Hi Trevor,  Hope you're keeping well

My observations

EC95/46 Art 4 forms basis for mational law drafting as observed. UK Act
Section 5 was UKs interpretation.
Section 3 of Greek law as you have extracted appears to be covering similar
ground. Whats your source?

I do recall in the early days of the lobbying that there were observations
made about difficulties in the translation of the directive between Greek,
French and English. Unfortunately I no longer have the information I
collected on the discussions.

Given this I suspect that your source may well have a high probability of
potential and arguable transalation errors.

I would argue that the UK Act will apply.  So the only question is if any
'extra' obligations arise from the Greek law on UK controllers should a
ruling ever be made that Greek law 'travels' and if those obligations are
relevant to the situation being managed.

The point of the directive was to harmonise laws across the EC and latterly
EEA so in principle the national laws should be pretty similar. The spirit
of what was intended should be the same..

When individuals provide personal data to a financial services controller,
somewhere in the contract the prevailing law is stated.
Therefore if you collect data for a financial services contract you have
probably already advised the individual that the contract and by implication
the personal data necessary for that contract is subject to UK law. They
presumably did not raise any issue with that..

If it transpires that Greek law does a apply then I see that a lot of
organisations will have to adapt their contract wordings.  Id doubt that all
those organisations legal advisors would have missed such a point.

Id guess that Greek Act would not be tenable in the UK. Perhaps a question
for the European DP Commissioner to resolve.

On another issue. Just a quick snippet.

Ive been reading the Companies (Audit, Investigations and Community
Enterprise) Act 2004 (Sections 65,66 and 67 came into force 28/10/2004).

It amends the Companies Acts of 1985 and 1989 with stated objective to
introduce further audit controls to try to improve consumer confidence, due
to the various high profile company failures..

In the Act Schedule 2 Part 3 references amendments to section 449 of
companies Act 1985. This section headed 'Provision for Security of
Information obtained' in its subsection 11 states noting in section 449
authorises the making of a disclosure in Contravention nof the Data
Protection Act 1998. ie if fair obatining notices do not adequately advise
data subjects of the potential  access to 'ie disclosures' as discussed in
this section then the use and disclosures of the personal data by those
arguing access (ie auditors, investigators, regulators)  will be in
contravention of DPA98.

I haven't checked yet to see if the existing section 449 of the 1985
companies Act referenced DPA 1984 in the same way.

But theres a possibility that some notice amendments on financial services
contracts may have to be made as a consesquence of the change.

Happy days

David Wyatt

----- Original Message -----
From: "Trevor Chew" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Wednesday, December 01, 2004 10:53 AM
Subject: [data-protection] Greek Data Protection Law


Has anyone come across this one before in connection with Greek DP Law?

Imagine a Greek citizen who normally lives in Greece but has a holiday home
in the UK.  Whilst in the UK, this person does some business with a UK Data
Controller who processes some personal data about the Greek citizen.

Below is a translation of the Greek DPA.  Section 3b appears to put Greek
DPA obligations on UK data controllers (and other EU data controllers as
well).  Is this not at odds with the EU DP Directive (Article 4) which
defines how national DP law should apply?

3. The present law shall apply to any processing of personal data, provided
that such processing is carried out:

a)      by a Controller or a Processor established in Greek Territory or in
a place where Greek law applies by virtue of public international law.
b)      by a Controller who is not established in Greek Territory or in a
place where Greek law applies, when such processing refers to persons
established in Greek Territory. In this case, the Controller must designate
in writing, by a statement addressed to the Authority, a representative
established in Greek territory, who will substitute the Controller to all
the Controller's rights and duties, without prejudice to any liability the
latter may be subject to. The same shall also apply when the Controller is
subject to exterritoriality, immunity or any other reason inhibiting
criminal prosecution.
c)      by a Controller who is not established in the territory of a
member-state of the European Union but in a third country and who, for the
purposes of processing personal data, makes use of equipment, automated or
otherwise, situated on the Greek territory, unless such equipment is used
only for purposes of transit through such territory. In this case, the
Controller must designate in writing by a statement addressed to the
Authority a representative established in Greek territory, who will
substitute the Controller to all the Controller's rights and duties, without
prejudice to any liability s/he may be subject to. The same shall also apply
when the Controller is subject to exterritoriality, immunity or any other
reason inhibiting criminal prosecution.

Would anyone like to comment on whether they think this may just be a dodgy
translation of Greek DP law,  or if a UK data controller could indeed be
bound by the Greek DPA in the above circumstances?




--

------------------------------------------------------------------------------
Halifax plc, Registered in England No. 2367076.  Registered Office: Trinity
Road, Halifax, West Yorkshire HX1 2RG. Regulated by the Financial Services
Authority.  Represents only the Halifax Financial Services Marketing Group
for the purposes of advising on and selling life assurance, pensions and
collective investment scheme business.
 =============================================================================

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
      If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
        http://www.jiscmail.ac.uk/help/commandref.htm
  (all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
      If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
        http://www.jiscmail.ac.uk/help/commandref.htm
  (all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^