. The importance of the regulation is underlined also in the current period, in the context of data generated by the global pandemic.
The European Regulation 2016/679 has adapted to new realities of the digital era and has modernized the principles established in the Directive 1995 on the personal data protection. It has defined the natural persons’ rights and obligation of data processors and controllers. It has also established new ways to guarantee the compliance and sanctions for those one who are breaching rules.
The firms of the European Data Protection Board, the National Supervisory Authorities and the European Data Protection Supervisor are encouraging. Generally, the compliance of data controllers and processors with new rules seems to increase gradually and at the same time citizens seems to be more conscious of their rights. In addition, supervisory authorities are still enforcing rules by using their best corrective powers.
It is naturally necessary more time in order to draw conclusions on the trend of this requirements of the new legislation, because the regulation it is not only a new strong legal framework, but it plasm a new culture of responsibility and compliance for companies and organizations. In each case, the implementation of new rules is a dynamic process which asks for supported and systematical efforts.
During the last 15 months we have lived unparallel circumstances in which, in the light of the global pandemic, the public health protection is the main priority. In this unparallel crisis, question related to the personal data protection and privacy are arising constantly. Since the first period where were imposed restrictive measures in order to fight the coronavirus, the question on their legality from the point of personal data protection view has worried the European Parliament and the European Commission, the European Data Protection Board and National Supervisory Authorities – some of them, among which the Greek one, have issued communications or guidelines – and then the European Data Protection Supervisor.
It is useful to notice that the independent Supervisory Authorities were charged of the difficult task to try to balance the privacy protection and the right of the informative auto-determination with the service of the general social interest. It is about balances which are particularly difficult to realize when they are applied to realities in the field of human and social rights. The different restrictions are gradually deleted. In addition, extend them beyond the necessary time in order to face the public health threat will be a breach of rights and freedoms of data subjects. In other words, the pandemic can not be used like an excuse for establishing a surveillance in name of the public health and security.
An important question of interest for the European Union in this critical time is the introduction of the “green digital certificate COVID”, which will facilitate the safe and free movement during the pandemic. A positive development is the temporary agreement between the European Parliament and the Council on this theme reached on the 21/5, which makes the explicit reference to the personal data protection guarantees planned by the Regulation. This opinion follows the opinions (4/2021) of the European Data Protection Board on the proposal of regulation of the European Commission at the beginning of April, which underlines that the introduction of this certificate shall be fully in line with the personal data protection legislation and in any case shall constitute, directly or indirectly, a form of discrimination among citizens, in the respect of fundamental principles of need, proportionality and efficiency.
The personal data protection authority, despite the lack of staff, is still compromised to realize the mission that the state has given to it, by making efforts in order to maximize the efficient of its works.
Among its responsibilities during these last three years since the implementation of the Regulation, the Authority has issued important decisions, some of them by imposing sanctions but also issuing recommendations, advices or reminders to data controllers. At the same time, it has taken initiatives in order to organize awareness-raising actions in order to inform citizens of their rights and operators of the obligations.
As a part of its responsibilities, the Authority in order to facilitate the compliance by small and medium companies, is implementing a project (by Design) in order to provide a specialized guide as a compliance toolkit.
It now seems that large companies, unlike SMEs and individual self-employed workers, have largely complied with the regulation. However, there is often an incorrect application of the provisions referring to the Data Protection Officer (DPO), as well as an incorrect application and interpretation of the legal bases. In addition, the Authority is often concerned about the delayed or incomplete fulfilment of the rights of data subjects, in particular those of access and cancellation. In addition, the Authority has received a number of data breach notifications, the processing of which shows that the concept of risk is generally interpreted correctly and, with its assistance, the consequences of the incidents concerned are satisfactorily addressed.
In the current era of new privacy risks, in order for the Authority to be able to fulfil its mission more fully, both in its monitoring and in its information and guidance activities, it is also necessary to ensure the conditions for its effective functioning. And, of course, it is a necessity and a primary obligation of the competent bodies of the State to complete the composition of the Authority, which recently operated at the limit of the quorum due to the expiry of the mandate of some members and the resignation of others.
The commitment to safeguarding human rights in the face of technological challenges is a long-term struggle that lies at the heart of EU values, and the quality of modern democracies at the dawn of the new “normality” will be judged by its outcome.
- Between 25/5/2018 and 24/5/2021, 2,932 complaints were submitted to the Authority. Of these, 1,561 were dealt with and 1,371 appeals are being examined.
- The cases of breaches notified from 25/5/2018 to 24/5/2021 under the obligation of the General Data Protection Regulation are 418
- Similarly, there are 94 notifications of data breaches under the obligation of the Electronic Communications Act (Law 3471/2006).