HDPA (Greece) - 23/2020

From GDPRhub
HDPA - 23/2020
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 4(1) GDPR
Article 4(7) GDPR
Article 5 GDPR
Article 12 GDPR
Article 15 GDPR
Article 23 GDPR
Article 51 GDPR
Article 55 GDPR
Article 57(1)(f) GDPR
Article 58 GDPR
Article 8(1) CFR
Article 9A Greek Constitution
Article 1(g) Law 4629/2019
Article 9 Law 4629/2019
Article 15 Law 4629/2019
Article 33 Law 4629/2019
Type: Complaint
Outcome: Other Outcome
Started:
Decided: 30.07.2020
Published:
Fine: None
Parties: Hellenic Electricity Distribution Network Operator
National Case Number/Name: 23/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: Fotini Zarogianni

The HDPA of Greece examined the complaint of an employee of the Hellenic Electricity Distribution Network Operator S.A. against the latter regarding a possible violation of the data subject's right to access their data (Article 15 GDPR) via the refusal to issue a certificate of employment status needed by the complainant for the purposes of fulfilling the prerequisites for a new position they were chosen for. The HDPA held that the subject-matter of the complaint was no longer existent, but referred the case to the HDPA Plenary for the purposes of defining the relation between the data subject's right to access their data and the issuing of certificates of employment.

English Summary

Facts

The data subject filed an application to the Human Resources Directorate of the Hellenic Electricity Distribution Network Operator S.A. [HEDNO S.A.] for the purposes of obtaining an up-to-date certificate of employment that was needed in view of their transfer to another position at the National Centre of Audiovisual Media and Communication S.A. [NCAM S.A.]. The HEDNO S.A. denied the issuing of such a certificate. The company's response to the application focused on the fact that HEDNO S.A. is no longer a legal person of public law, but has been transformed into a legal person of private law (already from the 1st of May of 2012) and its employees' relation to the company is governed by private law and, thus, its employees do not fall under the categories of employees that can be consider for a job post in NCAM S.A. (namely all employees serving either permanently or under an open-ended contract of private law at institutions of the General Government or of the Broader Public Sector or of the Local Authorities of the first or second degree). Therefore, according to the HEDNO S.A. the issuing of any such certificate of employment or the consideration of their employee for such a job post is not in accordance with the legal framework governing the company itself and the employee's relation to it. Eventually, during the consideration of the complaint by the HDPA, the HEDNO S.A. provided the complainant with the requested certificate of employment, an event that was confirmed both by the HEDNO S.A. and by the complainant themselves.

Dispute

The HDPA considered the following legal issues;

Did the HDPA have the necessary jurisdiction to rule on the complaint under question regarding the possible violation of the data subject's right to access their data based on Article 15 GDPR and the jurisdiction to rule on the issue of the legality of the complainant's candidacy for a job transfer to NCAM S.A.?

Was the complainant's right to access their data (Article 15 GDPR) violated by the HEDNO S.A.?

Does the issuing on the data subject's request of a certificate regarding personal data based on the record held by the data processor fall within the protection of the data subject's right to access their data under Article 15 GDPR?

Holding

The HDPA held that it had the necessary jurisdiction to rule only upon the complaint of the complainant regarding a possible violation of their right to access their data (Article 15 GDPR), and not on the issue of the legality of the complainant's candidacy for a job transfer to NCAM S.A. The HDPA, having taken into account the principles relating to the processing of data (Article 5 GDPR) and having underlined that the data subject's right to access their data is not an absolute right, but a right that is estimated in relation to its function within the society and a right that can be cogitated in relation to other fundamental rights but always on the basis of the principle of proportionality (Article 8(1) CFR, Article 9A Greek Constitution, Recital 64 GDPR), underlined that the GDPR totally respects all fundamental rights and freedoms included in the European Charter of Fundamental Rights and in the [European Union] Conventions.

Additionally, the HDPA analysed in detail the content of the data subject's right to access their data and came to highlight that the data subject has the right to know whether their personal data are being processed, the right to access these data without having to prove a special legal interest for doing so, and the right to exercise these rights easily and frequently so as to be informed of the data processing and to be able to verify its legality (Articles 12 & 15 GDPR, Recital 63 GDPR).

Furthermore, the HDPA underlined that a certificate of employment contains, on a first basis, personal data referring to a certain employee and, thus, this employee as a data subject has the right to access these data. The HDPA, though, made it clear that issuing a certificate of employment in order to fulfil such an employee's request requires the further processing of the personal data of the employee under question already existing in the data processor's records. Thus, every time an employee requests the issuing of a certificate of employment, they are actually asking the employer/data processor to further process their data in order to create a new document that did not exist in the records up until then.

Therefore, the HDPA noted that the refusal to issue a certificate of employment, meaning a document that has not yet been created, cannot constitute the rejection of a data subject's request to access personal data, since the respective legal provisions protect the data subject's right to have knowledge of all the data already existing within the data processor's records at the time of the issuing request and the right to be able to examine the legality of the collection and storing of the data concerned. It was due to the complexity and the greater importance of this issue that the HDPA decided to refer to the HDPA plenary the part of the case concerning the question whether the issuing on the data subject's request of a certificate regarding personal data based on the record held by the data processor falls within the protection of the data subject's right to access their data under Article 15 GDPR, while the HDPA also noted that the subject-matter of the specific complaint of the case was no longer existent, since the HEDNO S.A. did eventually provide the complainant with the requested certificate of employment.


Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.