HDPA (Greece) - 41/2021
Latest revision as of 13:14, 29 September 2021
HDPA (Greece) - 41/2021 | |
---|---|
Authority: | HDPA (Greece) |
Jurisdiction: | Greece |
Relevant Law: | Article 5(1)(c) GDPR, Article 9(2)(h) GDPR, Article 13 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 21.09.2021 |
Published: | |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | 41/2021 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Greek |
Original Source: | Greek DPA (in EL) |
Initial Contributor: | Florence D'Ath |
The Greek DPA found that a nursing home had unlawfully recorded its employees in violation of the principle of data minimisation and of the right to information. The Greek DPA instructed the nursing home to adjust the visual fields of some cameras and to destroy the already recorded material.
English Summary
Facts
An employee working in a nursing home lodged a complaint with the Greek DPA (HDPA) because the CCTV cameras installed in the nursing home were filming the premises, including the employees and residents, in an intrusive manner.
Holding
After reviewing the facts of the case, the Greek DPA found the following violations:
- violation of Article 9(2)(h) GDPR (processing of special categories of data): according to the applicable data protection law, the processing of data, including sensitive health data, is allowed when necessary for the purposes of preventive or occupational medicine, health or social care systems, or other health-related reasons. Before initiating such processing, however, the controller must obtain an authorization in the form of a decision by a committee consisting of competent medical and nursing staff. In this case, the HDPA found that the nursing home had installed the camera without the prior approval of such a committee, which is a necessary condition for documenting the need for supervision and for relying on Article 9(2)(h) GDPR;
- violation of Article 13 GDPR (the obligation to inform data subjects): the HDPA also found that the installation and operation of the cameras took place without prior notification of the employees in written or electronic form, and that the limited information which was provided to them did not cover the requirements of Article 13 GDPR. In particular, the information was too general, and the given purpose of the processing did not accurately relate to the given legal basis and the type of data (i.e. special categories of data);
- violation of Article 5(1)(b) GDPR (principle of data minimisation): finally, the HDPA found that the cameras were installed in violation of the principle of data minimisation, as the employees' movements and position were recorded.
The HDPA noted that the nursing home had conducted a data protection impact assessment (DPIA), in accordance with Article 35 GDPR. The HDPA found, however, that the controller had failed to properly address the issues identified by the DPIA.
Following the intervention of the HDPA, a series of modifications were made to the operation of the CCTV system. In addition, the HDPA instructed the nursing home to adjust the cameras installed in the kitchens so that they would focus exclusively on entry and exit areas. Finally, the HDPA also instructed the nursing home to destroy the material that had already been recorded.
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Category: Decision
Date: 21/09/2021
Transaction number: 41
Thematic unit: 11. Labor Relations
Applicable provisions: Article 5.1.c: Principle of data minimization; Article 13: Information collected by the data subject
PDF Decision: 41_2021anonym.pdf (349.81 KB)

Summary

The Authority reprimanded a controller in connection with the operation of a video surveillance system in a nursing home. After a complaint from an employee, it was found that:

a) the installation of the cameras took place without a decision of a committee consisting of competent medical and nursing staff, which is a necessary condition for documenting the need for supervision and the possibility of applying the provision no. 9 par. 2 sub-paragraph h',
b) the installation and operation of the cameras took place without prior notification of the employees in written or electronic form and the information provided does not cover the obligations of art. 13, as it is general and the purpose of the respective processing is not related to the legal basis and the type of data,
c) cameras were installed in violation of the principle of minimization as the image was taken from employee positions.

The controller had conducted a data protection impact assessment without properly addressing the issues. Following the intervention of the Authority, a series of modifications were made to the operation of the system, while the Authority also instructed to adjust the cameras installed in the kitchens so that they focus exclusively on entry and exit areas and to destroy the collected material.