Commissioner (Cyprus) - 11.17.001.007.220

From GDPRhub
Revision as of 22:29, 4 November 2020 by Panayotis.Yannakas (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Cyprus |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoCY.jpg |DPA_Abbrevation=Comissioner |DPA_With_Country=Comissioner (Cyprus) |Case_N...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Comissioner - 11.17.001.007.220
LogoCY.jpg
Authority: Comissioner (Cyprus)
Jurisdiction: Cyprus
Relevant Law: Article 7(4) GDPR
Article 35(9) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 06.08.2020
Published: 22.10.2020
Fine: None
Parties: ΚΕΟ PLC
National Case Number/Name: 11.17.001.007.220
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: Office of the Commissioner for Personal Data Protection (in EL)
Initial Contributor: Panayotis Yannakas

A Company decides to modernise their employee time tracking system. Among other features, the new swipe-card terminal included a camera too. Cypriot DPA decided and asked that the Company shall suspended the new ERP system, due to lack of compatibility with General Personal Data Regulation.

English Summary

Facts

KEO PLC decided to upgrade their ERP system, which upgrade was related with the module of recording when an employee started and ended their swift work. Until then, the card-swipe terminal only recorded an id number, as well as arriving and departing time, to and from the premises of the Company.

The new terminal included a tiny camera as a measure of the employees who swiped the cards of their colleagues too. Grounded on the concerns of the principle of proportionality, the right of privacy, as well as the right of public life, two trade unions submit a complaint against KEO PLC and before the Cypriot DPA.

Dispute

The main questioning was if the particular data-processing is reasonable and consist a minimised processing under the meaning of what is absolutely necessary in order to achieve the aim pursued.

Starting with complainers, they argued on an enlarged general line of argument and points of law. Firstly, claimed on the poor accompanying documentation for the impending upgrade system, including the privacy policy and specific information on the changes between the old and new ERP system. Secondly, they were of the opinion that before any changes, the Company should have sought for less intrusive methods of employee time tracking. Thirdly, complainers stated that the resolution of the camera is irrelevant; it’s enough the produced data concerning an identifiable natural person.

KEO Public Company alleges that upon receiving legal advice, they expanded the duration of processing and storage of these data which are tracked, inputted to or created by the new terminal. KEO’s intension of that change was the harmonisation with the limitation period for bringing an action to the court. Also, the KEO Public Company claimed that under the GDPR, there is no right which a trade union can exercise. They thought that the justiciability of GDPR is limited only limited to the natural persons who are the direct possess of the personal data.

Holding

Cypriot DPA totally dismisses the argument of the duration of storage of personal should be linked with the time-barred which someone is allowed to brings an action to the court. The DPA commented that if any other law could set a minimum duration for the storage of personal data, then the letter and the spirit of GDPR would be overlooked. The only eligible criteria shall satisfy the initial reason for collecting these personal data, which in the present case was ensuring that employees do not violate their employment contract.

The DPA hold that the Company could milder adopted measures of getting control over contravened the traditional swipe-card tracking system. Otherwise, the Company at least should had asked for the employees (or the representer of them) for their opinion and/or for their suggestion. Asking of the personal-data’s subject opinion is also a requirement of the Cypriot. For example, Article 35(9) of GDPR provides the possibility that impact assessment may include such an investigation.

The Cypriot DPA considered Article 7(4), which refers to a clear and explicit consent. As a more in-depth insight, we can state that if the consent gained through the performance of a service or other contract, the examination of the necessity of the personal data processing is an inseparable criterion. Due to an employment contract, the employer shall be considered hold a dominant position and any such consent de fact can be characterised explicitly agreement.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.