The virtual international conference that was organised in view of the completion of the two-year project “byDefault”, which is being run by the Hellenic Data Protection Authority (HDPA), in collaboration with the University of Piraeus Research Center and ICT Abovo PC, and is funded by the European Union’s Citizens, Equality, Rights and Values (CERV) Programme, successfully concluded its proceedings on July 24.
The conference began with Dr. Elias Athanasiadis, Head of Communications of the HDPA, welcoming attendees and giving the floor to the President of the HDPA, Honorary President of the Council of State, Konstantinos Menoudakos. In his opening speech K. Menoudakos welcomed the attendees and noted that “the project ‘byDefault’ aims at a high degree of impact in the Greek society, taking also a European dimension. It continues on the basis of the results of the project ‘byDesign’, for which we are very proud of being the winners of the People’s Choice Prize from the 45th Global Privacy Assembly on 15-20 November 2023”. Furthermore, the President of the HDPA pointed out that “the Authority is firmly oriented towards increasing the awareness of controllers/processors as well as the development of a culture of compliance, which is expected to lead to an increase in the degree of trust of data subjects in businesses in the way they manage their data”.
The General Director of the HDPA Dr. Vasilios Zorkadis, afterwards, also welcomed the audience, identified the main goals of the conference which were to communicate and reflect on the project’s results, share insights and address audience questions. Dr. Zorkadis described the structure of the conference and referred to the next EU funded project that the HDPA will initiate very soon.
- Session 1: “The international experience”
-
In session 1, “The international experience”, that was moderated by Dr. Zorkadis, Pavlina Peneva, Legal and Policy Officer, European Commission, DG for Justice and Consumers, Unit C.3 – Data protection, emphasized in her presentation, “The objectives of the EU CERV programme in the data protection field”, that “the Citizens, Equality, Rights and Values (CERV) programme aims to promote the EU’s core values and rights, such as the right to data protection. The projects funded under the CERV-2021-Data Call are expected to: i) develop practical support that can facilitate SMEs’ compliance with the GDPR and be replicated in other Member States; ii) increase the awareness of data protection among the general public and iii) improve the overall application of the GDPR in the EU.” Ms Peneva also highlighted that “the Commission looks forward for the results of the new projects to be funded under the CERV-2024-Data Call and will continue to provide financial support for activities of DPAs that facilitate implementation of the GDPR”.
Then, Greet Gysen, Head of Information and Communications, European Data Protection Board, explained in her speech, “The EDPB Data Protection Guide for Small Business”, that “under the GDPR, it is primarily the data protection authorities (DPAs) that are responsible for raising awareness on data protection rights and obligations. The European Data Protection Board (EDPB), in order to give greater visibility to the work done by DPAs and to support them, created a single hub with access to all available material in the form of a dedicated website for small business. This led to the creation of the EDPB Data Protection Guide for Small Business, launched in April 2023. The Guide aims to provide practical information to SMEs to facilitate GDPR compliance. It is designed for non-experts using a non-legalistic and easily understandable language. The Guide is available in English, French, German and as of 24 July also in Greek”.
The online conference continued with the presentation of Dr. Andreas Zavadil, Head of International Special Affairs, Austrian DPA, “privacy4kids – EU funded project by the Austrian Data Protection Authority and the University of Vienna”. Dr. Zavadil analysed the goals and the outcomes of the project “privacy4kids” which was carried out in collaboration between the University of Vienna, Institute for Innovation and Digitalization in Law, and the Austrian DPA. He pointed out the following: “as part of the project, animated educational videos and a learning card game (‘Privo’) on the topics of data protection and privacy for children and adolescents were created and published. These materials explain in simple terms why protecting their data is important, what rights they have, the dangers to their privacy on the internet, and how they can protect themselves from online fraud and manipulation in social media. The use of videos as a medium was intended to ensure scalability. The content of the educational videos and the card game was created by students from different fields of study at the University of Vienna during two courses. The aim was to simplify legal concepts. The students were supported by selected external experts from the fields of law, pedagogy, didactics, and media studies. To maximize the learning effect and support teaching staff and parents, an additional guide was written”.
Then followed the presentation of Dāvis Bludins, Legal advisor of Prevention Department, Latvian DPA, “Distance learning program on data protection for SMEs”. Mr Bludins emphasized that “E-learning is a quick and easy solution that explains the Data Regulation in simple language, its implementation, the main data protection requirements, and the rules for small and medium-sized businesses regarding data collection, monitoring, storage, and deletion. Anyone interested can use the e-learning course either in open access mode or by registering and selecting the course in Latvian or English. Registered participants will have the opportunity to take a test at the end of the course and upload a certificate for successful completion (at least 70%). The course content consists of eight sequential modules, each supplemented with practical examples and tasks, self-assessment tests, and visual materials that can be useful even after completing the course”.
Next, Anamarija Mladinic, Head of Sector for EU, International Cooperation and Legal Affairs, Croatian DPA, noted in her presentation, “ARC2 Project for SMEs: Introducing Olivia - Your Simplified Solution for GDPR Compliance”, that “to address the GDPR compliance needs of Croatian and Italian SMEs, the ARC II Consortium (led by the Croatian Personal Data Protection Agency in collaboration with the Italian DPA, the Faculty of Organisation and Informatics from Croatia, Vrije University Bruxelles, and the University of Florence), laid out a comprehensive plan which includes: 1) Creating "Olivia," an open-source, freely accessible, interoperable, and innovative digital tool tailor-made to the needs of Croatian and Italian SMEs; 2) hosting 20 GDPR workshops in Croatia and 20 in Italy where SMEs can receive hands-on assistance to address their individual GDPR compliance challenges; 3) launching an awareness campaign in Croatian and Italian media targeting SMEs and the general public, alongside the development of educational materials and 10 informative videos; 4) organizing 2 validation workshops; 5) hosting 2 international conferences to disseminate the project's outcomes; 6) running a social media campaign to promote the digital tool Olivia and encourage its adoption by SMEs; 7) drafting a Handbook on personal data protection tailored for SMEs”. Closing her presentation Ms Mladinic pointed out that “the EU funded project aims to deliver a GDPR compliance digital tool developed in open-source code, enabling all data protection authorities (DPAs) to customize it to their national legislation and language”.
Finally, Dr. Prokopios Drogkaris, Project Manager on privacy and data protection and deputy DPO, ENISA, explained in his presentation “Engineering Personal Data Protection in EU Data Spaces”, that “common European data spaces (EU data spaces) are a novel concept introduced in the European strategy for data and elaborated further within the Data Governance Act (DGA)”. As they are meant to facilitate sharing of both personal and non personal data, his presentation aimed to “highlight the role of Privacy Enhancing Technologies (PETS) and how they can be deployed in order to support meeting data protection principles, as defined under the GDPR”.
- Session 2: “Collab.dpa.gr: A platform for privacy professionals”
-
Session 2, “Collab.dpa.gr: A platform for privacy professionals”, that was moderated by Dr. George Rousopoulos, Director of Supervision, HDPA, began with Kalli Karveli, Ηead of Complaints Department I, HDPA. In her presentation, “Supporting DPOs and privacy professionals through an electronic platform – needs and requirements analysis”, she focused on the methodology for determining the topics and the content of the electronic platform for DPOs and privacy professionals. More specifically, the process of the topics’ selection, and the applied criteria for both the platform and the digital library were presented as well as the platform regulation and its rules of conduct.
Τhen, Dr. Nikolaos Dellas, ICT Abovo in his presentation, “The development of a platform for privacy professionals”, he noted that “the platform includes 11 thematic sections. A Digital Library area and a structured discussion area have been created for each section”. During his presentation, the following key features of the platform were described: user registration, verification, and approval; user profile information; basic forum structure: categories, topics, and posts; post rating; topic and post moderation; polls; digital library structure; accessibility tools.
Afterwards, Leonidas Roussos, IT auditor, DPO, HDPA, in his speech, “10 months of collab.dpa.gr in operation – An assessment”, referred to the low user participation in the collab.dpa.gr platform. In particular, he noted that “the project partners compiled a targeted questionnaire aimed to the users, which had the same low ratio of responses with the aforementioned participation. Its results and analysis showed that users, as field professionals, lacked the appropriate time availability in order to ‘interact’ with the platform, despite the fact that they found its technical implementation quite appealing. Next steps include the promotion of the tool even more by the SA as the standard and ‘authorized’ means of feedback amongst field professionals, as well as reviewing the list of platform moderators in order to ‘recruit’ users with more active engagement”.
Finally, Dr. George Rousopoulos noted in his presentation “Lessons learned and the way forward. (How) can privacy professionals and the DPAs benefit from collaborative platforms?” that, with regard to Collab.dpa.gr, “DPOs’ participation so far has been at a low level” and added that there is an “underlying unwillingness to expose Controller/Processor (employer) or even DPO shortcoming”. Dr. Rousopoulos emphasized that “the HDPA needs to promote the tool as the standard & ‘authorized’ means of feedback amongst the relevant stakeholders”.
- Session 3: “Educational material”
-
Session 3, “Educational material”, was moderated by Costas Lambrinoudakis, Professor, University of Piraeus, and began with the presentation “Learning resources and scenarios” by Georgia Panagopoulou, Head of Audits and Security, HDPA. Ms Panagopoulou pointed out that “‘byDefault project’ focused on the development of a comprehensive education program about privacy, targeting children and especially while using electronic services. The initial steps consisted in the development of the learning resources, with clear goals and messages to be conveyed to the children and learning resources evaluation and adaptation, taking into consideration pedagogical issues and involving various learning styles. The following learning topics were selected: 1. Real cases, statistics, reports, 2: Basic personal data concepts, 3: Personal data online sharing, 4: Personal data exchange on social media and online messaging, 5: Online profiling, targeting, advertising and influence, 6: Privacy policies, 7: Deceptive patterns, 8: Identity protection and account security, 9: Personal data subject rights, 10: Children and parents legal responsibility. An educational game was created as the ‘vehicle’ for the personal data protection awareness ‘journey’, to keep children’s interest and maximize the learning results”.
In the next presentation, “Educational Tools”, Simos Retalis, Professor, University of Piraeus, noted that “the ‘byDefault project’ has developed an education program for training elementary and secondary school students, enhancing their privacy awareness and data protection culture. Part of this program is the Augmented Reality Physical-Digital game ‘Tzimanious’”. During the presentation the functionality of the game was explained together with the way in which the principles of game-based learning (GBL) and augmented reality (AR) have been adopted for its development.
Finally, Dr. Konstantinos Limniotis, Head of Research, HDPA, in his presentation, “Pilot Education and Assessment”, he showcased the results of the pilot implementation of the new augmented reality educational AR game Tzimanious. In particular, Dr. Limniotis noted that “pilot educational activities took place, in order to evaluate the learning resources created, by means of applying the game in authentic classroom environments. Before this, the teachers received an appropriate training through a 4-hour webinar. A total of 533 students from 24 classrooms of 9 public and private schools from various regions in Greece have participated in this pilot implementation. The findings highlight the positive influence of the Tzimanious AR game in improving learning outcomes and classroom dynamics. Additionally, the project's approach to train teachers and provide supportive material apart from the AR game per se was found to be very effective”.
- Session 4: “Teachers’ training”
-
Session 4, “Teachers’ training”, was moderated by Dr. Efrosini Siougle, Head of Advisory and Compliance, HDPA, and began with the presentation entitled “Resources and Methodology” by Costas Lambrinoudakis, Professor, University of Piraeus. Professor Lambrinoudakis highlighted that “the training program for the teachers aims at explaining principles and key concepts of data protection, informing about the risks of internet use, applying best practices to address these risks and protecting personal data based on the rights of data subjects. To this respect, the learning objectives of the training program have been presented along with the main principles that have been followed, indicatively: student centered approach, interactive and engaging, collaborative etc. It has been stressed that the provision of diverse educational material, oriented to the needs of school reality and the continuous support of participants through webinars and messages or comments in the Forum, provide a safe environment and enhance incentives to achieve the expected learning outcomes”. Finally, the contents of the seven training modules were presented.
Then followed the presentation “Training activities organization and implementation” by Dr. Maria Alikakou, Legal Auditor, HDPA. Dr. Alikakou focused on the organization and implementation of the four training activities that took place in the context of the project “byDefault”. More specifically, her presentation included a short description of five basic topics related to all these training events, namely the objective, preparation, invitation method, design of each event as well as the relevant participant allocation. Dr. Alikakou highlighted the “various ways (in person, distant, fast track, extended) of providing training to the teachers of elementary and secondary schools in Greece in order to achieve a broad geographical coverage and make it also possible for the teachers to attend at their own convenience”. Finally, she underlined that “these events were basically designed with the main aim of achieving teachers’ awareness and education on data protection issues in order for them to be able to raise awareness, inform and advice their students about the protection of their personal data and privacy”.
In the last presentation of Session 4, “Training evaluation and assessment”, Eleni Kapralou, Legal Auditor, HDPA, analysed the evaluation and assessment of a) the extended learning and training seminar and b) the conclusive fast-track training seminar. She noted that “evaluation took place by means of online questionnaires. The teachers replied in a very positive way with regards to the objectives of the training seminars, their content, duration and organization, their usefulness (in view of new knowledge and skills or helping students understand data protection), the design of the e-platform used, the trainers’ skills to transfer knowledge and the means of teaching used, the usefulness of specific learning resources (videos, quizzes etc.), the extent of implementation of the Tzimanious game and its role in the process of learning. As a conclusion, the preparation of training events was assessed as appropriate, the educational material as adequate and useful, the platform and learning methods as suitable and the design and delivery of the educational programs satisfactory. All these led to a high level of effectiveness of the training seminars into promoting teachers’ understanding and knowledge”.
Closing the conference, Dr. Vasilis Zorkadis summarized the speakers’ contributions, beginning with the work of the European Commission, the EDPB, ENISA and also the national SAs (Austrian, Croatian and Latvian DPAs) as well as all contributions that were focused on the “byDefault project”. Dr. Zorkadis pointed out that “with the “byDefault project” the Hellenic DPA had the opportunity to promote two crucial objectives, to contribute to the education of students, but also to put into operation a communication platform with specialized information for privacy professionals”.
All presentations are available at
Follow the byDefault project:
https://www.linkedin.com/in/bydefaultproject/
  |
|
The project byDefault is funded by the European Union (Citizens, Equality, Rights and Values Programme – CERV). Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Commission. Neither the European Union nor the granting authority can be held responsible for them. |
Communications Department
