The cooperation with the Institution's Administration for the development of compliance procedures of the Athens School of Fine Arts (ASFA) with the European Union Regulation 2016/679 which sets out rules on the protection of natural persons with regard to the processing of personal data and rules on the free movement of personal data. The subject matter of the new Regulation is the protection of natural persons with regard to the processing of personal data by organisations, as well as the principles for the free movement of such data. The new regulation replaces the provisions of Directive 95/46/EC which is repealed. The goal of the new Regulation is the protection of all EU citizens from breaches of their private life and their personal data.
The term personal data includes any information that may characterise a person. According to Article 2, Law 2472/1997 (Protection of the person from the processing of personal data), personal data may be divided in two categories:
- Personal data: Any information related to a natural person that may allow their identification as well as any other information through which their identity may be directly or indirectly determined. Cumulative statistical data are not considered personal data that may allow the identification of the data subjects. Personal data may include as an example the full name of a person, their home address, their work address, their email, their telephone number, their interests and their profession.
- Sensitive Personal Data Special categories of personal data are the data revealing racial or ethnic origin, political beliefs, religious or philosophical beliefs, participation in trade unions, as well as genetic data, biometric data and data relating to the health, sexual life or sexual orientation of a natural person.
2. Useful definitions and explanations
Data subject:
The natural person to whom the data refer to and whose identity is known or may be identified, directly or indirectly, especially based on an identification number or based on one or more specific data characterising their physical, biological, psychological, financial, cultural, political or social existence.
Data processing:
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Controller:
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processor:
The natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Third party:
Any natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor are authorised to process personal data.
Recipient:
The natural or legal person, public authority, agency or other body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients. The processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
Processing register:
The Controller or the Processor shall establish a data processing Register, where any critical activities relating to personal data shall be recorded in detail, in particular among others: The type of personal data collected and processed, the location of their storage, their retention period, the persons to whom they are disclosed, the security measures taken for the protection of data.
Personal data breach:
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Genetic data:
Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.
Biometric data:
Personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
Data Protection Officer (DOP):
The Regulation provides that the Controller or the Processor shall designate a Data Protection Officer where:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity, or
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale, or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data (such as genetic or biometric data, health data) and data relating to criminal convictions and offences.
3. Tasks of the Data Protection Officer (DOP).
- The DOP shall actively participate in all the issues which relate to personal data protection, while the university shall accordingly ensure to that purpose their access to any information relating to personal data and their processing procedures.
- The university shall offer their full support to the DOP and must provide them with all necessary means for the proper execution of their tasks.
- The DOP must be able to act and operate independently within the university.
- The DOP shall inform and advise the University regarding the obligations arising from the GDPR and other provisions on data protection.
- The DOP shall comply with the internal compliance with the GDPR and other provisions on data protection (e.g. identifying and managing processing operations, carrying out internal controls, etc.).
- The DOP shall provide advice as regards the data protection impact assessment and monitor its performance.
- The DOP shall be the first point of contact for supervisory authorities and the data subjects (students, employees, etc.).
- The DOP shall cooperate with the supervisory authority and act as the point of contact for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36 GDPR.
- The DOP shall participate in all the issues relating to personal data protection.
- Under no circumstances shall the position of the DOP and their devotion to it result in the punishment of the latter or their dismissal by the Controller or the Processor.
- The university shall not assign to the DOP tasks that may cause a conflict of interests with the tasks they carry out as Data Protection Officer (e.g. CFO tasks, Manager of Personnel Department, etc.).
- The DOP may contribute dynamically in recording and maintaining records regarding the processing procedures taking place within the university,always in accordance with the information made available by the Controller or the Processor. In this way, university compliance may be enhanced via regular updating of and reporting to the DOP.
4. Rights of the Data Subject:
The Regulation broadens and enhances the rights of the data subject, which are the following:
- Right to be informed: The controller shall provide the data subject with a series of information, among other regarding the identity and the contact details of the controller, the contact details of the DOP, the purposes of and the legal basis for the processing, the recipients of the data and any transmissions, the period of time during which the data shall be stored, the rights of the data subject (Articles 13,14 GDPR).
- Right of access: The data subject shall have the right to know whether their personal data are being processed or not and have access to information regarding the purpose of the processing, the categories of the personal data, the recipients to whom the data have been disclosed, the period for which data will be stored, the rights of the data subject, the existence of profiling methods (Article 15 GDPR).
- Right to rectification: the data subject shall have the right to obtain from the controller without undue delay the rectification or completion of personal data concerning them (Article 16 GDPR).
- Right to erasure (“right to be forgotten”): the data subject shall have the right to obtain from the controller the erasure of personal data concerning them without undue delay where one of the grounds referred to in the Regulation applies (e.g. the personal data are no longer necessary in relation to the purposes for which they were processed, the data subject withdraws consent or objects to the processing and no other processing legal basis exists, when processing is illegal, Article 17 GDPR).
- Right to restriction of processing: the data subject shall have the right to select stored personal data to restrict their processing in the future, when one of the reasons referred to in the Regulation applies (e.g. the accuracy of the data is contested, processing is illegal and the data subject objects to it, Article 18 GDPR).
- Right to data portability: the data subject shall have the right to receive the personal data concerning them in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller as the Regulation provides (Article 20 GDPR).
- Right to object: the data subject shall have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them, under the conditions set in the Regulation (Article 21 GDPR).
- The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them (Article 22 GDPR).
5. Supervisory Authority:
An independent public authority established by a Member State in accordance with Article 51 of the Regulation. More specifically, for Greece the supervisory authority is the Personal Data Protection Authority.
6. Contact
Heracles Papadopoulos
Tel. 210 3897100
E-mail hercpap@asfa.gr
42, Patision street, 106 82 Athens