Supervisors info:
Σπυρίδων Βλαχόπουλος, Καθηγητής, Νομική Σχολή, ΕΚΠΑ
Ιωάννης Τούντας, Καθηγητής, Ιατρική Σχολή, ΕΚΠΑ
Μαρία Καντζανού, Καθηγήτρια, Ιατρική Σχολή, ΕΚΠΑ
Summary:
This dissertation explores the special legal issue of consent in health data processing.
Firstly, the fundamental distinction, for data protection law, between simple and sensitive personal data is made - health data being included in the latter. Also, the theoretical basis for such distinction is sought in the German "theory of personality spheres".
Then, following a short reference to the relations between domestic, EU and international law, the institutional framework for data protection is presented. More specifically, the constitutional grounds for informational self-determination and the Greek legal framework on data protection are presented. Furthermore, the EU regulatory provisions related to privacy protection are outlined and, particularly, the relevant provision of the Charter of Fundamental Rights, while reference is also made to the General Data Protection Regulation, which recently updated the personal data protection law. The presentation of the legal framework on data protection is completed with a reference to the most important International Conventions in relation to informational self-determination: the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR) and the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108).
Then, the following concepts are conceptually clarified and analysed: health data, personal data processing, controller, processor, recipient-third party, person acting under the authority of the controller, representative and the crucial concept of subject consent to data processing.
The main part of the dissertation thoroughly analyses the cases of lawful sensitive personal data processing under the previously applicable law (L.2472/97 which transposed Directive 95/46/EC into the Greek law) and, then, the currently applicable legal protection framework on personal data processing under the General Data Protection Regulation which replaced the provisions of L.2472/97. Since the rule of prohibition of personal sensitive data processing, including health data, has certain exceptions, the cases of lawful processing, both with the subject's consent or otherwise are mentioned in detail.
Under both the previously and the currently applicable personal data protection framework, the subject's consent is what makes sensitive personal data processing lawful and certain conditions are set for the validity of the said processing. The analysis of the new institutional framework in this dissertation makes clear the EU legislator's intention to truly match the declaration of consent with the data subject's sincere will.
Keywords:
Personal Data, Sensitive Personal Data, Special Categories of Personal Data, Processing of Personal Data, Controller, Data Subject, Data Subject's Consent , Lawful Basis for Processing , Lawfulness of Processing , Purpose of Processing
