Banner1.png
Banner3.png

Commissioner - 11.17.001.007.220

From GDPRhub
Commissioner - 11.17.001.007.220
LogoCY.jpg
Authority: Commissioner (Cyprus)
Jurisdiction: Cyprus
Relevant Law: Article 7(4) GDPR
Article 35(9) GDPR
Type: Complaint
Outcome: Upheld
Decided: 06.08.2020
Published: 22.10.2020
Fine: None
Parties: ΚΕΟ PLC
National Case Number/Name: 11.17.001.007.220
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: Office of the Commissioner for Personal Data Protection (in EL)
Initial Contributor: Panayotis Yannakas

The Cypriot DPA (Commissioner) asked the company KEO PLC to suspend its new employee time tracking system, due to a lack of compatibility with Article 7(4) and Article 35(9) of GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

KEO PLC decided to upgrade its ERP system, whose upgrade was configured with the module of recording when an employee started and ended their work. Until then, the card-swipe terminal only recorded an ID number, as well as arriving and departing times, to and from the premises of the Company.

The new terminal included a tiny camera as a measure of the employees who swiped their colleagues' cards too. Grounded on the concerns of the principle of proportionality, the right of privacy, as well as the right of public life, two trade unions submitted a complaint against KEO PLC and before the Cypriot DPA.

Dispute[edit | edit source]

The main questioning was if the particular data-processing is reasonable and consists of a minimised processing under the meaning of what is absolutely necessary in order to achieve the aim pursued.

Starting with the Complainant, they argued on an enlarged general line of argument and points of law. Firstly, they claimed that there was documentation for the impending upgrade system including the privacy policy and specific information on the changes between the old and new ERP system. Secondly, they were of the opinion that before any changes, the Company should have sought less intrusive methods of employee time tracking. Thirdly, The Complainers stated that the resolution of the camera is irrelevant; it's enough that data produced an identifiable natural person.

KEO Public Company alleges that upon receiving legal advice, they expanded the duration of processing and storage of these data which are tracked, inputted to, or created by the new terminal. KEO's intension of regarding change was the harmonisation with the limitation period for bringing an action to the court. Also, KEO Public Company claimed that under the GDPR, there is no right that a trade union can exercise. They thought that the justiciability of GDPR is limited only to the natural persons who are the direct possessor of the personal data.

Holding[edit | edit source]

Cypriot DPA totally dismisses the argument that the duration of storage of the personal data should be linked with the time constraint with which someone is allowed to bring an action to the court. The DPA commented that if any other law could set a minimum duration for the storage of personal data, then the letter and the spirit of the GDPR would be overlooked. The only eligible criteria shall satisfy the initial reason for collecting these personal data, which in the present case was ensuring that employees do not violate their employment contract.

The DPA holds that the Company could adopted milder measures of getting control over contravening the traditional swipe-card tracking system. Otherwise, the Company at least should have asked for the employees (or their representatives) for their opinions and/or for their suggestions. Asking the personal data subject’s opinion is also a requirement of the Cypriot. For example, Article 35(9) of GDPR provides the possibility that impact assessment may include such an investigation.

The Cypriot DPA considered Article 7(4), which refers to a clear and explicit consent. To deliver an in-depth insight, we can state that if consent was gained through the performance of a service or other contract, the examination of the necessity of the personal data processing is an inseparable criterion. Due to an employment contract, the employer shall be considered to hold a dominant position and any such consent can not be characterised as an explicit agreement.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

No. Fax: 11.17.001.007.220 August 6, 2020



                             Decision in the form of an Order in accordance

                           with the provisions of Article 58 (2) (d) of the GCC


 SUBJECT: Complaint by OVIEK - Σ.Ε.Κ and Σ.Ε.Β.Ε.Τ.Τ.Υ.Κ. - PEO of employees
                          of KEO PLC, for possible violation of GKPD

Bearing in mind the provisions:


       (a) Articles 55 (1), 56 (2), 57 (1) (a) and 58 (2) (d) of General Regulation (EU) 2016/679; and

       (b) of article 19 (5) of Law 125 (I) / 2018,


the following Order is issued:

A. Facts:

1. On 14/10/2019, a complaint was submitted to my Office by representatives of OVIEK - S.E.K and

Σ.Ε.Β.Ε.Τ.Τ.Υ.Κ. - PEO (hereinafter Complainants) on behalf of the employees in the company KEO PLC
(hereinafter referred to as the complaint), in connection with the replacement and upgrade of the system
so that it is compatible with modern technology and software systems.

1.1. Specifically, the representatives of the employees of OVIEK - S.E.K and S.E.V.E.T.Y.K. - ΠΕΟ
in the Complaint, claim that both the content of the Policy Statement and its

Information leaflet entitled Upgrade of entry / exit time recording system, does not comply with
the provisions of General Regulation (EU) 2016/679 (hereinafter GCC).

1.2. In the form submitted to my Office, they were briefly mentioned as issues to
investigation of the use and duration of data retention, processing of personal data,
as well as the fact that the entry / exit card is an excessive measure.


2. On 17/10/2019, an Officer of my Office sent an email to his XXXXXXXX
Defendant's staff's complaint, asking for its position on their allegations
Complainants, until 11/11/2019, as well as a) Impact Assessment conducted for the
implications / risks of using such a System (Article 35 of the GIP), b) Activity Archive,
c) Posted Protection Policy and d) Details of the Data Protection Officer of KEO PLC.


Positions At the complaint represented by a lawyer and annexes:

3. The lawyer of the Defendant on the complaint, on 11/18/2019 sent a letter with her positions and views.
On 12/30/2019 my Office raised various issues that arose from the letter and
The attachments sent by the Defendant in the complaint are also listed below. On 14/02/2020, o

Defendant's lawyer sent a second reply letter to the complaint. Along with the two letters that
sent, attached a) the Employees' Personal Data Protection Statement and / or
Dealers, b) the Input / Output Time Recording System Upgrade Notice, c) the
Impact Assessment, the Activity Archive, d) the Privacy Statement in
relation with Job Applicants and e) the form KEO GENERAL DATA PROTECTION PRIVACY
POLICY, as Annexes.


3.1. The two letters of the Defendant, dated 18/11/2019 and 14/02/2020, refer to
including the following: 3.1.1. the union complaint does not appear to have been filed by an organization to which
includes in its statutory purposes the protection of personal data or has
submitted by the data subjects themselves. Therefore, this is not a legitimate complaint and

To this end, the Defendant reserves all its rights,

3.1.2. Defendant complained for the purpose of cooperating with my Office,
answer the Questionnaire dated 17/10/2019. In the case in which it is submitted
complaint in a lawful manner in the future or if it is informed in the future that such complaint
formally investigated, then the Defendant reserves the right to challenge the complaint

additional comments and positions in defense of its rights.

3.2. The Defendant on 3/10/2019, for the purposes of compliance with the GCC, sent via
e-mail and / or handed over to the Employees (Complainants) Statement
Privacy Policy.


3.3. He did the same on 9/10/2019, where for the purposes of implementing the mentioned measure, he sent
and / or delivered a separate notice regarding the replacement and installation of the new one
card swipe system.

3.3.1. In that notice, the Defendant informed its staff that through
new devices will collect, store and use the employee card number, the date

entry / exit, entry / exit time and low resolution photo of the employee to
in order to comply with working hours and compliance with contractual obligations
ultimate goal is time management and dealing with any complaints and disciplinary measures
misdemeanors.

3.4. For the information of my Office, attach the Privacy Statement

Employees and / or Agents and the Time Logging System Upgrade Notification
entry / exit, sent and / or delivered to employees, respectively.

3.5. Defendant's position is that the replacement and installation of this system
as well as the processing of such data is necessary for the execution of an agreement between it
The Complainant and the Complainants as well as for the satisfaction of the legal interest

sought by the controller (in this case the Defendant). In the sub
report processing applies, as stated, to at least one of the following cases
Article 6 of the GCC:

       “B) The processing is necessary for the execution of a contract of which the subject of
       data is a contracting party [] ..]

       (f) the processing is necessary for the purposes of the legitimate interests pursued by

       controller or third party ”

3.6. For the information of my Office, it has attached the Impact Assessment.


3.7. It is the position of the Defendant that the replacement and installation of the new system
A card can not be considered a faulty, unjustified or disproportionate action. THE
During the complaint, he had previously used the card flipping system while collecting
via this device the employee card number, date and time of entry / exit. The only
substantial change with the replacement and installation of the new system, is the collection and
save a low resolution photo of the employee and in this regard the Defendant
has reduced the retention time of the photo to one month in contrast to other data which
it is necessary, as he claims, to be kept for a longer period of time. In the past they had

cases where individuals used another employee's card for purposes
circumvention of schedule rules.



                                                                                                 23.8. The retention period of the remaining data was set at 7 years after they were received
take into account the limitation periods that apply to contractual disputes under the Cyprus issue
Law. The Impact Report states that this issue will be re-evaluated and amended

if deemed necessary.

3.9. The range of data stored is limited to what is absolutely necessary, the number
employee card, the date and time of entry / exit and his low resolution photo
employee. In addition, access to these data has been restricted.


3.10. According to the Defendant, the present case does not concern video surveillance
and use of biometric systems but in the low resolution photo collection of the employee.
However, it considers it appropriate to refer by analogy to the following report of Opinion 2/2018 which
issued on 19/10/2018 based on Article 58 (3) (b) of the GCC for Video Surveillance in the area
work and the use of biometric systems,


       "Therefore, the use of biometric systems (facial recognition or facial recognition or
       fingerprinting) by employers, for arrival time control purposes and
       departure of employees to their place of work is prohibited. The controller
       must choose other means less intrusive / burdensome to human dignity than

       what the collection and use of fingerprints entails. As such means are for
       For example, the card ticking system, frequent / unannounced checks by
       Manager / Head in the card system, the presence of a supervisor in the area where
       the system works or alternatively the placement of a surveillance camera over it
       card machine ”.


3.11. The collection and editing of the low resolution photo of the employee in combination
with the card machine as a whole as applied by the Defendant, can not
to be considered an excessive measure. On the contrary it is a less burdensome and proportionate measure (unlike
surveillance camera which would continuously videotape the specific points and would not
was limited to the moments when an employee beats his card). It concludes that this measure

in line with the provisions of the GCP.

3.12. The Defendant complains when choosing the features of the mentioned system
card, had extensive conversations and consultations with the provider of that system with a view to
the best possible compliance with the GPA. For this purpose they requested and received legal
tips.


3.13. For the information of my Office, it has attached the Activity Archive of the Defendant
complaint.

3.14. At the time of the implementation of the GCP, there was a team, which consisted of its members
Management and the Personnel Department and which took all the necessary steps and measures for

Defendant's compliance with the GCC. At this stage the debts of the Protection Officer
Data (hereinafter referred to as DPA), is executed by XXXXXXXXXX

4. In a letter of the Office, dated 30/12/2019, to the lawyer of the Defendant, the
content of which is not an exhaustive list of the findings of my Office as well
several issues have emerged that need to be corrected in the forms submitted, the

the complaint sent a reply letter on 14/2/2020, stating the following:

4.1. Notes the position of my Office regarding the legality of the complaint and clarifies that the
report on whether the Employees in the Defendant made the assignment
in accordance with the Directive, "Complaints Procedure".


4.2. Wants to clarify that the low resolution photo associated with the reported
system is not biometric data. In other words, this system does not collect biometrically
characteristics which are unique, measurable, physical features used
                                                                                                  3in order to identify an individual. Therefore, they do not need to be found
other ways as the system used is not a collection and processing system
biometric data.


4.3. Considers the system in question, which includes taking low resolution photography
at the time of card entry and stroke, instead of biometric data or continuous
video recording, which will videotape the data subject for a few seconds during
attendance at work is a measure that takes into account the principle of proportionality.


4.3.1. The replacement and implementation of this system was deemed necessary for the better
implementation of the agreement between the Defendant and the Complainants (their subjects
and the satisfaction of the legitimate interest pursued by the controller
(Article 6 (b) and (f) of the GCC).


4.3.2. The placement of a camera that takes low resolution photos (keeping them for only
period of one month) and consequently their collection and processing is not an excessive measure
but it is a measure which takes into account the principle of proportionality.

4.3.3. The data collected by this system is necessary for the intended
purposes of processing, ie the monitoring and evaluation of compliance with labor
and compliance with contractual obligations with the ultimate goal of time management and

dealing with any complaints and disciplinary misconduct. Preserving photos for
a period of one month is a proportionate measure. Relevant, as he states, the reports in relation to
Opinion 2/2018 of my Office on page 3 of the letter dated 18/11/2019.

4.4. In relation to the Employees' Personal Data Protection Declaration form and / or
Delegates (hereinafter Statement) and other sub-issues, notes the following:


4.4.1. In no case has the Defendant's complaint been based on Article 6 (1) (a) of the GIP which
concerning securing the consent of data subjects (in this case
of the Complainants). The Defendant sent the complaint and / or delivered the Statement to its subjects
and what he was asking for was confirmation of receipt of those documents and assurance
compliance with the Transparency Principle.


4.4.2. On page 7 of the Declaration, it clarifies that consent is not a condition of the contract
employment, nor even for the special categories.

4.4.3. Page 4 of the Declaration clearly lists the cases concerning the conditions

of Article 6 with the relevant legal bases for elaboration and while there are specific legal bases
in that part of the Declaration, however, it lacks any reference to the consent that
provided for in Article 6 (1) (a) of the GCC.

4.5. The individual issues listed in the letter of my Office dated 30/12/2019 and
which as I have already mentioned do not constitute an exhaustive list of the findings of my Office as well

Several issues have emerged in the forms submitted, they are the following:

    to make clearer and more specific the way in which information is collected and
       for what reason. Generality, for example, we collect information about whether you have declared
       bankruptcy is not sufficient. White criminal record information should be relevant
       directly with the nature of the work.

    - there is confusing information, for existing employees and for potential ones
       employees. They need to be separated and specified as to whom.
    - the publication refers to protection policy and in general to the policy of the Defendant
       complaint. Is this policy published somewhere? Is it easily accessible?
    - the term particularly sensitive personal data is not testable, there is a special

       data category.
    - if the service provider is from a country within the EU it does not mean a third party.
                                                                                                       4 - if it is from a non-EU country then an Assignment Agreement must be concluded under Article
       28 ΓΚΠΔ.
   - The Knowledge Need Principle should be observed for all (employees and non-employees).

   procedures have been put in place for the exercise of access rights, deletion and
       restriction? Are they easily accessible?
   - data collection is done for a specific purpose and the necessary things are requested.
   - who is the Data Protection Officer of the Company? Contact info;

4.5.1. The Defendant gives her own position on the above, as follows:


   - considers that the Statement under the circumstances is quite clear, but is ready to proceed to
       further control it so as to consider the possibility of making changes to
       become even more understandable, especially on the point of how and why
       to whom the data are collected,
   with regard to the criminal record, clarifies that the provision existed for cases where for

       any reason an employee or agent voluntarily decides to provide it either
       such information shall be sent by a third party to the Defendant,
   - Recently, the External Auditors of the Complainant suggested that
       certificate where the nature of the subject's work requires the production of blank
       criminal record,
   - for the same reason there was the provision concerning whether someone would go bankrupt, such
       notification to be sent to the Defendant.

   - as provided in the Bankruptcy Law notification of any decree declaring the
       the debtor in bankruptcy is notified, inter alia, to the employer of the bankrupt,
   indeed in the Statement there are references to information collected at the stage before
       hiring someone. This is there to cover cases where such information is
       necessary to maintain and later, ie at the stage where one will become
       employed,
   - for people who simply remain "potential employees" there is a separate statement of protection

       data, which was attached as Annex A to the letter dated 14/2/2020. As a million
       therefore, no further separation should be made in the Declaration, which concerns
       people who have become employees,
   - there is a more general and concise document on personnel protection policy
       of the Defendant in relation to all employees / Complainants,
       as well as a form which can be given by the DPO of the Defendant in case
       requested by anyone (Annex B of the letter dated 14/2/2020). The
       This document will also be posted on the Defendant's website, where it already exists

       specific data protection policy for the use of the website.
   - the reason the term "sensitive personal data" was used is because it is used
       widely, such as for example by the European Commission itself on its website when
       provides explanations for the legal reasons for processing with reference to the GCC itself. also
       Such references also exist in the recitals (recitals) 10 & 51 of the GCP.
   - in any case it is clarified that the Defendant does not send information about
       non-EU employees.

   - the only service provider of the Defendant who personally processes the complaint
       data of its employees (Complainants) is the company that provides the SAP system
       ERP. A relevant award contract has been prepared between the Defendant and him
       provider, to be signed by 29/2/2020,
   - Defendant aims and seeks to establish and implement procedures and
       workplace culture that restrict access to information that concerns them
       employees (Complainants) in such a way that access is only available to persons who
       need to have access,

   - the Defendant has established procedures for exercising access rights,
       deletion and restriction, contained in a form which may be given by the DPO to
       case requested by any employee.



                                                                                                          5 - The Defendant understands that any information she collects and maintains about them
       subjects is why this has become necessary for employment purposes.

       That, after all, is the main purpose of the Defendant's compliance with the complaint,
    - The Defendant understands that full compliance with this principle in one
       workplace requires a change of culture from all parties involved and from all
       without exception,
    - until recently the DPO was XXXXXXXXXX, but which leaves the Defendant on
       complaint, therefore procedures for the appointment of a new DPO.


4.6. Further, in the entry / exit time recording system Upgrade form, which consists of
from almost three pages, all the necessary information regarding the replacement has been given
and installation of the new system so that staff can receive the necessary information about it
system.


4.7. In relation to the concern that arises as to whether the low resolution of the photo will exist
any special processing, the Defendant states that the low resolution photos
which will be collected by the input / output recording system, will not be transferred nor will
are stored in the SAP ERP software but on the Defendant's server with a limited complaint
access. The input / output time recording system is a completely separate system from SAP
ERP. Defendant confirms the complaint that no special treatment will be given to

low resolution photos.

4.8. The people of SAP ERP are employees of a third independent company, which provides the system
to the Defendant. This system stores all the data collected with
new devices, except for low resolution photos, and only the
individuals of the Personnel Department and the IT Department.


4.9. As stated in the Impact Assessment form that was conducted, SAP ERP individuals have
access to the software, only after the Defendant has authorized the complaint for purposes
software upgrade or repair of any software malfunction, the
which cannot be remedied by Defendant's IT department.


4.10. The Defendant considers that the time of one month for keeping the photos low
analysis, is accordingly legitimate.

4.10.1. With regard to the retention of data concerning the time and date of entry and
exit from the workplace, the retention period is currently set at 7 years,
provided that limitation periods under Cypriot law have been taken into account in relation to

contractual disputes (6 years) and civil offenses (3 years).

4.10.2. A legal dispute may arise in relation to an employee (Complainant)
concerning matters for which the limitation period of the transferable rights in accordance with
Cypriot Law amounts to 6 years and the entry / exit data to be a relevant testimony
in such cases.


4.10.3. It is possible for a case to arise with an employee (Complainant) and the Defendant
complaint, other than those contained in the jurisdiction of the Labor Disputes Tribunal,
for which the limitation period is shorter. For this reason, the Defendant received the complaint
legal advice, as to maintain such data for a period of 7 years, except of course in cases
where a case arises, where the case-related information will be retained for as long as

the case is pending.

4.10.4. The retention of these data for a period of 7 years is not excessive
period as the input / output elements in the workplace are not of such a nature as to
poses a serious threat to the rights and freedoms of data subjects
(Complainants). At the same time, it remains at the disposal of my Office to discuss and


                                                                                                     We will adjust this detail accordingly in the future as the system has just been set up
in application.


5. Then, on 12/3/2020, an Officer of my Office sent an e-mail to
DPO of the Complainants, making aware of the allegations of the Defendant, requesting
his positions and views until 13/4/2020.

Positions of Complainants represented by a lawyer:


6. On 13/4/2020, the Complainants' lawyer sent a letter with the positions and views of the
of its customers, as follows:

6.1. To answer the question of whether the Defendant is entitled to photograph them

Complainants / employees upon entering / leaving employment, the
legal framework within which the Defendant may make such a complaint
processing.

6.1.1. In accordance with the Principles set out in Article 5 of the GIP and concludes that the adoption of
measure of taking a photograph of the employee during his entry / exit procedure may be allowed,
only when the employer is able to justify the legality and necessity of the control and

monitoring and when there is no other less intrusive way of doing it
of the purposes it pursues.

6.1.2. The positions and the reasons put forward by the Defendant in the Complaint for its installation
upgraded card system with photo capture, can be satisfied with both
existing card system as well as the adoption of other methods, such as frequent unannounced

checks by a Chief in the card system or even in the presence of a supervisor at the place where
the card system works.

6.1.3. Further, the complaint was not indicated by the Defendant what the reasons were
it is necessary and / or necessary to upgrade the card system. Defendant complained to
merely stating the aims without substantiating the necessity which led her to it

decision.

6.1.4. As long as the photo that is taken identifies the employee, even though it is low
analysis falls within the interpretation of the term "personal data".


6.1.5. Given the Principle of Proportionality, taking a photograph of the employee is recommended
an intervention measure that restricts the right to privacy and does not serve either
the purposes for which the Defendant stated that she wanted to serve.

6.1.6. He expected the Defendant to file the complaint, as Processor, before upgrading the
card system, would try to strike a balance between its legitimate interest and
protection of its rights and the fundamental right to privacy

of its employees.

6.2. Regarding the data retention period, the retention time is defined as
necessary period of time to satisfy the purposes for which it is collected by the person in charge
data processing.


6.2.1. In this case, the Defendant informed the complainant that the data concerned
at the time and date of entry and exit to the workplace is 7 years. In his calculation
during this period, the limitation periods provided by Peri were taken into account
Limitation Law, ie 6 for contracts and 3 years for civil offenses.


6.2.2. The reasoning is correct but the calculation by the Defendant is wrong with
given that any difference arises in relation to the entry / exit hours of this employee
                                                                                                   7 will be reduced to a labor dispute and therefore the limitation period of the
labor disputes, amounting to 12 months.


6.3. In the SEP ERP software system, employee data is entered correctly. It must
but for the Defendant to explain and justify the complaint as to whether there is a reason to
data is stored on a KEO PLC server. In addition, the issue of a signatory is raised
award agreement between the Defendant and the company operating the SEP system
ERP.


6.4. Concluding, in the positions of the Complainants' side, he stated that the taking of a photograph of them
is not necessary to protect the legitimate interests of the Defendant
complaint, since it can be secured in less burdensome ways, while in any case the
The entry / exit card data retention period should be limited to a maximum of 2
years.


B. Legal analysis:

7. The photograph of a natural person, in so far as his identity is immediately or indirectly revealed,
constitute "personal data" as defined in Article 4 thereof
GPA, which states that "personal data" is "any information that concerns
identified or identifiable natural person (data subject) ".

7.1. The same article also defines as processing "any act or series of acts performed
with or without the use of automated media, in personal data or in sets

personal data, such as the collection, registration, organization, structure, h
storage, adaptation or modification, retrieval, retrieval of information, use,
transmission by disclosure, dissemination or any other form of distribution, association or combination,
restriction, deletion or destruction ".

7.2. Furthermore, the controller is defined as anyone (the natural or legal person, the
public authority, service or other body) which, ‘alone or jointly with another,

and how personal data is processed ".
7.3. In addition, it defines it as an "archiving system": any structured set of personnel data

which are accessible based on specific criteria, or as a whole
centralized or decentralized or distributed on a functional or geographical basis ".

8. Article 5 of the GPA sets out the Principles governing the processing of personnel data
character, as follows: '1. Personal data: '… (c) is appropriate, relevant and
limited to what is necessary for the purposes for which they are processed
("Data minimization");… (e) are kept in a form which allows them to be identified

data subjects only for the period required for the purposes of their processing
personal data; personal data can be stored for
longer intervals if personal data is processed
only for archiving purposes in the public interest, for scientific or historical purposes
for statistical purposes, in accordance with Article 89 (1) and provided that

appropriate technical and organizational measures required by this Regulation to ensure
rights and freedoms of the data subject ("restriction of the period
2. The controller is responsible and is able to prove the
compliance with paragraph 1 ("accountability") ".

8.1. Based on the Data Minimization Principle established by Article 5 (1) (c) of the GIP,
Defendant, in any case, must ensure that, personnel data

appropriate, relevant and limited to what is necessary for the purposes for which they are made
processed and based on the Principle of limitation of the storage period, which
Article 5 (1) (e) of the GIP, the data must be kept in a form which allows the
identification of data subjects only for the time required to achieve them

purposes of processing.
                                                                                                 88.2. Recital 39 of the GCP Preface explains, inter alia, that “The data
should be adequate and relevant and limited to what is necessary for them

purposes of their processing. This requires in particular to ensure that storage space
personal data to be kept to a minimum. Staff data
should only be processed if the purpose of the processing cannot
achieved by other means ".

8.3. Recital 4 of the Preamble to the IGC explains that, “the right to protection of
personal data is not an absolute right; it must be valued in relation to

its function in society and be weighted with other fundamental rights, in accordance with its principle
proportionality ".

8.4. Further, Recital 47 explains that, “The legitimate interests of the
including those of a controller to whom they may
disclose personal or third party data may provide the legal basis for the
provided that they do not outweigh the interests or fundamental rights and

freedoms of the data subject, taking into account the legitimate expectations of the subjects
data on the basis of their relationship with the controller ".

8.5. Related to the issue are also, (a) Opinion no. 06/2014 on the meaning of law
interests of the controller issued on 9/4/2014 by the Working Group of Article 29
on data protection, (b) the Opinion of the Article 29 Working Party on GATT entitled
"Opinion 2/2017 on data processing at work", (c) paragraph 9 of Article 35 of the GCP, in which

It is stated that "Where appropriate, the controller shall consult the
data or their representatives for the intended processing, subject to protection
commercial or public interests or the security of processing operations "(d) Opinion 2/2018
issued by the Commissioner for Personal Data Protection under Article
58 (3) (b) of the GCC for Workplace Video Surveillance and the Use of Biometric

systems and (e) Directive 1/2011 issued by the Hellenic Data Protection Authority
Personal Use for the use of video surveillance systems to protect persons and
goods.

9. Article 35 (9) of the GPA concerning the Impact Assessment on data protection
stating that "Where appropriate, the controller shall consult the
data or their representatives for the intended processing, subject to protection

commercial or public interests or the security of processing operations ".
10. The Law on Limitation of Inviolable Rights of 2012, as amended (hereinafter N.

66 (I) / 2012).

11. In Article 12. (10A) of the Law on Annual Leave with Remuneration of 1967 (hereinafter Law 8/1967)
states that “An application to the Labor Disputes Tribunal shall be submitted within twelve months of
the date on which the right to apply arose or within nine months of
Fund response for redundant staff… »

C. Commentary:

12. It is the position of the Defendant's lawyer that the complaint that for his replacement and installation
card system as well as for data processing, at least one of the
the following cases of Article 6 of the GCC:

       “B) The processing is necessary for the execution of a contract of which the subject of

       data is a contracting party [] ..]

       (f) the processing is necessary for the purposes of the legitimate interests pursued by
       controller or third party… ”.

12.1. In order for Article 6 (1) of the GIP to be used as a legal basis,
explicit provision should be included in the employment contract signed between the Defendant

                                                                                                  9 the complaint and the data subjects (employees). Such data were not presented
in front of me.

12.1.1. But even if there was explicit provision in the employment contract this would be considered under

in the light of Article 7 (4) of the GIP and whether the consent of the data subject
(employee) is given freely. As mentioned in my Office letter dated
30/12/2019, the employer is considered to have a dominant position in the employment relationship, therefore the
employee consent is not considered free.

12.2. With regard to Article 6 (1) (f) of the GBER, I accept that it could be used as
legal basis, provided, however, that the processing of the data of the subjects (employees), ie the
taking and storing their photo obeys the Principles of Proportionality, Restriction

of the storage and accountability period and in any case does not take precedence over interests or
fundamental rights and freedoms of data subjects.

13. In the present case, therefore, I am called upon to consider

       (a) whether the installation of a camera by the Defendant in order to receive the complaint
       low resolution photograph of the data subject (employee) to identify
       that the employee who beats the card is the holder and not a third party, as a measure
       control, obeys the Data Minimization Principle and

       (b) whether the retention time of employees' entry / exit data (number

       employee card, date and time of entry / exit) for a period of seven years, for purposes
       for the settlement of labor disputes or for the exercise of legal rights, obeys its Principle
       Limit the Storage Period.

14. With regard to Question 13 (a), I take note of the following:

14.1. In the Impact Assessment carried out by the Defendant on page 5,
in the paragraph entitled STEP 3: Consultation process, it is stated that:

       "The advice of the subjects was not sought, nor of their representatives as the
       Recording and time data management has always existed as part of Management

       Staff ".

14.2. In the letter of the lawyer of the Defendant the complaint dated 18/11/2019, on page 2,
it is referred that:
       «…. In any case, KEO used to use the card flipping system in the past
       collecting through this device the employee card number, date and time
       input / output. That is, the only substantial change in the card flip system is

       collecting and storing the employee's low resolution photo and so on
       KEO has reduced the retention time of the photo to one month in contrast to others
       data which need to be retained for a longer period of time… "

14.3. In the Impact Assessment carried out by the Defendant on the complaint, on pages 5
and 6, in the paragraph entitled STEP 4: Proportionality and Necessity Assessment, states that:

       «1. Time recorders are necessary for the Company to be able to perform the
       contract with its employees and for the protection of its legal interest or

       third. Given the conditions of the Company there seems to be no other way
       processing with which the Company can adequately monitor and evaluate the
       observing working hours and detecting any disciplinary violations. It is noted that
       in the past there have been incidents where people have beaten another colleague's card. In every
       In this case, we consider that only the data are collected and stored through the devices

       which are necessary to serve the stated purposes ".

14.4. In addition, in the letter of the lawyer of the Defendant the complaint, date. 11/18/2019, on page 3,
it is referred that:

                                                                                                 10 "επίσης We also consider it appropriate to refer to Opinion 2/2018 issued by the
       Office of the Personal Data Protection Commissioner pursuant to Article 58 (3) (b)

       of the General Regulation on Data Protection (Regulation (EU) 2016/679) on Video
       workplace monitoring and the use of biometric systems. Although the
       This case does not concern video surveillance and the use of biometric systems but
       concerns collection of low resolution photo of the employee we consider appropriate to
       refer by analogy to the following reference contained in this document: “As ex

       therefore, the use of biometric systems (facial recognition or
       fingerprinting) by employers, for arrival time control purposes and
       departure of employees to their place of work is prohibited. The controller
       must choose other means less intrusive / burdensome to human dignity than
       what the collection and use of fingerprints entails. As such means are for

       For example, the card ticking system, frequent / unannounced checks by
       Manager / Head in the card system, the presence of a supervisor in the area where
       the system works or alternatively the placement of a surveillance camera over it
       card machine ”. Therefore, we consider the collection and processing of the photo low

       analysis of the employee in conjunction with the card machine as a whole as it is
       implemented by our customers, can not be considered an excessive measure (in contrast
       for example with a surveillance camera that would continuously videotape the specifics
       points and would not be limited to the moments when an employee beats his card) to
       achievement of the above mentioned objectives of KEO. This measure is therefore consistent with

       provisions of the General Regulation on Data Protection… ".
14.5. In addition, in the letter dated. 14/2/2020, the lawyer of the Defendant states that:

       … Or our customers want to clarify that the low resolution photo is related

       with this system is not a biometric data. In other words, it does not collect this system
       biometric features which are unique, measurable, physical features which
       are used to identify an individual. It is therefore not considered
       other ways need to be found as the system used is not a system
       collection and processing of biometric data… ".

14.6. All of the above references contained in the Impact Assessment and its letters

Defendant's lawyer, explain that taking a low-resolution photo of
was the only practical solution for the purposes pursued by the
complaint to serve. I do not rule out that, in some cases, taking a photo or video,
as I mention in Directive 2/2018, when the card is struck, it may be mandatory.
However, in such cases, under the Accountability Principle, the employer should be in

able to prove that, there is no other less intrusive way to achieve it
intended purpose, namely the effective control of employees.

14.7. In the present case, the Defendant has not substantiated the complaint, nor has it arisen in
any stage that other ways and measures were applied by it, e.g. the
frequent / unannounced checks by the Manager / Manager on the card system, the presence of a
supervisor in the area where the system operates or even the camera, which would focus on their hands

employees at the time they hit the card and not in the face, and be judged as
ineffective or inadequate or insufficient to confirm the choice of
low resolution photography, as the most appropriate measure to serve the purposes set
Defendant seeks the complaint. In the context of employment, the monitoring measures set
reflect the employee's behavior should be proportionate to

risks faced and implemented in the least intrusive way.

14.8. Therefore, in relation to question (a) I ask in paragraph 11 above, the position of the Defendant that,
the installation of a camera in order to take a low resolution photo of their subject
(employee) to identify that the employee who beats the card is the holder and
not a third party, as a control measure, obeys the Data Minimization Principle,


                                                                                                 11 rejected, as the Defendant did not take or consider any other less intrusive measures,
before the application of this measure.

15. As regards question 13 (b), I have regarded the following:

15.1. In the Impact Assessment carried out by the Defendant on page 2,
in the paragraph entitled Nature of Processing, it is stated that:

       "… The data in relation to the employee card number, time and date of entry and

       exit to the workplace may be maintained for a period of up to seven (7) years from
       date of their collection unless legal proceedings and / or a contractual dispute are pending where
       the data will be stored for a longer period for purposes of recommendation, exercise and
       advocacy νομ »

15.2. On page 5 of the same Impact Assessment, in the section entitled STEP 3: Advisory
Consultation process, it is stated that:

       "The advice of the data subjects was not sought, nor of their representatives
       as well as recording and managing time data has always existed as part of it

       Personnel Management… ».

15.3. Additionally, on page 7 of the same Impact Assessment, in the section entitled STEP 4:
Proportionality and Necessity Assessment states that:

       «7. Υπόλοι The remaining data was considered appropriate, at least at this stage, to be retained
       for a period of 7 years having regard to the limitation periods applicable to the breach
       contractual relationship under Cypriot law. As explained below the question of time
       will be re-evaluated in the near future and in particular after the appointment of a DPO ".

15.4. In the letter of the lawyer of the Defendant the complaint dated 18/11/2019, on page 3,

it is referred that:
       ". As for the retention of the remaining data, the retention period is at present

       stage is set at 7 years taking into account the limitation periods applicable under it
       Cypriot law regarding contractual disputes. But as explained in the Report
       Impact (Annex C) this issue will be re-evaluated and amended if deemed appropriate
       necessary. We also note that the range of data retained is limited

       in what is absolutely necessary, ie in the data concerning the employee card number, the
       date / time of entry / exit and low resolution photo of the employee.
       In addition, we note that, as explained in Annex C, access has been restricted
       in the specific data… »

15.5. In addition, in the letter dated. 14/2/2020, the lawyer of the Defendant states that:

       "… Regarding the retention of data concerning the time and date of entry and
       exit to the workplace, it is noted that the retention period is at this stage
       determined at 7 years taking into account the limitation periods based on the Cyprus problem

       Law regarding contractual disputes (6 years) and civil offenses (3 years). Of those
       we realize it is possible in relation to an employee to arise litigation
       disputes concerning matters for which the statute of limitations period
       according to Cypriot Law amounts to 6 years. Input details are possible and
       to be relevant evidence in such cases. That is, in relation to one

       an employee other than those listed in
       jurisdiction of the Labor Disputes Tribunal for which the limitation period is
       smaller. It is for this reason that we have advised our customers as they maintain such
       data for a period of 7 years except of course in cases where a case arises and
       such information should, if relevant, be kept for as long as the trial is pending.

       Finally, on this issue, we consider that objectively speaking the maintenance of such
       data for 7 years is not an excessive period as the data containing the time
       entry and exit to the workplace is not of such a nature as to create serious
                                                                                                  12 danger to the rights and freedoms of subjects (emphasis added).
       But at the same time we remain at your disposal to discuss and adapt

       depending on this detail in the future as the system has only recently been put into
       application…".

15.6. In summary, the Defendant claims that the data retention period of its employees
for a period of seven (7) years is absolutely necessary because, it may occur between the Defendant and the
conductive right of its employees, which, based on Law 66 (I) / 2012, as amended, provides
limitation periods of six (6) years for contracts and three (3) years for civil offenses. On the contrary, the

The complainants' lawyers argue that any dispute between the Defendant and the
its employees will be of a labor nature, which will have to be resolved before the Court
Labor Disputes, meaning, in accordance with the provisions of article 12 (10A) of Law 8/1967, as
amended, which, inter alia, provides that: “Application to the Labor Disputes Tribunal
shall be submitted within twelve months from the date on which it is to be submitted

application or within nine months of the response of the Fund to redundant staff ".

15.7. I am of the opinion that both positions suffer because neither Law 66 (I) / 2012 nor Law 8/1967
is a legal basis for determining the storage period of the data in question. And the
two Laws provide for periods during which respective rights can be exercised, however
do not, at the same time, create an obligation to retain certain data in order to exercise them
of rights. After all, if I accepted the positions that, these Laws could constitute

criterion for determining the storage time of the data in question, I would reach
paradoxical conclusion that, all the data collected by all processors who
falling within the scope of the GGP, should be stored for periods similar to these
provided for in their national laws for the settlement of labor and civil disputes, respectively,
which circumvents both the letter and the spirit of the GCP.

15.8. The data in question, ie the employee card number, the date and time of entry /

of each employee, are stored in the system installed by the Defendant, for a long time
specific purposes, namely the control of timetable and payroll and, on the basis of
the Beginning of the Storage Period, the only factor / criterion for determining the period
their storage, in a form that allows the identification of employees, must be the time
required to fulfill these purposes. Storing them for longer periods,

can only be done for archiving purposes in the public interest or for scientific purposes
or historical research or for statistical purposes. In this case, these purposes do not
are applicable or at least, the Defendant has not brought them before me. Hence her position
Defendant that, the period of storage of the data of its employees for a period of seven (7) years is
absolutely necessary, is rejected.

16. Furthermore, it should be borne in mind that the decision of the Defendant to establish the complaint

low resolution camera and its decision to keep the data of its employees for a period
seven (7) years of age, have been obtained without prior consultation with the staff or
their guilds.

16.1. Defendant's lawyer in the impact assessment assessment he sent states that no
the advice of neither the employees nor their representatives was sought as the recording and
Time data management has always existed as part of Personnel Management. The fact that the

Prior to the complaint, he previously collected and maintained data without justifying the time
This does not mean that he can continue to do so and that he could
in the context of this system upgrade to consult with stakeholders,
so as to correct any distortions of the past.

16.2. In addition to the fact that, pursuant to Article 35 (9) of the GIP, the Defendant, during the preparation of the
an impact assessment would be appropriate to seek the views of its officials or their representatives,

for measures it intended to take, this was also required by the Transparency Authority.
16.3. For transparency purposes, the participation of employee representatives is necessary (e.g.

trade unions) during the discussions that take place before measures are taken involving him
                                                                                                  13control and / or supervision of staff through the processing of their personal data.
Relevant is the following excerpt from the Opinion of the Article 29 Working Party, "Opinion

2/2017 on data processing at work »:

       «6.3 Transparency
       Effective communication should be provided to employees concerning any monitoring that takes

       place, the purposes for this monitoring and the circumstances, as well as possibilities for employees
       to prevent their data being captured by monitoring technologies. Policies and rules concerning
       legitimate monitoring must be clear and readily accessible. The Working Party recommends
       involving a representative sample of employees in the creation and evaluation of such rules and
       policies as most monitoring has the potential to infringe on the private lives of employees. ».

D. Conclusion - Conclusion:

17. In the light of the above and exercising the powers conferred upon me by the provisions of Article

58 (1) (d) I inform the Defendant of the complaint that:
17.1. In relation to the question (a) that I ask in par. 13 above, the installation of a camera by

Each in order to take a low resolution photo of the data subject (employee)
to identify that the employee who beats the card is the holder and not a third party, as
without taking into account or considering other less intrusive measures
before the implementation of this measure, violates the Principle of Data Minimization

and therefore can not be accepted.
17.2. In relation to question (b) that I ask in par. 13 above, the retention time of the data

entry / exit of employees (employee card number, date and time of entry / exit) for
period of seven (7) years, for the purposes of exercising legal rights, violates the Principle of
Limit the Storage Period.

17.3. Pursuant to Article 58 (2) of the GIP, I have the power to impose an administrative sanction on the
above violations, which includes the possibility of imposing an administrative fine on the basis of
Article 83 thereof. However, considering:

       (a) all the factors set out in Article 83 (2) of the GIP;

       (b) that, at all stages of the examination of this complaint, the Defendant had

       working with my Office,
       (c) that the case could have been avoided if the Defendant had consulted the

       measures taken by its officials or their representatives,

       (d) that the Defendant in the complaint has taken several measures to comply with the IGC, in particular as regards
       concerns the obligation to inform its employees and

exercising the powers conferred on me by the provisions of Article 58 (2). (d) of the GCC, I consider
more appropriate in the first phase, to give the Defendant the following order:

       (a) suspend the installation of the upgraded card flip system
       includes installing the camera and destroying the material collected if the
       download this and inform my Office of the actions and

       (b) to choose through transparent procedures, with the participation of their representatives
       employees, differentiated measures / solutions that are appropriate and sufficient and

       to ensure guarantees of legality, transparency, preservation, proportionality and
       security of personal data and as a draft of the en
       due procedures until 4/12/2020.

17.4. In case the Defendant does not comply with the above order within them
above deadlines, I will consider the need for stricter administrative measures
against her.

                                                                                                   14Irene Loizidou - Nikolaidou

Commissioner for Protection

Personal Data
























































                                                                                             15