Has anyone come across this one before in connection with Greek DP Law?
Imagine a Greek citizen who normally lives in Greece but has a holiday home in the UK. Whilst in the UK, this person does some business with a UK Data Controller who processes some personal data about the Greek citizen.
Below is a translation of the Greek DPA. Section 3b appears to put Greek DPA obligations on UK data controllers (and other EU data controllers as well). Is this not at odds with the EU DP Directive (Article 4) which defines how national DP law should apply?
3. The present law shall apply to any processing of personal data, provided that such processing is carried out:
a) by a Controller or a Processor established in Greek Territory or in a place where Greek law applies by virtue of public international law.
b) by a Controller who is not established in Greek Territory or in a place where Greek law applies, when such processing refers to persons established in Greek Territory. In this case, the Controller must designate in writing, by a statement addressed to the Authority, a representative established in Greek territory, who will substitute the Controller to all the Controller's rights and duties, without prejudice to any liability the latter may be subject to. The same shall also apply when the Controller is subject to exterritoriality, immunity or any other reason inhibiting criminal prosecution.
c) by a Controller who is not established in the territory of a member-state of the European Union but in a third country and who, for the purposes of processing personal data, makes use of equipment, automated or otherwise, situated on the Greek territory, unless such equipment is used only for purposes of transit through such territory. In this case, the Controller must designate in writing by a statement addressed to the Authority a representative established in Greek territory, who will substitute the Controller to all the Controller's rights and duties, without prejudice to any liability s/he may be subject to. The same shall also apply when the Controller is subject to exterritoriality, immunity or any other reason inhibiting criminal prosecution.
Would anyone like to comment on whether they think this may just be a dodgy translation of Greek DP law, or if a UK data controller could indeed be bound by the Greek DPA in the above circumstances?
--
------------------------------------------------------------------------------
Halifax plc, Registered in England No. 2367076. Registered Office: Trinity Road, Halifax, West Yorkshire HX1 2RG. Regulated by the Financial Services Authority. Represents only the Halifax Financial Services Marketing Group for the purposes of advising on and selling life assurance, pensions and collective investment scheme business.
==============================================================================
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|