GDPR & Employee Personal Data

Friday, 14 December 2018 12:15

The General Data Protection Regulation (GDPR), the most significant legislative initiative in the area of personal data in Europe, came into force on May 25th 2018. The GDPR imposes significant new burdens on organisations, and in particular on employers across Europe, including a substantial number of additional reporting requirements, under the threat of increased fines and penalties. The GDPR’s main goal is to increase the level of protection afforded to employees and in particular to safeguard their human dignity, legitimate interests and fundamental rights.

Why is the GDPR important for employers?

In the context of any employer-employee relationship, the processing of personal data is inevitable. Human Resources departments collect, store and process a large amount of employee personal data (such as names, birth-dates, bank accounts, Social Security Codes, CVs, referral letters etc.), both for internal purposes and in order to comply with the applicable employment/social security legislation. In many instances, HR departments also process special (sensitive) personal data (such as health data, data in relation to diversity in the workplace, etc.), which are subject to a higher degree of scrutiny.

Published in Data Protection

What is the definition of “health data” as per GDPR?

Pursuant to Art. 4(15) GDPR, “data concerning health” (i.e. health data) means “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”. This personal information shall include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject, including:
- Information about the natural person collected in the course of the registration for, or the provision of, health care services
- A number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes
- Information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples
- Any information on, for example, a disease, disability, disease risk, medical history, clinical treatment, or the physiological or biomedical state of the data subject independent of its source, for example, from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.

Data Protection Introduction

Monday, 28 January 2019 13:22

The constitutional context and the right to data protection

The Greek Constitution, adopted in 1975 after the fall of the military dictatorship, explicitly recognized the rights of privacy (Article 9) and secrecy of communications (Article 19). Article 9 guarantees both the asylum of the home and the inviolability of private and family life. Both theorists and the jurisprudence regarded Article 9, in combination with Article 2§1 (dignity of the person) and Article 5§1 (right to free development of personality and participation in the political, social and economic life), as the legal ground for the recognition of a “right to informational self-determination”.

The constitutional revision of 2001 added a new provision granting individuals an explicit right to protection of their personal information. According to Article 9A, “all persons have the right to be protected from the collection, processing and use, especially by electronic means, of their personal data, as specified by law”. The existence of an independent data protection authority has also developed into a constitutional element of the right to data protection: Article 9A also establishes an independent oversight mechanism, providing explicitly that “the protection of personal data is ensured by an independent authority, which is established and operates as specified by law.” As an additional guarantee against infringements of the rights to privacy, data protection and freedom of communication, Article 19§3 provides that the use of evidence acquired in violation of the present article and of Articles 9 and 9A is prohibited.

Personal Data Protection

Wednesday, 05 December 2018 00:00

What is personal data?

Any information relating to an identified or identifiable natural person (‘data subject’). Information relating to entities does not qualify as personal data. Statistics, including data relating to natural persons, do not qualify as personal data provided that they are truly anonymized, i.e. that the natural persons are not identifiable.

What is sensitive personal data?

Any information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Complying with the legal provisions for ensuring confidentiality and security of public electronic communications is a legal requirement for the licensing and functioning of Communication and Internet Service Providers.

PRIVACY, DATA PROTECTION AND DATA RETENTION
Is the right to the confidentiality of communications protected by the Constitution?

According to Article 9 of the Greek Constitution, one’s privacy and family life are inviolable. According to Article 19 par. 1 of the Greek Constitution, the confidentiality of communications is absolutely inviolable, with the exception of national security reasons and the criminal investigation, detection and prosecution of serious crimes, where the Judicial Authority is entitled to order the lawful interception of content and access to communications data. Violation of the constitutional right leads to criminal and in some cases administrative sanctions.

According to Article 19 par. 2 of the Greek Constitution, the protection of the confidentiality of communications is also a matter for an Independent Authority: the Hellenic Authority for Communication Security and Privacy (A.D.A.E.).
