Commissioner (Cyprus) - 11.17.001.007.220
|Commissioner - 11.17.001.007.220
|Article 7(4) GDPR
Article 35(9) GDPR
|National Case Number/Name:
|European Case Law Identifier:
|Office of the Commissioner for Personal Data Protection (in EL)
The Cypriot DPA (Commissioner) asked the company KEO PLC to suspend its new employee time tracking system, due to a lack of compatibility with Article 7(4) and Article 35(9) of GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
KEO PLC decided to upgrade its ERP system, whose upgrade was configured with the module of recording when an employee started and ended their work. Until then, the card-swipe terminal only recorded an ID number, as well as arriving and departing times, to and from the premises of the Company.
The new terminal included a tiny camera as a measure of the employees who swiped their colleagues' cards too. Grounded on the concerns of the principle of proportionality, the right of privacy, as well as the right of public life, two trade unions submitted a complaint against KEO PLC and before the Cypriot DPA.
Dispute[edit | edit source]
The main questioning was if the particular data-processing is reasonable and consists of a minimised processing under the meaning of what is absolutely necessary in order to achieve the aim pursued.
KEO Public Company alleges that upon receiving legal advice, they expanded the duration of processing and storage of these data which are tracked, inputted to, or created by the new terminal. KEO's intension of regarding change was the harmonisation with the limitation period for bringing an action to the court. Also, KEO Public Company claimed that under the GDPR, there is no right that a trade union can exercise. They thought that the justiciability of GDPR is limited only to the natural persons who are the direct possessor of the personal data.
Holding[edit | edit source]
Cypriot DPA totally dismisses the argument that the duration of storage of the personal data should be linked with the time constraint with which someone is allowed to bring an action to the court. The DPA commented that if any other law could set a minimum duration for the storage of personal data, then the letter and the spirit of the GDPR would be overlooked. The only eligible criteria shall satisfy the initial reason for collecting these personal data, which in the present case was ensuring that employees do not violate their employment contract.
The DPA holds that the Company could adopted milder measures of getting control over contravening the traditional swipe-card tracking system. Otherwise, the Company at least should have asked for the employees (or their representatives) for their opinions and/or for their suggestions. Asking the personal data subject’s opinion is also a requirement of the Cypriot. For example, Article 35(9) of GDPR provides the possibility that impact assessment may include such an investigation.
The Cypriot DPA considered Article 7(4), which refers to a clear and explicit consent. To deliver an in-depth insight, we can state that if consent was gained through the performance of a service or other contract, the examination of the necessity of the personal data processing is an inseparable criterion. Due to an employment contract, the employer shall be considered to hold a dominant position and any such consent can not be characterised as an explicit agreement.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.