HDPA (Greece) - 31/2020: Difference between revisions

From GDPRhub
m (Panayotis.Yannakas moved page HDPA - 31/20 to HDPA - 31/2020)
No edit summary
Line 58: Line 58:
}}
}}


An employee had submitted a complaint to the Greek Data Protection Authority about the video surveillance in the store in which she had worked. The Greek DPA held that a CCTV system shall be handled as subject to Article 4(1) and Article 4(2) of GDPR Regulation. That judgment does not mean that any CCTV surveillance in workplaces and under any circumstances is forbidden; the Data Protection Officer seems to make an obiter dictum legal comment and not a ratio decidendi of that decision.  
An employee had submitted a complaint to the Greek Data Protection Authority about the video surveillance in the store in which she had worked. The Greek DPA held that a CCTV system shall be handled as subject to Article 4(1) and Article 4(2) of GDPR. The Greek Office before finishing his judgment, goes through the principle of proportionality and finds that in these facts the merchant had not violated employees' rights when he installed the surveillance system.  


The Greek Office before finishing his judgment, goes through the principle of proportionality and finds that in these facts the merchant had not violated employees' rights when he installed the surveillance system.
==English Summary==


== English Summary ==
===Facts===
The complainant was working in one of the merchant's stores where a CCTV system was installed and active. The employer repeatedly had assured (to the employees) not only that the field of view of the cameras was the cash registers, but also that the CCTV did not capture any sound at all.


=== Facts ===
The complainant began to believe that more cameras had been installed in the store and they were recording sound as well. Therefore, the she submitted the following complaint to the Greek DPA. She also brought a court action with which she claimed damages for the unlawful processing. She claimed that some of the cameras were scoped to the WC room and the changing rooms.  
The complainer was working in one of the merchant's stores, where a CCTV system was installed and active. The employer repeatedly had assured (to the employees) not only that the field of view of the cameras was the cash registers, but also that the CCTV does not capture sound at all.  


After the complainer beginning to believe that more cameras exist in the store and that these cameras are recording sound as well, she submitted the following complaint to the Greek DPA. She brought a court action with which she was claiming damages, as well. She claimed that some of the cameras were scoped to the WC room and the changing rooms.  
During the hearing, the employer declined any allegation regarding the sound recording. He also submitted a detailed list of all the cameras with recording samples for each one and clarified all the ways he used to inform visitors and staff for the existence of that CCTV system, including notices signs and brochures, as well as the entire company's policy of the personal data protection in written form.


During the hearing, the employer declined any allegation relevant that the CCTV surveillance system recording sound too. Furthermore, he disclaimed various points. He also submitted a detailed list of all the cameras with recording samples for each one and clarified all the ways he used to inform visitors and staff for the existence of that CCTV system, including notices signs and brochures, as well as the entire company's policy of the personal data protection in written form. 
===Dispute===


=== Dispute ===
The Greek DPA deals with certain requirements of lawfulness of CCTV systems.
===Holding===
The Greek Data Protection Officer argued four points. 


First, under Article 4(1), the Greek DPA Office confirms that visual and sound data may be considered personal data when identifiable information relating to natural persons are included.


=== Holding ===
Second, indoor and outdoor video surveillance in areas which persons are invited to visit fulfils the definition of processing as per Article 4(2) GDPR.  
The Greek Data Protection Officer laid down four points of the GDPR. Firstly, with Article 4(1) the Decision Board of the Greek DPA Office considers that visual and sound data may be characterized as personal data when identifiable information relating to natural persons are included. Secondly, the interpretation of the processing term under Article 4(2) should include any video surveillance in indoors and outdoors areas which persons are invited to visit.  


Thirdly using the article 5th the Greek DPA concludes that a genuine adoption of the concept of proportionality on such circumstance shall also examine  (a) the lawfulness, fairness and transparency of the contested data processing; without underestimating aspects as (b) how further the processed goes in a manner that is incompatible with announced, specified, explicit and legitimate purposes or (c) minimizing the amount of data to what is absolutely necessary with those purposes .  
Third, the Greek DPA concludes that a genuine adoption of the concept of proportionality on such circumstance shall also examine  (a) the lawfulness, fairness and transparency of the processing; without underestimating aspects as (b) how further the processed goes in a manner that is incompatible with announced, specified, explicit and legitimate purposes or (c) minimizing the amount of data to what is absolutely necessary with those purposes.  


Fourth, the Decision Board concluded that the contested CCTV system is straightforward compatible with the requirement of Article 6(f). That article describes that a data processing is lawful when it is strictly necessary for the purposes of the legitimate interests pursued by the controller, except where fundamental rights of the data subject override such interests.  
Fourth, the Board concluded that the contested CCTV system was compatible with the requirement of Article 6(f) GDPR according to which a data processing is lawful when it is strictly necessary for the purposes of the legitimate interests pursued by the controller, except where fundamental rights of the data subject override such interests.  


The Greek DPA found that merchant collects collects only the strictly necessary data in order to increase the security level of the store and protect it against thieves.   
The Greek DPA found that merchant collected only the strictly necessary data in order to increase the security level of the store and protect it against thieves.   


== Comment ==
==Comment==
The word content of the decision seems modest; it is not clear if the decision board rejected the complainer allegations relative to the sound recording and the cameras' field of view for reasons concerning the burden of proof, or the rejection was grounded on other reasons.  
The content of the decision seems modest. In particular, it is not clear which reasons the Authority has considered to reject the complainant's allegations concerning the sound recording and the cameras' field of view.


Back to 2011 the Greek DPA issued a national directive for the CCTV to workplaces, and that national directive was also a reference to that decision. Relative highlights of the Greek DPA's Directive 1/2011 is that the CCTV (i) shall be used as a supervising tool only when it is absolute necessary in terms of employees' safety (i.e. factories) or in strictly critical workplaces, like banks and military buildings. A regulated exemption is when (ii) the purpose of the camera is to protect cash registrars or when the camera field of view is limited to the entrance of an area. Last and not least, under the National Directive 1/2011, (iii) data for a CCTV shall not be use to monitoring employees effectiveness and performance.
Back to 2011 the Greek DPA issued a national directive for the CCTV at workplaces, and that national directive was also a reference to that decision. Relative highlights of the Greek DPA's Directive 1/2011 is that the CCTV (i) shall be used as a supervising tool only when it is absolute necessary in terms of employees' safety (i.e. factories) or in strictly critical workplaces, like banks and military buildings. A regulated exemption is when (ii) the purpose of the camera is to protect cash registrars or when the camera field of view is limited to the entrance of an area. Last and not least, under the National Directive 1/2011, (iii) data for a CCTV shall not be use to monitoring employees effectiveness and performance.


== Further Resources ==
==Further Resources==
''Share blogs or news articles here!''
''Share blogs or news articles here!''


== English Machine Translation of the Decision ==
==English Machine Translation of the Decision==
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.



Revision as of 14:40, 22 October 2020

HDPA - 31/20
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 4(1) GDPR
Article 4(2) GDPR
Article 5 GDPR
Article 6 GDPR
HDPA Directive 1/2011
HDPA Directive 115/2001
Type: Complaint
Outcome: Rejected
Started:
Decided: 04.09.2020
Published:
Fine: None
Parties: n/a
National Case Number/Name: 31/20
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: Panayotis Yannakas

An employee had submitted a complaint to the Greek Data Protection Authority about the video surveillance in the store in which she had worked. The Greek DPA held that a CCTV system shall be handled as subject to Article 4(1) and Article 4(2) of GDPR. The Greek Office before finishing his judgment, goes through the principle of proportionality and finds that in these facts the merchant had not violated employees' rights when he installed the surveillance system.

English Summary

Facts

The complainant was working in one of the merchant's stores where a CCTV system was installed and active. The employer repeatedly had assured (to the employees) not only that the field of view of the cameras was the cash registers, but also that the CCTV did not capture any sound at all.

The complainant began to believe that more cameras had been installed in the store and they were recording sound as well. Therefore, the she submitted the following complaint to the Greek DPA. She also brought a court action with which she claimed damages for the unlawful processing. She claimed that some of the cameras were scoped to the WC room and the changing rooms.

During the hearing, the employer declined any allegation regarding the sound recording. He also submitted a detailed list of all the cameras with recording samples for each one and clarified all the ways he used to inform visitors and staff for the existence of that CCTV system, including notices signs and brochures, as well as the entire company's policy of the personal data protection in written form.

Dispute

The Greek DPA deals with certain requirements of lawfulness of CCTV systems.

Holding

The Greek Data Protection Officer argued four points.

First, under Article 4(1), the Greek DPA Office confirms that visual and sound data may be considered personal data when identifiable information relating to natural persons are included.

Second, indoor and outdoor video surveillance in areas which persons are invited to visit fulfils the definition of processing as per Article 4(2) GDPR.

Third, the Greek DPA concludes that a genuine adoption of the concept of proportionality on such circumstance shall also examine (a) the lawfulness, fairness and transparency of the processing; without underestimating aspects as (b) how further the processed goes in a manner that is incompatible with announced, specified, explicit and legitimate purposes or (c) minimizing the amount of data to what is absolutely necessary with those purposes.

Fourth, the Board concluded that the contested CCTV system was compatible with the requirement of Article 6(f) GDPR according to which a data processing is lawful when it is strictly necessary for the purposes of the legitimate interests pursued by the controller, except where fundamental rights of the data subject override such interests.

The Greek DPA found that merchant collected only the strictly necessary data in order to increase the security level of the store and protect it against thieves.

Comment

The content of the decision seems modest. In particular, it is not clear which reasons the Authority has considered to reject the complainant's allegations concerning the sound recording and the cameras' field of view.

Back to 2011 the Greek DPA issued a national directive for the CCTV at workplaces, and that national directive was also a reference to that decision. Relative highlights of the Greek DPA's Directive 1/2011 is that the CCTV (i) shall be used as a supervising tool only when it is absolute necessary in terms of employees' safety (i.e. factories) or in strictly critical workplaces, like banks and military buildings. A regulated exemption is when (ii) the purpose of the camera is to protect cash registrars or when the camera field of view is limited to the entrance of an area. Last and not least, under the National Directive 1/2011, (iii) data for a CCTV shall not be use to monitoring employees effectiveness and performance.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.