Commissioner - 11.17.001.007.220
|Commissioner - 11.17.001.007.220|
|Relevant Law:||Article 7(4) GDPR|
Article 35(9) GDPR
|National Case Number/Name:||11.17.001.007.220|
|European Case Law Identifier:||n/a|
|Original Source:||Office of the Commissioner for Personal Data Protection (in EL)|
|Initial Contributor:||Panayotis Yannakas|
The Cypriot DPA (Commissioner) asked the company KEO PLC to suspend their new employee time tracking system, due to a lack of compatibility with Article 7(4) and Article 35(9) GDPR.
KEO PLC decided to upgrade their ERP system, which upgrade was related with the module of recording when an employee started and ended their swift work. Until then, the card-swipe terminal only recorded an id number, as well as arriving and departing time, to and from the premises of the Company.
The new terminal included a tiny camera as a measure of the employees who swiped the cards of their colleagues too. Grounded on the concerns of the principle of proportionality, the right of privacy, as well as the right of public life, two trade unions submit a complaint against KEO PLC and before the Cypriot DPA.
The main questioning was if the particular data-processing is reasonable and consist a minimised processing under the meaning of what is absolutely necessary in order to achieve the aim pursued.
KEO Public Company alleges that upon receiving legal advice, they expanded the duration of processing and storage of these data which are tracked, inputted to or created by the new terminal. KEO’s intension of that change was the harmonisation with the limitation period for bringing an action to the court. Also, the KEO Public Company claimed that under the GDPR, there is no right which a trade union can exercise. They thought that the justiciability of GDPR is limited only limited to the natural persons who are the direct possess of the personal data.
Cypriot DPA totally dismisses the argument of the duration of storage of personal should be linked with the time-barred which someone is allowed to brings an action to the court. The DPA commented that if any other law could set a minimum duration for the storage of personal data, then the letter and the spirit of GDPR would be overlooked. The only eligible criteria shall satisfy the initial reason for collecting these personal data, which in the present case was ensuring that employees do not violate their employment contract.
The DPA hold that the Company could milder adopted measures of getting control over contravened the traditional swipe-card tracking system. Otherwise, the Company at least should had asked for the employees (or the representer of them) for their opinion and/or for their suggestion. Asking of the personal-data’s subject opinion is also a requirement of the Cypriot. For example, Article 35(9) of GDPR provides the possibility that impact assessment may include such an investigation.
The Cypriot DPA considered Article 7(4), which refers to a clear and explicit consent. As a more in-depth insight, we can state that if the consent gained through the performance of a service or other contract, the examination of the necessity of the personal data processing is an inseparable criterion. Due to an employment contract, the employer shall be considered hold a dominant position and any such consent de fact can be characterised explicitly agreement.
Share your comments here!
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.