HDPA (Greece) - 27/2024
| HDPA - 27/2024 | |
|---|---|
 | |
| Authority: | HDPA (Greece) |
| Jurisdiction: | Greece |
| Relevant Law: | Article 5(1)(a) GDPR Article 5(1)(c) GDPR Article 15(1) GDPR Article 15(3) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 04.02.2021 |
| Decided: | 21.06.2023 |
| Published: | 06.09.2024 |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 27/2024 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Greek |
| Original Source: | HDPA (in EL) |
| Initial Contributor: | Iliana Papantoni |
The DPA reprimanded an employer for the usage of vague language in its privacy policy creating the false impression that the processing of employment data is based on consent rather than the performance of the employment contract.
English Summary
Facts
A data subject, an employee of NIKOS LAZARIDIS S.A., filed a complaint with the HDPA on February 4, 2021, alleging multiple violations of the GDPR by her employer (the controller). The data subject claimed that her consent was not freely given or fully informed when she signed certain company documents (i.e., "Acceptable Use Policy" and the "Employee Confidentiality Agreement"), and that the controller did not properly inform her about the processing of her personal data.
In particular, the data subject claimed that the controller violated the transparency principle, as she was not informed about the exact personal data the controller held, nor the specific purposes for which her data was processed, as the controller cited different legal bases for the same processing activities in various documents. The data subject, also, alleged that the controller violated confidentiality, as personal data was sent to her corporate email instead of her personal email, despite her explicit request, making it accessible to unknown third parties, including the IT department. Also the data subject claimed that the controller did not fully satisfy her right of access to her personal data, and failed to provide her with copies of important documents and data related to her work, providing only partial information despite her request for copies of her complete personal data file, including medical test results, job descriptions, and various correspondences. Additionally, she reported issues with data security, such as unauthorized access to her computer and the improper handling of her email correspondence.
The controller’s response stated that data subject’s personal data was securely processed based on her employment agreement and would be retained for the necessary period. The controller claimed to have sent her the requested data and maintaining that no further personal data existed in their records.
Holding
The HDPA found that the controller violated the lawfulness and transparency principles, Articles 5(1)(a) and (c) GDPR, as well as the right of access under Articles 15(1) and (3) GDPR.
Specifically, the use of the term "approval" in the controller's forms created the false impression that the data subject had given her consent for data processing, whereas the legal basis was the contractual relationship. Additionally, the use of vague language such as "may" did not ensure the required transparency.
Regarding the violation of Article 15 GDPR, the DPA explained that the controller was obliged to disclose any information about the data subject maintained in their records. In this case, the controller failed to answer the access request fully. In particular the data subject should have received information about Covid medical examinations (its dates and numbers) which were performed when the data subject was employed. Also, the data subject was entitled to receive a detailed description of their position within the controller.
The Authority issued a reprimand to the controller and ordered it to comply with the GDPR provisions within three months and to fully satisfy the data subject's right of access.
Comment
Legal basis for data processing: The decision highlights a critical aspect of data protection legislation, i.e. the necessity for a clear and appropriate legal basis for data processing. The decision reinforces the need for companies to carefully consider and correctly apply the legal bases for data processing as outlined in the GDPR.
Importance of clear and plain language: The HDPA's critique of the company's use of vague terms like "may" and "approval" in its documentation underscores the importance of using clear and plain language in data protection policies and notices. Ambiguous language can lead to misunderstandings and undermine the transparency required by the GDPR. This decision serves as a reminder for companies to review and revise their data protection policies and notices to ensure they are clear, precise, and unambiguous.
Employee rights and employer responsibilities: The decision emphasizes the rights of employees to access their personal data and the corresponding responsibilities of employers to facilitate this access. The HDPA found that the company had not fully satisfied the complainant's right of access, particularly regarding medical test results, job descriptions, and correspondences. This finding highlights the need for employers to have robust processes in place to respond to data access requests comprehensively and promptly.
Future Compliance and Monitoring: The HDPA's order for the company to comply with GDPR provisions within three months and to fully satisfy the complainant's right of access indicates a forward-looking approach. It not only addresses past violations but also sets a clear expectation for future compliance. This aspect of the decision ensures that the company takes concrete steps to rectify its practices and aligns with the ongoing monitoring and enforcement role of the HDPA.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Athens, 06-09-2024 Prot. No.: 2337 DECISION 27/2024 (Department)
The Personal Data Protection Authority met by teleconference on Monday 21- 06-
2023 at 10:00 a.m., at the invitation of its Chairman, in order to examine the case
mentioned in the background of this document. In attendance were, the Deputy
Chairman of the Authority, Georgios Batzalexis, in the absence of the Chairman of
the Authority, Konstantinos Menoudakos, and the alternate members of the
Authority, Demosthenes Vougioukas and Maria Psalla, in place of the full members
Konstantinos Lambrinoudakis and Gregorios Tsolias, who, although duly summoned,
did not attend due to their absence, and Georgios Kontis as Rapporteur. Present
without the right to vote were Stefania Plota, a lawyer, as Assistant Rapporteur and
Irini Papageorgopoulou, an official of the Authority's Administrative Affairs
Department, as Secretary.
The Authority has taken note of the following:
By means of her complaint to the Authority under reference C/EIS/876/04-
02-2021, A (hereinafter referred to as 'the complainant') complains against the
company NIKOS LAZARIDIS OVGE S.A. (hereinafter referred to as 'the complainant
company' or 'the company'), where she was employed from ... under an employment
contract of indefinite duration until ..., for violation of provisions falling within the
competence of the Authority. In particular, the subject matter of the complaint is as
follows: "1. Failure to freely and fully obtain my informed consent at the time of
signing
of the work offered by it and were its obligation, belong to the company and are not
to be given to it, as well as the records related to the company's production and
production protocols of the company's wine products and it submits the following
documents: Email Policy, Privacy Policy, Privacy Policy, Information Security Policy,
Portable Device Policy.
The Authority, after considering the evidence on the file, after hearing the
rapporteur and clarifications from the co-rapporteur, who was present without the
right to vote, after an extensive discussion,
CONSIDERED IN ACCORDANCE WITH THE LAW
1. Because it follows from the provisions of Articles 51 and 55 of the General
Data Protection Regulation (EU) 2016/679 (hereinafter "GDPR") and Article 9 of Law
4624/2019 (Government Gazette A' 137) that the Authority is competent to
supervise the application of the provisions of the GDPR, this law and other
regulations concerning the protection of individuals with regard to the processing of
personal data. In particular, from the provisions of Articles 57 par. 1(f) of the GDPR
and Article 13(1)(f) of the GDPR. 1(g) of Law 4624/2019, it follows that the Authority
is competent to deal with the complaint of A against the company NIKOS LAZARIDIS
OVGE S.A. and to exercise, respectively, the powers conferred on it by the provisions
of Articles 58 of the GDPR and 15 of Law 4624/2019.
2. Because Article 5 of the GDPR lays down the processing principles governing
the processing of personal data. In particular, paragraph 1 provides that personal
data shall, inter alia: '(a) be processed fairly and lawfully and in a transparent manner
in relation to the data subject ("lawfulness, objectivity, transparency"); (b) be
collected for specified, explicit and legitimate purposes and not further processed in a
way incompatible with those purposes (...); (c) be adequate, relevant and limited to
what is necessary for the purposes for which they are processed ("data minimisation") (of personal data, including the protection of personal data against unauthorised or unlawful processing and accidental loss, destruction or deterioration, using
appropriate technical or organisational measures ("integrity and confidentiality")". In
order for personal data to be processed lawfully, i.e. processed in accordance with
the requirements of the GDPR, the cumulative conditions of application and
compliance with the principles of Article 5(5)(a) and (b) of the GDPR must be met. 1
GDPR. The controller, in the context of its compliance with the principle of fair or
lawful processing of personal data, must inform the data subject that it is going to
process his or her data in a lawful and transparent manner1 and must be able to
demonstrate at any time its compliance with these principles2 . The processing of
personal data in a transparent manner is a manifestation of the principle of fair
processing and is linked to the principle of accountability3 , giving data subjects the
right to exercise control over their data by holding data controllers accountable4 .
The collection and processing of personal data should not take place in secret or with
the data subject withholding all necessary information, except as provided for by
law, subject to the conditions of Article 8 ECHR, as interpreted by the judgments of
the ECtHR and always in the light of the principle of proportionality .5
3. Because, according to the provisions of Article 5 para. 2 of the GDPR implies
that the controller bears the responsibility and must be able to demonstrate its
compliance with the principles of processing established in Article 5(1). As the
Authority has already held6 , the GDPR has adopted a new model of compliance, the
central point of which
1 See. CJEU C-496/17 and CJEU C-201/14 of 01-10-2015 para. 31-35 and in particular 34.
2 Principle of accountability under Art. 2 σε συνδυασμό με άρθρα 24 παρ. 1 and 32 of the GDPR.
3 See. Decisions CPC 26/2019, p. 15-17, 43/2019, p. 14.
4 See. OC Guidelines 29, Guidelines on transparency under Regulation 2016/679, WP260 rev.01, p. 4
and 5.
5 See. Judgment CPC 43/2019, para. 5.
6 See. Decisions CPD 66/2022 p. 3, 67/2022 para.3, 36/2021 para. 3, 44/2019 p. 19, 26/2019 p. 8
available on its website.
is the principle of accountability under which the controller is required to design,
implement and generally adopt the measures and policies necessary to ensure that
the processing of data complies with the relevant legal provisions. In addition, the
controller bears the further duty to demonstrate itself and at all times its compliance
with the principles set out in Article 5(5)(b) of the Directive. 1 GDPR.
4. Because according to the Authority's Directive No. 115/2001 on the
processing of data in employment relationships, where it is stated that the consent
of the employees cannot lift the prohibition of overstepping the purpose and that in
the case of employment relationships, the inherent inequality of the parties and the
generally dependent relationship of the employees casts doubt on the freedom of
consent of the employees, an element necessary for the validity of the processing7 .
Moreover, according to the Article 29 Working Party Guidelines8 , the imbalance of
power between employer and employee leads to the conclusion that in the majority
of cases of processing of personal data at work the legal basis cannot and should not
be that of consent. Indeed, the WP29 cites as an example of the misapplication of
the legal basis of consent the case of the operation of a surveillance system of
employees at the workplace through cameras.
5. Because, in any case, the employer, applying the principles of the GDPR,
should implement policies on acceptable use of electronic media and communicate
them to employees. These policies should describe in detail the permitted use of the
entity's networks and equipment and the processing that will take place, as well as
the employer's ability to provide fair access to the electronic media used by
employees. In accordance with the OC Guidelines9 , the CJEU case law10 and as has
7 See. CPC Decision 26/2019 para 9
8 See. OE29 Guidelines of 10-4-2018 "on consent under the GDPR (WP259rev.01)", p. 7
9 See. OE29 Guidelines of 10-4-2018 "on consent under the GDPR (WP259rev.01)", p. 8
10 See in this respect ECtHR, Barbulescu v Romania paras 133-140)
the Authority11 , the employer may lawfully process employees' personal data on the
basis of their contractual relationship, after having informed them in a transparent
manner in accordance with the provisions of recital 58 of the GDPR pursuant to Art.
5 para. 1 GDPR of all individual processing operations.
6. Where personal data relating to a data subject are collected from the data
subject, the controller shall, when receiving the personal data, provide the data
subject with all the information required by Article 13(1)(b) of the GDPR. 1; and
2 GDPR. In line with the OG 29 Guidelines on Transparency12 when providing
information to data subjects, the information provided should be specific, definitive
and clear. In particular, the above mentioned GC (paragraph 13) clarifies that: "The
use of language such as
"may", "certain", "often" and "possible" should also be avoided. Where data
controllers choose to use vague wording, they should be able, in accordance with the
principle of accountability, to demonstrate why the use of such wording could not
have been avoided and why it does not undermine the lawfulness of the processing'
(§ 13).
7. Because, with regard to the right of access, taking into account Articles 12
and 15 of the GDPR in conjunction with recital 63 of the GDPR, Article 32 of Law
4624/2019 which introduces, by virtue of Article 23 of the GDPR, restrictions on the
right of access and, as the Authority has consistently accepted13 , the data subject
must have a right of access to personal data collected concerning him or her and
must be able to exercise that right easily and at reasonable intervals in order to be
aware of and verify the lawfulness of the processing. The controller
11 See. CPC Decision 26/2019 para 9
12 See. Guidelines on Transparency under Regulation 2016/679 of the OC 29, final revision 11-04-2018,
WP260 rev.01
13 See. Judgment CPC 42/2022 para 8 available on the website of the
in any case, the data controller is obliged to respond, even in the negative, to a
request from the data subject.
8. Because, in the complaint under examination, it appears from the
information in the case file, the hearing of the parties involved, as well as the
submitted pleadings, that, with regard to the issues that the Authority considers that
should have been investigated in the context of the complaint under examination
and within the scope of its competence, it is clear that:
i. the complainant company processed personal data of the complainant, an
employee of the complainant, having the right under Art. 7 of the GDPR, since
it determines the purposes and means of processing the personal data of its
employees contained in filing systems, and is therefore obliged to comply with
the principles introduced by Article 5 of the GDPR.
ii. the complainant submitted to the Authority the forms "E-mail Policy", "Privacy
Policy and P r i v a c y Policy",
"Information Security Policy", "Portable Devices Policy", stating that they have
been brought to the attention of the employees in relevant briefings and that
the complainant has signed the forms "Policy of Correct Use", "Employee
Privacy Statement" and "Employee Confidentiality Agreement" as part of her
employment contract and has attended the relevant briefing on ... .
iii. the company has drawn up a "Fair Use Policy" form, the first page of which
states: "approval details", where the complainant's full name, signature, date
and time are recorded, and on page 3, Chapter 2, Item 1 states that "I
acknowledge that my use of the computer and communication systems
provided by "NIKOS LAZARIDES SA" may be monitored and/or recorded for
lawful purposes" and the complainant states that "the telephones and computer
she will use and other means of communication may be monitored and/or
recorded by the employer". The phrase "approval" incorrectly gives the
impression that the
the complainant gives its consent to the application of that Policy, a practice
which is contrary to the provisions set out in paragraphs 4 and 5 above, as the
complainant should, under conditions of transparency, confirm that it has taken
note of the relevant form. The Authority considers that the inclusion of the
phrase 'approval' in the form in question constitutes a breach of the principle of
legality laid down in Article 5(5) of the Directive. 1(a)(a) of the GDPR and the
complainant company should correct this reference/phrase in any relevant
policy or information document in compliance with the provisions of the GDPR.
Moreover, the phrase 'may' mentioned in the Policy in question, taking into
account the above-mentioned Guidelines (paragraph 6), creates legal
uncertainty for the data subject, as it does not ensure the required
transparency for the individual processing of personal data of its employees.
The Authority considers that this wording constitutes a breach of the principle
of transparency in Article 5(5) of the Directive. 1(a)(c) of the GDPR and that the
complainant company should in any corresponding information policy or
document remove linguistic designations such as 'may' and provide clear and
precise information to the data subject. Finally, the evidence in the file shows
that the company has not installed and does not use a system for monitoring
and recording telephone communications.
iv. concerning the company's reply to the complainant that
"Your personal data is kept, in a secure manner, by the company o n the basis of
your employment contract, with your consent from ...", referring to the date of
signature by the complainant of the relevant documents referred to in
paragraph 8 above ii, the Authority considers that the company's reply referring
to the legal basis of consent is incorrect, as it creates the impression that the
legal basis for the processing of personal data is consent, whereas it is the
contractual relationship between the complainant and the complainant.
v. with regard to the alleged breach of the principle of security of processing in
the use of the complainant's computer, the
The Authority considers from the file that no further evidence has been
provided, nor does it emerge, that would substantiate any breach by the
complainant company of the confidentiality principle of Art. 1(f) of the GDPR, as
regards the use of the complainant's computer.
vi. with regard to the alleged violation of the complainant's right of access and
taking into account that the complainant was dismissed from the company on
..., with the result that it is no longer possible to provide her with access to the
company's e-mail accounts, it follows that:
a. as to the copies of the Covid-19 medical examinations requested by the
complainant, which were performed by the employees prior to their
employment with the company and the results of which were shown to the
company upon their employment with the company, which bore the related
costs, the Authority considers that the company must provide the
complainant with any information it maintains in its records regarding these
examinations, such as the dates they were performed and the number of
such examinations.
b. with regard to the description of the jobs held by the complainant in the
company, their content and any correspondence exchanged between the
complainant and the complainant's company which shows any rotation of
the complainant's responsibilities within the company, the Authority
considers that the company must provide a detailed description of the jobs
and responsibilities assumed by the complainant during the period of her
employment in the company, from the records kept by the company, in
order to show that
c. regarding correspondence exchanged between the company and the
complainant, which contains personal data of the complainant, such as
requests submitted by the latter for a security visit by a security technician,
for information from the Responsible
Data Protection and the replies thereto, as well as the letters dated ..., ..., ...,
..., insofar as it has not already been provided to the complainant, the
Authority considers that the company, since the correspondence in
question is contained in the electronic or physical file of the company as the
recipient or addressee thereof, must provide it to the complainant.
d. as regards the research that the complainant states that she has carried out on
the internet during the ... (...) years that she has been working in the
company, the scientific research, the legislation, the analysis protocols etc.,
the Authority considers that they do not constitute personal data of the
complainant and there is no violation of the right of access on the part of
the complainant company.
In view of the above, the Authority considers that the complainant company, as
a controller, has an obligation to duly satisfy the right of access under Article 15
para. 1 and 3 of the GDPR exercised by the complainant to the personal data
concerning her under points (a), (b) and (c).
9. Because in assessing the data, the Authority took into account:
- that the complainant had, at least since 2019, taken steps to comply with the
GDPR, the implementation of which started in May 2018, having drawn up
policies and procedures to comply with the legal framework for the protection
of personal data, of which it had informed its employees,
- that the complainant has partially satisfied the complainant's right of access
- the absence of previous infringements committed by the complainant, as a
relevant check shows that no administrative sanction has been imposed on it by
the Authority to date.
10. In relation to the violations of the principles of legality and transparency
established in Articles 5(5)(a) and (b) of the EC Treaty, the Commission has
found that there was a violation of the principles of legality and transparency.
1(a)(a) and (c) of the GDPR, as referred to in paragraph 8(iii) and (iv) above, as
well as the right of access under Article 15(1)(a) and (c) of the GDPR, as well as
the right of access under Article 15(1)(a) and (c) of the GDPR. 1 and 3 of the
GDPR in view of the partial satisfaction so far
the Authority considers that there is a case for exercising the rights referred to in
Article 58(1) of the EEA Agreement. 2 of the GDPR and that, in the light of the
circumstances found, it must, in application of the provision of Article 58(2) of
the GDPR, address a request to the Authority for a decision on the application of
Article 58(2) of the GDPR. 2(b) of the GDPR and also to issue a reprimand to the
complainant company and to instruct it to do so in accordance with Article
58(2)(b) of the GDPR. 2(c) of the GDPR to satisfy the complainant's right of
access to the extent that it has been exercised and has not yet been satisfied, as
mentioned in paragraph 8(vi) above.
On the basis of the above, the Authority unanimously decides that the complainant
company, in its capacity as controller, should be subject to the administrative
sanctions set out in the operative part of the decision, which are considered
proportionate to the gravity of the infringements
FOR THESE REASONS THE
AUTHORITY
Α. Finds that the complainant company "NIKOS LAZARIDIS OBE S.A.", as controller,
has infringed Articles 5(1)(a) and (b) of the GDPR. 1(a)(a' and (c) of the GDPR and
hereby addresses a reprimand to the complainant company pursuant to Article
58(1)(a) and (c) of the GDPR. 2(b) of the GDPR.
Β. It shall give an order pursuant to Article 58 par. 2(d) of the GDPR to the
complainant company "NIKOS LAZARIDIS OVGE S.A.", to comply with the provisions
of the GDPR within three (3) months from the receipt of the present letter, as
regards the infringements established under point A.
Γ. Finds that the complainant company "NIKOS LAZARIDIS OBE S.A.", as controller, has
satisfied the complainant's right of access incompletely in breach of the provisions of
Article 15 para. 1 and 3 of the GDPR and addresses a reprimand to the complainant
company.
D. 2(c) of the GDPR, to the company complained of
"NIKOS LAZARIDES S.R.O." as controller, to satisfy
the complainant's right of access to the part of the complaint which has been
exercised and not yet satisfied, in accordance with paragraph 8 vi.
The Deputy President The Secretary
George Batzalexis Irini Papageorgopoulou
