HDPA (Greece) - 12/2022

From GDPRhub
HDPA (Greece) - 12/2022
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 13 GDPR
Type: Complaint
Outcome: Upheld
Decided: 09.03.2022
Published: 23.03.2022
Fine: 2000 EUR
Parties: n/a
National Case Number/Name: 12/2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: Cesar Manso-Sayao

The Greek DPA issued a fine of €2000 against a private school because its director constantly attended and monitored an employee's online courses without adequately informing her of the legal basis to do so, and despite her objection, in violation of Articles 5(1)(a), 5(2) and 13 GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

An online course teacher of foreign languages in a private school filed a complaint against the Greek DPA (Hellenic Data Protection Authority - HDPA), because the school's director was constantly monitoring her lessons by attending and intervening in the Zoom calls where the sessions were taking place.

The teacher stated that the employer’s presence in her online lessons via Zoom made it difficult for her to express herself and to perform, and that she felt that her freedom of speech and her status as a teacher were being infringed. The teacher also claimed that not only had she not consented to this monitoring, but in fact had expressly objected to it on numerous occasions. Furthermore, the teacher claimed that she was never was informed by employer of the type of personal data collected in the process of monitoring her lessons, the purpose of the processing in question, who had access to those data, and her right of access to the data concerning her. Finally, she claimed that the purposes of continuous monitoring relied on by the employer, namely to ensure the quality of the courses, the actual attendance of pupils, and the technical functioning of the platform, could have been achieved by less intrusive means, and that therefore the principle of proportionality was not respected in the contested processing.

The employer on the other hand, justified the continuous monitoring of the online course in order to ensure the satisfaction of the school's customers (in particular the parents of the underage pupils), and for reasons regarding the technical functionality of the courses. The employer also stated that the monitoring activity did not include any recording of the sessions. Additionally, the employer stated that the employee was aware of the Privacy Policy related to the tutorials, and that the consent form provided to all employees for the monitoring of the lessons was not signed due to the employee’s own negligence.

Holding[edit | edit source]

The HDPA stated that with regards to the processing of personal data in the context of employment relations, this is permitted only for purposes directly related to the employment relationship, and insofar as it is necessary for the fulfilment of mutual obligations arising from that relationship, whether these obligations arise from the law or from a contract. Furthermore, the HDPA noted that in the case of employment relationships, the inherent power imbalance of the parties means that employees are rarely in a position to freely give valid consent for the processing of their personal data, and therefore employers should rely on a legal basis other than consent in these cases. Therefore, the HDPA held that, in this case, not only had the employee expressly objected to this processing, but that even if this consent had been given, this could not be relied on by the employer as a valid legal basis.

The HDPA also held that the employer had not satisfied the employee’s right to objection to the monitoring of the lessons. The HDPA explained that although the employer’s response to this objection was based on the grounds of legitimate interest in the exercise of its managerial right, the employer had not been able to establish that the actual attendance to the online courses was in fact an appropriate and necessary means for the exercise of this legitimate interest. Additionally, the HDPA found that the employment contracts analysed this case, did not mention the monitoring of lessons, nor the specific legal basis for this processing.

Therefore, the HDPA held that the employer’s failure to previously determine a valid legal basis for this processing violated of the principle of lawfulness, fairness and transparency under Article 5(1)(a) GDPR, and the principle of accountability under Article 5(2) GDPR. Additionally, the HDPA held that the employer’s failure to inform the employee of the processing and its corresponding legal basis was in breach of its legal obligations under Article 13 GDPR. As a result, the HDPA issued a fine of €2000 against the school.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

  Athens, 09-03-2022 Ref. No .: 617 DECISION 12/2022 (Department) The Personal Data Protection Authority met in a composition of the Department by teleconference on 08-02-2022 at the invitation of its President, in order to examine the case. referred to in the history hereof. Attended by George Batzalexis, Deputy Chairman, disabled by the President of the Authority, Konstantinos Menoudakos, the regular members Charalambos Anthopoulos, Konstantinos Lambrinoudakis and Spyridon Vlachopoulos, as rapporteur. The meeting was attended, by order of the President, by Kyriaki Karakasi, legal auditor-lawyer, as assistant rapporteur and Irini Papageorgopoulou, employee of the administrative affairs department of the Authority, as secretary. The Authority took into account the following: With no. prot. form of the relevant recruitment announcement) at the tuition center of the complainant, delivering the relevant courses through the "ZOOM" platform. According to the complainants, the employer was attending these courses of her employee, intervening in them, in fact, despite the successive, explicitly expressed objections of the latter. In particular, in the context of the συνο submitted electronic conversation between the employer and the complainant 1-3 Kifissias Ave., 11523 Athens, Tel: 210 6475600, Fax: 210 6475628, contact@dpa.gr / www.dpa.gr, - employee, the The latter finds the existence of a problem in the continuous attendance of her course by the complainant and stresses the need to find a solution by proposing other ways of dealing with the relevant supporting reasons for attending the reasons put forward by the employer. The same objection to the constant attendance of her online courses by the respondent was expressed in the context of the από electronic conversation, with the complainant insisting on the need for constant monitoring on her part of the online courses delivered to the students of her tutoring center for prevention loss of clients due to possible defects in the provision of teaching services by the respective teachers - employees. These objections of the complainant are repeated in the συνο also submitted electronic conversation of the latter with the complained employer, without interrupting, according to the complainant, the continuous monitoring of the online courses in question until the date of submission of the complaint. The complainant, after invoking articles 5, 6, 12, 13, 21 GCP, article 7 of law 4624/2019, Opinion 2/2017 of the Working Group of article 29 as well as case law of the ECtHR, excludes consent as well as the legal interest of the employer as the legal basis of the disputed processing by the complained employer, while it also mentions the principle of proportionality with which the tele-surveillance must comply. The Authority, in the context of the examination of the above complaint, with the no. prot. G / EX / 1913 / 19-08-2021 her document, asked the employer in question for clarifications on the complainants. After that, with the no. prot. C / EIS / 6071 / 23-09-2021 its reply document (following the no. prot. the complainant, after confirming the fact that the complainant objected to the constant attendance of her course as an employer, justifies the possibility of students, as well as the technical perfection of the whole process. She denies the 2nd, recording of the conferences concerning the complainant, while she admits that she did not actually have time to attend the online lessons of all the employees in her tutoring center. Subsequently, in the context of further investigation of the disputed complaint, the Authority summoned before it both parties with the no. prot. . The above parts were presented to the complainant after her lawyer, Despina Skentou, with AM…, and the complainant after her lawyer Georgios Diolatzis, with AM…. B was also present at the teleconference as a witness of the accused and a working teacher at the latter's tutoring center, to whom questions were asked during the said hearing. Following that hearing, both parties submitted Memoranda on time. In particular, the complainant with no. prot. problems that arose. The complainant points out that by constantly attending classes as a participant, the employer did not in fact have the ability to manage these problems, while the platform administrator alone allowed her to control the course and the students' attendance, without requiring her continuous presence as a participant. lessons. In addition, the complainant states that she never consented to the unreasonable interception of the online courses, expressing her explicit objection to it, while never taking part concern. Finally, he claims that the objectives invoked by the employer of continuous monitoring, namely the assurance of the quality of the courses, the actual presence of the students and the technical functionality of the 3 platform, could have been achieved by milder means and therefore the principle was not respected. proportionality in the processing in question. The complainant with the with no. G / EIS / 7891 / 02.12.2021 Her memorandum after the relevant documents, which she submitted to the Authority, stated, inter alia: as an employer did not sign the statement of consent signed by the other employees (the relevant statements are submitted as relevant after the above Memorandum). According to the complainant, the reason she installed five computers in her home to attend classes in each of the five classes of her tutoring as a participant was to address the technical problems that arose and the general coordination indicating that it was not possible to monitor all five at the same time. The complainant then admits that the students' relatives either called her or sent her a text message (sms) or viber application in order to be addressed when a technical problem arose. The complainant concludes that there is no violation of the complainant's personal data, as she did not follow what the latter said, admitting that her image was still visible through the computer. In addition, the complainant refers to the complainant's indirect and presumed consent to the disputed processing, while the petitioner subsequently consented to her written messages despite the fact that she did not sign the statement of consent, which the complainant admitted to . He also points out that the allegations of the complainant show that there was information about the treatment in question by the employer, while, finally, allegations are made to challenge the relationship of dependence that the complainant-employer had with the complainant-employee during her stay. The Authority, after examining the facts of the case, after hearing the rapporteur and the clarifications from the assistant rapporteur, who appeared without voting rights and left after the discussion of the case and before the conference and the decision, after a thorough discussion , 4, THOUGHT IN ACCORDANCE WITH LAW 1. Because, with article 5 par. 1 of the General Regulation (EU) 2016/679 for the protection of natural persons against the processing of personal data (hereinafter GCC) are set the principles that should govern a processing. In particular, paragraph 1 provides: '1. Personal data: a) are processed lawfully and lawfully in a transparent manner in relation to the data subject ("legality, objectivity and transparency"), b) are collected for specified, explicit and legitimate purposes and are not further processed further processing for archiving purposes in the public interest or for the purposes of scientific or historical research or statistical purposes shall not be considered incompatible with the original purposes in accordance with Article 89 (1) ("limitation of purpose"); c) appropriate, relevant and limited to what is necessary for the purposes for which they are processed ("data minimization"), (d) they are accurate and, where necessary, updated; all reasonable inaccurate, in relation to the purposes of the processing ("accuracy"), e) retain personal data for only the time required for the purposes of the processing of personal data; personal data may be stored for longer periods, provided that the personal data the public interest, for the purposes of scientific or historical research or for statistical purposes, in accordance with Article 89 (1) and if appropriate technical and organizational measures apply to this Regulation to safeguard the data subject in a way that guarantees the appropriate security of personal data, including their protection against unauthorized or unlawful processing and accidental loss, destruction or deterioration, using appropriate techniques or ("integrity and confidentiality") ".  According to the principle of accountability introduced by the second paragraph of the same article, the controller is explicitly defined as "responsible and able to demonstrate compliance with paragraph 1 (" accountability "). This principle, which is the cornerstone of the FGM, implies the obligation of the controller to be able to demonstrate compliance. In addition, it enables the controller to be able to legally control and document a processing carried out in accordance with the legal basis provided by the GPA and national data protection law. 2. Because, the article 6par. Processing is only lawful if and when at least one of the following conditions applies: (a) the data subject has consented to the processing of personal data for a specific purpose; (b) processing is necessary for the performance of a contract to which the data subject is a party; "processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, unless those interests are preceded by the interest or fundamental rights and freedoms of the data subject which require the protection of the data of a personal character, in particular". Paragraph 1 of Article 21 of the ICCPR provides for the right of objection: or (f), including profiling under those provisions. establishment, exercise or support of legal claims ". 6.3. Because, in addition, according to article 4p. 2 of the GISProcessing means "any transaction or sequence of operations performed with or without the use of automated means, in personal data or in personal data sets, such as collection, registration, organization, structure, storage, adaptation or modification 'the retrieval, search for information, use, disclosure by transmission, dissemination or any other form of disposal, association or combination, restriction, deletion or destruction'. Article 13 of the GCC provides: '1. When personal data relating to a data subject are collected by the data subject, the controller, upon receiving the personal data, shall provide the data subject with all of the following information:. (c) the purposes of the processing for which the personal data are intended, as well as the legal basis for the processing; (d) if the processing is based on Article 6 (1) (f), the legitimate interests pursued by the controller or by third,…. 2. In addition to the information referred to in paragraph 1, the controller shall, when receiving personal data, provide the data subject with the following additional information necessary to ensure fair and transparent processing: (a) the period for personal data or, where this is not possible, criteria that determine the period in question; (c) where the processing is based on Article 6 (1) (a) or Article 9 (2) (a), the existence of the right to withdraw its consent at any time, without prejudice to the lawfulness of the processing relied on consent before d) the right to lodge a complaint with a supervisory authority; (e) whether the provision of personal data constitutes a legal or contractual obligation or requirement for the conclusion of a contract; (f) the existence of automated decision-making; 7, including the profiling referred to in Article 22 (1) and (4) and, the importance and the intended consequences of such processing for the data subject '. 4. Because the processing of personal data should be intended to serve the person. The right to the protection of personal data is not an "absolute right", it must be assessed in relation to the functioning of society and the establishment of fundamental rights in accordance with the principle of proportionality 1. 5. Because, according to the must be concise and fair. It should be clear to individuals what data of a personal nature they are about to be collected, used, taken into account or otherwise processed, and to what extent the data is or will be processed. This principle requires all information and communication regarding the processing of such personal data to be easily accessible and comprehensible and to use clear and simple language. This principle concerns in particular the information of the data subjects regarding the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in relation to such natural persons and their right to receive confirmation and to obtain disclosure of the relevant personal data subject to processing. Individuals should be informed of the existence of risks, rules, guarantees and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes of the processing of personal data should be clear, lawful and determined at the time of collection of personal data. Personal data should be This requires in particular to ensure that the storage period of personnel data 1 Cf. Ait. Sk. 4 GPA as well as Decision APD 43/2019, sk. 2 8, character to be kept to a minimum. Personal data should only be processed if the purpose of the processing cannot be achieved by other means. To ensure that personal data is not kept longer than necessary, the controller should set deadlines for their deletion or periodic review. Every reasonable measure should be taken to ensure that inaccurate personal data is corrected or deleted. Personal data should be processed in such a way as to ensure the appropriate protection and confidentiality of personal data, inter alia, and to prevent any unauthorized access to and use of such personal data or equipment. 6. In order for personal data to be legally processed, ie processed in accordance with the requirements of the GCP, the conditions for the application and observance of the principles of Article 5 par. 1 GCP, as shown by the recent decision of Court of Justice of the European Union (ECJ) of 16-01-2019 in case C496 / 2017 Deutsche Post AG v. Hauptzollamt Koln. The existence of a legal basis (art. 6 GGP) does not release the controller from the obligation to comply with the principles (art. 5 par. 1 GGP) regarding the legality, necessity and proportionality as well as the principle of minimization. In case one of the the principles set out in Article 5 (1) of the GIPA, such processing is presented as illegal (subject to the provisions of the GIPD) and there is no need to consider the conditions for the application of the legal bases of Article 6 of the GIPD. Thus, the violation of the principles of 2 «57. However, any processing of personal data must comply, on the one hand, with the principles of data quality set out in Article 6 of Directive 95/46 or Article 5 of Regulation 2016/679 and, on the other , to the basic principles of lawful data processing referred to in Article 7 of that Directive or Article 6 of that Regulation (cf. Decisions of 20 May 2003, Österreichischer Rundfunk and Others, C-465/00, C-138 / 01 and C-139/01, EU: C: 2003: 294, paragraph 65, as well as 13 May 2014, GoogleSpain and Google, C-131/12, EU: C: 2014: 317, paragraph 71) '. 9, article 5 of the GCC. Monthly collection and processing of personal data is not cured by the existence of a legal purpose and legal basis. 3 Furthermore, the controller, in the context of his observance of the principle of fair or just processing of personal data, must inform the data subject that he is going to process his data in a lawful and transparent manner and be in a position to at any time to prove its compliance with these principles (accountability principle according to article 5 par. 2 in combination with articles 24 par. 1 and 32 GCP). 5 The identification and selection of an appropriate legal basis provided for in Article 6 (1) of the GIP is closely linked to the principle of fair or equitable treatment and to the principle of limitation of purpose, and the controller must not only processing, but also to update no. 13 par. 6 In particular, the selection of the legal basis for the processing of personal data must take place before the start of the processing, and the controller is obliged on the basis of the principle of accountability (see no. 5 par. 2 in conjunction with 24 and 32 GPA) to select the appropriate legal basis from those provided for in Article 6 (1) GPA, as well as to be able to demonstrate in the context of internal compliance compliance with the principles of Article 5 1 1 GPA, including self-explanatory and strict obsolescence.  In addition, the GFC has adopted a new compliance model, centered on the above-mentioned accountability principle, in which the controller is required to design, implement and generally adopt the necessary procedures and policies for to be 3Bl. Decision 26/2019 APD, sk. 5. Cf. Decision 38/2004 APD. 4See regarding WEU C496 / 17 ibid. par. 59 and WEU C-201/14 of 01-10-2015 par. 31-35 and especially 34 as well as a relevant reference in Decision 26/2019 APD, sk. 5. 5 6Βλ. in this regard APD Decisions 26/2019, sk. 6 and APD 43/2019, sk. 5. See Guidelines 2/2019 of the European Council on Data Protection “ontheprocessing of personal data under Article 6 (1) (b) GDPR in the context of the provision of online services to data subjects” pp. 4-67 par. 1, 12, 17- 20 as well as Decision APD 26/2019, sk. 6. 10, in accordance with the relevant legislative provisions. In addition, the controller is responsible for the further duty to prove on his own and at all times his compliance with the principles of article 5 par. 1 GIS. It is no coincidence that the FSAP incorporates accountability (already referred to in Article 5 (2) FSAP) in the regulation of the principles (Article 5 (1) of the FSAP) governing the processing, giving it the function of a Compliance Mechanism , essentially reversing the "burden of proof" as to the legality of the processing (and generally adhering to the principles of Article 5 (1) of the GIP), leaving it to the controller to substantiate of invoking and proving the legality of the processing 7. 7. Because the Authority, regarding the processing of personal data in the context of labor relations, interpreting the provisions of Law 2472/1997 has issued no. 115/2001 Directive on the processing of personal data in employment relations, in the framework of which it has accepted, inter alia, that, as is clear from the principle of purpose, the collection and processing of personal data of employees is permitted only for related purposes directly to the employment relationship and as long as it is necessary for the fulfillment of the obligations established by both parties in this relationship, whether they arise in isolation or from the contract. Furthermore, the Principle accepted in its directive that the consent of the employees could not lift the ban on exceeding the purpose and that in the case of employment relations, the inherent inequality of the parties and the generally dependent employment relationship . In the context of the application of the GIP, the consent is provided as one of the legal bases for the processing of personal data (article 6 par. 1 par. 4 par. 10 11 GPA and in compliance with the principles provided by article 5 par. 1 GPA. 7 8See. in this regard APD Decisions 26/2019, sk. 7 and APD 43/2019, sk. 6. See p.10 of with no. 115/2001 of the Directive of the Authority. 9See similarly page 10 of no. 115/2001 of the Directive of the Authority. 10 See APD 26/2019, sk. 10 11 However, in the light of the GCC, the above finding that employees are rarely able to give, refuse or withdraw their consent is still valid, given the dependence that arises from the relationship between employer and employee. Therefore, except in exceptional cases, employers should rely on a legal basis without consent - such as the need to process the data in the context of their legitimate interest. Accordingly, the European Council for Data Protection considers that in any case where such processing is not necessary for the performance of the contract, such processing takes place legally only if it is based on another appropriate legal basis 11. 8. Employee monitoring is possible not only because of the use of special technologies but also because employees need to use electronic applications provided by the employer, which process personal data. Before using any monitoring tool, a proportionality check should be performed to see if all the data is necessary, if such processing exceeds the general privacy rights of employees and the workplace, and what minimum necessary. The controller must always weigh the existing risks, the extent of these risks, the existing alternatives for dealing with these risks and, on the other hand, the insults to human personality and privacy from the use of such methods. Furthermore, as stated above, data processing at work must be proportionate to the risks faced by the employer. The latter must take into account the principle of data minimization when deciding on the use of new technologies. 11 12See. APD 26/2019, sk. 13. See Opinion of OE article 29, 2/2017, p. 18. 13See. Opinion of OE article 29, 2/2017, p. 28. 14 See. Opinion of OE article 29, 2/2017, pp. 28-29. 12.9. In the context of the present case, the complainant - employer, who attended the online lessons given to the students of her tutoring center by the complainant, has the status of the person in charge of processing no. 4 par. 7 GIP, in the context of the above processing, consisting in the modern processing of personal data by automated means, ie 15 video and audio monitoring of the complainant, determines the purposes and the way of processing the above personal data and therefore becomes obliged to comply first with the principles introduced in Article 5 of the GIP as well as with its other consequent obligations in the context of the regulatory protection of personal data. The above-mentioned processing was already opposed by the complainant, exercising the relevant right of objection as a data subject according to article 21 par. . In particular, it is noted that from the above written messages it was clear the complainant's opposition to the constant attendance of her online course by her employer and was expressed in an indisputable manner, as evidenced by her conversations with the complainant. Besides, the relevant objection is directly acknowledged by the complainant herself in her reply to the Authority with reference number G / EIS / 6071/2021. , other ways to replace the continuous monitoring as above, as shown by all the data in the file. It is noted that in the από e-mail of the complainant to her employer she directly states that the presence of the latter in her online courses makes it difficult for her to express and perform while she feels that her freedom of speech and her status as a human being and teacher are being violated. . The fact that it refers only narratively to the body of the complaint in question that it was initially dealt with with 15Prl. EDPB, Guidelines 3/2019 on processing of personal data through video devices, adopted on 10 July 2019, p. 5, available: (https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_201903_videosurveillance.pdf) 13, good faith from the complainant the processing in question, does not imply the indirect consent of the employee, as incorrectly assumed by the complainant in no. prot. Furthermore, the fact that the complainant in the context of the complaint in question alleges the relationship of dependence under the employment contract which bound her to the complainant precisely in order to demonstrate the weakening of consent as a valid legal basis for the proceedings in question cannot, logically necessity, to be considered as a presumed consent, rejecting the allegations of the opposite of the accused. None of the complainant's messages to the Authority submitted to the Authority may be Her consent was obtained for the above processing, and much more than the moment when, in the exercise of the right of objection to the complainant - responsible for processing, alternative ways were formulated as means milder, according to the complainant, than the possibility of continuous monitoring In any case, it is noted that even if the employer obtains the complainant's consent to the processing from some of her individual proposals in a discussion that undoubtedly focuses on the latter's opposition to the processing in question, she can not establish consent as a legal basis, as consent must be express in the sense that there must be no doubt as to the intention of the person concerned to give his consent. In other words, the statement in which that person expresses his or her consent should not leave room for ambiguity as to his or her intention 16 while it should be obvious that the data subject consents to the processing in question. 17 16 See Opinion 15/2011 of the Article 29 on the definition of consent, WP187.13 July 2011, p.25.  17See in this regard EDPB, Guidelines 5/2020 on consent under Regulation 2016/679, 4 May 2020, p. 21, (para. 75). 14,10. Because, in addition to the above, it is also noted that, taking into account the controller - employer already from her initial response (no. Prot. G / EIS / 6071 / 23.09.2021) before the Authority, that the complainant expressed her opposition to her constant presence in the online courses, she recognized the exercise of the relevant right of objection, responding, in fact, to it. It therefore ruled out consent as the legal basis for the processing in question 18 and it should be noted at this point that even if consent is secured, it does not in any way negate or reduce the controller's obligations to comply with the principles governing processing, which are enshrined in the GIP, in particular in Article 5 thereof, as regards objectivity, necessity and proportionality. Therefore, even if the processing of personal data is based on the consent of the data subject, then this does not legitimize the collection of data that is not necessary in relation to a specific processing purpose and the processing will be fundamentally unfair. However, in any case the consent can not be considered a legitimate legal basis in this case, as long as the consent of the employee is required, and there is actual or potential related damage resulting from the non-consent, the consent is not valid because it is not given freely. It is noted in this connection that in the context of employment there is a de facto imbalance of power. Given the dependency of the employer-employee relationship, it is unlikely that the data subject will be able to refuse to give his employer consent to the processing of his data without fear or real risk of suffering negative consequences due to 18Vl. EDPB, Guidelines 5/2020 on consent under Regulation 2016/679, 4 1920 2020, pp. 38-39. See EDPB, Guidelines 5/2020 on consent under Regulation 2016/679, 4 May 2020, p. 6 (par. 5). 20See Opinion 15/2011 of the Article 29 on the definition of consent, WP187.13 July 2011, p. 16 as well as EDPB, Guidelines 5/2020 on consent under Regulation 2016/679, 4 May 2020, p. "Opinions issued by the Article 29 Working Party on Consent, in cases consistent with the new legal framework, are still relevant, as the GATT codifies the existing ΓΚΠΔ ». See even with no. 43 recital of the GCC. 15, of his denial. Therefore, in the context of related processing operations, the legal basis can not be the consent of employees (Article 6 (1) (a) GCC), due to the nature of the relationship between employer and employee 22. under a relevant employment contract drawn up between the complainant and the complainant is in no way invalidated by the allegations made by the complainant-employer, in particular by the complainant's possibility of being suspended for from health-based preference to continue e-learning in May 2021, when there was now more optional and non-optional teaching. states that it is given in writing and explicitly upon information, information which does not appear to exist from the data in the case file under consideration. The respondent, in response to the above-mentioned explicit opposition of the complainant, expressed her refusal to stop the controversial processing of the online courses of the latter, citing, inter alia, reasons related to the need to control the quality of services of the latter, and many probably since the employer herself is judged by both the children and their parents, as explicitly mentioned in one of the conversations between the two parties involved before the Authority. In addition, in with no. prot. others and the defendant, while admitting that he intervened during the lessons and whenever he deemed it appropriate in order to discipline the students. Besides, with the 21Bl. in this regard EDPB, Guidelines 5/2020 on consent under Regulation 2016/679, 4 May 2020, p. 10, (par. 21). See and APD 26/2019, sk. 9. 22See. in this regard See Opinion 2/2017 (WP249) on the processing of data at work, 8 June 2017, p. 16, no. prot. There was a problem connecting it (pp. 2-3 of the above memo). In fact, the employer herself admits that although there was the possibility of continuous attendance of the online courses, however it was not possible to attend them at the same time, so when a problem arose, she was informed either by phone or via email (vi) or via email (vi). 3 of the Defendant's Memorandum). 11. It follows from the above grounds put forward by the complainant, on which the proceedings in question are based, and to the exclusion of consent as a legal basis, that they refer to the legal basis of the case referred to in paragraph 1. of the article 6 provided by the complainant, the legal basis of article 6 par. Normal use of the platform can not be accepted, unless there is a clear and specific description, that it includes the processing that involves the possibility of continuous monitoring of video and audio data of the employee by the complainant throughout the online courses. online courses of the complainant is considered by it to be necessary for the purposes of its legal interests as a responsible process that seems to be organized around the core of the right of management. Therefore, there is a clear reference on an alien basis for this treatment. 12. Because, in addition, the Policy submitted by the complained employer does not clearly and precisely define the legal basis for the processing in question, ie the continuous monitoring of video and audio data of the employees by the complained-employer throughout the online courses. In fact, it is noted in this connection that in the context of a security policy, in addition to the above, the technical and 17 organizational security measures should be specifically specified, which should be taken by the controller, in case of monitoring by the the online courses of its employees, in order to ensure the effective protection of the personal data of the latter 23 in accordance with and in accordance with the provisions of Articles 25 and 32 of the GCC. However, it appears from the foregoing that there was no briefing under Article 13 of the GIP, including consequently the briefing on the legal basis of the proceedings in question by the employer and the seizure of the complainant's personal data in question. This, as long as the legal basis of article 6 par. 1b'GPD (performance of the contract), without specifically addressing the disputed processing of the continuous the employer's attendance of the online courses of her employees, while at the same time from the answers presented to the Authority the employer's right of objection exercised by the complainant, is proposed as the legal basis of the 1 f) GPD), but without substantiating whether the attendance of the complainant's courses by the complainant is indeed an appropriate and necessary means for the exercise of the complainant's managerial right. And with no. prot.

In addition, it is noted that in the additions submitted by the complainant on
of individual employment contracts (other than that of the complainant, which does not

existing) on the processing of employees' personal data,

there is no reference to the processing in question and its legal basis.

13.Because it is then actively established that there is no clear

the legal basis for the proceedings in question, in so far as the employer

refers in parallel to the aforementioned legal bases, in breach of the principle

2See indicative relevant report on the website of the Authority (www.dpa.gr:
_asfaleia_proswpikwn / politiki_asfaleia_proswpikwn

                                           18, of lawful, lawful and transparent processingArticle 5par.1a’GKPD.In particular,

the complainant made a false impression as to the legal basis on it

which the processing in question was founded, with the result that there is no clear and

accurate relevant information of the employee - complainant, in violation of

of the above provisions as well as Article 13 of the ICCPR, as far as

of the file does not appear to have informed the complainant on her behalf

reportedly responsible processing and in particular upon receipt of the above personnel

of the data much more so since in the context of the submitted by

the complained Policy does not mention the disputed processing, which consists of

Employer's ability to monitor their video and audio data

its employees throughout the courses they deliver through it

zoom platform. At the same time, this ambiguity deprives the Authority of the possibility

checking the correctness of the choice of legal basis, thus violating the principle

of accountability .5

14. Because, in this case, and in accordance with the above, the complainant - employer

did not satisfy the complainant's right to object, while

carried out the disputed processing in violation of the provisions of articles 5 par. 1 f.

a), 5 par. 2 and 13 of the GCP, as they are specified in detail in the aforementioned

without, however, clearly defining the legal basis on which it is based

the last one under Article 6 of the GIP is based.

15. Because the violation of the basic principles of processing in conjunction with non

establishing a legal basis for the latter, as set out in detail above,

draw the imposition of administrative sanctions of article 83 par. 5 lit. α΄ του ΓΚΠΔ

while the violation of the rights provided in articles 12-22 of the GCP

subject to the imposition of the relevant sanctions under Article 83

par. 5 lit. b of the GCP.

    According to the GCC (Ait.Sk.148) in order to strengthen the enforcement of the rules

of this Regulation, penalties, including administrative fines,

should be imposed for any violation of this Regulation, in addition to or

24Cf. in relation to APD 26/2019, sk. 24.
25 See in relation to APD 26/2019, sk. 24.

                                            19, instead of the appropriate measures imposed by the supervisory authority in accordance with

these Rules.

16. In view of the above, the Authority considers that there is a case for exercising the

article 58 par. 2 of the GCC its corrective powers in relation to the established ones


17. The Authority further considers that the imposition of a corrective measure is not sufficient for

restoration of compliance with the provisions of the FGMP that have been violated and that

should, on the basis of the circumstances established, be imposed in its application

provision of article 58 par. 2 ed. i) of the GPDAdditionally and efficient, proportional and

a deterrent administrative fine under Article 83 of the GIPP to both
restoration of compliance, as well as for the cancellation of illegal behavior.

18. Further Authority, taking into account the criteria for measuring the fine

Article 83, paragraph 2 of the GCPD, paragraph 5

implementation in the present case and the Guidelines for implementation and

the determination of administrative fines for the purposes of Regulation 2016/679 which

issued on 03-10-2017 by the Article 29 Working Group (WP253), as well as the

facts of the case under consideration and in particular:

      i. The fact that the complainant in her capacity as an employer violated

           the provisions of article 5 par. 1 ed. principles of jurisdiction,

           objectivity and transparency, ie violated a fundamental principle of the GIP

           for the protection of personal data.

     ii. The fact that the observance of the principles provided by its provision

           article 5 par. 1 ed. a) of the GPA is of capital importance, and primarily, the
           principle of quality, so that its absence becomes unlawful from the outset

           processing, even if the other principles of processing have been observed many

           This is not the case where no clarity and precision has been established

26 See OE 29, Guidelines and the implementation and setting of administrative fines for them

purposes of Regulation 2016/679 WP253, p. 6

                                             20, of the legal basis for the disputed Article 6 of the GIP

           processing, as mentioned above.

     iii. The fact that the complainant with the aforementioned vaguely to
           determination of the legal basis for the processing in question was deprived at the same time

           from the Authority the possibility to check the correctness of the relevant choice

           thus violating the principle of accountability, while at the same time not

           has been able to prove that it has complied with Article 13 of the GIP

           its obligation to be informed, as specified above.

     iv. The fact that the processing of personal data in violation of the GCP
           through the illegal basis and the relevant appropriate previous

           in this case affected one (1) natural person as the subject of

           personal data, whose right to object is exercised

           was not satisfied.

      v. The fact that the above substantiated violations of the GCPD do not

           it is proved without a doubt that they are attributed to the deceit of the accused
           employer but in her negligence due to ignorance of the provisions of the GCP.

     vi. The absence of previously established violations of the complainant

           employer as a relevant audit shows that it has not been imposed on her

           to date administrative sanction by the Authority.

    vii. The fact that from the data brought to the attention of the Authority and based on
           which found the above violations of the GCP, the person in charge

           did not cause material damage to the complainant.

    viii. The fact that the violation of the provisions on the basic principles of

           processing as well as the rights of the subjects is subject, according

           with the provisions of article 83 par. 5 ed. a 'and b' GKPD, in the upper

           envisaged category of the administrative fine grading system.
19. In view of the above, the Authority unanimously decides that it should be imposed on

the employer complained of as responsible for the processing referred to in the operative part

administrative sanction, which is considered proportionate to the gravity of the infringement.

                                             21, FOR THESE REASONS

   The beginning

   Imposes on the alleged controller C the effective,
proportionate and dissuasive administrative fine appropriate to the specific

case, according to its more specific circumstances, amounting to two thousand (2,000)

for the non-satisfaction of the right of objection as well as for the above

Violations of Articles 5par.1per.a ', 5par.2 and 13

above were specialized, according to articles 58 par. 2 lit. θ΄ και 83 παρ. 5 στοιχ. a'

and β΄ ΓΚΠΔ.

          The Deputy Chairman The Secretary

            George Batzalexis Irini Papageorgopoulou