Editing Commissioner - 11.17.001.007.220

From GDPRhub

  
 
<pre>
 
<pre>
File No.: 11.17.001.007.220 August 6, 2020
 
  
 
 
                            Decision in the form of an Order in accordance
 
 
                          with the provisions of Article 58 (2) (d) of the GDPR
 
 
 
SUBJECT: Complaint by OVIEK - Σ.Ε.Κ and Σ.Ε.Β.Ε.Τ.Τ.Υ.Κ. - PEO of employees
 
                          of KEO PLC, for possible violation of the GDPR
 
 
Bearing in mind the provisions of:

      (a) Articles 55 (1), 56 (2), 57 (1) (a) and 58 (2) (d) of General Regulation (EU) 2016/679; and

      (b) Article 19 (5) of Law 125 (I) / 2018,
 
 
 
the following Order is issued:
 
 
A. Facts:
 
 
1. On 14/10/2019, a complaint was submitted to my Office by representatives of OVIEK - S.E.K and
Σ.Ε.Β.Ε.Τ.Τ.Υ.Κ. - PEO (hereinafter the Complainants) on behalf of the employees of the company KEO PLC
(hereinafter the Defendant), in connection with the replacement and upgrade of the system
so that it is compatible with modern technology and software systems.
 
 
1.1. Specifically, the representatives of the employees, OVIEK - S.E.K and S.E.V.E.T.Y.K. - PEO,
claim in the complaint that the content of both the Policy Statement and the information leaflet
entitled "Upgrade of entry / exit time recording system" does not comply with
the provisions of General Regulation (EU) 2016/679 (hereinafter GDPR).
 
 
1.2. In the form submitted to my Office, the issues briefly mentioned for investigation were
the use and duration of data retention, the processing of personal data,
and the fact that the entry / exit card is an excessive measure.
 
 
 
2. On 17/10/2019, an Officer of my Office sent an email to the XXXXXXXX of the
Defendant's staff, asking for its position on the Complainants' allegations
by 11/11/2019, as well as for a) the Impact Assessment conducted on the
implications / risks of using such a System (Article 35 of the GDPR), b) the Activity Archive,
c) the posted Protection Policy and d) the details of the Data Protection Officer of KEO PLC.
 
 
 
Positions of the Defendant, represented by a lawyer, and annexes:
 
 
3. The lawyer of the Defendant sent a letter with her positions and views on 11/18/2019.
On 12/30/2019 my Office raised various issues that arose from the letter and
the attachments sent by the Defendant, which are also listed below. On 14/02/2020, the
Defendant's lawyer sent a second reply letter. Along with the two letters that
she sent, she attached as Annexes a) the Employees' and / or Dealers' Personal Data Protection
Statement, b) the Entry / Exit Time Recording System Upgrade Notice, c) the
Impact Assessment, the Activity Archive, d) the Privacy Statement in
relation to Job Applicants and e) the form KEO GENERAL DATA PROTECTION PRIVACY
POLICY.
 
 
 
3.1. The two letters of the Defendant, dated 18/11/2019 and 14/02/2020, state,
among other things, the following:

3.1.1. The union complaint does not appear to have been filed by an organization that
includes the protection of personal data in its statutory purposes, nor to have been
submitted by the data subjects themselves. Therefore, this is not a legitimate complaint and,
to this end, the Defendant reserves all its rights.
 
 
3.1.2. For the purpose of cooperating with my Office, the Defendant
answers the Questionnaire dated 17/10/2019. If a complaint is submitted
in a lawful manner in the future, or if it is informed in the future that such a complaint
is being formally investigated, the Defendant reserves the right to submit
additional comments and positions in defense of its rights.
 
 
3.2. On 3/10/2019, for the purposes of compliance with the GDPR, the Defendant sent by
e-mail and / or handed over to the employees (Complainants) a
Privacy Policy Statement.
 
 
 
3.3. It did the same on 9/10/2019, when, for the purposes of implementing the measure in question, it sent
and / or delivered a separate notice regarding the replacement and installation of the new
card swipe system.
 
 
3.3.1. In that notice, the Defendant informed its staff that the
new devices will collect, store and use the employee card number, the date of
entry / exit, the time of entry / exit and a low resolution photo of the employee,
for the purpose of compliance with working hours and with contractual obligations, with the
ultimate goal of time management and dealing with any complaints and disciplinary
misconduct.
 
 
3.4. For the information of my Office, it attached the Employees' and / or Agents' Privacy
Statement and the Entry / Exit Time Recording System Upgrade Notification,
as sent and / or delivered to employees, respectively.
 
 
3.5. The Defendant's position is that the replacement and installation of this system,
as well as the processing of such data, is necessary for the execution of an agreement between
the Defendant and the Complainants, as well as for the satisfaction of the legitimate interest
pursued by the controller (in this case the Defendant). At least one of the following cases of
Article 6 of the GDPR applies, as stated, to the processing in question:

      "(b) the processing is necessary for the execution of a contract to which the
      data subject is a contracting party [...]

      (f) the processing is necessary for the purposes of the legitimate interests pursued by
      the controller or a third party"
 
 
3.6. For the information of my Office, it has attached the Impact Assessment.
 
 
 
3.7. It is the position of the Defendant that the replacement and installation of the new card
system cannot be considered a faulty, unjustified or disproportionate action. The
Defendant had previously used a card swipe system, collecting
via that device the employee card number and the date and time of entry / exit. The only
substantial change with the replacement and installation of the new system is the collection and
storage of a low resolution photo of the employee, and in this regard the Defendant
has reduced the retention time of the photo to one month, in contrast to other data which,
as it claims, need to be kept for a longer period of time. In the past there had been
cases where individuals used another employee's card for the purpose of
circumventing the schedule rules.
 
 
 
 
3.8. The retention period of the remaining data was set at 7 years, after
taking into account the limitation periods that apply to contractual disputes under Cypriot
Law. The Impact Report states that this issue will be re-evaluated and amended
if deemed necessary.
 
 
3.9. The range of data stored is limited to what is absolutely necessary: the employee card
number, the date and time of entry / exit and the low resolution photo of the
employee. In addition, access to these data has been restricted.
 
 
 
3.10. According to the Defendant, the present case does not concern video surveillance
or the use of biometric systems, but the collection of a low resolution photo of the employee.
However, it considers it appropriate to refer by analogy to the following passage of Opinion 2/2018, which
was issued on 19/10/2018 based on Article 58 (3) (b) of the GDPR, on Video Surveillance in the
workplace and the use of biometric systems:

      "Therefore, the use of biometric systems (facial recognition or facial recognition or
      fingerprinting) by employers, for the purpose of checking the arrival and
      departure times of employees at their place of work, is prohibited. The controller
      must choose other means that are less intrusive / burdensome to human dignity than
      what the collection and use of fingerprints entails. Such means are, for
      example, the card swipe system, frequent / unannounced checks of the card system by a
      Manager / Head, the presence of a supervisor in the area where
      the system operates or, alternatively, the placement of a surveillance camera over the
      card machine".
 
 
 
3.11. The collection and processing of the low resolution photo of the employee, in combination
with the card machine, as applied as a whole by the Defendant, cannot
be considered an excessive measure. On the contrary, it is a less burdensome and proportionate measure (unlike
a surveillance camera, which would continuously videotape the specific points and would not
be limited to the moments when an employee swipes his card). It concludes that this measure
is in line with the provisions of the GDPR.
 
 
3.12. When choosing the features of the card system in question, the Defendant
had extensive conversations and consultations with the provider of that system with a view to
the best possible compliance with the GDPR. For this purpose it requested and received legal
advice.
 
 
 
3.13. For the information of my Office, it has attached the Activity Archive of the Defendant.
 
 
3.14. At the time of the implementation of the GDPR, there was a team, consisting of members of
Management and the Personnel Department, which took all the necessary steps and measures for
the Defendant's compliance with the GDPR. At this stage the duties of the Data Protection
Officer (hereinafter DPO) are performed by XXXXXXXXXX
 
 
4. To the letter of my Office dated 30/12/2019 to the lawyer of the Defendant, the
content of which is not an exhaustive list of the findings of my Office, as
several issues have emerged that need to be corrected in the forms submitted, the
Defendant sent a reply letter on 14/2/2020, stating the following:
 
 
4.1. It notes the position of my Office regarding the legality of the complaint and clarifies that the
reference concerned whether the employees of the Defendant had made the assignment
in accordance with the Directive "Complaints Procedure".
 
 
 
4.2. It wishes to clarify that the low resolution photo associated with the system in
question is not biometric data. In other words, this system does not collect biometric
characteristics, which are unique, measurable, physical features used
in order to identify an individual. Therefore, there is no need to find
other ways, as the system used is not a system for collecting and processing
biometric data.
 
 
 
4.3. It considers that the system in question, which involves taking a low resolution photograph
at the time of entry and card swipe, instead of biometric data or continuous
video recording, which would videotape the data subject for a few seconds during
attendance at work, is a measure that takes into account the principle of proportionality.
 
 
 
4.3.1. The replacement and implementation of this system was deemed necessary for the better
implementation of the agreement between the Defendant and the Complainants (the data subjects)
and for the satisfaction of the legitimate interest pursued by the controller
(Article 6 (b) and (f) of the GDPR).
 
 
 
4.3.2. The placement of a camera that takes low resolution photos (keeping them for a
period of only one month), and consequently their collection and processing, is not an excessive measure
but a measure which takes into account the principle of proportionality.
 
 
4.3.3. The data collected by this system are necessary for the intended
purposes of processing, i.e. the monitoring and evaluation of compliance with labor
and contractual obligations, with the ultimate goal of time management and
dealing with any complaints and disciplinary misconduct. Retaining photos for
a period of one month is a proportionate measure. Relevant, as it states, are the references to
Opinion 2/2018 of my Office on page 3 of the letter dated 18/11/2019.
 
 
4.4. In relation to the Employees' and / or Delegates' Personal Data Protection Declaration form
(hereinafter the Statement) and other sub-issues, it notes the following:
 
 
 
4.4.1. In no case has the Defendant relied on Article 6 (1) (a) of the GDPR, which
concerns securing the consent of data subjects (in this case
the Complainants). The Defendant sent and / or delivered the Statement to the data subjects,
and what it was asking for was confirmation of receipt of those documents and assurance of
compliance with the Transparency Principle.
 
 
 
4.4.2. On page 7 of the Declaration, it is clarified that consent is not a condition of the
employment contract, not even for the special categories.
 
 
4.4.3. Page 4 of the Declaration clearly lists the cases concerning the conditions
of Article 6 with the relevant legal bases for processing, and while there are specific legal bases
in that part of the Declaration, it lacks any reference to the consent that is
provided for in Article 6 (1) (a) of the GDPR.
 
 
4.5. The individual issues listed in the letter of my Office dated 30/12/2019,
which as I have already mentioned do not constitute an exhaustive list of the findings of my Office, as
several issues have emerged in the forms submitted, are the following:

    - the way in which information is collected, and for what reason, should be made clearer and
      more specific. A generality such as, for example, "we collect information about whether you have declared
      bankruptcy" is not sufficient. Clean criminal record information should be directly
      relevant to the nature of the work.
    - there is confusing information, for existing employees and for potential
      employees. They need to be separated and it must be specified to whom each applies.
    - the publication refers to a protection policy and in general to the policy of the Defendant.
      Is this policy published somewhere? Is it easily accessible?
    - the term "particularly sensitive personal data" is not an accepted term; there is a special
      category of data.
    - if the service provider is from a country within the EU it does not mean a third party.
    - if it is from a non-EU country then an Assignment Agreement must be concluded under Article
      28 GDPR.
    - the Need-to-Know Principle should be observed for all (employees and non-employees).
    - have procedures been put in place for the exercise of the rights of access, deletion and
      restriction? Are they easily accessible?
    - data collection is done for a specific purpose and only what is necessary is requested.
    - who is the Data Protection Officer of the Company? Contact info?
 
4.5.1. The Defendant gives its own position on the above, as follows:

    - it considers that the Statement is, under the circumstances, quite clear, but is ready to
      review it further so as to consider the possibility of making changes to
      make it even more understandable, especially on the point of how, why and
      from whom the data are collected,
    - with regard to the criminal record, it clarifies that the provision existed for cases where, for
      any reason, an employee or agent voluntarily decides to provide it, or
      such information is sent by a third party to the Defendant,
    - recently, the External Auditors of the Complainant suggested that a
      certificate be requested where the nature of the subject's work requires the production of a clean
      criminal record,
    - for the same reason there was the provision concerning bankruptcy, so that, if someone went bankrupt, such
      notification would be sent to the Defendant,
    - as provided in the Bankruptcy Law, any decree declaring the
      debtor bankrupt is notified, inter alia, to the employer of the bankrupt,
    - indeed, the Statement contains references to information collected at the stage before
      someone is hired. This is there to cover cases where such information needs to be
      retained later as well, i.e. at the stage where the person becomes
      an employee,
    - for people who simply remain "potential employees" there is a separate data protection
      statement, which was attached as Annex A to the letter dated 14/2/2020.
      Consequently, no further separation needs to be made in the Declaration, which concerns
      people who have become employees,
    - there is a more general and concise document on the personal data protection policy
      of the Defendant in relation to all employees / Complainants,
      as well as a form which can be given by the DPO of the Defendant to
      anyone who requests it (Annex B of the letter dated 14/2/2020).
      This document will also be posted on the Defendant's website, where there is already a
      specific data protection policy for the use of the website.
    - the reason the term "sensitive personal data" was used is that it is
      widely used, for example by the European Commission itself on its website when it
      provides explanations of the legal grounds for processing with reference to the GDPR itself.
      Such references also exist in recitals 10 & 51 of the GDPR.
    - in any case it is clarified that the Defendant does not send information about
      employees outside the EU.
    - the only service provider of the Defendant that processes personal
      data of its employees (Complainants) is the company that provides the SAP ERP
      system. A relevant assignment contract has been prepared between the Defendant and that
      provider, to be signed by 29/2/2020,
    - the Defendant aims and seeks to establish and implement procedures and a
      workplace culture that restrict access to information concerning the
      employees (Complainants) in such a way that access is only available to persons who
      need to have it,
    - the Defendant has established procedures for exercising the rights of access,
      deletion and restriction, contained in a form which may be given by the DPO if
      requested by any employee.
    - the Defendant understands that any information it collects and maintains about the
      data subjects is there because this has become necessary for employment purposes.
      That, after all, is the main purpose of the Defendant's compliance,
    - the Defendant understands that full compliance with this principle in a
      workplace requires a change of culture from all parties involved,
      without exception,
    - until recently the DPO was XXXXXXXXXX, who is however leaving the Defendant;
      there are therefore procedures for the appointment of a new DPO.
 
 
 
4.6. Further, the entry / exit time recording system Upgrade form, which consists of
almost three pages, gives all the necessary information regarding the replacement
and installation of the new system, so that staff receive the necessary information about the
system.
 
 
 
4.7. In relation to the concern as to whether the low resolution photos will undergo
any special processing, the Defendant states that the low resolution photos
collected by the entry / exit recording system will not be transferred to or
stored in the SAP ERP software, but on a server of the Defendant with limited
access. The entry / exit time recording system is a completely separate system from SAP
ERP. The Defendant confirms that no special processing will be applied to the
low resolution photos.
 
 
4.8. The SAP ERP personnel are employees of an independent third-party company, which provides the system
to the Defendant. This system stores all the data collected by the
new devices, except for the low resolution photos, and only the
persons of the Personnel Department and the IT Department have access to it.
 
 
 
4.9. As stated in the Impact Assessment form, the SAP ERP personnel have
access to the software only after the Defendant has authorized it, for the purposes of a
software upgrade or the repair of any software malfunction
which cannot be remedied by the Defendant's IT department.
 
 
 
4.10. The Defendant considers that the period of one month for keeping the low resolution
photos is accordingly legitimate.
 
 
4.10.1. With regard to the retention of data concerning the time and date of entry to and
exit from the workplace, the retention period is currently set at 7 years,
given that the limitation periods under Cypriot law in relation to
contractual disputes (6 years) and civil offenses (3 years) have been taken into account.
 
 
4.10.2. A legal dispute may arise in relation to an employee (Complainant)
concerning matters for which the limitation period of actionable rights under
Cypriot Law is 6 years, and the entry / exit data may be relevant evidence
in such cases.
 
 
 
4.10.3. It is possible for a case to arise between an employee (Complainant) and the Defendant,
other than those within the jurisdiction of the Labor Disputes Tribunal,
for which the limitation period is shorter. For this reason, the Defendant received
legal advice to maintain such data for a period of 7 years, except of course in cases
where a case arises, in which event the case-related information will be retained for as long as
the case is pending.
 
 
4.10.4. The retention of these data for a period of 7 years is not an excessive
period, as the entry / exit data in the workplace are not of such a nature as to
pose a serious threat to the rights and freedoms of the data subjects
(Complainants). At the same time, it remains at the disposal of my Office to discuss and
adjust this detail accordingly in the future, as the system has just been put
into operation.
 
 
 
5. Then, on 12/3/2020, an Officer of my Office sent an e-mail to the
DPO of the Complainants, informing him of the allegations of the Defendant and requesting
his positions and views by 13/4/2020.
 
 
Positions of Complainants represented by a lawyer:
 
 
 
6. On 13/4/2020, the Complainants' lawyer sent a letter with the positions and views
of his clients, as follows:
 
 
6.1. To answer the question of whether the Defendant is entitled to photograph the
Complainants / employees upon entering / leaving work, the
legal framework within which the Defendant may carry out such
processing must be considered.
 
 
6.1.1. In accordance with the Principles set out in Article 5 of the GDPR, he concludes that the adoption of
the measure of taking a photograph of the employee during the entry / exit procedure may be allowed
only when the employer is able to justify the legality and necessity of the control and
monitoring, and when there is no other less intrusive way of achieving
the purposes it pursues.
 
 
6.1.2. The positions and reasons put forward by the Defendant for the installation of the
upgraded card system with photo capture can be satisfied both by the
existing card system and by the adoption of other methods, such as frequent unannounced
checks of the card system by a Head, or even the presence of a supervisor at the place where
the card system operates.
 
 
6.1.3. Further, the Defendant did not indicate the reasons that made it
necessary to upgrade the card system. The Defendant confined itself to
merely stating the aims, without substantiating the necessity which led it to this
decision.
 
 
6.1.4. As long as the photo that is taken identifies the employee, it falls within the
interpretation of the term "personal data", even though it is low resolution.
 
 
 
6.1.5. Given the Principle of Proportionality, taking a photograph of the employee constitutes
an intrusive measure that restricts the right to privacy and does not serve
the purposes which the Defendant stated that it wanted to serve either.
 
 
6.1.6. He would have expected the Defendant, as Processor, before upgrading the
card system, to try to strike a balance between its legitimate interest and
the protection of its rights, and the fundamental right to privacy
of its employees.
 
 
6.2. Regarding the data retention period, the retention time is defined as the
period of time necessary to satisfy the purposes for which the data are collected by the
controller.
 
 
 
6.2.1. In this case, the Defendant stated that the retention period for the data concerning
the time and date of entry to and exit from the workplace is 7 years. In calculating
this period, the limitation periods provided by the
Limitation Law were taken into account, i.e. 6 for contracts and 3 years for civil offenses.
 
 
 
6.2.2. The reasoning is correct but the calculation by the Defendant is wrong,
given that any dispute arising in relation to an employee's entry / exit hours
will amount to a labor dispute, and therefore the limitation period for
labor disputes, which is 12 months, applies.
 
 
 
6.3. In the SAP ERP software system, employee data is entered correctly. The Defendant
must, however, explain and justify whether there is a reason for
data to be stored on a KEO PLC server. In addition, the issue of signing an
assignment agreement between the Defendant and the company operating the SAP ERP
system is raised.
 
 
 
6.4. In conclusion, the Complainants' side stated that taking a photograph of them
is not necessary to protect the legitimate interests of the Defendant,
since these can be secured in less burdensome ways, while in any case the
retention period for entry / exit card data should be limited to a maximum of 2
years.
 
 
 
B. Legal analysis:
 
 
7. The photograph of a natural person, in so far as his identity is directly or indirectly revealed,
constitutes "personal data" as defined in Article 4 of the
GDPR, which states that "personal data" is "any information relating to an
identified or identifiable natural person (data subject)".
 
 
7.1. The same article also defines processing as "any act or series of acts performed,
with or without the use of automated means, on personal data or on sets of
personal data, such as the collection, registration, organization, structuring,
storage, adaptation or modification, retrieval, consultation, use,
disclosure by transmission, dissemination or any other form of making available, association or combination,
restriction, deletion or destruction".
 
 
7.2. Furthermore, the controller is defined as anyone (the natural or legal person, the
public authority, service or other body) which, "alone or jointly with others, determines the purposes
and the manner in which personal data are processed".
 
7.3. In addition, it defines an "archiving system" as "any structured set of personal data
which are accessible according to specific criteria, whether
centralized, decentralized or distributed on a functional or geographical basis".
 
 
8. Article 5 of the GDPR sets out the Principles governing the processing of personal
data, as follows: "1. Personal data: … (c) are appropriate, relevant and
limited to what is necessary for the purposes for which they are processed
("data minimization"); … (e) are kept in a form which allows the identification of
data subjects only for the period required for the purposes of the processing of the
personal data; personal data can be stored for
longer periods if the personal data are processed
only for archiving purposes in the public interest, for scientific or historical purposes
or for statistical purposes, in accordance with Article 89 (1) and provided that the
appropriate technical and organizational measures required by this Regulation are applied to safeguard the
rights and freedoms of the data subject ("restriction of the storage period");
2. The controller is responsible for and is able to prove
compliance with paragraph 1 ("accountability")".
 
 
8.1. Based on the Data Minimization Principle established by Article 5 (1) (c) of the GDPR, the
Defendant must in any case ensure that personal data are
appropriate, relevant and limited to what is necessary for the purposes for which they are
processed and, based on the Principle of limitation of the storage period established by
Article 5 (1) (e) of the GDPR, the data must be kept in a form which allows the
identification of data subjects only for the time required to achieve the
purposes of processing.
 
8.2. Recital 39 of the Preamble to the GDPR explains, inter alia, that "The data
should be adequate and relevant and limited to what is necessary for the
purposes of their processing. This requires in particular ensuring that the storage period of
personal data is kept to a minimum. Personal data
should only be processed if the purpose of the processing cannot be
achieved by other means".
 
 
8.3. Recital 4 of the Preamble to the GDPR explains that "the right to the protection of
personal data is not an absolute right; it must be assessed in relation to
its function in society and be balanced against other fundamental rights, in accordance with the principle of
proportionality".
 
 
8.4. Further, Recital 47 explains that "The legitimate interests of a controller,
including those of a controller to which the personal data may be
disclosed, or of a third party, may provide the legal basis for the processing,
provided that they are not overridden by the interests or the fundamental rights and
freedoms of the data subject, taking into account the legitimate expectations of data
subjects based on their relationship with the controller".
 
 
8.5. Also relevant to the issue are (a) Opinion 06/2014 on the notion of legitimate
interests of the controller, issued on 9/4/2014 by the Article 29 Data Protection
Working Party, (b) the Opinion of the Article 29 Working Party on the GDPR entitled
"Opinion 2/2017 on data processing at work", (c) paragraph 9 of Article 35 of the GDPR, in which
it is stated that "Where appropriate, the controller shall consult the
data subjects or their representatives on the intended processing, without prejudice to the protection of
commercial or public interests or the security of processing operations", (d) Opinion 2/2018
issued by the Commissioner for Personal Data Protection under Article
58 (3) (b) of the GDPR on Workplace Video Surveillance and the Use of Biometric
Systems and (e) Directive 1/2011 issued by the Hellenic Data Protection Authority
on the use of video surveillance systems to protect persons and
goods.
 
 
9. Article 35 (9) of the GDPR, concerning the data protection Impact Assessment,
states that "Where appropriate, the controller shall consult the
data subjects or their representatives on the intended processing, without prejudice to the protection of
commercial or public interests or the security of processing operations".
 
10. The Limitation of Actionable Rights Law of 2012, as amended (hereinafter Law
66 (I) / 2012).
 
 
11. Article 12 (10A) of the Law on Annual Leave with Remuneration of 1967 (hereinafter Law 8/1967)
states that "An application to the Labor Disputes Tribunal shall be submitted within twelve months of
the date on which the right to apply arose or within nine months of
the response of the Fund for redundant staff…"
 
 
C. Commentary:
 
 
12. It is the position of the Defendant's lawyer that, for the replacement and installation of the
card system, as well as for the data processing, at least one of
the following cases of Article 6 of the GDPR applies:

      "(b) the processing is necessary for the performance of a contract to which the data
      subject is party [...]

      (f) the processing is necessary for the purposes of the legitimate interests pursued by
      the controller or by a third party…".
 
 
12.1. In order for Article 6 (1) of the GDPR to be used as a legal basis, an
explicit provision should be included in the employment contract signed between the Defendant
and the data subjects (employees). No such evidence was presented
before me.
 
 
12.1.1. But even if there were an explicit provision in the employment contract, it would be examined
in the light of Article 7 (4) of the GDPR and of whether the consent of the data subject
(employee) is freely given. As mentioned in my Office's letter dated
30/12/2019, the employer is considered to have a dominant position in the employment relationship, and therefore
employee consent is not considered free.
 
 
12.2. With regard to Article 6 (1) (f) of the GDPR, I accept that it could be used as a
legal basis, provided, however, that the processing of the data of the subjects (employees), i.e. the
taking and storing of their photo, complies with the Principles of Proportionality, Storage
Limitation and Accountability and in any case does not override the interests or
fundamental rights and freedoms of the data subjects.
 
 
13. In the present case, therefore, I am called upon to consider:

      (a) whether the installation of a camera by the Defendant in order to take a
      low resolution photograph of the data subject (employee), so as to verify
      that the employee who punches the card is its holder and not a third party, as a control
      measure, complies with the Data Minimization Principle and

      (b) whether the retention of employees' entry / exit data (employee
      card number, date and time of entry / exit) for a period of seven years, for the purposes
      of settling labor disputes or exercising legal rights, complies with the
      Storage Limitation Principle.
 
 
14. With regard to Question 13 (a), I take note of the following:
 
 
14.1. In the Impact Assessment carried out by the Defendant on page 5,
 
in the paragraph entitled STEP 3: Consultation process, it is stated that:
 
 
      "The advice of the subjects was not sought, nor of their representatives, as the
      recording and management of time data has always existed as part of Personnel
      Management".
 
 
14.2. In the letter of the Defendant's lawyer dated 18/11/2019, on page 2,
it is stated that:
 
      «…. In any case, KEO used to use the card flipping system in the past
 
      collecting through this device the employee card number, date and time
 
      input / output. That is, the only substantial change in the card flip system is
 
 
      collecting and storing the employee's low resolution photo and so on
 
      KEO has reduced the retention time of the photo to one month in contrast to others
 
      data which need to be retained for a longer period of time… "
 
 
14.3. In the Impact Assessment carried out by the Defendant, on pages 5
and 6, in the paragraph entitled STEP 4: Proportionality and Necessity Assessment, it is stated that:
 
 
      «1. Time recorders are necessary for the Company to be able to perform the
 
      contract with its employees and for the protection of its legal interest or
 
 
      third. Given the conditions of the Company there seems to be no other way
 
      processing with which the Company can adequately monitor and evaluate the
 
      observing working hours and detecting any disciplinary violations. It is noted that
 
      in the past there have been incidents where people have beaten another colleague's card. In every
 
      In this case, we consider that only the data are collected and stored through the devices
 
 
      which are necessary to serve the stated purposes ".
 
 
14.4. In addition, in the letter of the Defendant's lawyer dated 11/18/2019, on page 3,
it is stated that:

      "We also consider it appropriate to refer to Opinion 2/2018 issued by the
 
      Office of the Personal Data Protection Commissioner pursuant to Article 58 (3) (b)
 
 
      of the General Regulation on Data Protection (Regulation (EU) 2016/679) on Video
 
      workplace monitoring and the use of biometric systems. Although the
 
      This case does not concern video surveillance and the use of biometric systems but
 
      concerns collection of low resolution photo of the employee we consider appropriate to
 
      refer by analogy to the following reference contained in this document: “As ex
 
 
      therefore, the use of biometric systems (facial recognition or
 
      fingerprinting) by employers, for arrival time control purposes and
 
      departure of employees to their place of work is prohibited. The controller
 
      must choose other means less intrusive / burdensome to human dignity than
 
      what the collection and use of fingerprints entails. As such means are for
 
 
      For example, the card ticking system, frequent / unannounced checks by
 
      Manager / Head in the card system, the presence of a supervisor in the area where
 
      the system works or alternatively the placement of a surveillance camera over it
 
      card machine ”. Therefore, we consider the collection and processing of the photo low
 
 
      analysis of the employee in conjunction with the card machine as a whole as it is
 
      implemented by our customers, can not be considered an excessive measure (in contrast
 
      for example with a surveillance camera that would continuously videotape the specifics
 
      points and would not be limited to the moments when an employee beats his card) to
 
      achievement of the above mentioned objectives of KEO. This measure is therefore consistent with
 
 
      provisions of the General Regulation on Data Protection… ".
 
14.5. In addition, in the letter dated 14/2/2020, the lawyer of the Defendant states that:
 
 
      … Or our customers want to clarify that the low resolution photo is related
 
 
      with this system is not a biometric data. In other words, it does not collect this system
 
      biometric features which are unique, measurable, physical features which
 
      are used to identify an individual. It is therefore not considered
 
      other ways need to be found as the system used is not a system
 
      collection and processing of biometric data… ".
 
 
14.6. All of the above references contained in the Impact Assessment and in the letters of the
Defendant's lawyer explain that taking a low-resolution photo
was the only practical solution to serve the purposes pursued by the
Defendant. I do not rule out that, in some cases, taking a photo or video
when the card is punched, as I mention in Directive 2/2018, may be mandatory.
However, in such cases, under the Accountability Principle, the employer should be
able to prove that there is no other less intrusive way to achieve the
intended purpose, namely the effective control of employees.
 
 
14.7. In the present case, the Defendant has not substantiated, nor has it emerged at
any stage, that other ways and measures were applied by it, e.g.
frequent / unannounced checks by the Manager / Head on the card system, the presence of a
supervisor in the area where the system operates or even a camera which would focus on the hands of
employees at the time they punch the card and not on the face, and were judged
ineffective or inadequate or insufficient, so as to confirm the choice of the
low resolution photograph as the most appropriate measure to serve the purposes the
Defendant seeks. In the context of employment, the measures for monitoring
the employee's behavior should be proportionate to the
risks faced and implemented in the least intrusive way.
 
 
14.8. Therefore, in relation to question (a) that I pose in paragraph 11 above, the position of the Defendant that
the installation of a camera in order to take a low resolution photo of the data subject
(employee), so as to verify that the employee who punches the card is its holder and
not a third party, as a control measure, complies with the Data Minimization Principle
is rejected, as the Defendant did not take or consider any other less intrusive measures
before the application of this measure.
 
 
15. As regards question 13 (b), I take note of the following:
 
 
15.1. In the Impact Assessment carried out by the Defendant on page 2,
 
in the paragraph entitled Nature of Processing, it is stated that:
 
 
      "… The data in relation to the employee card number, time and date of entry and
 
 
      exit to the workplace may be maintained for a period of up to seven (7) years from
 
      date of their collection unless legal proceedings and / or a contractual dispute are pending where
 
      the data will be stored for a longer period for purposes of recommendation, exercise and
 
      advocacy νομ »
 
 
15.2. On page 5 of the same Impact Assessment, in the section entitled STEP 3: Advisory
 
Consultation process, it is stated that:
 
 
      "The advice of the data subjects was not sought, nor of their representatives
 
      as well as recording and managing time data has always existed as part of it
 
 
      Personnel Management… ».
 
 
15.3. Additionally, on page 7 of the same Impact Assessment, in the section entitled STEP 4:
 
Proportionality and Necessity Assessment states that:
 
 
      «7. The remaining data was considered appropriate, at least at this stage, to be retained
 
      for a period of 7 years having regard to the limitation periods applicable to the breach
 
      contractual relationship under Cypriot law. As explained below the question of time
 
      will be re-evaluated in the near future and in particular after the appointment of a DPO ".
 
 
15.4. In the letter of the Defendant's lawyer dated 18/11/2019, on page 3,
it is stated that:
 
      ". As for the retention of the remaining data, the retention period is at present
 
 
      stage is set at 7 years taking into account the limitation periods applicable under it
 
      Cypriot law regarding contractual disputes. But as explained in the Report
 
      Impact (Annex C) this issue will be re-evaluated and amended if deemed appropriate
 
      necessary. We also note that the range of data retained is limited
 
 
      in what is absolutely necessary, ie in the data concerning the employee card number, the
 
      date / time of entry / exit and low resolution photo of the employee.
 
      In addition, we note that, as explained in Annex C, access has been restricted
 
      in the specific data… »
 
 
15.5. In addition, in the letter dated 14/2/2020, the lawyer of the Defendant states that:
 
 
      "… Regarding the retention of data concerning the time and date of entry and
 
      exit to the workplace, it is noted that the retention period is at this stage
 
      determined at 7 years taking into account the limitation periods based on the Cyprus problem
 
 
      Law regarding contractual disputes (6 years) and civil offenses (3 years). Of those
 
      we realize it is possible in relation to an employee to arise litigation
 
      disputes concerning matters for which the statute of limitations period
 
      according to Cypriot Law amounts to 6 years. Input details are possible and
 
      to be relevant evidence in such cases. That is, in relation to one
 
 
      an employee other than those listed in
 
      jurisdiction of the Labor Disputes Tribunal for which the limitation period is
 
      smaller. It is for this reason that we have advised our customers as they maintain such
 
      data for a period of 7 years except of course in cases where a case arises and
 
      such information should, if relevant, be kept for as long as the trial is pending.
 
 
      Finally, on this issue, we consider that objectively speaking the maintenance of such
 
      data for 7 years is not an excessive period as the data containing the time
 
      entry and exit to the workplace is not of such a nature as to create serious
 
      danger to the rights and freedoms of subjects (emphasis added).
 
      But at the same time we remain at your disposal to discuss and adapt
 
 
      depending on this detail in the future as the system has only recently been put into
 
      application…".
 
 
15.6. In summary, the Defendant claims that retaining the data of its employees
for a period of seven (7) years is absolutely necessary because an actionable right
may arise between the Defendant and its employees, for which Law 66 (I) / 2012, as amended, provides
limitation periods of six (6) years for contracts and three (3) years for civil offenses. By contrast,
the Complainants' lawyers argue that any dispute between the Defendant and
its employees will be of a labor nature and will have to be resolved before the Labor
Disputes Tribunal, in accordance with the provisions of article 12 (10A) of Law 8/1967, as
amended, which, inter alia, provides that: "An application to the Labor Disputes Tribunal
shall be submitted within twelve months from the date on which the right to apply arose
or within nine months of the response of the Fund for redundant staff".
 
 
15.7. I am of the opinion that both positions are flawed, because neither Law 66 (I) / 2012 nor Law 8/1967
constitutes a legal basis for determining the storage period of the data in question. Both
Laws provide for periods during which the respective rights can be exercised; however, they
do not, at the same time, create an obligation to retain certain data in order to exercise those
rights. After all, if I accepted the position that these Laws could constitute a
criterion for determining the storage time of the data in question, I would reach the
paradoxical conclusion that all the data collected by all processors
falling within the scope of the GDPR should be stored for periods similar to those
provided for in their national laws for the settlement of labor and civil disputes, respectively,
which would circumvent both the letter and the spirit of the GDPR.
 
 
15.8. The data in question, i.e. the employee card number and the date and time of entry / exit
of each employee, are stored in the system installed by the Defendant for
specific purposes, namely the control of working hours and payroll and, on the basis of
the Storage Limitation Principle, the only factor / criterion for determining the period of
their storage, in a form that allows the identification of employees, must be the time
required to fulfill these purposes. Storing them for longer periods
can only be done for archiving purposes in the public interest, for scientific
or historical research purposes or for statistical purposes. In this case, these purposes are not
applicable or, at least, the Defendant has not raised them before me. Hence the position of the
Defendant that storing the data of its employees for a period of seven (7) years is
absolutely necessary is rejected.
 
 
16. Furthermore, it should be borne in mind that the decisions of the Defendant to install the
low resolution camera and to keep the data of its employees for a period of
seven (7) years were taken without prior consultation with the staff or
their trade unions.
 
 
16.1. The Defendant's lawyer states, in the impact assessment he sent, that
the advice of neither the employees nor their representatives was sought, as the recording and
management of time data has always existed as part of Personnel Management. The fact that the
Defendant previously collected and retained data without justifying the time
does not mean that it can continue to do so; it could,
in the context of this system upgrade, have consulted with the stakeholders
so as to correct any distortions of the past.
 
 
16.2. Apart from the fact that, pursuant to Article 35 (9) of the GDPR, it would have been appropriate for the Defendant,
during the preparation of the impact assessment, to seek the views of its employees or their representatives
on the measures it intended to take, this was also required by the Principle of Transparency.
 
16.3. For transparency purposes, the participation of employee representatives (e.g.
trade unions) is necessary during the discussions that take place before measures are taken involving the
control and / or supervision of staff through the processing of their personal data.
Relevant is the following excerpt from the Opinion of the Article 29 Working Party, "Opinion
2/2017 on data processing at work":
 
 
      «6.3 Transparency
 
      Effective communication should be provided to employees concerning any monitoring that takes
 
 
      place, the purposes for this monitoring and the circumstances, as well as possibilities for employees
 
      to prevent their data being captured by monitoring technologies. Policies and rules concerning
 
      legitimate monitoring must be clear and readily accessible. The Working Party recommends
 
      involving a representative sample of employees in the creation and evaluation of such rules and
 
      policies as most monitoring has the potential to infringe on the private lives of employees. ».
 
 
D. Conclusion:
 
 
17. In the light of the above and exercising the powers conferred upon me by the provisions of Article
58 (1) (d), I inform the Defendant that:
 
17.1. In relation to question (a) that I pose in par. 13 above, the installation of a camera by
the Defendant in order to take a low resolution photo of the data subject (employee),
so as to verify that the employee who punches the card is its holder and not a third party, as
a control measure, without having taken or considered other less intrusive measures
before the implementation of this measure, violates the Data Minimization Principle
and therefore cannot be accepted.
 
17.2. In relation to question (b) that I pose in par. 13 above, the retention of the
entry / exit data of employees (employee card number, date and time of entry / exit) for a
period of seven (7) years, for the purposes of exercising legal rights, violates the
Storage Limitation Principle.
 
 
17.3. Pursuant to Article 58 (2) of the GDPR, I have the power to impose an administrative sanction for the
above violations, which includes the possibility of imposing an administrative fine on the basis of
Article 83 thereof. However, considering:

      (a) all the factors set out in Article 83 (2) of the GDPR,

      (b) that, at all stages of the examination of this complaint, the Defendant
      cooperated with my Office,

      (c) that the case could have been avoided if the Defendant had consulted
      its employees or their representatives on the measures taken,

      (d) that the Defendant has taken several measures to comply with the GDPR, in particular as
      concerns the obligation to inform its employees and

exercising the powers conferred on me by the provisions of Article 58 (2) (d) of the GDPR, I consider it
more appropriate, in the first phase, to give the Defendant the following order:

      (a) to suspend the installation of the upgraded card system that
      includes the installation of the camera, to destroy the material collected, if any has
      been captured, and to inform my Office of its actions and

      (b) to choose through transparent procedures, with the participation of the representatives of its
      employees, differentiated measures / solutions that are appropriate and sufficient and
      that ensure guarantees of legality, transparency, preservation, proportionality and
      security of personal data and as a draft of the en
      due procedures until 4/12/2020.
 
 
17.4. In case the Defendant does not comply with the above order within the
above deadlines, I will consider the need for stricter administrative measures
against it.
 
 
Irene Loizidou - Nikolaidou
Commissioner for Personal Data Protection

</pre>
 
</pre>
