HDPA (Greece) - 6/2024

From GDPRhub
HDPA - 6/2024
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 4(7) GDPR
Article 5(1) GDPR
Article 5(2) GDPR
Article 12(1) GDPR
Article 13 GDPR
Type: Complaint
Outcome: Upheld
Started: 23.07.2022
Decided: 10.01.2024
Published: 16.02.2024
Fine: 2.000 EUR
Parties: n/a
National Case Number/Name: 6/2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: Hellenic Data Protection Authority (in EL)
Initial Contributor: Nikolaos.Konstantis

The DPA fined a controller €2,000 for illegally using geolocation data of their employee outside the latter’s working hours.

English Summary

Facts

The data subject was called on the phone by his employer ("controller") during their regular leave. The controller used the data from the geolocation system installed in the company car because the data subject did not answer their phone calls for 3 times. The controller declared that they were concerned for the employee's health due to a previous accident.

The data subject lodged a complaint with the Hellenic DPA ("HDPA") considering that this processing was illegal and that he was not given clear information regarding the use of this geolocation data.

The controller argued that the use of the car had been granted to the data subject for meeting official needs and only within working hours. The controller brought to the attention of the DPA the actions it took after the incident was reported, in order to exclude any possible future misuse of the tracking systems in question. These actions included the installation of new geolocation systems, with the ability to be disabled by users, the designation of a responsible operator, the updating of the user instructions and the drafting of new installation and operation notification documents.

Holding

The DPA held that the company failed to comply with Article 5(1) GDPR as they processed the data subject's personal data illegally, due to the use of his vehicule tracking outside of working hours and for the purpose of locating the data subject for the lack of legal basis.

The DPA also found a breach of Article 12 and 13 GDPR as the controller gave incomplete information regarding the function of the system installed in the vehicule, as well as the fact that he was not entitled to use it outside of working hours.

The HDPA therefore imposed a €2,000 fine on the controller.

Comment

Comment from the initial contributor: The DPA took into account the Opinion 2/2017 of the Article 29 Working Party, according to which "there is likely to be no legal basis for monitoring the location of employees' vehicles outside of agreed working hours. However, if such a need exists, a use that is commensurate with the risks should be considered. For example, this could mean that, to prevent vehicle theft, the location of the vehicle is not recorded outside of working hours, unless the vehicle leaves a wider location (region or even country). In addition, the location will only be displayed in emergency situations – the employer activates location visibility, accessing data already stored by the system, when the vehicle leaves a pre-defined area.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

DECISION 6/2024 (Department) The Personal Data Protection Authority convened, upon the invitation of its President, in a regular meeting in the composition of the Department at its headquarters on 10/01/2024, in order to examine the case referred to in the history of this . The meeting was attended by teleconference by Georgios Batzalexis, Deputy President, in opposition to the President of the Authority, Konstantinos Menoudakos, and was attended by the alternate member Georgios Kontis, as rapporteur, as well as the alternate members Demosthenes Vougioukas and Maria Psalla, in place of the regular members Konstantinos Lambrinoudakis and Grigorio Tsolia who did not attend due to disability although they were legally summoned in writing. The meeting was attended, by order of the President without the right to vote, Georgia Panagopoulou, specialist scientist - auditor as assistant rapporteur and Irini Papageorgopoulou, employee of the Authority's administrative affairs department, as secretary. The Authority took into account the following: With the no. prot. C/EIS/9056/23-07-2022 his complaint, A (hereinafter the complainant), is directed against the company "X", (hereinafter the complainant). According to the complaint, the complainant was an employee of the complainant in the position of employee-salesperson and complains of illegal processing of his personal data through the geolocation system operating in a vehicle provided to him by the complainant. More specifically, he states that during his regular leave he was called by the complainant at 1-3 Kifisias Ave., 11523 Athens T: 210 6475 600 E: contact@dpa.gr www.dpa.gr and he did not answer the calls calls. The complainant's sales manager used the data from the geolocation system installed in the company car and appeared at the supermarket where the complainant had gone shopping. He states in the complaint that the installation and updating of the geolocation system in the car had taken place two weeks before. The Authority sent the complainant with no. prot. C/EXE/2101/24-08-
2022 document with which it informed about the content of the submitted complaint and invited her to submit in writing her views on the complaint, with special reference to the issues of informing employees and operating the system outside of working hours. The company with no. prot. C/EIS/10069/13-09-2022 replied that he had properly informed the complainant about the geolocation system and that the vehicle was not allowed to be used out of hours. The alleged use of the geolocation system was made because the complainant did not answer their phone calls for three days, and there was concern for the employee's health due to a previous health incident. Then the Authority, in order to complete the examination of the case, called with no. prot. C/EXE/2800/07-11-2022, C/EXE/2737/31-10-
2022 documents, the complainant and the complained company, respectively, at the meeting of the Department on 16/11/2022. At the meeting of 11/16/2022, A, and on behalf of company "X" Theodoros Sidiropoulos with AMDS ..., and George A. Kastritseas with AMDS ... attended the meeting via video conference. During the hearing the parties developed their views and were given a deadline to submit a memorandum. Subsequently, the complainant filed the no. prot. C/EIS/12031/24-11-2022 her memorandum, while the complainant did not file a memorandum. During the hearing, the complainant repeated what was stated in his complaint. The accused, both during the hearing and with the from with 2 no. prot. C/EIS/12031/24-11-2022 her memorandum argued that since the use of the car that had been granted to the complainant referred to the coverage of official and only needs within working hours, there was no technical possibility of deactivating the geolocation system in question car. He states that the complainant was informed about the installation of the GPS system in question with the letter of 12/07/2022, which is attached to the memorandum. The memorandum also mentions the actions taken by the complainant after reporting the incident, in order to exclude any possible future misuse of the above geolocation systems: 1. The existing geolocation systems were removed so that new ones were installed, which will allow the disabling them by their users. 2. The manager-legal representative of the company was designated as the responsible operator of the geolocation systems, given that the alleged act committed by the defendant against the complainant was done without the knowledge of the complainant and without any prior advice. 3. The instructions for the use of the geolocation system by its users were updated and 4. New documents were drawn up informing the users of the installation and operation of the system, where they are informed about a) the purposes for which they were installed and operate and regarding b) the retention time of the data collected per day through the above geolocation systems and c) the rights of the users. The Authority, after examining the elements of the file and after hearing the rapporteur and the clarifications from the assistant rapporteur, who was present without the right to vote, after a thorough discussion, DECIDED IN ACCORDANCE WITH THE LAW 1. From the provisions of articles 51 and 55 of General Data Protection Regulation (Regulation (EU) 2016/679 - hereinafter, GDPR) and Article 9 of Law 4624/2019 (Government Gazette A΄ 137) it follows that the Authority has the authority to supervise the implementation of the provisions of the GDPR, this law and other regulations that 3 concern the protection of the individual from the processing of personal data. In particular, from the provisions of articles 57 par. 1 item f of the GDPR and 13 par. 1 item g΄ of Law 4624/2019 it follows that the Authority has the authority to take charge of the complainant's complaint against the complainant and to exercise, respectively, the powers granted to it by the provisions of Articles 58 of the GDPR and 15 of Law 4624/2019. 2. Article 5 par. 1 of the General Regulation (EU) 2016/679 for the protection of natural persons against the processing of personal data (hereinafter GDPR) sets out the principles that must govern a processing. According to article 5 par. 1 a) and f) GDPR "1. Personal data: a) are processed lawfully and legitimately in a transparent manner in relation to the data subject ("legality, objectivity and transparency"), [...] f) are processed in a way that guarantees appropriate data security of a personal nature, including their protection from unauthorized or illegal processing and accidental loss, destruction or damage, by using appropriate technical or organizational measures ("integrity and confidentiality")", while as pointed out in the Preamble of the Regulation, "The data personal data should be processed in a way that ensures the appropriate protection and confidentiality of personal data, including to prevent any unauthorized access to such personal data and the equipment used to process it or the use thereof of the personal data and the equipment in question" (App. Sk. 39 in fine). Furthermore, according to the principle of accountability which is expressly defined in the second paragraph of the same article and constitutes a cornerstone of the GDPR, the data controller "bears the responsibility and is able to demonstrate compliance with paragraph 1 ("accountability")". This principle entails the obligation of the controller to be able to demonstrate compliance with the principles of art. 5 par. 1. 4 3. Because according to the provisions of article 4 par. 7) GDPR, as controller means "the natural or legal person, public authority, agency or other entity that, alone or jointly with others, determines the purposes and manner of processing personal data; when the purposes and manner of such processing are determined by Union law or the law of a Member State, the controller or the specific criteria for his appointment may be provided for by Union law or the law of a Member State". According to the EDPS Guidelines 07/2020 regarding concepts, any processing of personal data carried out by employees in the field of activities of an organization can be considered to be carried out under the control of that organization. Employees who have access to personal data within an organization are generally not considered "controllers" or "processors", but "persons acting under the supervision of the controller or processor" within the meaning of Art. 29 of the GDPR, therefore in this case the complainant is the data controller. 4. Regarding the transparency of processing, Article 12 para. 1 GDPR states that: "The controller shall take the appropriate measures to provide the data subject with any information referred to in Articles 13 and 14 and any communication in the context of Articles 15 to 22 and of article 34 regarding the processing in a concise, transparent, understandable and easily accessible form, using clear and simple wording, especially when it comes to information addressed specifically to children. The information is provided in writing or by other means, including, if appropriate, electronically. When requested by the data subject, the information may be given orally, provided that the identity of the data subject is proven by other means.' Mandatory information provided is provided for in Article 13 GDPR for the case where the data is collected by the subject and in Article 14 GDPR for the case where the data has not been collected by the subject. In particular, this information includes at least "a) the identity and contact details of the data controller and, where applicable, of his representative, b) the contact details of the data protection officer, where applicable, c) the purposes of the processing for the for which the personal data are intended, as well as the legal basis for the processing, d) the relevant categories of personal data, e) the recipients or categories of recipients of the personal data, f) as the case may be, that the data controller intends to transmit personal data to a recipient in a third country or international organization and related information, g) the period for which the data will be stored, or, if this is impossible, the criteria that determine said period, h) information about the rights of the subject according to articles 15-22 GDPR. As long as the data has not been collected by the subject, in accordance with article 14 par. 2 sec. f) GDPR, it is required to provide the data subject as information "the source from which the personal data originates and, as the case may be, whether the data originated from sources to which the public has access". The information is provided either at the time of collection of the data, when this is done by the subject (Article 13 GDPR) or within the time period defined in par. 3 of Article 14 GDPR, in the event that the data has not been collected by the subject.
5. In Opinion 2/2017 of the Article 29 Working Group on processing
data at work1
, paragraph 5.7 states that due to
sensitive nature of location data, there is unlikely to be a legal
basis for tracking the location of employees' vehicles outside of it
agreed working hours. However, if there is such a need, you should
to consider use that will be proportionate to the risks. For example, this will
could mean that, to prevent vehicle theft, its location
vehicle is not recorded outside working hours, unless the vehicle
leave a wider location (region or even country). Furthermore, the
https://www.dpa.gr/el/enimerwtiko/thematikes_enotites/eidikoiskopoi/ergasiakess
xeseis/sxetika_eur
1
6
location will only be displayed in emergency situations – the employer
enables location visibility by accessing data they already have
stored by the system when the vehicle exits a predetermined
area.
6. The complainant, as controller for his location data
employee's vehicle must be able to demonstrate compliance
with the principles of art. 5 par. 1 of the GDPR, observing the appropriate provision
documentation. The Authority did not check this documentation, but examined it
contained in said complaint concerning the specific use of
given these in the specific incident.
7. From the facts presented above it follows that an employee
of the complainant made use of his geolocation data
vehicle apparently outside working hours, since the complainant was in
lawful license for the purpose of locating the place where the complainant was, such as
evidenced by the fact that said employee appeared in that position.
8. Therefore, the Authority finds the following violations on its part
complainant, as controller:
a) illegal processing of the complainant's personal data, due to
of the use of his vehicle tracking data outside of working hours and
for the purpose of locating the complainant.
b) incomplete information of the complainant, in violation of articles 5 par. 1 sec.
a and of articles 12 and 13 and 5 par. 2 sec. b of the GDPR, regarding the function
of the system installed in the vehicle granted to him,
notwithstanding that he was not entitled to use it outside working hours,
a fact that the complainant admitted and took corrective actions
henceforth.
9. Based on the above, the Authority considers that there is a case to exercise the v
the article 58 par. 2 of the GDPR corrective powers in relation to
found violations and that should, based on the circumstances that
7
were established, to impose, pursuant to the provision of article 58 par. 2 sec.
i of the GDPR, effective, proportionate and dissuasive administrative money
fine according to article 83 of the GDPR, both to restore compliance, as
and for the punishment of unlawful conduct. Furthermore, the Authority took into account
the criteria for measuring the fine defined in article 83 par. 2 of the GDPR,
paragraph 5 sec. a' of the same article that applies to the present
case, the Guidelines for implementation and determination
administrative fines for the purposes of Regulation 2016/679 issued
on 03-10-2017 by the Article 29 Working Group (WP 253) and
Guidelines 04/2022 of the European Protection Board
Data for the calculation of administrative fines under the General
Regulation, as well as the actual data of the case under consideration and
in particular the criteria listed below.
a) that the violation of the legality of the processing falls under the provision of par.
5 of article 83 GDPR,
b) that the incident appears to be isolated, as it has not been imposed by
the Authority sanctioning the accused for a similar violation in the past,
c) that the breach directly affected a data subject;
d) that the violation is due to an individual action of an employee,
FOR THOSE REASONS
THE BEGINNING
A. It imposes, on "X" as controller, based on article 58 par. 2 sec.
i) of the GDPR, an administrative fine of two thousand (€2,000) euros, for the
established violation of the principles of the legality of the processing according to art
5 par. 1 a) of the GDPR.
B. Addresses, based on article by article 58 par. 2 item II GDPR, reprimand, at
"X", as controller for the incomplete information in violation of
of articles 5 par. 1 sec. a and of articles 12 and 13 and 5 par. 2 sec. b of the GDPR.
8
The President The Secretary
Georgios Batzalexis Irini Papageorgopoulou