HDPA (Greece) - 12/2021

From GDPRhub
Revision as of 09:51, 12 May 2021 by RRA (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
HDPA (Greece) - 12/2021
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(c) GDPR
Article 6(1)(f) GDPR
Article 58(2)(g) GDPR
Article 83(2) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 17.02.2021
Published: 07.04.2021
Fine: 2000 EUR
Parties: «Ιγνατιάδης Νικόλαος και ΣΙΑ Ε.Ε.»
National Case Number/Name: 12/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: n/a

The Greek DPA fined a controller €2000 for violating employees' rights by using a surveillance camera at its premises without a legal basis, and in violation of the principle of data minimisation.

English Summary

Facts

The complainant made a complaint at the Greek DPA for the implementation of a security camera in his work place. The complainant stated that the camera was focused at his office and was used for surveillance purposes and not for security reasons. The company stated that the camera wasn't focused on the employee's office but was watching the all space especially the entrance of the premises. The DPA requested from the company to provide the documentation that could prove that the camera was not focuses on the complainant's office.

Dispute

Was the use of the camera lawful under articles 5 and 6 GDPR?

Holding

The DPA held that the use of the camera by the Company cannot be justified in the light of the principle of proportionality. The camera was not focused only on the entrance of the premises but instead it was watching as well the employee's offices, violating the principle of data minimization of the GDPR. Additionally the fact that the director of the company was able to watch in real time at any time the images taken form the camera, could not justify the necessity and emergence of having a surveillance camera for security reasons. based on these facts the DPA imposed a fine of 2000€ to the company for violating articles 5(1)(c) and 6(1) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

                                                             Athens, 07-04-2021
                                                              No. Prot.1023


                              DECISION 12/2021

                                   (Department)




     The Personal Data Protection Authority met at

Composition of the Department via video conference on 17-02-2021 at 10:00, after

invitation of its President to consider the case

refers to the history hereof. Presented by George Batzalexis,

Deputy Chairman, disabled by the President of the Authority Konstantinos

Menoudakou, and the alternate members Grigorios Tsolias and Evangelos

Papakonstantinou, as rapporteur, replacing the regular members

Charalambou Anthopoulos and Konstantinos Lambrinoudakis respectively, who,

although they were legally summoned in writing, they did not attend due to obstruction. The regular

member Spyridon Vlachopoulos, although legally summoned in writing, did not attend

due to obstruction. The meeting was attended by George, chaired by the President
Roussopoulos, Specialist Scientist-Auditor as Assistant Rapporteur and Irini

Papageorgopoulou, employee of the Administrative Affairs Department of the Authority,

as secretary.




     The Authority took into account the following:




     With the number prot. Γ / ΕΙΣ / 4943 / 12-07-2019the complaint of Support

to the Authority that from July 2018, "Ignatiadis Nikolaos and SIAEE." (hereinafter

and "Editor") installed a camera inside its offices


                                                                             1

1-3 Kifissias Ave., 11523 Athens
T: 210 6475 600 • E: contact@dpa.gr • www.dpa.gr business, which focused on his workplace. He even reports an incident

from which it appears that said camera was used to control ki

not for security purposes. The complainant claims that he objected
first after installing the camera orally and then

in writing with his out-of-court letter dated 22/02/2019.


     The complaining company was informed about the complaint with the no.
prot. C / EX / 4943-1 / 09-08-2019 document of the Authority, with which it was exposed

summarize the applicable institutional framework. With this document the company

was invited to submit to the Authority its views on both its legitimacy

operation of the video surveillance system as well as for the exercise of

rights of the complainant as a data subject.

     The company responded with the document number G / EIS / 6706 / 04-10-2019

stating, among other things, that the camera has been positioned so that it has

general view of the space focusing on the entrance of its offices so that it has

knowledge of who enters its premises. He states that the camera has
placed for safety reasons and not for employee surveillance, as in

accounting work, payments of money and securities, while the

area is burdened with property offenses. Its owner

company is located in an office from which it has no visual contact with the entrance

of the office. He also mentions that, in the past, he had an office associate
fall victim to theft, but without providing evidence to that effect. As for him

complainant, claims that he had not complained about the camera, which

he knew, while he did so only after his appeals to the Labor Inspectorate for

other issues did not work for him.

     The Authority with its latest document (with reference number C / EX / 6706-1 / 14-10-2019)

asked the company to clarify its answer on the basics

technical characteristics related to the operation of the system

video surveillance. Specifically, it was requested: a) to determine in which space it has

the control unit is installed, b) if there is a possibility of remote
internet access and surveillance and for which users, c) and with whom

thus ensuring that access to camera images is restricted only


                                                                              2suitable for authorized persons. Finally, to clarify the scope

of the camera, it was requested to provide a sample image, in electronic form and

at the highest possible resolution based on the characteristics of the device, so that
the supervised space emerges.


     The complaining company replied to the Authority with reference number.

Γ / ΕΙΣ / 7347 / 28-10-2019 its document, while following the reference number Γ / ΕΞ / 7347-
1 / 15-11-2019 document of the Authority provided a detailed sample image from

internal memory of the camera and from the mobile phone of its owner, meto

document no. G / EIS / 8057 / 21-11-2019. With these documents

states that the system does not have a logger, but transmits an image

exclusively on the cell phone of the company owner, who is the only one

can see the images via password. Access is also guaranteed due
of the fact that a legal representative of the company is connected to the internet by

separate internet supply line. The camera has minimal capability

not used in internal memory. From the

specifications of the equipment provided by the complainant company

It turns out that an innovator HD smart WiFi camera is used, while the
used memory card has a capacity of 16Gb. μο

submitted camera manual, can capture video in resolution

720p, has a built-in microphone and speaker, has control software

for both smartphones and PCs with Windows operating system.

     Following the above, the Authority proceeded to call the company for

section meeting, initially with reference number C / EX / 1806 / 09-03-2020

its document for 18-03-2020 and after the postponement of the meeting, for 15-

07-2020, with its document no. G / EX / 4486 / 29-06-2020.

company was informed that during the examination of the case the
legality of the operation of the video surveillance system on the premises

and that it must provide any document documenting the

compliance with the principles governing the lawful processing of data

personal.

     At the meeting of 15-07-2020, the complained company was present, through B.


                                                                            3 and the attorney Konstantinos Vervesos, while after receiving

deadline for submission by prot.pr / EIS / 5313 / 29-07-2020 memorandum. With this,

the company confirms what it had stated in its previous documents.

Briefly, in relation to the video surveillance system, it states that the system
was placed for security reasons as in the area (Acharnes Attica) is

crime is high. The camera was mounted on a wardrobe

in order to control the entry of offices and not for the purpose of surveillance

staff, and was never used for the latter purpose. The signal

was transmitted on the mobile phone of the legal representative of the company for

facility safety. Due to a malfunction, the camera has also been removed

no longer works. The company considers that the complaint is false and was made to
revenge by the complainant after his departure and its dissolution

employment contract.


     The Authority, after examining the data in the file, after hearing him
rapporteur and clarifications from the assistant rapporteur, who attended without

and withdrew after the discussion of the case and before

the conference and decision-making, after a thorough discussion,




                        THOUGHT ACCORDING TO THE LAW




     1. According to art. 4 items 1 of the General Regulation of Protection
Data 2016/679 (hereinafter referred to as "GKPD"), the audio and video data, if

refer to persons, constitute personal data.

Further, the capture of a face image, which is collected by a system

video surveillance, operating permanently, continuously or at regular intervals

intervals, indoors or outdoors,

recommends the processing of personal data in accordance with art. 4

item 2 of the GCC.
     2. Article 5 of the GPA sets out the processing principles governing

processing of personal data. Specifically, it is defined in



                                                                           4paragraph 1 that personal data, including: '(a)

are processed lawfully and lawfully in a transparent manner in relation to

data subject ("legality, objectivity, transparency"), (…), c)

are appropriate, relevant and limited to what is necessary for their purposes

processed ("data minimization") (…), f)

processed in such a way as to guarantee adequate safety
of personal data, including their protection against non

authorized or illegal processing and accidental loss, destruction or

wear, using appropriate technical or organizational measures

("Integrity and Confidentiality"). "

     3. Article 6 par. 1 GCP provides, inter alia, that: “H.

processing is only legal if and when at least one of the

the following conditions: (...) (f) processing is necessary for the purposes

of the legal interests pursued by the controller or a third party, except
if the interests or the fundamental ones prevail over these interests

rights and freedoms of the data subject enforcing the

protection of personal data (...) ". Further, according to

the reporting authority (Article 6 (2) GCC) the controller

responsibility and is able to demonstrate compliance with the above principles.

     4. The Authority has issued on the issue of the use of systems

video surveillance for the purpose of protecting persons and property

No 1/2011 Directive of the Authority, the provisions of which shall apply to
in combination with the new provisions of GKPD and law 4624/2019, by which

measures for the implementation of the GPA are defined. It is pointed out in this case that in

specific case, Law 4624/2019 does not apply, as the under consideration

termination concerns a period before its implementation. The European

The Data Protection Council issued guidelines No. 3/2019

lines 1 on the processing of personal data via

video recorder.The text itself provides detailed guidance on how

the GCP applies in relation to the use of cameras for various purposes.Basic

1
 https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32019-processing-
personal-data-through-video_el

                                                                               5condition for the legality of processing through a system

Video surveillance is the observance of the principle of proportionality, as it is

specializes in articles 6 and 7 of the above Directive, but also in the Special Part
her. In particular, Article 7 of the Directive states that the system

video surveillance should not be used for surveillance

employees, except in special exceptional cases such as these

specified in the Directive. As an example it is mentioned that, in a typical space

business offices, video surveillance should be limited to areas

entry and exit, without supervising specific office rooms or
corridors. Exceptions may be specific sites, such as cash registers or

areas with safes, electromechanical equipment, etc., provided that

cameras focus on the good they protect and not on their premises

employees.

Furthermore, in accordance with Article 19 (2) of the aforementioned Directive, which

specifies the principle of proportionality in shopping malls and stores,

cameras may be placed at their entry and exit points

stores, cash registers and safes, warehouses
goods, while, according to article 19 par. 4 of the same Directive,

The operation of cameras in restaurants and leisure areas is prohibited

laboratories, toilets and places where employees work

store and are not accessible to the public. Furthermore, in Article 11 of

Directive 1/2011 of the Authority states that the controller must, between

among others, to take care to avoid irrational use of projection screens, and
avoid disseminating the material to illegal recipients.


     5. In this case, the use of the camera by

Complained company can not be documented adheres to its principle
proportionality. In particular, from the documents of the case file and

especially photographs depicting the range of the camera

it is found that a picture of the whole space is taken, without taking it is limited

at the entrance. There is therefore a breach of the principle of minimization

of the data, including a picture of employees leaving, who they are


                                                                           6 office spaces, in which, as a rule, no money is made

transactions, but accounting work. Further, it turned out to exist

Ability to monitor the camera in real time by its director
mobile company, even though he was absent from his facilities.

This surveillance is not an appropriate means of protecting persons and

goods, as it is practically impossible for the owner to intervene or preventively,

either repressive while increasing the risk of using the material for another purpose,

as for employee supervision. This processing, with the possibility

supervision of the site by the business owner, at all times, and
in fact without the existence of an incident that indicates an increased risk (e.g.

alarm), infringes excessively on the rights of supervised persons,

including "vulnerable" persons such as employees,

therefore it is carried out in violation of article 6 par. 1 f of the GKPD. From

the other components and specifications of the camera show that it does not

there was the possibility of receiving audio, as claimed in the complaint, while no
it turned out that there was recording, although there was the possibility of recording

a few hours to a day, depending on the type of video image compression.

     6. The Authority shall, without prejudice to the fact that it is responsible for processing

did not submit evidence of the legality of the processing, while such

information requested. As a mitigation it takes into account that it is very small
company (as shown by the number of employees), that according to

company statement the camera is no longer working, that it turned out to exist

other kind of dispute which does not concern personal data, that

is the first violation for this company and finally, the unfavorable one

economic situation due to the Covid-19 pandemic.

     7. Based on the above, the Authority unanimously agrees with Article
5 par. 1 c and article 6 par. 1f of the GCPD the conditions for enforcement are met

to the detriment of the controller, based on article 58 par

taking into account the criteria of article 83 par. 2 of the GCP, of the administrative

ratification, referred to in the operative part of this, which is deemed appropriate

with the gravity of the infringement.



                                                                              7 FOR THESE REASONS


The Authority imposes on "Ignatiadis Nikolaos and Co. EE" the effective,
proportionate and dissuasive administrative fine appropriate to

specific case according to its more specific circumstances, amounting to two

thousands of euros (2,000.00) euros, for the above violations

Article 5 (1) (c) and Article 6 (1) (f) of Regulation (EU) 2016/679.




       The Deputy Chairman The Secretary





        George Batzalexis Irini Papageorgopoulou



































                                                                          8