Report of the Personal Data Protection Authority
In its Report the Authority presents the themes of the decisions it issued in 2007. These include telephone concerns, issues related to Tiresias SA, disclosure of names of persons exempted from the obligation to serve, security measures, biometrics, labor relations, aliens and SMEs.
Another section concerns international issues, including binding corporate rules, airline passenger data transfer, and so on.
Finally, the Authority highlights the shortcomings in personnel that are hampering its operation.
In particular, the Report reads as follows:
(...)
2. Activity in statistics
The Authority issued 65 judgments and responded to 980 other appeals or complaints and questions. Responding to queries is largely a case of consultative work as they examine the legitimacy of a specific treatment that the controller makes to the Authority. The Authority in 3 cases gave an opinion on draft laws and existing provisions on the protection of personal data. It also examined 560 file and process notifications, of which 368 concerned the installation and operation of closed circuit television. It has granted or renewed 110 licenses to keep sensitive data files, file interconnection and data transfers to non-EU countries, and 8 licenses for closed circuit television. Still, the Authority carried out 19 administrative records and processing checks on 17 processors. In 12 cases, the Authority imposed the sanction of the strict warning, in 17 cases fines 1,500-50,000 Euros and in 3 other cases the uninstall of a closed circuit television.
In 2007, complaints / complaints and inquiries were submitted in 2005 as a whole, 1045 cases were handled and 2,264 cases were pending, including in previous years. To this number, some 600 cases have to be added with rapporteurs seconded to the auditor, for whom there is no deferment due to lack of staff. The total stock of some 3000 cases highlights the Authority's inability to respond to today's staffing and operating data to the ever increasing rate of incoming affairs. There is, therefore, a significant increase in the number of citizens and the controllers, which are addressed to the Authority. For example, considering only appeals and questions, while in 2002, as in 2003, about 1200 were submitted,
3. Decisions
Decisions of general interest:
• Telephone nuisances: Telephone communication for the purpose of promoting products and services is allowed only with the prior explicit and specific consent of the recipient of the telephone call. The register of Article 13 of Law 2472/1997 maintained by the Authority on individuals who do not wish to receive advertising does not apply to telephone and other electronic communications (Decision 57/2007).
• Banking sector - TIRESIAS: Banks are required to transmit accurately unfavorable data to TIRESIAS SA, which has the independent duty to control and ensure the requirements of Law 2472/1997 for lawful processing of data (Decisions 35/2007 and 49 / 2007). It is not lawful without the prior consent of the borrowers that bankers in TIRESIAS SA be transferred from the details of their loans to individuals concerning loans and credit cards that were approved before 2003 (Decision 63/2007).
• Disclosure of the names of persons exempt from conscription: These are three categories of persons: (a) those who have been legally exempted from the obligation to serve for health reasons; (b) those deemed suitable for military service after re-checking their supporting documents; and ) of those unlawfully exempted from the obligation to serve for health reasons. In all three cases, the disclosure was considered illegal, as there is no relevant provision of law providing for the specific treatment - disclosure, nor does it fall under any of the conditions for lawful processing provided for in Article 7 of Law 2472/1997 on sensitive data Decision 6/2007).
• Security measures and secure data destruction: The controller is also required to safely destroy the data. The mere dropping of the files into litter bins does not meet the requirements of Law 2472/1997 for the adoption of appropriate organizational and technological security measures (Decisions 1/2007, 2/2007, 8/2007, 12/2007, 13/2007, 14/2007, 15/2007, 20/2007, 21/2007, 32/2007, 33/2007, 46/2007, 47/2007, 55/2007).
• Biometric data: It is illegal for the employer to use the biometric method of fingerprint analysis of workers to control the entry and exit of the latter's facilities, as well as to check the timetable (Decisions 50/2007 and 62/2007).
• Labor relations and data protection: Employers can not investigate without the employee's consent to the files he holds on his computer (Decision 37/2007).
Another section concerns international issues, including binding corporate rules, airline passenger data transfer, and so on.
Finally, the Authority highlights the shortcomings in personnel that are hampering its operation.
In particular, the Report reads as follows:
(...)
2. Activity in statistics
The Authority issued 65 judgments and responded to 980 other appeals or complaints and questions. Responding to queries is largely a case of consultative work as they examine the legitimacy of a specific treatment that the controller makes to the Authority. The Authority in 3 cases gave an opinion on draft laws and existing provisions on the protection of personal data. It also examined 560 file and process notifications, of which 368 concerned the installation and operation of closed circuit television. It has granted or renewed 110 licenses to keep sensitive data files, file interconnection and data transfers to non-EU countries, and 8 licenses for closed circuit television. Still, the Authority carried out 19 administrative records and processing checks on 17 processors. In 12 cases, the Authority imposed the sanction of the strict warning, in 17 cases fines 1,500-50,000 Euros and in 3 other cases the uninstall of a closed circuit television.
In 2007, complaints / complaints and inquiries were submitted in 2005 as a whole, 1045 cases were handled and 2,264 cases were pending, including in previous years. To this number, some 600 cases have to be added with rapporteurs seconded to the auditor, for whom there is no deferment due to lack of staff. The total stock of some 3000 cases highlights the Authority's inability to respond to today's staffing and operating data to the ever increasing rate of incoming affairs. There is, therefore, a significant increase in the number of citizens and the controllers, which are addressed to the Authority. For example, considering only appeals and questions, while in 2002, as in 2003, about 1200 were submitted,
3. Decisions
Decisions of general interest:
• Telephone nuisances: Telephone communication for the purpose of promoting products and services is allowed only with the prior explicit and specific consent of the recipient of the telephone call. The register of Article 13 of Law 2472/1997 maintained by the Authority on individuals who do not wish to receive advertising does not apply to telephone and other electronic communications (Decision 57/2007).
• Banking sector - TIRESIAS: Banks are required to transmit accurately unfavorable data to TIRESIAS SA, which has the independent duty to control and ensure the requirements of Law 2472/1997 for lawful processing of data (Decisions 35/2007 and 49 / 2007). It is not lawful without the prior consent of the borrowers that bankers in TIRESIAS SA be transferred from the details of their loans to individuals concerning loans and credit cards that were approved before 2003 (Decision 63/2007).
• Disclosure of the names of persons exempt from conscription: These are three categories of persons: (a) those who have been legally exempted from the obligation to serve for health reasons; (b) those deemed suitable for military service after re-checking their supporting documents; and ) of those unlawfully exempted from the obligation to serve for health reasons. In all three cases, the disclosure was considered illegal, as there is no relevant provision of law providing for the specific treatment - disclosure, nor does it fall under any of the conditions for lawful processing provided for in Article 7 of Law 2472/1997 on sensitive data Decision 6/2007).
• Security measures and secure data destruction: The controller is also required to safely destroy the data. The mere dropping of the files into litter bins does not meet the requirements of Law 2472/1997 for the adoption of appropriate organizational and technological security measures (Decisions 1/2007, 2/2007, 8/2007, 12/2007, 13/2007, 14/2007, 15/2007, 20/2007, 21/2007, 32/2007, 33/2007, 46/2007, 47/2007, 55/2007).
• Biometric data: It is illegal for the employer to use the biometric method of fingerprint analysis of workers to control the entry and exit of the latter's facilities, as well as to check the timetable (Decisions 50/2007 and 62/2007).
• Labor relations and data protection: Employers can not investigate without the employee's consent to the files he holds on his computer (Decision 37/2007).
• Removal of aliens from the Schengen Information System and from the National Aliens List: The withdrawal of the Greek nationality is not a reason for registering an alien in the Schengen Information System and the National Aliens List, as the presence of this alien in the Greek territory is not a threat on public order and security or on national security. The following lists are also automatically removed from the above lists and the aliens against whom the measure of expulsion was imposed, if they subsequently received a residence permit under the provisions of Law 2910/2001 and Law 3386/2005 regarding the entry and residence of aliens in Greece (Decisions 7/2007 and 10/2007).
• Foreigners Data: The Ministry of Employment, Youth and Sports has to delete the fields that are relevant to the religion and national origin of the applicants as unnecessary and inappropriate from the application forms for the residence permit issued to aliens. If he wishes to collect the above data for statistical purposes, he must do so by issuing different forms, which will be anonymous (decision 16/2007).
• SMEs and personal data: Balancing the competing rights of information technology and freedom of the press and informing citizens, in line with the principles of practical harmonization of constitutional provisions. The judgment as to whether such processing was legitimately exercised or whether the right of information self-determination of the persons affected and privacy was violated, obeys both the criterion of whether such processing served the interest of public opinion and whether the infringement in question was within the framework of the principle of proportionality necessary for the exercise of the right to information (43/2007).
4. International Issues
The most important issues addressed by the Authority, mainly in the context of its cooperation with the Data Protection Authorities of the EU Member States but also at a national level, include the following:
• Binding Corporate Rules on the transmission of data to non-EU countries,
• the transmission of data of passengers airlines (PNRs),
• the global SWIFT financial messaging service,
• Informative system of administrative cooperation and information exchange (Internal Market Inf ormation (IMI) within the EU;
• Social networking services;
• Search engines;
• Private health care,
• spam,
• the protection of minors' personal data, and
• data protection in the Third Pillar of the EU.
5. Integrated Information System
In December 2007, the Personal Information Protection Authority, within the framework of the Information Society program, completed the implementation of the Information System-Electronic Service Center in order to provide electronic services to the public and to improve of its internal function. The project was based on Internet and open source technologies and its implementation lasted about 2 years.
6. Problems and Response Measures
The Authority faces, to a greater extent than in previous years, serious operational problems caused by the insufficient number of organizational positions, the lack of remuneration and grading incentives to attract and remain in the service of scientific staff, the excessive increase in incoming cases , appeals / complaints, disclosures) as well as increased requirements for audits and support for controllers.
Human resources problems have also been highlighted in the annual reports of 2005 and 2006. They continue to exist, which in many cases renders the Authority's response in the exercise of its responsibilities inadequate or even unfeasible.
Following the appointment of the members of the new composition of the Authority, some organizational measures have been attempted to address the problems, such as the establishment and operation of a department alongside the Plenary, the adjustment of the special additional remuneration for the staff (scientific and administrative) Secretariat, the recruitment of trainees from the stage program of the OAED and the announcement of a competition for the filling of five vacant positions.
It is already being studied, in order to work more efficiently and faster, to allocate the scientific staff to four offices on the basis of handling cases in related objects. Also, a working group will be set up to propose the amendment to the founding law in the light of the experience of its more than 12 years of implementation. Among the amendments, it will be proposed to change the status of auditors from the IP category to specialist scientific posts. This change will allow for salaried assimilation with the staff of other independent authorities with the same or less formal qualifications.
The brave but gradual increase in organic positions from 50 to 90 is a prerequisite for the smooth operation of the Authority. At the moment, due to workload, a major Authority mission is the administrative authority's own ex officio control of records and treatments with serious risks to the citizen (eg banking and insurance, product and service promotion, electronic communications, health , industrial relations, etc.) and the small number of staff are struggling to respond to the handling of minor complaints. For the same reason, in recent years, no directives and regulations have been drawn up to regulate specific issues and no studies on new technologies and support for controllers are being prepared.
The Authority should develop further preventive action in the coming years. In order to achieve this goal, the state must ensure the necessary human resources and the necessary logistical infrastructure.
About Jhon Petter
This comment has been removed by the author.
ReplyDelete