HDPA (Greece) - 27/2024: Difference between revisions
m (Fb moved page HDPA (Greece) - 27/2024 to HDPA (Greece) - 27-2024) |
m (Fb moved page HDPA (Greece) - 27-2024 to HDPA (Greece) - 27/2024 over redirect) |
(No difference)
|
Latest revision as of 12:23, 16 October 2024
HDPA - 27/2024 | |
---|---|
Authority: | HDPA (Greece) |
Jurisdiction: | Greece |
Relevant Law: | Article 5(1)(a) GDPR Article 5(1)(c) GDPR Article 15(1) GDPR Article 15(3) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 04.02.2021 |
Decided: | 21.06.2023 |
Published: | 06.09.2024 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 27/2024 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Greek |
Original Source: | HDPA (in EL) |
Initial Contributor: | Iliana Papantoni |
The DPA reprimanded an employer for the usage of vague language in its privacy policy creating the false impression that the processing of employment data is based on consent rather than the performance of the employment contract.
English Summary
Facts
A data subject, an employee of NIKOS LAZARIDIS S.A., filed a complaint with the HDPA on February 4, 2021, alleging multiple violations of the GDPR by her employer (the controller). The data subject claimed that her consent was not freely given or fully informed when she signed certain company documents (i.e., "Acceptable Use Policy" and the "Employee Confidentiality Agreement"), and that the controller did not properly inform her about the processing of her personal data.
In particular, the data subject claimed that the controller violated the transparency principle, as she was not informed about the exact personal data the controller held, nor the specific purposes for which her data was processed, as the controller cited different legal bases for the same processing activities in various documents. The data subject, also, alleged that the controller violated confidentiality, as personal data was sent to her corporate email instead of her personal email, despite her explicit request, making it accessible to unknown third parties, including the IT department. Also the data subject claimed that the controller did not fully satisfy her right of access to her personal data, and failed to provide her with copies of important documents and data related to her work, providing only partial information despite her request for copies of her complete personal data file, including medical test results, job descriptions, and various correspondences. Additionally, she reported issues with data security, such as unauthorized access to her computer and the improper handling of her email correspondence.
The controller’s response stated that data subject’s personal data was securely processed based on her employment agreement and would be retained for the necessary period. The controller claimed to have sent her the requested data and maintaining that no further personal data existed in their records.
Holding
The HDPA found that the controller violated the lawfulness and transparency principles, Articles 5(1)(a) and (c) GDPR, as well as the right of access under Articles 15(1) and (3) GDPR.
Specifically, the use of the term "approval" in the controller's forms created the false impression that the data subject had given her consent for data processing, whereas the legal basis was the contractual relationship. Additionally, the use of vague language such as "may" did not ensure the required transparency.
Regarding the violation of Article 15 GDPR, the DPA explained that the controller was obliged to disclose any information about the data subject maintained in their records. In this case, the controller failed to answer the access request fully. In particular the data subject should have received information about Covid medical examinations (its dates and numbers) which were performed when the data subject was employed. Also, the data subject was entitled to receive a detailed description of their position within the controller.
The Authority issued a reprimand to the controller and ordered it to comply with the GDPR provisions within three months and to fully satisfy the data subject's right of access.
Comment
Legal basis for data processing: The decision highlights a critical aspect of data protection legislation, i.e. the necessity for a clear and appropriate legal basis for data processing. The decision reinforces the need for companies to carefully consider and correctly apply the legal bases for data processing as outlined in the GDPR.
Importance of clear and plain language: The HDPA's critique of the company's use of vague terms like "may" and "approval" in its documentation underscores the importance of using clear and plain language in data protection policies and notices. Ambiguous language can lead to misunderstandings and undermine the transparency required by the GDPR. This decision serves as a reminder for companies to review and revise their data protection policies and notices to ensure they are clear, precise, and unambiguous.
Employee rights and employer responsibilities: The decision emphasizes the rights of employees to access their personal data and the corresponding responsibilities of employers to facilitate this access. The HDPA found that the company had not fully satisfied the complainant's right of access, particularly regarding medical test results, job descriptions, and correspondences. This finding highlights the need for employers to have robust processes in place to respond to data access requests comprehensively and promptly.
Future Compliance and Monitoring: The HDPA's order for the company to comply with GDPR provisions within three months and to fully satisfy the complainant's right of access indicates a forward-looking approach. It not only addresses past violations but also sets a clear expectation for future compliance. This aspect of the decision ensures that the company takes concrete steps to rectify its practices and aligns with the ongoing monitoring and enforcement role of the HDPA.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Athens, 06-09-2024 Prot. No.: 2337 DECISION 27/2024 (Department) The Personal Data Protection Authority met by teleconference on Monday 21- 06- 2023 at 10:00 a.m., at the invitation of its Chairman, in order to examine the case mentioned in the background of this document. In attendance were, the Deputy Chairman of the Authority, Georgios Batzalexis, in the absence of the Chairman of the Authority, Konstantinos Menoudakos, and the alternate members of the Authority, Demosthenes Vougioukas and Maria Psalla, in place of the full members Konstantinos Lambrinoudakis and Gregorios Tsolias, who, although duly summoned, did not attend due to their absence, and Georgios Kontis as Rapporteur. Present without the right to vote were Stefania Plota, a lawyer, as Assistant Rapporteur and Irini Papageorgopoulou, an official of the Authority's Administrative Affairs Department, as Secretary. The Authority has taken note of the following: By means of her complaint to the Authority under reference C/EIS/876/04- 02-2021, A (hereinafter referred to as 'the complainant') complains against the company NIKOS LAZARIDIS OVGE S.A. (hereinafter referred to as 'the complainant company' or 'the company'), where she was employed from ... under an employment contract of indefinite duration until ..., for violation of provisions falling within the competence of the Authority. In particular, the subject matter of the complaint is as follows: "1. Failure to freely and fully obtain my informed consent at the time of signing of the work offered by it and were its obligation, belong to the company and are not to be given to it, as well as the records related to the company's production and production protocols of the company's wine products and it submits the following documents: Email Policy, Privacy Policy, Privacy Policy, Information Security Policy, Portable Device Policy. The Authority, after considering the evidence on the file, after hearing the rapporteur and clarifications from the co-rapporteur, who was present without the right to vote, after an extensive discussion, CONSIDERED IN ACCORDANCE WITH THE LAW 1. Because it follows from the provisions of Articles 51 and 55 of the General Data Protection Regulation (EU) 2016/679 (hereinafter "GDPR") and Article 9 of Law 4624/2019 (Government Gazette A' 137) that the Authority is competent to supervise the application of the provisions of the GDPR, this law and other regulations concerning the protection of individuals with regard to the processing of personal data. In particular, from the provisions of Articles 57 par. 1(f) of the GDPR and Article 13(1)(f) of the GDPR. 1(g) of Law 4624/2019, it follows that the Authority is competent to deal with the complaint of A against the company NIKOS LAZARIDIS OVGE S.A. and to exercise, respectively, the powers conferred on it by the provisions of Articles 58 of the GDPR and 15 of Law 4624/2019. 2. Because Article 5 of the GDPR lays down the processing principles governing the processing of personal data. In particular, paragraph 1 provides that personal data shall, inter alia: '(a) be processed fairly and lawfully and in a transparent manner in relation to the data subject ("lawfulness, objectivity, transparency"); (b) be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes (...); (c) be adequate, relevant and limited to what is necessary for the purposes for which they are processed ("data minimisation") (of personal data, including the protection of personal data against unauthorised or unlawful processing and accidental loss, destruction or deterioration, using appropriate technical or organisational measures ("integrity and confidentiality")". In order for personal data to be processed lawfully, i.e. processed in accordance with the requirements of the GDPR, the cumulative conditions of application and compliance with the principles of Article 5(5)(a) and (b) of the GDPR must be met. 1 GDPR. The controller, in the context of its compliance with the principle of fair or lawful processing of personal data, must inform the data subject that it is going to process his or her data in a lawful and transparent manner1 and must be able to demonstrate at any time its compliance with these principles2 . The processing of personal data in a transparent manner is a manifestation of the principle of fair processing and is linked to the principle of accountability3 , giving data subjects the right to exercise control over their data by holding data controllers accountable4 . The collection and processing of personal data should not take place in secret or with the data subject withholding all necessary information, except as provided for by law, subject to the conditions of Article 8 ECHR, as interpreted by the judgments of the ECtHR and always in the light of the principle of proportionality .5 3. Because, according to the provisions of Article 5 para. 2 of the GDPR implies that the controller bears the responsibility and must be able to demonstrate its compliance with the principles of processing established in Article 5(1). As the Authority has already held6 , the GDPR has adopted a new model of compliance, the central point of which 1 See. CJEU C-496/17 and CJEU C-201/14 of 01-10-2015 para. 31-35 and in particular 34. 2 Principle of accountability under Art. 2 σε συνδυασμό με άρθρα 24 παρ. 1 and 32 of the GDPR. 3 See. Decisions CPC 26/2019, p. 15-17, 43/2019, p. 14. 4 See. OC Guidelines 29, Guidelines on transparency under Regulation 2016/679, WP260 rev.01, p. 4 and 5. 5 See. Judgment CPC 43/2019, para. 5. 6 See. Decisions CPD 66/2022 p. 3, 67/2022 para.3, 36/2021 para. 3, 44/2019 p. 19, 26/2019 p. 8 available on its website. is the principle of accountability under which the controller is required to design, implement and generally adopt the measures and policies necessary to ensure that the processing of data complies with the relevant legal provisions. In addition, the controller bears the further duty to demonstrate itself and at all times its compliance with the principles set out in Article 5(5)(b) of the Directive. 1 GDPR. 4. Because according to the Authority's Directive No. 115/2001 on the processing of data in employment relationships, where it is stated that the consent of the employees cannot lift the prohibition of overstepping the purpose and that in the case of employment relationships, the inherent inequality of the parties and the generally dependent relationship of the employees casts doubt on the freedom of consent of the employees, an element necessary for the validity of the processing7 . Moreover, according to the Article 29 Working Party Guidelines8 , the imbalance of power between employer and employee leads to the conclusion that in the majority of cases of processing of personal data at work the legal basis cannot and should not be that of consent. Indeed, the WP29 cites as an example of the misapplication of the legal basis of consent the case of the operation of a surveillance system of employees at the workplace through cameras. 5. Because, in any case, the employer, applying the principles of the GDPR, should implement policies on acceptable use of electronic media and communicate them to employees. These policies should describe in detail the permitted use of the entity's networks and equipment and the processing that will take place, as well as the employer's ability to provide fair access to the electronic media used by employees. In accordance with the OC Guidelines9 , the CJEU case law10 and as has 7 See. CPC Decision 26/2019 para 9 8 See. OE29 Guidelines of 10-4-2018 "on consent under the GDPR (WP259rev.01)", p. 7 9 See. OE29 Guidelines of 10-4-2018 "on consent under the GDPR (WP259rev.01)", p. 8 10 See in this respect ECtHR, Barbulescu v Romania paras 133-140) the Authority11 , the employer may lawfully process employees' personal data on the basis of their contractual relationship, after having informed them in a transparent manner in accordance with the provisions of recital 58 of the GDPR pursuant to Art. 5 para. 1 GDPR of all individual processing operations. 6. Where personal data relating to a data subject are collected from the data subject, the controller shall, when receiving the personal data, provide the data subject with all the information required by Article 13(1)(b) of the GDPR. 1; and 2 GDPR. In line with the OG 29 Guidelines on Transparency12 when providing information to data subjects, the information provided should be specific, definitive and clear. In particular, the above mentioned GC (paragraph 13) clarifies that: "The use of language such as "may", "certain", "often" and "possible" should also be avoided. Where data controllers choose to use vague wording, they should be able, in accordance with the principle of accountability, to demonstrate why the use of such wording could not have been avoided and why it does not undermine the lawfulness of the processing' (§ 13). 7. Because, with regard to the right of access, taking into account Articles 12 and 15 of the GDPR in conjunction with recital 63 of the GDPR, Article 32 of Law 4624/2019 which introduces, by virtue of Article 23 of the GDPR, restrictions on the right of access and, as the Authority has consistently accepted13 , the data subject must have a right of access to personal data collected concerning him or her and must be able to exercise that right easily and at reasonable intervals in order to be aware of and verify the lawfulness of the processing. The controller 11 See. CPC Decision 26/2019 para 9 12 See. Guidelines on Transparency under Regulation 2016/679 of the OC 29, final revision 11-04-2018, WP260 rev.01 13 See. Judgment CPC 42/2022 para 8 available on the website of the in any case, the data controller is obliged to respond, even in the negative, to a request from the data subject. 8. Because, in the complaint under examination, it appears from the information in the case file, the hearing of the parties involved, as well as the submitted pleadings, that, with regard to the issues that the Authority considers that should have been investigated in the context of the complaint under examination and within the scope of its competence, it is clear that: i. the complainant company processed personal data of the complainant, an employee of the complainant, having the right under Art. 7 of the GDPR, since it determines the purposes and means of processing the personal data of its employees contained in filing systems, and is therefore obliged to comply with the principles introduced by Article 5 of the GDPR. ii. the complainant submitted to the Authority the forms "E-mail Policy", "Privacy Policy and P r i v a c y Policy", "Information Security Policy", "Portable Devices Policy", stating that they have been brought to the attention of the employees in relevant briefings and that the complainant has signed the forms "Policy of Correct Use", "Employee Privacy Statement" and "Employee Confidentiality Agreement" as part of her employment contract and has attended the relevant briefing on ... . iii. the company has drawn up a "Fair Use Policy" form, the first page of which states: "approval details", where the complainant's full name, signature, date and time are recorded, and on page 3, Chapter 2, Item 1 states that "I acknowledge that my use of the computer and communication systems provided by "NIKOS LAZARIDES SA" may be monitored and/or recorded for lawful purposes" and the complainant states that "the telephones and computer she will use and other means of communication may be monitored and/or recorded by the employer". The phrase "approval" incorrectly gives the impression that the the complainant gives its consent to the application of that Policy, a practice which is contrary to the provisions set out in paragraphs 4 and 5 above, as the complainant should, under conditions of transparency, confirm that it has taken note of the relevant form. The Authority considers that the inclusion of the phrase 'approval' in the form in question constitutes a breach of the principle of legality laid down in Article 5(5) of the Directive. 1(a)(a) of the GDPR and the complainant company should correct this reference/phrase in any relevant policy or information document in compliance with the provisions of the GDPR. Moreover, the phrase 'may' mentioned in the Policy in question, taking into account the above-mentioned Guidelines (paragraph 6), creates legal uncertainty for the data subject, as it does not ensure the required transparency for the individual processing of personal data of its employees. The Authority considers that this wording constitutes a breach of the principle of transparency in Article 5(5) of the Directive. 1(a)(c) of the GDPR and that the complainant company should in any corresponding information policy or document remove linguistic designations such as 'may' and provide clear and precise information to the data subject. Finally, the evidence in the file shows that the company has not installed and does not use a system for monitoring and recording telephone communications. iv. concerning the company's reply to the complainant that "Your personal data is kept, in a secure manner, by the company o n the basis of your employment contract, with your consent from ...", referring to the date of signature by the complainant of the relevant documents referred to in paragraph 8 above ii, the Authority considers that the company's reply referring to the legal basis of consent is incorrect, as it creates the impression that the legal basis for the processing of personal data is consent, whereas it is the contractual relationship between the complainant and the complainant. v. with regard to the alleged breach of the principle of security of processing in the use of the complainant's computer, the The Authority considers from the file that no further evidence has been provided, nor does it emerge, that would substantiate any breach by the complainant company of the confidentiality principle of Art. 1(f) of the GDPR, as regards the use of the complainant's computer. vi. with regard to the alleged violation of the complainant's right of access and taking into account that the complainant was dismissed from the company on ..., with the result that it is no longer possible to provide her with access to the company's e-mail accounts, it follows that: a. as to the copies of the Covid-19 medical examinations requested by the complainant, which were performed by the employees prior to their employment with the company and the results of which were shown to the company upon their employment with the company, which bore the related costs, the Authority considers that the company must provide the complainant with any information it maintains in its records regarding these examinations, such as the dates they were performed and the number of such examinations. b. with regard to the description of the jobs held by the complainant in the company, their content and any correspondence exchanged between the complainant and the complainant's company which shows any rotation of the complainant's responsibilities within the company, the Authority considers that the company must provide a detailed description of the jobs and responsibilities assumed by the complainant during the period of her employment in the company, from the records kept by the company, in order to show that c. regarding correspondence exchanged between the company and the complainant, which contains personal data of the complainant, such as requests submitted by the latter for a security visit by a security technician, for information from the Responsible Data Protection and the replies thereto, as well as the letters dated ..., ..., ..., ..., insofar as it has not already been provided to the complainant, the Authority considers that the company, since the correspondence in question is contained in the electronic or physical file of the company as the recipient or addressee thereof, must provide it to the complainant. d. as regards the research that the complainant states that she has carried out on the internet during the ... (...) years that she has been working in the company, the scientific research, the legislation, the analysis protocols etc., the Authority considers that they do not constitute personal data of the complainant and there is no violation of the right of access on the part of the complainant company. In view of the above, the Authority considers that the complainant company, as a controller, has an obligation to duly satisfy the right of access under Article 15 para. 1 and 3 of the GDPR exercised by the complainant to the personal data concerning her under points (a), (b) and (c). 9. Because in assessing the data, the Authority took into account: - that the complainant had, at least since 2019, taken steps to comply with the GDPR, the implementation of which started in May 2018, having drawn up policies and procedures to comply with the legal framework for the protection of personal data, of which it had informed its employees, - that the complainant has partially satisfied the complainant's right of access - the absence of previous infringements committed by the complainant, as a relevant check shows that no administrative sanction has been imposed on it by the Authority to date. 10. In relation to the violations of the principles of legality and transparency established in Articles 5(5)(a) and (b) of the EC Treaty, the Commission has found that there was a violation of the principles of legality and transparency. 1(a)(a) and (c) of the GDPR, as referred to in paragraph 8(iii) and (iv) above, as well as the right of access under Article 15(1)(a) and (c) of the GDPR, as well as the right of access under Article 15(1)(a) and (c) of the GDPR. 1 and 3 of the GDPR in view of the partial satisfaction so far the Authority considers that there is a case for exercising the rights referred to in Article 58(1) of the EEA Agreement. 2 of the GDPR and that, in the light of the circumstances found, it must, in application of the provision of Article 58(2) of the GDPR, address a request to the Authority for a decision on the application of Article 58(2) of the GDPR. 2(b) of the GDPR and also to issue a reprimand to the complainant company and to instruct it to do so in accordance with Article 58(2)(b) of the GDPR. 2(c) of the GDPR to satisfy the complainant's right of access to the extent that it has been exercised and has not yet been satisfied, as mentioned in paragraph 8(vi) above. On the basis of the above, the Authority unanimously decides that the complainant company, in its capacity as controller, should be subject to the administrative sanctions set out in the operative part of the decision, which are considered proportionate to the gravity of the infringements FOR THESE REASONS THE AUTHORITY Α. Finds that the complainant company "NIKOS LAZARIDIS OBE S.A.", as controller, has infringed Articles 5(1)(a) and (b) of the GDPR. 1(a)(a' and (c) of the GDPR and hereby addresses a reprimand to the complainant company pursuant to Article 58(1)(a) and (c) of the GDPR. 2(b) of the GDPR. Β. It shall give an order pursuant to Article 58 par. 2(d) of the GDPR to the complainant company "NIKOS LAZARIDIS OVGE S.A.", to comply with the provisions of the GDPR within three (3) months from the receipt of the present letter, as regards the infringements established under point A. Γ. Finds that the complainant company "NIKOS LAZARIDIS OBE S.A.", as controller, has satisfied the complainant's right of access incompletely in breach of the provisions of Article 15 para. 1 and 3 of the GDPR and addresses a reprimand to the complainant company. D. 2(c) of the GDPR, to the company complained of "NIKOS LAZARIDES S.R.O." as controller, to satisfy the complainant's right of access to the part of the complaint which has been exercised and not yet satisfied, in accordance with paragraph 8 vi. The Deputy President The Secretary George Batzalexis Irini Papageorgopoulou