HDPA (Greece) - 27/2024

From GDPRhub
Revision as of 08:13, 15 October 2024 by Wp (holding supplemented with a description of the Article 15 GDPR violation).
HDPA - 27/2024
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 15(1) GDPR
Article 15(3) GDPR
Type: Complaint
Outcome: Upheld
Started: 04.02.2021
Decided: 21.06.2023
Published: 06.09.2024
Fine: n/a
Parties: n/a
National Case Number/Name: 27/2024
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: Iliana Papantoni

The DPA reprimanded an employer for the use of vague language in its privacy policy, which created the false impression that the processing of employment data was based on consent rather than on the performance of the employment contract.

English Summary

Facts

A data subject, an employee of NIKOS LAZARIDIS S.A., filed a complaint with the HDPA on February 4, 2021, alleging multiple violations of the GDPR by her employer (the controller). The data subject claimed that her consent was not freely given or fully informed when she signed certain company documents (i.e., the "Acceptable Use Policy" and the "Employee Confidentiality Agreement"), and that the controller did not properly inform her about the processing of her personal data.

In particular, the data subject claimed that the controller violated the transparency principle, as she was not informed about the exact personal data the controller held or had unlawfully deleted, nor about the specific purposes for which her data was processed, since the controller cited different legal bases for the same processing activities in various documents. The data subject also alleged that the controller violated confidentiality, as personal data was sent to her corporate email instead of her personal email, despite her explicit request, making it accessible to unknown third parties, including the IT department. The data subject further claimed that the controller did not fully satisfy her right of access to her personal data and failed to provide her with copies of important documents and data related to her work: despite her request for copies of her complete personal data file, including medical test results, job descriptions, and various correspondence, the controller provided only partial information. Additionally, she reported data security issues, such as unauthorized access to her computer and the improper handling of her email correspondence.

The controller's response stated that the data subject's personal data was securely processed on the basis of her employment agreement and would be retained for the necessary period. The controller claimed to have sent her the requested data and maintained that no further personal data existed in its records.

Holding

The HDPA found that the controller violated the lawfulness and transparency principles, Articles 5(1)(a) and (c) GDPR, as well as the right of access under Articles 15(1) and (3) GDPR.

Specifically, the use of the term "approval" in the controller's forms created the false impression that the data subject had given her consent for data processing, whereas the legal basis was the contractual relationship. Additionally, the use of vague language such as "may" did not ensure the required transparency.

Regarding the violation of Article 15 GDPR, the DPA explained that the controller was obliged to disclose all information about the data subject maintained in its records. In this case, the controller failed to answer the access request fully. In particular, the data subject should have received information about the Covid medical examinations (their dates and number) performed while she was employed. The data subject was also entitled to receive a detailed description of her position within the controller's organisation.

The Authority issued a reprimand to the controller and ordered it to comply with the GDPR provisions within three months and to fully satisfy the data subject's right of access.

Comment

Legal basis for data processing: The decision highlights a critical aspect of data protection legislation, i.e. the necessity for a clear and appropriate legal basis for data processing. The decision reinforces the need for companies to carefully consider and correctly apply the legal bases for data processing as outlined in the GDPR.

Importance of clear and plain language: The HDPA's critique of the company's use of vague terms like "may" and "approval" in its documentation underscores the importance of using clear and plain language in data protection policies and notices. Ambiguous language can lead to misunderstandings and undermine the transparency required by the GDPR. This decision serves as a reminder for companies to review and revise their data protection policies and notices to ensure they are clear, precise, and unambiguous.

Employee rights and employer responsibilities: The decision emphasizes the rights of employees to access their personal data and the corresponding responsibilities of employers to facilitate this access. The HDPA found that the company had not fully satisfied the complainant's right of access, particularly regarding medical test results, job descriptions, and correspondences. This finding highlights the need for employers to have robust processes in place to respond to data access requests comprehensively and promptly.

Future Compliance and Monitoring: The HDPA's order for the company to comply with GDPR provisions within three months and to fully satisfy the complainant's right of access indicates a forward-looking approach. It not only addresses past violations but also sets a clear expectation for future compliance. This aspect of the decision ensures that the company takes concrete steps to rectify its practices and aligns with the ongoing monitoring and enforcement role of the HDPA.


English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Athens, 06-09-2024
Prot. No.: 2337

DECISION 27/2024
(Department)

The Personal Data Protection Authority met at the invitation of its President in a teleconference meeting on Monday 21-06-2023 at 10:00 a.m., in order to examine the case referred to in the history of the present decision. The Deputy President of the Authority, Georgios Batzalexis, in place of the President of the Authority, Constantinos Menoudakos, who was prevented from attending, and the alternate members of the Authority, Demosthenes Vougioukas and Maria Psalla, attended in replacement of the regular members Constantinos Lambrinoudakis and Grigorios Tsolias, who, although legally summoned, did not attend due to an impediment, together with Georgios Kontis as Rapporteur. Present without the right to vote were Stefania Plota, specialist scientist-lawyer, as assistant rapporteur, and Irini Papageorgopoulou, employee of the Authority's administrative affairs department, as secretary.

The Authority took into account the following: With her complaint to the Authority under Prot. No. C/EIS/876/04-02-2021, A (herein