HDPA (Greece) - 24/2022

From GDPRhub
Revision as of 11:38, 11 November 2022 by Anastasia.tsermenidou (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Greece |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoGR.jpg |DPA_Abbrevation=HDPA |DPA_With_Country=HDPA (Greece) |Case_Number_Name=24/...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
HDPA - 24/2022
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 2 GDPR
Article 5(1)(a) GDPR
Article 5(1)(f) GDPR
Article 15 GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 29.04.2022
Published: 29.04.2022
Fine: 35.000 EUR
Parties: n/a
National Case Number/Name: 24/2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: Greek DPA (in EL)
Initial Contributor: Anastasia Tsermenidou

Infringement of the principles of legality, transparency and security, as well as failure to satisfy the right of access for failure to comply with the GDPR and National Law and respective policies and procedures. The DPA imposed a fine of 35.000 €.

English Summary

Facts

The first complaint concerned breach of the provisions concerning the control of the computer during the complainant's work and, on the other hand, the second complaint concerned the failure to comply with the right of access. The DPA stated that employees have a reasonable expectation of privacy workplace, which is not removed by the fact that they use equipment, communications devices or any other professional facilities and infrastructure (e.g. electronic communications network, Wi-Fi, corporate e-mail addresses, etc.) of the employer. The fact that the public employer may be the owner of the means of electronic communication (e.g. computers) does not lead to a a denial of the employees' right to data protection, the right to the protection of personal data, the right to the protection of the confidentiality of personal data, protection of communications and related location data. Access by the employer to personal data stored on the employee's computer constitutes processing of personal data. The employer processes the personal data of the employees in principle on the basis of their contractual relationship and, in exercising its managerial right for the proper functioning of the organisation, it is entitled to exercise control over the electronic means of communication provided to the employees for their work, provided that the relevant processing, subject to the the principle of proportionality, is necessary for the fulfilment of the legitimate interest of the interest it pursues and provided that this clearly outweighs the rights and interests of the worker, without prejudice to the fundamental rights and interests of the worker, and his/her fundamental freedoms.

Holding

Infringement of the principles of legality, transparency and security under Art. 5 par. 1(a) and (f), 2 (in conjunction with Article 24(1. 2) and Article 5(1)(a) and (f), (2) (in conjunction with Article 24(1. 2)) and Article 24(1. 2). 32 par. 1, 2 of the GDPR, as well as failure to satisfy the right of access for failure to comply with the GDPR and National Law No. 4624/2019 and respective policies and procedures.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.