Filenews 21 June 2021 - by Evagoras Prokopiou
This is at least a strange time. Technology and the introduction into our daily lives of the media, the onset of the pandemic and its effects, put the protection of personal data at risk. Without a doubt, state, society and citizens are experiencing an unprecedented situation. In such circumstances, some people see individual rights as an obstacle to luxury goods. Somewhere here comes the plan of the Office of the Commissioner for Personal Data and the work it has been doing in the 19 years since its establishment.
From May 2018 in the arsenal of Commissioner Irene Nikolaidou Loizidou is the institutional framework of the general European regulation on the protection of personal data. "The most important need to protect privacy through the processing of personal data, which was also the purpose of establishing this strict legislative framework, is to shield personal data in the current environment of rapid technological progress," notes the Commissioner.
When was the institution of the Commissioner for the Protection of Personal Data established and what role is it called upon to play?
The Office of the Privacy Commissioner was set up in 2002 by legislation of 2001 and to date four Commissioners have served in the Office. The Term of Office of the Commissioner is now six years with the possibility of renewal for another term. The establishment of the Office in Cyprus came from a Union obligation of our country as well as of the other EU Member States. The legislative framework governing the functioning of the Office is the General European Data Protection Regulation 679/2016, now known as GDPR, and implementing national legislation 125(I) 2018 which was passed by the Cyprus Parliament in June 2018, one month after the universal application of the General Regulation 25 May 2018. Also, Harmonising Law 44(I)/2019 protects citizens' data processed for law enforcement purposes.
The Office as the guardian of citizens' personal data in Cyprus has a responsibility and role to inform citizens about current affairs personal data, to guide both citizens and public and private law organisations on the lawful use of personal data and to correct incorrect and/or illegal practices, exercising the powers to impose administrative fines at each level.
What do the terms "personal data" mean and what do the terms "processing personal data" mean?
Personal data is any information that identifies us or can identify us. The classification of personal data includes simple personal data such as name, identity, address, etc. and the specific category of personal data, which includes data which, if used, may create discrimination such as medical data, origin, sexual orientation, etc.
Processing is called separately the action of collecting, disposing, sharing, destroying etc personal data.
ABOUT GDPR THE LOGO
Almost three years after the incorporation of the 'General Data Protection Regulation' (GDPR) do you believe that as citizens we know what it is predicting and what changes it has brought to our lives? What's the point of it?
Since the regulation was adopted in 2016 and has set a time limit for its implementation over the two years, the Office has carried out a major information campaign, both in the public and private sectors, in order to be able for society to accept the mandatory culture change that promotes this new European institutional framework. It had to be, and has been, to be indicated and trained by us, the Data Protection Officers of public authorities and private organisations who met the conditions and qualifications, in order to make it clear to the potential of each agency/organisation/company that, the new framework for the protection of personal data requires first and for all accountability and transparency, creates new obligations but at the same time strengthens existing citizens' rights and introduces some new ones.
From 25 May 2018, everyone should demonstrate in practice through transparent procedures and not in words, that they comply and follow in the performance of their duties/responsibilities/activities, the principles required by the GDPR.
I believe that the most important need to protect privacy through the processing of personal data, which was also the purpose of the adoption of this strict legislative framework, is to protect personal data in the current environment of rapid technological progress.
On this basis, new obligations have been introduced by organisations such as that of consultation with the Commissioner, before and during the design of applications relating to high-risk data volume processing. New rights such as portability and oblivion were also introduced on this basis. What I can safely attest to is that the issue of the protection of personal data concerns citizens in their daily lives, they know their rights mostly in the right sense and they exercise them.
Is there or will a campaign run from your office for the public to understand the General Data Protection Regulation?
This has never stopped. It is our obligation but also our responsibility to constantly inform society about anything we find useful. You will have noticed that at every opportunity, either through announcements or with my own personal presentations to the media, we take care to explain issues and give understandable guidance on what is within the framework of legality and what is not. In addition, thematic events/presentations are also held in order to shed light on any grey areas that may exist.
What are the most common complaints submitted to the Commissioner's office and why are fines imposed?
Previously the lion's share were complaints about unwanted commercial/political promotion messages. Such complaints due to constant warnings and increased fines have been significantly reduced. For example, for example, for spam, in 2018 we had 268 complaints, in 2019 92 complaints and in 2020, only 60 complaints.
In 2019, we had 421 complaints, most of which related to the legality of processing (157), the exercise of rights (7 complaints) and infrastructure security (16). We are particularly sensitive to matters relating to the specific category of personal data and those relating to minors. In 2020, we had a total of 12 complaints about minors.
COVID-19 AND PROTECTION OF PERSONAL DATA
The pandemic has brought upheavals in our way of life. Do you generally believe that our personal data was attacked? Are they protected? For example what about the so-called safepass, for rapid test the PCR test?
In times like this that, I would like to think, we have almost completed, there are restrictions on personal freedoms and rights. The protection of personal data as a non-absolute right has allowed restrictions, but with the involvement of our Office, they have not led to their abolition. Some processing of personal data since the beginning of the pandemic has been consulted with my Office and has progressed and some have not, as they did not satisfy the principles of proportionality, purpose, necessity, etc. Also, since the beginning of the pandemic with our own initiative, most of the time intervention, procedures have been corrected concerning the illegal use of personal data such as the pronunciation of names and results during rapid testing, the pronunciation of names in vaccination centres, SMS, tracking applications, etc. Even if applications had or have as their legal basis consent, they have an obligation, inter alia, to carry out an impact assessment and consultation.
On the one hand, we should separate the obligation to hold some evidence from citizens in compliance with the decrees of the Ministry of Health, from the obligation to show it, in the case of control by an authorised officer and or by the Police. On the other hand, both the possession and mere display of such certificates do not constitute the processing of personal data, since there is neither collection, registration nor any act which constitutes the processing of personal data.
In any case, any measure to restrict personal data must, in order to be legitimate and lawful, be weighed against public health and the greater good.
In the light of the latest findings and the thriller with the Giorgis List, the question arises as to when personal data can be processed? Essentially, when does the public interest allow such processing?
In order to serve the public interest and thus its primacy over privacy and its protection, even public persons, certain criteria must be met, which have been analysed in my opinions which have seen the light of day. These criteria in general terms relate to whether each public person, from his position, has acted in such a way as to benefit, whether he has participated in the decisions concerning him or her and which have benefited him, whether the public person has been treated more favourably than another public person, but also by a non-public person.
The public interest as we often hear it used is not a vague and abstract concept but is justified by both European and national decisions.
What do you consider to be one of your most important actions or moment in your career as Commissioner so far?
Thus, as the institution evolves through its involvement and its interventions in the everyday life of citizens, every day is a challenge.
If I can single out a moment, it is the positive assessment of my Office by the European Commission, in the context of an assessment of entry into the Schengen area.
My Office was assessed as the Supervisory Authority of the mechanism and with the positive evaluation, it paved the way for the evaluations of the Police, the Ministry of the Interior, the Ministry of Foreign Affairs and other Agencies, for the implementation of the Schengen acquis in the Republic.
