
Data Protection Day – The million dollar question
January 28th is Data Protection Day (in the EU) or Privacy Day (in the US). But how did this day begin?
The story of January 28
The establishment of the day was initiated by the Committee of Ministers of the Council of Europe in 2006. Council of Europe resolutions on the privacy of individuals preceded and even served as a partial catalyst for the first national data protection laws in Austria, Denmark, France, Germany, Luxembourg, Norway and Sweden.
January 28 was chosen for Data Protection Day because it marks the anniversary of the opening for signature of the Council of Europe Convention 108 in 1981. Convention 108 has a special status as the first legally binding international agreement on data protection and continues to influence data protection laws around the world to date.
In 2018 Convention 108 took a modernized form as Convention 108+, incorporating some of the key principles of EU law and the definitions set out in the GDPR, such as the concept of proportionality and that data processing should be based on the "free, specific, informed and explicit consent" of the subject.
Today, all over the world and in Greece, many informative events on "current issues of personal data protection" are held on this occasion. Today in Greece, in Europe and in the world we have sufficient legislation on basic data protection issues and new legislation is underway to regulate the use of artificial intelligence (among others). What is lacking is control and enforcement. For our country, the "competent supervisory authority" is the Personal Data Protection Authority (PDPA).
Public bodies and data in Greece
The obligations of public bodies in matters of personal data protection have been clearly described; among them are the designation of a Data Protection Officer (DPO) and the publication of the DPO's contact details. In a country that lacks a culture of measurable indicators, quality, evaluation, control and risk management, it would be interesting to find out which the Greek public bodies are; indeed, this would (obviously) be a matter of transparency and open data for the citizen.
It is therefore reasonable for a citizen to ask the Authority the following question: "Which public bodies have complied with the GDPR?" However, its answer is not logical: "regarding the request for information on the Data Protection Officers of the Greek Public bodies, we inform you that, in accordance with article 37 of the General Data Protection Regulation and article 6 of Law 4624/2019, each institution publishes the contact details of the Data Protection Officer, which it announces to the Authority.
The granting by the Authority of a file with the information announced in it, is not provided for by the above provisions nor by any other provision of the legislation."
So, to celebrate this day, a Greek citizen would have to find a list of Greek public bodies and check them one by one to see their privacy compliance! He then discovers that the question above turns into a million-dollar question! The General Secretariat of Public Administration Information Systems (GIPSDD) gives 3753 registrations, but with deficiencies (all professional associations are missing, e.g. medical, dental, lawyers, etc.).
There are also the Register of Services and Bodies of the Greek Administration of the Ministry of the Interior (last recorded 2018) and the Register of Bodies of General Government / 2019 of the Hellenic Statistical Authority. And of course there are also about 6700 (!) NPDDs connected to church structures in Greece that are not easy for an ordinary citizen to see.
The compliance of Greek public bodies with data protection rules is not only a matter of formality. Following these rules ensures that the processing of the data of each and every one of us is done in a legitimate and legal way and that it concerns only the data that is necessary to achieve a specific and legal purpose. It is, in other words, an issue that also concerns the moral responsibility of the State towards the citizens.
With this in mind, today's Data Protection Day offers plenty of food for thought and action to make public bodies' compliance with the personal data regulatory framework easily auditable by the public: it should be public data.
The author declares no conflict of interest. The author received no financial support for the research, writing and/or publication of this article.
*Yiannis S. Kalantzakis is a health services entrepreneur, certified Data Protection Officer (DPOaaS) & business consultant on matters of personal data management (GDPR), medical tourism and quality. #IOwnMyHealthData