Commissioner (Cyprus) - 11.17.001.007.220
Commissioner - 11.17.001.007.220 | |
---|---|
Authority: | Commissioner (Cyprus) |
Jurisdiction: | Cyprus |
Relevant Law: | Article 7(4) GDPR Article 35(9) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 06.08.2020 |
Published: | 22.10.2020 |
Fine: | None |
Parties: | ΚΕΟ PLC |
National Case Number/Name: | 11.17.001.007.220 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Greek |
Original Source: | Office of the Commissioner for Personal Data Protection (in EL) |
Initial Contributor: | Panayotis Yannakas |
The Cypriot DPA (Commissioner) asked the company KEO PLC to suspend their new employee time tracking system, due to a lack of compatibility with Article 7(4) and Article 35(9) GDPR.
English Summary
Facts
KEO PLC decided to upgrade their ERP system, which upgrade was related with the module of recording when an employee started and ended their swift work. Until then, the card-swipe terminal only recorded an id number, as well as arriving and departing time, to and from the premises of the Company.
The new terminal included a tiny camera as a measure of the employees who swiped the cards of their colleagues too. Grounded on the concerns of the principle of proportionality, the right of privacy, as well as the right of public life, two trade unions submit a complaint against KEO PLC and before the Cypriot DPA.
Dispute
The main questioning was if the particular data-processing is reasonable and consist a minimised processing under the meaning of what is absolutely necessary in order to achieve the aim pursued.
Starting with complainers, they argued on an enlarged general line of argument and points of law. Firstly, claimed on the poor accompanying documentation for the impending upgrade system, including the privacy policy and specific information on the changes between the old and new ERP system. Secondly, they were of the opinion that before any changes, the Company should have sought for less intrusive methods of employee time tracking. Thirdly, complainers stated that the resolution of the camera is irrelevant; it’s enough the produced data concerning an identifiable natural person.
KEO Public Company alleges that upon receiving legal advice, they expanded the duration of processing and storage of these data which are tracked, inputted to or created by the new terminal. KEO’s intension of that change was the harmonisation with the limitation period for bringing an action to the court. Also, the KEO Public Company claimed that under the GDPR, there is no right which a trade union can exercise. They thought that the justiciability of GDPR is limited only limited to the natural persons who are the direct possess of the personal data.
Holding
Cypriot DPA totally dismisses the argument of the duration of storage of personal should be linked with the time-barred which someone is allowed to brings an action to the court. The DPA commented that if any other law could set a minimum duration for the storage of personal data, then the letter and the spirit of GDPR would be overlooked. The only eligible criteria shall satisfy the initial reason for collecting these personal data, which in the present case was ensuring that employees do not violate their employment contract.
The DPA hold that the Company could milder adopted measures of getting control over contravened the traditional swipe-card tracking system. Otherwise, the Company at least should had asked for the employees (or the representer of them) for their opinion and/or for their suggestion. Asking of the personal-data’s subject opinion is also a requirement of the Cypriot. For example, Article 35(9) of GDPR provides the possibility that impact assessment may include such an investigation.
The Cypriot DPA considered Article 7(4), which refers to a clear and explicit consent. As a more in-depth insight, we can state that if the consent gained through the performance of a service or other contract, the examination of the necessity of the personal data processing is an inseparable criterion. Due to an employment contract, the employer shall be considered hold a dominant position and any such consent de fact can be characterised explicitly agreement.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
No. Fax: 11.17.001.007.220 August 6, 2020 Decision in the form of an Order in accordance with the provisions of Article 58 (2) (d) of the GCC SUBJECT: Complaint by OVIEK - Σ.Ε.Κ and Σ.Ε.Β.Ε.Τ.Τ.Υ.Κ. - PEO of employees of KEO PLC, for possible violation of GKPD Bearing in mind the provisions: (a) Articles 55 (1), 56 (2), 57 (1) (a) and 58 (2) (d) of General Regulation (EU) 2016/679; and (b) of article 19 (5) of Law 125 (I) / 2018, the following Order is issued: A. Facts: 1. On 14/10/2019, a complaint was submitted to my Office by representatives of OVIEK - S.E.K and Σ.Ε.Β.Ε.Τ.Τ.Υ.Κ. - PEO (hereinafter Complainants) on behalf of the employees in the company KEO PLC (hereinafter referred to as the complaint), in connection with the replacement and upgrade of the system so that it is compatible with modern technology and software systems. 1.1. Specifically, the representatives of the employees of OVIEK - S.E.K and S.E.V.E.T.Y.K. - ΠΕΟ in the Complaint, claim that both the content of the Policy Statement and its Information leaflet entitled Upgrade of entry / exit time recording system, does not comply with the provisions of General Regulation (EU) 2016/679 (hereinafter GCC). 1.2. In the form submitted to my Office, they were briefly mentioned as issues to investigation of the use and duration of data retention, processing of personal data, as well as the fact that the entry / exit card is an excessive measure. 2. On 17/10/2019, an Officer of my Office sent an email to his XXXXXXXX Defendant's staff's complaint, asking for its position on their allegations Complainants, until 11/11/2019, as well as a) Impact Assessment conducted for the implications / risks of using such a System (Article 35 of the GIP), b) Activity Archive, c) Posted Protection Policy and d) Details of the Data Protection Officer of KEO PLC. Positions At the complaint represented by a lawyer and annexes: 3. The lawyer of the Defendant on the complaint, on 11/18/2019 sent a letter with her positions and views. On 12/30/2019 my Office raised various issues that arose from the letter and The attachments sent by the Defendant in the complaint are also listed below. On 14/02/2020, o Defendant's lawyer sent a second reply letter to the complaint. Along with the two letters that sent, attached a) the Employees' Personal Data Protection Statement and / or Dealers, b) the Input / Output Time Recording System Upgrade Notice, c) the Impact Assessment, the Activity Archive, d) the Privacy Statement in relation with Job Applicants and e) the form KEO GENERAL DATA PROTECTION PRIVACY POLICY, as Annexes. 3.1. The two letters of the Defendant, dated 18/11/2019 and 14/02/2020, refer to including the following: 3.1.1. the union complaint does not appear to have been filed by an organization to which includes in its statutory purposes the protection of personal data or has submitted by the data subjects themselves. Therefore, this is not a legitimate complaint and To this end, the Defendant reserves all its rights, 3.1.2. Defendant complained for the purpose of cooperating with my Office, answer the Questionnaire dated 17/10/2019. In the case in which it is submitted complaint in a lawful manner in the future or if it is informed in the future that such complaint formally investigated, then the Defendant reserves the right to challenge the complaint additional comments and positions in defense of its rights. 3.2. The Defendant on 3/10/2019, for the purposes of compliance with the GCC, sent via e-mail and / or handed over to the Employees (Complainants) Statement Privacy Policy. 3.3. He did the same on 9/10/2019, where for the purposes of implementing the mentioned measure, he sent and / or delivered a separate notice regarding the replacement and installation of the new one card swipe system. 3.3.1. In that notice, the Defendant informed its staff that through new devices will collect, store and use the employee card number, the date entry / exit, entry / exit time and low resolution photo of the employee to in order to comply with working hours and compliance with contractual obligations ultimate goal is time management and dealing with any complaints and disciplinary measures misdemeanors. 3.4. For the information of my Office, attach the Privacy Statement Employees and / or Agents and the Time Logging System Upgrade Notification entry / exit, sent and / or delivered to employees, respectively. 3.5. Defendant's position is that the replacement and installation of this system as well as the processing of such data is necessary for the execution of an agreement between it The Complainant and the Complainants as well as for the satisfaction of the legal interest sought by the controller (in this case the Defendant). In the sub report processing applies, as stated, to at least one of the following cases Article 6 of the GCC: “B) The processing is necessary for the execution of a contract of which the subject of data is a contracting party [] ..] (f) the processing is necessary for the purposes of the legitimate interests pursued by controller or third party ” 3.6. For the information of my Office, it has attached the Impact Assessment. 3.7. It is the position of the Defendant that the replacement and installation of the new system A card can not be considered a faulty, unjustified or disproportionate action. THE During the complaint, he had previously used the card flipping system while collecting via this device the employee card number, date and time of entry / exit. The only substantial change with the replacement and installation of the new system, is the collection and save a low resolution photo of the employee and in this regard the Defendant has reduced the retention time of the photo to one month in contrast to other data which it is necessary, as he claims, to be kept for a longer period of time. In the past they had cases where individuals used another employee's card for purposes circumvention of schedule rules. 23.8. The retention period of the remaining data was set at 7 years after they were received take into account the limitation periods that apply to contractual disputes under the Cyprus issue Law. The Impact Report states that this issue will be re-evaluated and amended if deemed necessary. 3.9. The range of data stored is limited to what is absolutely necessary, the number employee card, the date and time of entry / exit and his low resolution photo employee. In addition, access to these data has been restricted. 3.10. According to the Defendant, the present case does not concern video surveillance and use of biometric systems but in the low resolution photo collection of the employee. However, it considers it appropriate to refer by analogy to the following report of Opinion 2/2018 which issued on 19/10/2018 based on Article 58 (3) (b) of the GCC for Video Surveillance in the area work and the use of biometric systems, "Therefore, the use of biometric systems (facial recognition or facial recognition or fingerprinting) by employers, for arrival time control purposes and departure of employees to their place of work is prohibited. The controller must choose other means less intrusive / burdensome to human dignity than what the collection and use of fingerprints entails. As such means are for For example, the card ticking system, frequent / unannounced checks by Manager / Head in the card system, the presence of a supervisor in the area where the system works or alternatively the placement of a surveillance camera over it card machine ”. 3.11. The collection and editing of the low resolution photo of the employee in combination with the card machine as a whole as applied by the Defendant, can not to be considered an excessive measure. On the contrary it is a less burdensome and proportionate measure (unlike surveillance camera which would continuously videotape the specific points and would not was limited to the moments when an employee beats his card). It concludes that this measure in line with the provisions of the GCP. 3.12. The Defendant complains when choosing the features of the mentioned system card, had extensive conversations and consultations with the provider of that system with a view to the best possible compliance with the GPA. For this purpose they requested and received legal tips. 3.13. For the information of my Office, it has attached the Activity Archive of the Defendant complaint. 3.14. At the time of the implementation of the GCP, there was a team, which consisted of its members Management and the Personnel Department and which took all the necessary steps and measures for Defendant's compliance with the GCC. At this stage the debts of the Protection Officer Data (hereinafter referred to as DPA), is executed by XXXXXXXXXX 4. In a letter of the Office, dated 30/12/2019, to the lawyer of the Defendant, the content of which is not an exhaustive list of the findings of my Office as well several issues have emerged that need to be corrected in the forms submitted, the the complaint sent a reply letter on 14/2/2020, stating the following: 4.1. Notes the position of my Office regarding the legality of the complaint and clarifies that the report on whether the Employees in the Defendant made the assignment in accordance with the Directive, "Complaints Procedure". 4.2. Wants to clarify that the low resolution photo associated with the reported system is not biometric data. In other words, this system does not collect biometrically characteristics which are unique, measurable, physical features used 3in order to identify an individual. Therefore, they do not need to be found other ways as the system used is not a collection and processing system biometric data. 4.3. Considers the system in question, which includes taking low resolution photography at the time of card entry and stroke, instead of biometric data or continuous video recording, which will videotape the data subject for a few seconds during attendance at work is a measure that takes into account the principle of proportionality. 4.3.1. The replacement and implementation of this system was deemed necessary for the better implementation of the agreement between the Defendant and the Complainants (their subjects and the satisfaction of the legitimate interest pursued by the controller (Article 6 (b) and (f) of the GCC). 4.3.2. The placement of a camera that takes low resolution photos (keeping them for only period of one month) and consequently their collection and processing is not an excessive measure but it is a measure which takes into account the principle of proportionality. 4.3.3. The data collected by this system is necessary for the intended purposes of processing, ie the monitoring and evaluation of compliance with labor and compliance with contractual obligations with the ultimate goal of time management and dealing with any complaints and disciplinary misconduct. Preserving photos for a period of one month is a proportionate measure. Relevant, as he states, the reports in relation to Opinion 2/2018 of my Office on page 3 of the letter dated 18/11/2019. 4.4. In relation to the Employees' Personal Data Protection Declaration form and / or Delegates (hereinafter Statement) and other sub-issues, notes the following: 4.4.1. In no case has the Defendant's complaint been based on Article 6 (1) (a) of the GIP which concerning securing the consent of data subjects (in this case of the Complainants). The Defendant sent the complaint and / or delivered the Statement to its subjects and what he was asking for was confirmation of receipt of those documents and assurance compliance with the Transparency Principle. 4.4.2. On page 7 of the Declaration, it clarifies that consent is not a condition of the contract employment, nor even for the special categories. 4.4.3. Page 4 of the Declaration clearly lists the cases concerning the conditions of Article 6 with the relevant legal bases for elaboration and while there are specific legal bases in that part of the Declaration, however, it lacks any reference to the consent that provided for in Article 6 (1) (a) of the GCC. 4.5. The individual issues listed in the letter of my Office dated 30/12/2019 and which as I have already mentioned do not constitute an exhaustive list of the findings of my Office as well Several issues have emerged in the forms submitted, they are the following: to make clearer and more specific the way in which information is collected and for what reason. Generality, for example, we collect information about whether you have declared bankruptcy is not sufficient. White criminal record information should be relevant directly with the nature of the work. - there is confusing information, for existing employees and for potential ones employees. They need to be separated and specified as to whom. - the publication refers to protection policy and in general to the policy of the Defendant complaint. Is this policy published somewhere? Is it easily accessible? - the term particularly sensitive personal data is not testable, there is a special data category. - if the service provider is from a country within the EU it does not mean a third party. 4 - if it is from a non-EU country then an Assignment Agreement must be concluded under Article 28 ΓΚΠΔ. - The Knowledge Need Principle should be observed for all (employees and non-employees). procedures have been put in place for the exercise of access rights, deletion and restriction? Are they easily accessible? - data collection is done for a specific purpose and the necessary things are requested. - who is the Data Protection Officer of the Company? Contact info; 4.5.1. The Defendant gives her own position on the above, as follows: - considers that the Statement under the circumstances is quite clear, but is ready to proceed to further control it so as to consider the possibility of making changes to become even more understandable, especially on the point of how and why to whom the data are collected, with regard to the criminal record, clarifies that the provision existed for cases where for any reason an employee or agent voluntarily decides to provide it either such information shall be sent by a third party to the Defendant, - Recently, the External Auditors of the Complainant suggested that certificate where the nature of the subject's work requires the production of blank criminal record, - for the same reason there was the provision concerning whether someone would go bankrupt, such notification to be sent to the Defendant. - as provided in the Bankruptcy Law notification of any decree declaring the the debtor in bankruptcy is notified, inter alia, to the employer of the bankrupt, indeed in the Statement there are references to information collected at the stage before hiring someone. This is there to cover cases where such information is necessary to maintain and later, ie at the stage where one will become employed, - for people who simply remain "potential employees" there is a separate statement of protection data, which was attached as Annex A to the letter dated 14/2/2020. As a million therefore, no further separation should be made in the Declaration, which concerns people who have become employees, - there is a more general and concise document on personnel protection policy of the Defendant in relation to all employees / Complainants, as well as a form which can be given by the DPO of the Defendant in case requested by anyone (Annex B of the letter dated 14/2/2020). The This document will also be posted on the Defendant's website, where it already exists specific data protection policy for the use of the website. - the reason the term "sensitive personal data" was used is because it is used widely, such as for example by the European Commission itself on its website when provides explanations for the legal reasons for processing with reference to the GCC itself. also Such references also exist in the recitals (recitals) 10 & 51 of the GCP. - in any case it is clarified that the Defendant does not send information about non-EU employees. - the only service provider of the Defendant who personally processes the complaint data of its employees (Complainants) is the company that provides the SAP system ERP. A relevant award contract has been prepared between the Defendant and him provider, to be signed by 29/2/2020, - Defendant aims and seeks to establish and implement procedures and workplace culture that restrict access to information that concerns them employees (Complainants) in such a way that access is only available to persons who need to have access, - the Defendant has established procedures for exercising access rights, deletion and restriction, contained in a form which may be given by the DPO to case requested by any employee. 5 - The Defendant understands that any information she collects and maintains about them subjects is why this has become necessary for employment purposes. That, after all, is the main purpose of the Defendant's compliance with the complaint, - The Defendant understands that full compliance with this principle in one workplace requires a change of culture from all parties involved and from all without exception, - until recently the DPO was XXXXXXXXXX, but which leaves the Defendant on complaint, therefore procedures for the appointment of a new DPO. 4.6. Further, in the entry / exit time recording system Upgrade form, which consists of from almost three pages, all the necessary information regarding the replacement has been given and installation of the new system so that staff can receive the necessary information about it system. 4.7. In relation to the concern that arises as to whether the low resolution of the photo will exist any special processing, the Defendant states that the low resolution photos which will be collected by the input / output recording system, will not be transferred nor will are stored in the SAP ERP software but on the Defendant's server with a limited complaint access. The input / output time recording system is a completely separate system from SAP ERP. Defendant confirms the complaint that no special treatment will be given to low resolution photos. 4.8. The people of SAP ERP are employees of a third independent company, which provides the system to the Defendant. This system stores all the data collected with new devices, except for low resolution photos, and only the individuals of the Personnel Department and the IT Department. 4.9. As stated in the Impact Assessment form that was conducted, SAP ERP individuals have access to the software, only after the Defendant has authorized the complaint for purposes software upgrade or repair of any software malfunction, the which cannot be remedied by Defendant's IT department. 4.10. The Defendant considers that the time of one month for keeping the photos low analysis, is accordingly legitimate. 4.10.1. With regard to the retention of data concerning the time and date of entry and exit from the workplace, the retention period is currently set at 7 years, provided that limitation periods under Cypriot law have been taken into account in relation to contractual disputes (6 years) and civil offenses (3 years). 4.10.2. A legal dispute may arise in relation to an employee (Complainant) concerning matters for which the limitation period of the transferable rights in accordance with Cypriot Law amounts to 6 years and the entry / exit data to be a relevant testimony in such cases. 4.10.3. It is possible for a case to arise with an employee (Complainant) and the Defendant complaint, other than those contained in the jurisdiction of the Labor Disputes Tribunal, for which the limitation period is shorter. For this reason, the Defendant received the complaint legal advice, as to maintain such data for a period of 7 years, except of course in cases where a case arises, where the case-related information will be retained for as long as the case is pending. 4.10.4. The retention of these data for a period of 7 years is not excessive period as the input / output elements in the workplace are not of such a nature as to poses a serious threat to the rights and freedoms of data subjects (Complainants). At the same time, it remains at the disposal of my Office to discuss and We will adjust this detail accordingly in the future as the system has just been set up in application. 5. Then, on 12/3/2020, an Officer of my Office sent an e-mail to DPO of the Complainants, making aware of the allegations of the Defendant, requesting his positions and views until 13/4/2020. Positions of Complainants represented by a lawyer: 6. On 13/4/2020, the Complainants' lawyer sent a letter with the positions and views of the of its customers, as follows: 6.1. To answer the question of whether the Defendant is entitled to photograph them Complainants / employees upon entering / leaving employment, the legal framework within which the Defendant may make such a complaint processing. 6.1.1. In accordance with the Principles set out in Article 5 of the GIP and concludes that the adoption of measure of taking a photograph of the employee during his entry / exit procedure may be allowed, only when the employer is able to justify the legality and necessity of the control and monitoring and when there is no other less intrusive way of doing it of the purposes it pursues. 6.1.2. The positions and the reasons put forward by the Defendant in the Complaint for its installation upgraded card system with photo capture, can be satisfied with both existing card system as well as the adoption of other methods, such as frequent unannounced checks by a Chief in the card system or even in the presence of a supervisor at the place where the card system works. 6.1.3. Further, the complaint was not indicated by the Defendant what the reasons were it is necessary and / or necessary to upgrade the card system. Defendant complained to merely stating the aims without substantiating the necessity which led her to it decision. 6.1.4. As long as the photo that is taken identifies the employee, even though it is low analysis falls within the interpretation of the term "personal data". 6.1.5. Given the Principle of Proportionality, taking a photograph of the employee is recommended an intervention measure that restricts the right to privacy and does not serve either the purposes for which the Defendant stated that she wanted to serve. 6.1.6. He expected the Defendant to file the complaint, as Processor, before upgrading the card system, would try to strike a balance between its legitimate interest and protection of its rights and the fundamental right to privacy of its employees. 6.2. Regarding the data retention period, the retention time is defined as necessary period of time to satisfy the purposes for which it is collected by the person in charge data processing. 6.2.1. In this case, the Defendant informed the complainant that the data concerned at the time and date of entry and exit to the workplace is 7 years. In his calculation during this period, the limitation periods provided by Peri were taken into account Limitation Law, ie 6 for contracts and 3 years for civil offenses. 6.2.2. The reasoning is correct but the calculation by the Defendant is wrong with given that any difference arises in relation to the entry / exit hours of this employee 7 will be reduced to a labor dispute and therefore the limitation period of the labor disputes, amounting to 12 months. 6.3. In the SEP ERP software system, employee data is entered correctly. It must but for the Defendant to explain and justify the complaint as to whether there is a reason to data is stored on a KEO PLC server. In addition, the issue of a signatory is raised award agreement between the Defendant and the company operating the SEP system ERP. 6.4. Concluding, in the positions of the Complainants' side, he stated that the taking of a photograph of them is not necessary to protect the legitimate interests of the Defendant complaint, since it can be secured in less burdensome ways, while in any case the The entry / exit card data retention period should be limited to a maximum of 2 years. B. Legal analysis: 7. The photograph of a natural person, in so far as his identity is immediately or indirectly revealed, constitute "personal data" as defined in Article 4 thereof GPA, which states that "personal data" is "any information that concerns identified or identifiable natural person (data subject) ". 7.1. The same article also defines as processing "any act or series of acts performed with or without the use of automated media, in personal data or in sets personal data, such as the collection, registration, organization, structure, h storage, adaptation or modification, retrieval, retrieval of information, use, transmission by disclosure, dissemination or any other form of distribution, association or combination, restriction, deletion or destruction ". 7.2. Furthermore, the controller is defined as anyone (the natural or legal person, the public authority, service or other body) which, ‘alone or jointly with another, and how personal data is processed ". 7.3. In addition, it defines it as an "archiving system": any structured set of personnel data which are accessible based on specific criteria, or as a whole centralized or decentralized or distributed on a functional or geographical basis ". 8. Article 5 of the GPA sets out the Principles governing the processing of personnel data character, as follows: '1. Personal data: '… (c) is appropriate, relevant and limited to what is necessary for the purposes for which they are processed ("Data minimization");… (e) are kept in a form which allows them to be identified data subjects only for the period required for the purposes of their processing personal data; personal data can be stored for longer intervals if personal data is processed only for archiving purposes in the public interest, for scientific or historical purposes for statistical purposes, in accordance with Article 89 (1) and provided that appropriate technical and organizational measures required by this Regulation to ensure rights and freedoms of the data subject ("restriction of the period 2. The controller is responsible and is able to prove the compliance with paragraph 1 ("accountability") ". 8.1. Based on the Data Minimization Principle established by Article 5 (1) (c) of the GIP, Defendant, in any case, must ensure that, personnel data appropriate, relevant and limited to what is necessary for the purposes for which they are made processed and based on the Principle of limitation of the storage period, which Article 5 (1) (e) of the GIP, the data must be kept in a form which allows the identification of data subjects only for the time required to achieve them purposes of processing. 88.2. Recital 39 of the GCP Preface explains, inter alia, that “The data should be adequate and relevant and limited to what is necessary for them purposes of their processing. This requires in particular to ensure that storage space personal data to be kept to a minimum. Staff data should only be processed if the purpose of the processing cannot achieved by other means ". 8.3. Recital 4 of the Preamble to the IGC explains that, “the right to protection of personal data is not an absolute right; it must be valued in relation to its function in society and be weighted with other fundamental rights, in accordance with its principle proportionality ". 8.4. Further, Recital 47 explains that, “The legitimate interests of the including those of a controller to whom they may disclose personal or third party data may provide the legal basis for the provided that they do not outweigh the interests or fundamental rights and freedoms of the data subject, taking into account the legitimate expectations of the subjects data on the basis of their relationship with the controller ". 8.5. Related to the issue are also, (a) Opinion no. 06/2014 on the meaning of law interests of the controller issued on 9/4/2014 by the Working Group of Article 29 on data protection, (b) the Opinion of the Article 29 Working Party on GATT entitled "Opinion 2/2017 on data processing at work", (c) paragraph 9 of Article 35 of the GCP, in which It is stated that "Where appropriate, the controller shall consult the data or their representatives for the intended processing, subject to protection commercial or public interests or the security of processing operations "(d) Opinion 2/2018 issued by the Commissioner for Personal Data Protection under Article 58 (3) (b) of the GCC for Workplace Video Surveillance and the Use of Biometric systems and (e) Directive 1/2011 issued by the Hellenic Data Protection Authority Personal Use for the use of video surveillance systems to protect persons and goods. 9. Article 35 (9) of the GPA concerning the Impact Assessment on data protection stating that "Where appropriate, the controller shall consult the data or their representatives for the intended processing, subject to protection commercial or public interests or the security of processing operations ". 10. The Law on Limitation of Inviolable Rights of 2012, as amended (hereinafter N. 66 (I) / 2012). 11. In Article 12. (10A) of the Law on Annual Leave with Remuneration of 1967 (hereinafter Law 8/1967) states that “An application to the Labor Disputes Tribunal shall be submitted within twelve months of the date on which the right to apply arose or within nine months of Fund response for redundant staff… » C. Commentary: 12. It is the position of the Defendant's lawyer that the complaint that for his replacement and installation card system as well as for data processing, at least one of the the following cases of Article 6 of the GCC: “B) The processing is necessary for the execution of a contract of which the subject of data is a contracting party [] ..] (f) the processing is necessary for the purposes of the legitimate interests pursued by controller or third party… ”. 12.1. In order for Article 6 (1) of the GIP to be used as a legal basis, explicit provision should be included in the employment contract signed between the Defendant 9 the complaint and the data subjects (employees). Such data were not presented in front of me. 12.1.1. But even if there was explicit provision in the employment contract this would be considered under in the light of Article 7 (4) of the GIP and whether the consent of the data subject (employee) is given freely. As mentioned in my Office letter dated 30/12/2019, the employer is considered to have a dominant position in the employment relationship, therefore the employee consent is not considered free. 12.2. With regard to Article 6 (1) (f) of the GBER, I accept that it could be used as legal basis, provided, however, that the processing of the data of the subjects (employees), ie the taking and storing their photo obeys the Principles of Proportionality, Restriction of the storage and accountability period and in any case does not take precedence over interests or fundamental rights and freedoms of data subjects. 13. In the present case, therefore, I am called upon to consider (a) whether the installation of a camera by the Defendant in order to receive the complaint low resolution photograph of the data subject (employee) to identify that the employee who beats the card is the holder and not a third party, as a measure control, obeys the Data Minimization Principle and (b) whether the retention time of employees' entry / exit data (number employee card, date and time of entry / exit) for a period of seven years, for purposes for the settlement of labor disputes or for the exercise of legal rights, obeys its Principle Limit the Storage Period. 14. With regard to Question 13 (a), I take note of the following: 14.1. In the Impact Assessment carried out by the Defendant on page 5, in the paragraph entitled STEP 3: Consultation process, it is stated that: "The advice of the subjects was not sought, nor of their representatives as the Recording and time data management has always existed as part of Management Staff ". 14.2. In the letter of the lawyer of the Defendant the complaint dated 18/11/2019, on page 2, it is referred that: «…. In any case, KEO used to use the card flipping system in the past collecting through this device the employee card number, date and time input / output. That is, the only substantial change in the card flip system is collecting and storing the employee's low resolution photo and so on KEO has reduced the retention time of the photo to one month in contrast to others data which need to be retained for a longer period of time… " 14.3. In the Impact Assessment carried out by the Defendant on the complaint, on pages 5 and 6, in the paragraph entitled STEP 4: Proportionality and Necessity Assessment, states that: «1. Time recorders are necessary for the Company to be able to perform the contract with its employees and for the protection of its legal interest or third. Given the conditions of the Company there seems to be no other way processing with which the Company can adequately monitor and evaluate the observing working hours and detecting any disciplinary violations. It is noted that in the past there have been incidents where people have beaten another colleague's card. In every In this case, we consider that only the data are collected and stored through the devices which are necessary to serve the stated purposes ". 14.4. In addition, in the letter of the lawyer of the Defendant the complaint, date. 11/18/2019, on page 3, it is referred that: 10 "επίσης We also consider it appropriate to refer to Opinion 2/2018 issued by the Office of the Personal Data Protection Commissioner pursuant to Article 58 (3) (b) of the General Regulation on Data Protection (Regulation (EU) 2016/679) on Video workplace monitoring and the use of biometric systems. Although the This case does not concern video surveillance and the use of biometric systems but concerns collection of low resolution photo of the employee we consider appropriate to refer by analogy to the following reference contained in this document: “As ex therefore, the use of biometric systems (facial recognition or fingerprinting) by employers, for arrival time control purposes and departure of employees to their place of work is prohibited. The controller must choose other means less intrusive / burdensome to human dignity than what the collection and use of fingerprints entails. As such means are for For example, the card ticking system, frequent / unannounced checks by Manager / Head in the card system, the presence of a supervisor in the area where the system works or alternatively the placement of a surveillance camera over it card machine ”. Therefore, we consider the collection and processing of the photo low analysis of the employee in conjunction with the card machine as a whole as it is implemented by our customers, can not be considered an excessive measure (in contrast for example with a surveillance camera that would continuously videotape the specifics points and would not be limited to the moments when an employee beats his card) to achievement of the above mentioned objectives of KEO. This measure is therefore consistent with provisions of the General Regulation on Data Protection… ". 14.5. In addition, in the letter dated. 14/2/2020, the lawyer of the Defendant states that: … Or our customers want to clarify that the low resolution photo is related with this system is not a biometric data. In other words, it does not collect this system biometric features which are unique, measurable, physical features which are used to identify an individual. It is therefore not considered other ways need to be found as the system used is not a system collection and processing of biometric data… ". 14.6. All of the above references contained in the Impact Assessment and its letters Defendant's lawyer, explain that taking a low-resolution photo of was the only practical solution for the purposes pursued by the complaint to serve. I do not rule out that, in some cases, taking a photo or video, as I mention in Directive 2/2018, when the card is struck, it may be mandatory. However, in such cases, under the Accountability Principle, the employer should be in able to prove that, there is no other less intrusive way to achieve it intended purpose, namely the effective control of employees. 14.7. In the present case, the Defendant has not substantiated the complaint, nor has it arisen in any stage that other ways and measures were applied by it, e.g. the frequent / unannounced checks by the Manager / Manager on the card system, the presence of a supervisor in the area where the system operates or even the camera, which would focus on their hands employees at the time they hit the card and not in the face, and be judged as ineffective or inadequate or insufficient to confirm the choice of low resolution photography, as the most appropriate measure to serve the purposes set Defendant seeks the complaint. In the context of employment, the monitoring measures set reflect the employee's behavior should be proportionate to risks faced and implemented in the least intrusive way. 14.8. Therefore, in relation to question (a) I ask in paragraph 11 above, the position of the Defendant that, the installation of a camera in order to take a low resolution photo of their subject (employee) to identify that the employee who beats the card is the holder and not a third party, as a control measure, obeys the Data Minimization Principle, 11 rejected, as the Defendant did not take or consider any other less intrusive measures, before the application of this measure. 15. As regards question 13 (b), I have regarded the following: 15.1. In the Impact Assessment carried out by the Defendant on page 2, in the paragraph entitled Nature of Processing, it is stated that: "… The data in relation to the employee card number, time and date of entry and exit to the workplace may be maintained for a period of up to seven (7) years from date of their collection unless legal proceedings and / or a contractual dispute are pending where the data will be stored for a longer period for purposes of recommendation, exercise and advocacy νομ » 15.2. On page 5 of the same Impact Assessment, in the section entitled STEP 3: Advisory Consultation process, it is stated that: "The advice of the data subjects was not sought, nor of their representatives as well as recording and managing time data has always existed as part of it Personnel Management… ». 15.3. Additionally, on page 7 of the same Impact Assessment, in the section entitled STEP 4: Proportionality and Necessity Assessment states that: «7. Υπόλοι The remaining data was considered appropriate, at least at this stage, to be retained for a period of 7 years having regard to the limitation periods applicable to the breach contractual relationship under Cypriot law. As explained below the question of time will be re-evaluated in the near future and in particular after the appointment of a DPO ". 15.4. In the letter of the lawyer of the Defendant the complaint dated 18/11/2019, on page 3, it is referred that: ". As for the retention of the remaining data, the retention period is at present stage is set at 7 years taking into account the limitation periods applicable under it Cypriot law regarding contractual disputes. But as explained in the Report Impact (Annex C) this issue will be re-evaluated and amended if deemed appropriate necessary. We also note that the range of data retained is limited in what is absolutely necessary, ie in the data concerning the employee card number, the date / time of entry / exit and low resolution photo of the employee. In addition, we note that, as explained in Annex C, access has been restricted in the specific data… » 15.5. In addition, in the letter dated. 14/2/2020, the lawyer of the Defendant states that: "… Regarding the retention of data concerning the time and date of entry and exit to the workplace, it is noted that the retention period is at this stage determined at 7 years taking into account the limitation periods based on the Cyprus problem Law regarding contractual disputes (6 years) and civil offenses (3 years). Of those we realize it is possible in relation to an employee to arise litigation disputes concerning matters for which the statute of limitations period according to Cypriot Law amounts to 6 years. Input details are possible and to be relevant evidence in such cases. That is, in relation to one an employee other than those listed in jurisdiction of the Labor Disputes Tribunal for which the limitation period is smaller. It is for this reason that we have advised our customers as they maintain such data for a period of 7 years except of course in cases where a case arises and such information should, if relevant, be kept for as long as the trial is pending. Finally, on this issue, we consider that objectively speaking the maintenance of such data for 7 years is not an excessive period as the data containing the time entry and exit to the workplace is not of such a nature as to create serious 12 danger to the rights and freedoms of subjects (emphasis added). But at the same time we remain at your disposal to discuss and adapt depending on this detail in the future as the system has only recently been put into application…". 15.6. In summary, the Defendant claims that the data retention period of its employees for a period of seven (7) years is absolutely necessary because, it may occur between the Defendant and the conductive right of its employees, which, based on Law 66 (I) / 2012, as amended, provides limitation periods of six (6) years for contracts and three (3) years for civil offenses. On the contrary, the The complainants' lawyers argue that any dispute between the Defendant and the its employees will be of a labor nature, which will have to be resolved before the Court Labor Disputes, meaning, in accordance with the provisions of article 12 (10A) of Law 8/1967, as amended, which, inter alia, provides that: “Application to the Labor Disputes Tribunal shall be submitted within twelve months from the date on which it is to be submitted application or within nine months of the response of the Fund to redundant staff ". 15.7. I am of the opinion that both positions suffer because neither Law 66 (I) / 2012 nor Law 8/1967 is a legal basis for determining the storage period of the data in question. And the two Laws provide for periods during which respective rights can be exercised, however do not, at the same time, create an obligation to retain certain data in order to exercise them of rights. After all, if I accepted the positions that, these Laws could constitute criterion for determining the storage time of the data in question, I would reach paradoxical conclusion that, all the data collected by all processors who falling within the scope of the GGP, should be stored for periods similar to these provided for in their national laws for the settlement of labor and civil disputes, respectively, which circumvents both the letter and the spirit of the GCP. 15.8. The data in question, ie the employee card number, the date and time of entry / of each employee, are stored in the system installed by the Defendant, for a long time specific purposes, namely the control of timetable and payroll and, on the basis of the Beginning of the Storage Period, the only factor / criterion for determining the period their storage, in a form that allows the identification of employees, must be the time required to fulfill these purposes. Storing them for longer periods, can only be done for archiving purposes in the public interest or for scientific purposes or historical research or for statistical purposes. In this case, these purposes do not are applicable or at least, the Defendant has not brought them before me. Hence her position Defendant that, the period of storage of the data of its employees for a period of seven (7) years is absolutely necessary, is rejected. 16. Furthermore, it should be borne in mind that the decision of the Defendant to establish the complaint low resolution camera and its decision to keep the data of its employees for a period seven (7) years of age, have been obtained without prior consultation with the staff or their guilds. 16.1. Defendant's lawyer in the impact assessment assessment he sent states that no the advice of neither the employees nor their representatives was sought as the recording and Time data management has always existed as part of Personnel Management. The fact that the Prior to the complaint, he previously collected and maintained data without justifying the time This does not mean that he can continue to do so and that he could in the context of this system upgrade to consult with stakeholders, so as to correct any distortions of the past. 16.2. In addition to the fact that, pursuant to Article 35 (9) of the GIP, the Defendant, during the preparation of the an impact assessment would be appropriate to seek the views of its officials or their representatives, for measures it intended to take, this was also required by the Transparency Authority. 16.3. For transparency purposes, the participation of employee representatives is necessary (e.g. trade unions) during the discussions that take place before measures are taken involving him 13control and / or supervision of staff through the processing of their personal data. Relevant is the following excerpt from the Opinion of the Article 29 Working Party, "Opinion 2/2017 on data processing at work »: «6.3 Transparency Effective communication should be provided to employees concerning any monitoring that takes place, the purposes for this monitoring and the circumstances, as well as possibilities for employees to prevent their data being captured by monitoring technologies. Policies and rules concerning legitimate monitoring must be clear and readily accessible. The Working Party recommends involving a representative sample of employees in the creation and evaluation of such rules and policies as most monitoring has the potential to infringe on the private lives of employees. ». D. Conclusion - Conclusion: 17. In the light of the above and exercising the powers conferred upon me by the provisions of Article 58 (1) (d) I inform the Defendant of the complaint that: 17.1. In relation to the question (a) that I ask in par. 13 above, the installation of a camera by Each in order to take a low resolution photo of the data subject (employee) to identify that the employee who beats the card is the holder and not a third party, as without taking into account or considering other less intrusive measures before the implementation of this measure, violates the Principle of Data Minimization and therefore can not be accepted. 17.2. In relation to question (b) that I ask in par. 13 above, the retention time of the data entry / exit of employees (employee card number, date and time of entry / exit) for period of seven (7) years, for the purposes of exercising legal rights, violates the Principle of Limit the Storage Period. 17.3. Pursuant to Article 58 (2) of the GIP, I have the power to impose an administrative sanction on the above violations, which includes the possibility of imposing an administrative fine on the basis of Article 83 thereof. However, considering: (a) all the factors set out in Article 83 (2) of the GIP; (b) that, at all stages of the examination of this complaint, the Defendant had working with my Office, (c) that the case could have been avoided if the Defendant had consulted the measures taken by its officials or their representatives, (d) that the Defendant in the complaint has taken several measures to comply with the IGC, in particular as regards concerns the obligation to inform its employees and exercising the powers conferred on me by the provisions of Article 58 (2). (d) of the GCC, I consider more appropriate in the first phase, to give the Defendant the following order: (a) suspend the installation of the upgraded card flip system includes installing the camera and destroying the material collected if the download this and inform my Office of the actions and (b) to choose through transparent procedures, with the participation of their representatives employees, differentiated measures / solutions that are appropriate and sufficient and to ensure guarantees of legality, transparency, preservation, proportionality and security of personal data and as a draft of the en due procedures until 4/12/2020. 17.4. In case the Defendant does not comply with the above order within them above deadlines, I will consider the need for stricter administrative measures against her. 14Irene Loizidou - Nikolaidou Commissioner for Protection Personal Data 15