HDPA (Greece) - 29/2023: Difference between revisions

From GDPRhub

Latest revision as of 09:12, 25 October 2023

HDPA - 29/2023
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(c) GDPR
Article 12(3) GDPR
Article 15 GDPR
Type: Complaint
Outcome: Upheld
Started: 27.05.2022
Decided:
Published: 31.08.2023
Fine: n/a
Parties: e-EΦΚΑ
National Case Number/Name: 29/2023
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Greek
Original Source: HDPA (Greece) (in EL)
Initial Contributor: Anastasia Vlachopoulou

The Hellenic DPA (HDPA) reprimanded the Greek Social Security Authority (e-Efka) for breaching Article 5(1)(c) GDPR and Article 15 GDPR, as e-Efka had unlawfully transferred special categories of data to another municipal body, and had failed to comply with an access request.

English Summary

Facts

On 27 May 2022, a civil servant lodged a complaint against the controller, the Greek Social Security Authority (e-Efka).

E-Efka had instigated internal disciplinary proceedings against the data subject following an internal complaint made against them by another civil servant, and had shared the details of the proceedings and the complaint with Municipality X. As part of an access request to the controller, the data subject asked to be informed of the identity of the complainant. The controller responded orally to the data subject and refused to disclose who the complainant was.

In their complaint to the Hellenic DPA, the data subject claimed that e-Efka had violated the principles of data minimisation and purpose limitation by sharing their sensitive data with Municipality X (data which fell under Article 9 GDPR's special categories of personal data). The data subject also contended that the controller had violated their right of access, as the controller had refused to disclose the identity of the complainant in the internal proceedings against the data subject.

Holding

The HDPA, after a consultation, found that the controller had violated Article 5(1)(c) GDPR and Article 15 GDPR.

Firstly, the HDPA found that the controller violated Article 5(1)(c) GDPR because its transmission of the data subject's special data to Municipality X was not necessary for the purposes of the processing. Even though the complaint against the data subject concerned Municipality X, there was no need for Municipality X to have access to the data subject's sensitive data for the purposes of the internal disciplinary proceedings instigated against them by e-Efka.

Secondly, the HDPA found that the controller was in breach of Article 15 GDPR. The controller did not respond to the data subject's access request under Article 15 GDPR within the time-limit laid down in Article 12(3) GDPR. While the controller did not need to disclose the identity of the complainant to the data subject as part of their response to an access request under Article 15 GDPR, because this fell outside the scope of the provision, they did need to address the other informational obligations under Article 15 GDPR. An oral response to an access request was insufficient. Under Article 15 GDPR, the controller was obliged to provide the data subject with the categories of information outlined in Articles 15(1)(a)-(h) GDPR.

For these reasons, under Article 58 GDPR, the HDPA reprimanded the controller for violating Article 5(1)(c) GDPR and Article 15 GDPR. In addition, the HDPA ordered the controller to bring their processing operations into compliance with the GDPR, and in particular, with the principle of data minimisation.

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Summary

The Authority examined a complaint against e-EFKA concerning the respondent's sending of a letter to a Municipality, requesting the decision electing the complainant to a public benefit enterprise, citing the existence of a complaint against her as the justification for the request and at the same time quoting in the body of the letter the content of that complaint. The Authority considered that the complained-of processing was carried out in violation of the principle of data minimization and reprimanded the respondent for that violation. Also, with regard to the part of the complaint concerning the non-satisfaction of the complainant's right of access to the data of the citizen who had filed a complaint against her, the Authority reprimanded the respondent for not responding to that request in a timely manner.

Kifisias Ave. 1-3, 11523 Athens, T: 210 6475 600, E: contact@dpa.gr, www.dpa.gr

Athens, 31-08-2023
Ref. Prot. 2217

Decision 29/2023 (One-person Body)

The President of the Authority, as a one-person body according to article 17 par. 1 of Law 4624/2019 (Government Gazette A΄ 137), in the context of the powers provided for in articles 4 par. 3 and 10 par. 4 of the Regulation of Operation of the Authority (Government Gazette B΄ 879/25.02.2022), met via teleconference on March 6, 2023 in order to examine the case mentioned below in the history of this decision. Present without the right to vote were Anastasia Kaniklidou, legal auditor - lawyer, as well as Irini Papageorgopoulou, an employee of the administrative affairs department, as secretary.

The Authority took into account the following:

1. With complaint no. prot. C/EIS/7515/27-05-2022 to the Authority, A complains against the Electronic Social Security Agency (hereinafter e-EFKA) about the unlawful transmission of special category data relating to her health, as well as about the non-satisfaction of her rights of access and information. In particular, according to the complainant, with document no. ..., the Director's Office (local address ...) of the e-EFKA branch X asked Municipality X to send it the decision electing the complainant to the Public Benefit Enterprise of Municipality X (hereinafter KED X), in order to inform the service, citing as the justifying basis of the request "a telephone complaint from a citizen claiming to be a journalist, who asked about A being absent on long-term sick leave from her service, while at the same time appearing on social media to have undertaken various activities as vice-president of KED X". In this way, according to her claims, a violation of the principles of purpose limitation and data minimization took place. In addition, according to the complainant's claims, her rights of access and information were violated (a) in relation to the transmission in question and (b) in relation to the existence of a complaint against her, as she was not informed of the identity of the person who made that complaint, although on ... she addressed the respondent's Data Protection Officer requesting to be notified of the details of the person who filed the complaint against her.

2. The Authority, following its document with protocol number C/EX/1961/02-08-2022, in which it asked the respondent for clarifications on the complaints, received in response the document with protocol number ... (and with the Authority's protocol number C/EIS/10053/13-09-2022) of the respondent's Independent GDPR Office. In that response, after it is stated that the complainant was verbally informed of the existence of the complaint against her, it is pointed out that in the document sent to Municipality X the content of the complaint (the journalist's question) was simply quoted and disclosed, without being adopted or confirmed by e-EFKA. Therefore, according to the response, the document in question does not have the character of a notification to Municipality X of the long-term sick leave taken by the complainant and of her absence from work for that reason, but was sent as part of the control of the lawful performance of the duties of the public servants serving in e-EFKA and of the investigation on both sides (by e-EFKA and Municipality X) of any disciplinary offences. Specifically, both elements required investigation in combination, i.e. both the long-term absence on sick leave (the fact that sick leave had been granted was known only to e-EFKA) while activities were at the same time being carried out at KED X, and any reasons for the incompatibility of the two capacities (public servant and election to KED X). Finally, as far as can be understood from the response, with regard to the complainant's request to obtain information about the person who made the complaint against her, this was answered on ... after cross-verification of the information available at the competent services of e-EFKA, which took some time. According to the response given to the complainant, the information in question was not available to e-EFKA; a thorough investigation was carried out, but it was not possible to locate it, since on the one hand the then competent Director who had spoken with the caller had retired, and on the other hand emphasis had been placed on the content of the complaint-question and the caller's details had not been noted.

3. Subsequently, with the summonses with the Authority's protocol numbers C/EX/329/08-02-2023 and C/EX/330/08-02-2023, the Authority invited the parties involved to attend via video conference before the President of the Authority as a one-person body on 16-02-2023 in order to discuss the case. Due to a technical problem with the teleconference on 16-02-2023, the discussion of the case was set for 06-03-2023, a date on which the parties involved were again invited, with the summonses with the Authority's protocol numbers C/EX/432/20-02-2023 and C/EX/434/20-02-2023, to appear via teleconference before the President of the Authority as a one-person body. Before the President appeared Aikaterini Karapatsia, lawyer (AM/DSA ...), as attorney for the complainant, and, on behalf of the respondent, Charalambos Tsiliotis, lawyer (AM/DSA ...) and B, deputy director ... of e-EFKA. Also present was the respondent's Data Protection Officer, C. During the hearing, the complainant supported what was stated in the complaint, pointing out that Mayor X, from whom the decision electing her to KED X was requested, is not a hierarchically superior body of the complainant, while in any case the respondent could have asked the complainant herself for the decision electing her to KED X. Finally, she reiterated that she was never informed by the respondent about the existence of the complaint. The respondent, during the hearing, repeated the positions it had supported in the document of the Independent GDPR Office with protocol number ... (and with the Authority's protocol number C/EIS/10053/13-09-2022), and specifically argued that e-EFKA had a reasonable interest in finding out whether the complainant had been elected vice-president of KED X and in requesting the decision on her election, while pointing out that quoting the exact content of the complaint in the letter to Mayor X was necessary in order to justify its reasonable interest to Mayor X. It also noted the existence of further questions and phone calls regarding the complainant, as, due to the size of X, her frequent absence from the service was widely known.

The Authority, after examining all the elements of the file and those that emerged during the hearing,

CONSIDERED IN ACCORDANCE WITH THE LAW

1. Because, in article 5 of the General Data Protection Regulation (Regulation 2016/679), which defines the principles governing the processing of personal data, point b' of paragraph 1 provides that "personal data are collected for specified, explicit and lawful purposes and are not further processed in a manner incompatible with these purposes" ("purpose limitation"), while according to point c' of the same paragraph "personal data are appropriate, relevant and limited to what is necessary for the purposes for which they are processed" ("data minimization"). According to these provisions, personal data, in order to be lawfully processed, should be appropriate, relevant and not more than what is required in view of the purpose of the processing.

2. Because, in this case, from all the elements of the case file, it appears that the complained-of processing, consisting in the sending of the disputed letter dated ... and with protocol number ... to Municipality X, by which the respondent requested from the latter the decision on the election of the complainant to KED X, and in the body of which it was mentioned that, according to a related complaint, the complainant was absent from her service on long-term sick leave while she had undertaken activities as vice-president of KED X, was carried out in violation of article 5 paragraph 1 point c of the GDPR, regarding the obligation to observe the principle of data minimization. Specifically, for the purpose of conducting an administrative investigation by the respondent, it was sufficient for the respondent to find out whether the complainant, its employee, had been elected vice-president of KED X while she was on sick leave, and to request the relevant election decision from Municipality X, stating that the request was submitted in the context of an administrative investigation, without it being necessary to reveal the specific reason for which the investigation was being conducted or to quote the entire content of the citizen's complaint. What was further stated in the disputed letter, and in particular the full quotation of the content of the complaint, was not appropriate and necessary for the purpose served by the specific processing, given that, for the investigation of any liability of the complainant-employee under the provisions of Law 3528/2007, as amended and in force, it was sufficient to disclose only the above legal basis for the requested information.

3. Because, as a data controller, the respondent must comply with the requirements for the protection of personal data, which include the obligation to observe the principle of proportionality.

4. Because, in relation to the established violation of the principle of minimization by the respondent as data controller, there are grounds for the Authority to exercise its corrective powers under article 58 par. 2 GDPR. In particular, the Authority, taking into account the facts of the case as analyzed above in the history of the present case, in accordance with recital 148 of the GDPR, considers that it must address a reprimand, in accordance with article 58 paragraph 2 point b of the GDPR, to the respondent for the above processing in violation of article 5 paragraph 1 point c GDPR, which is judged to be proportionate to the severity of the violation found, and to issue an order, according to article 58 paragraph 2 point d' GDPR, that henceforth the respondent, as controller, process personal data in a manner consistent with the requirements of the principle of data minimization (article 5 par. 1 item c' of the GDPR), as mentioned above.

5. Because, according to article 15 par. 1 and 3 GDPR: "1. The data subject has the right to receive from the controller confirmation as to whether or not the personal data concerning him is being processed and, if this is the case, the right to access the personal data and the following information: a) the purposes of the processing, b) the relevant categories of personal data, c) the recipients or categories of recipients to whom the personal data have been disclosed or are to be disclosed, in particular recipients in third countries or international organizations, d) if possible, the period for which the personal data will be stored or, when this is impossible, the criteria that determine the period in question, e) the existence of the right to submit a request to the data controller for the correction or deletion of personal data or to limit the processing of the data of a personal nature concerning the data subject or the right to object to said processing, f) the right to submit a complaint to a supervisory authority, g) when the personal data is not collected from the data subject, any available information about its origin, h) the existence of automated decision-making, including profiling, provided for in Article 22 paragraphs 1 and 4 and, at least in these cases, important information about the logic followed, as well as the importance and intended consequences of said processing for the data subject. […] 3. The controller shall provide a copy of the personal data being processed. […] If the data subject submits the request by electronic means and unless the data subject requests otherwise, the information shall be provided in electronic form commonly used". At the same time, Article 12 para. 3 GDPR states the following: "The data controller shall provide the data subject with information on the action taken upon request pursuant to Articles 15 to 22 without delay and in any case within one month of receipt of the request. This deadline may be extended by a further two months if necessary, taking into account the complexity of the request and the number of requests. The data controller shall inform the data subject of said extension within one month of receipt of the request, as well as of the reasons for the delay. If the data subject makes the request by electronic means, the information shall be provided, if possible, by electronic means, unless the data subject requests otherwise."

According to the Authority's jurisprudence [1], each person who is the subject of a complaint submitted against them to a public service has the right to access the text of the complaint in question, as well as information relating to the origin (source) of this data. Origin means the identifying information of the person who made the complaint contained in the text of the complaint, such as in particular their name and address.

6. Because, from all the elements of the case file, it appears that the complainant, with her e-mail message of ... to the Data Protection Officer of e-EFKA, requested "in exercise of information and access rights" to be informed of the details of the person who made the complaint (the citizen who claimed to be a journalist). The respondent, despite the fact that on the basis of this complaint it requested the above-mentioned information from Municipality X, replied to the complainant on ... that the details of the person who made the complaint were not at e-EFKA's disposal, because on the one hand the then competent Director who had spoken with that person had retired, and on the other hand because emphasis had been placed on the content of the complaint-question and the caller's details had not been kept. Therefore, as emerges from the facts, the respondent e-EFKA did not respond as it should have to the complainant regarding her access request under Article 15 of the GDPR within the period provided for in Article 12 paragraph 3 of the GDPR [2].

7. Because, in relation to the established violation of article 12 paragraph 3 of the GDPR by the respondent e-EFKA, as data controller, the Authority, taking into account the facts of the case as analyzed above in the present history, in accordance also with recital 148 GDPR, considers that there are grounds for the Authority to exercise its corrective powers under article 58 paragraph 2 GDPR and, in particular, to issue a reprimand according to article 58 paragraph 2 point b', which is considered proportionate to the gravity of the violation found.

FOR THESE REASONS

THE AUTHORITY

a) Addresses a reprimand according to Article 58 paragraph 2 point b of the GDPR to the respondent e-EFKA for the above violation of Article 5 paragraph 1 point c of the GDPR, as well as for a violation of Article 12 paragraph 3 of the GDPR, and

b) issues an order, according to article 58 par. 2 item d of the GDPR, that the respondent e-EFKA, as controller, henceforth process personal data in the manner described above, complying with the requirements of the principle of data minimization (article 5 par. 1 item c' of the General Regulation on the Protection of Personal Data).

THE PRESIDENT AND THE SECRETARY

Konstantinos Menudakos, Irini Papageorgopoulou

[1] See decision of the Authority 73/2010, published on its website.
[2] See in particular decisions 26/2021 and 37/2022, available on the website of the Authority.