Personal data protection

Definition

In everyday life information is exchanged between people for every
kind of human activity. Every person should have the right to control
the information related to his person and to choose which information
should be revealed, processed or communicated to others. Personal data
is a special kind of information which is related to an identified or
identifiable person (the “data subject”). The identification can be done
directly or indirectly, in particular by reference to an identification
number or to one or more factors specific to the physical,
physiological, mental, economic, social or cultural identity of a
person.

The definition of personal data is very broad and covers a wide range
of information in any form (image, sound, paper files etc.). The
protection also covers minors, but not deceased persons or objects.
However, even data concerning objects can sometimes be protected: for
example, a picture of a house with an indication of the address (its
exact location) could lead to the owner and reveal information about
him, such as economic status. In that way, it can reveal information
about the person indirectly. Examples of personal data are: the name of
a person, the image of a person (e.g. a picture or a video of the
person), a bank account number, a credit card number, an email address,
fingerprints, DNA, and even the IP address (for IP addresses see: ECJ,
Case C 275/06, January 29, 2008).

A special category of personal data is the so-called “sensitive
data”. These are personal data revealing racial or ethnic origin,
political opinions, religious or philosophical beliefs, trade-union
membership and data concerning health or sex life.

Processing of personal data

The basic legal instrument for personal data protection is the
Directive 95/46/CE which was implemented in Greek Law by the provisions
of Law 2472/1997 and in Cyprus by the Law 138 (I) 2001.

Processing of personal data is any operation or set of operations which
is performed upon personal data, whether or not by automatic means, such
as collection, recording, organization, storage, adaptation, alteration,
retrieval, consultation, disclosure by transmission, dissemination or
otherwise making available, alignment or combination, blocking, erasure
or destruction. The natural or legal person which determines the
purposes and means of the processing of personal data is called the
“controller”.

Personal data can be processed legally only if the data subject has
given a specific and informed consent. Exceptions to this rule are:

a) the processing is necessary for the performance of a contract to
which the data subject is party or in order to take steps at the request
of the data subject prior to entering into a contract;

b) the processing is necessary for compliance with a legal obligation
to which the controller is subject;

c) the processing is necessary to protect vital interests of the
person;

d) the processing is necessary for the performance of a task carried
out in the public interest or in the exercise of official authority
vested in the controller or in a third party to whom the data are
disclosed; or

e) the processing is necessary for the purposes of the legitimate
interests pursued by the controller or by the third party to whom the
data are disclosed, except where such interests are overridden by the
interests for fundamental rights and freedoms of the person.

Processing of personal data for personal or family activities is
exempted from the application of the protection and can be done without
consent. For example, creating a personal agenda or diary with the
names, telephone numbers and birthdays of family members and friends is
not a kind of processing covered by the Directive 95/46/CE and the Greek
law. However, what happens if somebody decides to put all this
information on the Web through an Internet site, a blog or otherwise?

The European Court of Justice (ECJ) dealt with this question in the
“Bodil Lindqvist” case (6th of November 2003). According to the Court,
the act of referring, on an internet page, to various persons and
identifying them by name or by other means, for instance by giving their
telephone number or information regarding their working conditions and
hobbies, constitutes the processing of personal data wholly or partly by
automatic means within the meaning of Article 3(1) of Directive
95/46/EC. Such processing of personal data is not covered by any of the
exceptions of Directive 95/46.

Rules concerning the processing of personal data

Apart from obtaining the person’s consent, normally every person who
plans to process personal data should make a special written
notification to the Personal Data Protection Authority. In Greek law, if
the data fall in the category of “sensitive data”, the controller should
be given a special authorisation from the Personal Data Protection
Authority for the processing.

For these formalities see in detail: the Internet site of the Greek Data Protection Authority and the site of the Cypriot data protection authority: http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/intro_gr/intro_gr?OpenDocument