HDPA (Greece) - 27/2024

From GDPRhub
HDPA - 27/2024
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 15(1) GDPR
Article 15(3) GDPR
Type: Complaint
Outcome: Upheld
Started: 04.02.2021
Decided: 21.06.2023
Published: 06.09.2024
Fine: n/a
Parties: n/a
National Case Number/Name: 27/2024
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: Iliana Papantoni

The HDPA reprimanded the company NIKOS LAZARIDIS S.A. for violations of the principles of transparency and lawfulness and for the partial fulfilment of employee's right of access.

English Summary

Facts

The complainant, an employee of NIKOS LAZARIDIS S.A., filed a complaint with the HDPA on February 4, 2021, alleging multiple violations of the GDPR by her employer. The complainant, an employee of the company, filed a complaint with the HDPA on February 4, 2021, alleging multiple violations of the GDPR by her employer. She claimed that her consent was not freely given or fully informed when she signed certain company documents (i.e., "Acceptable Use Policy" and the "Employee Confidentiality Agreement"), and that the company did not properly inform her about the processing of her personal data. In particular, she stated that the company violated the transparency principle, as she was not informed about the exact personal data the company held or had possibly deleted unlawfully, nor the specific purposes for which her data was processed, as the company cited different legal bases for the same processing activities in various documents. The complainant, also, alleged that the company violated confidentiality, as personal data was sent to her corporate email instead of her personal email, despite her explicit request, making it accessible to unknown third parties, including the IT department, did not fully satisfy her right of access to her personal data, and failed to provide her with copies of important documents and data related to her work, providing only partial information despite her request for copies of her complete personal data file, including medical test results, job descriptions, and various correspondences. Additionally, she reported issues with data security, such as unauthorized access to her computer and the improper handling of her email correspondence. Company’s response stated that complainant’s personal data was securely maintained based on her employment agreement and would be retained for the necessary period, claiming to have sent her the requested data and maintaining that no further personal data existed in their records.

Holding

The HDPA found that the company violated the lawfulness and transparency principles, Articles 5(1)(a) and (c) of the GDPR, as well as the right of access under Articles 15(1) and (3) of the GDPR. Specifically, the use of the term "approval" in the company's forms created the false impression that the complainant had given her consent for data processing, whereas the legal basis was the contractual relationship. Additionally, the use of vague language such as "may" did not ensure the required transparency. The Authority issued a reprimand to the company and ordered it to comply with the GDPR provisions within three months and to fully satisfy the complainant's right of access.

Comment

Legal basis for data processing: The decision highlights a critical aspect of data protection legislation, i.e. the necessity for a clear and appropriate legal basis for data processing. The HDPA found that the company incorrectly relied on employee’s consent as the legal basis for processing of certain personal data, whereas the appropriate basis should have been the contractual relationship between employer-employee. This distinction is vital because consent in an employment context is often not freely given due to the inherent power imbalance. The decision reinforces the need for companies to carefully consider and correctly apply the legal bases for data processing as outlined in the GDPR.

Importance of clear and plain language: The HDPA's critique of the company's use of vague terms like "may" and "approval" in its documentation underscores the importance of using clear and plain language in data protection policies and notices. Ambiguous language can lead to misunderstandings and undermine the transparency required by the GDPR. This decision serves as a reminder for companies to review and revise their data protection policies and notices to ensure they are clear, precise, and unambiguous.

Employee rights and employer responsibilities: The decision emphasizes the rights of employees to access their personal data and the corresponding responsibilities of employers to facilitate this access. The HDPA found that the company had not fully satisfied the complainant's right of access, particularly regarding medical test results, job descriptions, and correspondences. This finding highlights the need for employers to have robust processes in place to respond to data access requests comprehensively and promptly.

Future Compliance and Monitoring: The HDPA's order for the company to comply with GDPR provisions within three months and to fully satisfy the complainant's right of access indicates a forward-looking approach. It not only addresses past violations but also sets a clear expectation for future compliance. This aspect of the decision ensures that the company takes concrete steps to rectify its practices and aligns with the ongoing monitoring and enforcement role of the HDPA.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Athens, 06-09-2024 Prot. No.: 2337 DECISION 27/2024 (Department) The Personal Data Protection Authority met at the invitation of its President in a teleconference meeting on Monday 21-
06-2023 at 10:00 a.m., in order to examine the case referred to in the history of the present. The Deputy President of the Authority, Georgios Batzalexis, obstructing the President of the Authority Constantinos Menoudakou and the alternate members of the Authority Demosthenes Vougioukas and Maria Psalla appeared, in replacement of regular members Constantinos Lambrinoudakis and Grigorio Tsolias, who, although legally summoned, did not attend due to disability and Georgios Kontis as Speaker. Present without the right to vote were Stefania Plota, specialist scientist-lawyer, as assistant rapporteur and Irini Papageorgopoulou, employee of the Authority's administrative affairs department, as secretary. The Authority took into account the following: With the no. prot. C/EIS/876/04-02-2021 her complaint to the Authority, A (herein