When things go wrong-Part Two
A brief guide explaining what to do and whom to address if you have problems with the processing of your personal data
By Lefteris Chelioudakis and Elpida Vamvaka
Having been informed about your rights in the first part of this article, it is reasonable to ask yourself how to apply them in practice.
Α Request to the Data Controller
In order to exercise any of your rights, you should submit to the Data Controller the relevant request and the Data Controller shall verify your request. Subsequently, the Data Controller has a time limit of one month from the time of the receipt of your request to answer to it. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests (this means a total of 3 months until you receive the final answer to your request). However, even in this case, the controller shall inform you of any such extension within one month of receipt of the request, together with the reasons for the delay. Any information provided and any actions to be taken by the controller shall be provided free of charge. Where your request is complicated or excessive, the controller may either charge a reasonable fee or refuse to act on your request.
Nonetheless, in such case the controller shall bear the burden of demonstrating the manifestly complicated or excessive nature of your request.
Lodge a complaint with the Supervisory Data Protection Authority
If you consider that your rights have been infringed and the Controller or the representative (the natural or legal person processing your data according to the instructions and on behalf of the Data Controller) do not operate in compliance with the rules imposed by the law, you may, if you wish so, lodge a complaint with the Supervisory Personal Data Protection Authority. Τhis step, although not mandatory, is particularly useful. The reason is that the controllers of the Authority have the requisite knowledge and experience to evaluate the complaint and its basis.
A complaint may be lodged, at your choice, either with the Independent Authority of the Member State of your habitual residence (e.g Greece) or the Independent Authority of the Member State of EU place of work (e.g Bulgaria if you live in Greece and you cross the border to work there) or the Independent Authority of the Member State of the alleged infringement (e.g Italy if you went there for vacation and you consider that the hotel you made the reservation infringed the law in processing your personal data).
The complaint to the Authority can be submitted by electronic means completing a standardized format without excluding other means of communication. In general, the submission of the complaint shall be free of charge but where the request is manifestly ill-founded or excessive, the Authority may charge a reasonable fee based on administrative costs or refuse to act to the request. In such case, the Supervisory Authority shall bear the burden of demonstrating the manifestly ill-founded character of the request. For lodging of the complaints with the Greek Supervisory Personal Data Protection Authority, you can find here the relevant forms and other information regarding the procedure.
If the Authority decides that there has actually been an infringement of your rights, you can subsequently use this decision before the courts to have an increased chance of winning a claim for damages. However the Authority cannot, by its decision, oblige the controller or the processor to compensate you for your damage. What it can do, among other things, is to impose on them particularly high administrative fines.
In addition, the Authority may cooperate with Independent Authorities of other Member States and has the authority to conduct investigations on the application of law, to bring to the attention of the judicial authorities any infringement of law and where appropriate to commence or engage otherwise in legal proceedings in order to enforce the provisions of law.
But what happens if the authority issues a binding decision declaring that there has been no infringement of your rights or does not examine your complaint at all or does not inform you on the progress or outcome of your complaint within three months? Then you have the right, if you wish, to bring legal proceedings against the Authority before the courts of the Member State where the authority is established.
Right to a judicial remedy against a controller or processor
Omitting the step of lodging a complaint with the authority or following that, if you consider that your rights have been infringed and you want to receive compensation, you have the right to a judicial remedy against the controller or processor. In such case you have two options: You may institute legal proceedings before the courts of the Member State where the controller or the processor is established or before the courts of the Member State where you have your habitual residence unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers. In this case you may initiate proceedings in the Member State to which the public authority belongs.
How can Homo Digitalis help you?
The law gives you the right to mandate a not-for-profit body which is active in the field of the protection of personal data, such as Homo Digitalis, to lodge the complaint on your behalf with the Supervisory Personal Data Protection Authority, to institute a judicial remedy against the Supervisory Personal Data Protection Authority and to institute a judicial remedy against the controller or the processor, exercising on your behalf your right to compensation.
Although we have limited human and financial resources, you should know that we are always at your disposal. Should you want to contact us you can send us an e-mail at firstname.lastname@example.org.