5G-TOURS hereby informs you that it collects, processes and stores, in electronic or paper form, the personal data that you are providing to our study, according to the provisions of the applicable legislation on personal data, namely the Regulation (EU) 2016/679 of the European Parliament and of the Council (‘General Data Protection Regulation’), as well as the applicable national data protection legislation, and according to the terms and conditions set below:
By participating in 5G-TOURS activities, you agree that your personal data will be processed by 5G-TOURS for the purposes of the research conducted by the 5G-TOURS project. The above personal data will not be disclosed to any third party without the participant’s explicit written consent. The legal basis of the above processing is your written consent granted hereby and the serving of the legitimate interests of 5G-TOURS.
The above personal data will be accessible and processed by authorized employees of 5G-TOURS consortium members, who will process the personal data solely for the fulfillment of the aforementioned purposes, and in no case for their own benefit. Furthermore, some of the above personal data will be accessible and processed, within the framework of their responsibilities, by authorized external associates of 5G-TOURS for the fulfillment of the aforementioned purposes. Any further transfer of personal data to any third person or to a country outside the European Union will take place only where the aforementioned legislation so provides.
Subject to the exceptions, conditions, and limitations provided by the applicable legislation, you can exercise your rights of access, rectification, restriction of processing, objection and erasure with respect to the above personal data, as well as the right to data portability. In case you exercise one of the aforementioned rights, 5G-TOURS will take every possible measure for the prompt satisfaction of your request, according to the specific provisions and conditions of the applicable legislation, and shall inform you in writing either that your request has been satisfied or of the reasons that, under the applicable legislation, prevent you from exercising the right or prevent the satisfaction of one or more of the aforementioned rights.
In addition, you may at any time withdraw your present consent, without however affecting the lawfulness of processing based on consent before its withdrawal and the processing based on other legal bases.
Furthermore, you have the right to lodge a complaint with the relevant National Data Protection Authority, in case you consider that the processing of your personal data is against the applicable legislation.
Personal Data Breach Notification Procedure
I. PERSONAL DATA BREACH UNDER THE GDPR
The General Data Protection Regulation (Regulation (EU) 2016/679, hereinafter “the GDPR”) introduces the requirement for a personal data breach (henceforth “breach”) to be notified to the competent national supervisory authority (or in the case of a cross-border breach, to the lead authority) and, in certain cases, to communicate the breach to the individuals whose personal data have been affected by the breach.
According to the GDPR, any personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’). Furthermore, under the GDPR, a ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Accordingly, the GDPR requires both controllers and processors to have in place appropriate technical and organisational measures to ensure a level of security appropriate to the risk posed to the personal data being processed. They should take into account the state of the art, the costs of implementation and the nature, the scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Also, the GDPR requires all appropriate technological protection and organisational measures to be in place to establish immediately whether a breach has taken place, which then determines whether the notification obligation is engaged. Such notification, if necessary, should be made without undue delay, taking into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects for the data subject. Such notification may result in an intervention of the supervisory authority in accordance with its tasks and powers laid down in the GDPR.
Consequently, a key element of any data security policy is being able, where possible, to prevent a breach and, where it nevertheless occurs, to react to it in a timely manner.
II. NOTIFICATION REQUIREMENT
Pursuant to Article 33 of the GDPR, in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. According to the Article 29 Working Party, a controller should be regarded as having become “aware” when that controller has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised.
The controller retains overall responsibility for the protection of personal data, but the processor has an important role to play in enabling the controller to comply with its obligations, and this includes breach notification. Pursuant to Article 33(2), if a processor is used by a controller and the processor becomes aware of a breach of the personal data it is processing on behalf of the controller, it must notify the controller “without undue delay”. It should be noted that the processor does not need to first assess the likelihood of risk arising from a breach before notifying the controller, as the controller must make this assessment on becoming aware of the breach. The processor just needs to establish whether a breach has occurred and then notify the controller. The controller uses the processor to achieve its purposes; therefore, in principle, the controller should be considered as “aware” once the processor has informed it of the breach, and the 72-hour period runs from that point.
When a controller notifies a breach to the supervisory authority, at a minimum it should:
(a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(b) communicate the name and contact details of the data protection officer or another contact point where more information can be obtained;
(c) describe the likely consequences of the personal data breach;
(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where precise information is not available (e.g. exact number of data subjects affected) this should not be a barrier to timely breach notification. The GDPR allows for approximations to be made in the number of individuals affected and the number of personal data records concerned. The focus should be directed towards addressing the adverse effects of the breach rather than providing precise figures.
III. COMMUNICATION TO THE DATA SUBJECT
Controllers should recall that notification to the supervisory authority is mandatory unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. In addition, where a breach is likely to result in a high risk to the rights and freedoms of individuals, the individuals must also be informed. The threshold for communicating a breach to individuals is therefore higher than for notifying supervisory authorities, and not all breaches will need to be communicated to individuals, which protects them from unnecessary notification fatigue.
The GDPR states that communication of a breach to individuals should be made “without undue delay,” which means as soon as possible. The main objective of notification to individuals is to provide specific information about steps they should take to protect themselves. As noted above, depending on the nature of the breach and the risk posed, timely communication will help individuals to take steps to protect themselves from any negative consequences of the breach.
According to Article 34(2) of the GDPR, the controller should at least provide the following information:
(a) a description of the nature of the breach;
(b) the name and contact details of the data protection officer or another contact point;
(c) a description of the likely consequences of the breach; and
(d) a description of the measures taken or proposed to be taken by the controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
IV. NOTIFICATION IN CASE OF DATA BREACH
Effective treatment of a personal data breach incident requires early detection and disclosure of the relevant facts. Therefore, 5G-TOURS shall appoint a person responsible for the handling of personal data breach incidents and for the notification to the supervisory authority, who will act as the central reporting channel for all personal data breach incidents in 5G-TOURS.
This person shall be the Data Protection Officer (DPO) of the 5G-TOURS project, namely:
Dr Sofoklis Sotiriou
Head of the Research and Development Department
Dimitriou Panagea Street
153 51 Pallini
It is of the utmost importance that all employees, outsourcers, representatives and personal data processors clearly understand what an incident is and to whom it should be reported. Once a person realizes that an incident has taken place or is taking place, he/she should immediately and without delay report the incident via the above-mentioned telephone line or email and to the responsible officer. The DPO shall then further investigate the situation and assess the impact of the breach.
Consequently, where the breach is likely to result in a risk to the rights and freedoms of natural persons, the aforementioned responsible officer, not later than 72 hours after 5G-TOURS has become aware of the breach, shall submit the notification to the competent national supervisory authority.