HDPA (Greece) - 24/2022

From GDPRhub
Revision as of 16:14, 15 November 2022 by Kk (talk | contribs) (changed short summary, rearranged and clarified facts and holding, some elements of the facts were moved to the holding as they concern substantive issues, no automated translation)
HDPA - 24/2022
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 2 GDPR
Article 5(1)(a) GDPR
Article 5(1)(f) GDPR
Article 15 GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 29.04.2022
Published: 29.04.2022
Fine: 35.000 EUR
Parties: n/a
National Case Number/Name: 24/2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: Greek DPA (in EL)
Initial Contributor: Anastasia Tsermenidou

The Greek DPA imposed a fine of €35,000 on a controller for infringing the principles of legality, transparency and security, as well as failure to satisfy the right of access.

English Summary

Facts

The first complaint concerned a breach of the provisions concerning the control of the computer during the data subject's work and the second complaint concerned the failure to comply with the right of access. The employer (the controller) processed personal data of the employees on the basis of their contractual relationship and, in exercising its managerial right for the proper functioning of the organisation.

Holding

The DPA stated that employees have a reasonable expectation of privacy in a workplace, which is not removed by the fact that they use equipment, communications devices or any other professional facilities and infrastructure (e.g. electronic communications network, Wi-Fi, corporate e-mail addresses, etc.) of the employer. The fact that the public employer may be the owner of the means of electronic communication (e.g. computers) does not lead to a a denial of the employees' right to data protection.

According to the DPA, the controller was entitled to exercise control over the electronic means of communication provided to the employees for their work, provided that the relevant processing, was subject to the principle of proportionality, necessary for the fulfilment of the legitimate interest of the interest it pursues and provided that this clearly outweighs the rights and interests of the worker, without prejudice to the fundamental rights and interests of the worker, and their fundamental freedoms.

In conclusion, the DPA found an infringement of, among others, the principles of legality, transparency and security under Article 5(1)(a) and (f) GDPR, and Article 32(1)(2) GDPR, as well as failure to satisfy the right of access. The DPA imposed a €35,000 fine on the controller.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Retrieved from "https://gdprhub.eu/index.php?title=HDPA_(Greece)_-_24/2022&oldid=29363"
Creative Commons Attribution-NonCommercial-ShareAlike
Powered by MediaWiki