HDPA (Greece) - 2/2023
|HDPA - 2/2023|
|Relevant Law:||Article 4(7) GDPR|
Article 5(1) GDPR
Article 5(1)(a) GDPR
Article 13 GDPR
Article 31 GDPR
Article 57(1)(f) GDPR
Article 58(2)(b) GDPR
Article 2 of Joint Ministerial Decision (Greek) 6632/2021
|National Case Number/Name:||2/2023|
|European Case Law Identifier:||n/a|
|Original Source:||HDPA (in EL)|
|Initial Contributor:||George Grigoriadis|
The Greek DPA issued a reprimand on a hotel for unlawfully making and retaining a copy of a guest's Covid-19 vaccination certificate, in violation of Articles 5(1)(a) and 13 GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
When registering at the data controller's hotel, the data subject was required to present a Covid-19 certificate. The hotel employee made a photocopy of the certificate, despite the data subject's protests. The data subject considered the processing of their personal data to be unlawful and lodged a complaint with the Greek DPA. In the complaint, the data subject asked the following questions to the DPA: (i) whether the data controller had the right to retain a copy of the vaccination certificate; (ii) the number of persons that would have access to the certificate; (iii) the time that the certificate would be stored; and (iv) how the certificate would be deleted after the retention period.
In view of the lack of direct response by the controller, the HDPA requested the information and reminded it of its duty of cooperation under Article 31 GDPR. The controller then replied that: (i) it informed the data subject as to specific measures adopted for the prevention of Covid-19 and as to the maintenance of records for public safety reasons, with the exception of data related to health; (ii) the copy of the vaccination certificate was made with the only purpose of keeping the Head of the Hotel's reception up to date as they were not there when the data subject arrived; (iii) the copy of the certificate was kept only for the necessary time period and was not shared with any third party, being immediately shredded upon the arrival of the Head of the reception; (iv) the employee was taken aback by the deletion request and refused to do so and during their stay in the hotel, the data subject did not the deletion of the copy again. Moreover, the controller claimed that at the time of the processing there were strict regulations requiring the presentation of the certificate as a condition to gain access to indoor places.
Holding[edit | edit source]
The Greek DPA stressed that the existence of a legal basis for the processing of personal data does not relieve the data controller of the obligation to comply with the principles set forth in Article 5(1) GDPR. If any of these principles is violated, the processing of such data is considered illegal. The DPA clarified that the Joint Ministerial Decision in force at the time of the facts obliged data controllers to keep records of the details of people staying at the hotel, but did not impose the presentation of a vaccination certificate as a condition for accommodation. In addition, the DPA highlighted that controllers are obliged to adequately inform the data subject regarding the retention period and the way of erasing the data even if this information was not requested by them. In the case at hand, the DPA found that the controller failed to comply with this obligation. For these reasons, it issued a reprimand on the controller for violating Articles 13 and 5(1)(a) GDPR. On the other hand, it rejected the complaint regarding the access request, given that the data subject did not demonstrate that they had made the request.
Comment[edit | edit source]
The decision seems contradictory and silent on the legal issue in question. A vaccine certificate is health data, which can only be processed in the hypotheses listed by Article 9(2) GDPR. Therefore, the retention of a copy of the vaccination certificate could not be done based on the legitimate interest of the controller. The decision states that there was no legal obligation to retain the document, but seems to accept the claim that the copy was made by the employee to be presented to the head of reception. We understand that, in the absence of legal obligation, the only possibility would be to protect the vital interest of the other hotel guests. However, the decision does not discuss this issue and focuses on the aspect of the right to information.
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
The President of the Personal Data Protection Authority as a one-person body according to article 17 par. 1 of Law 4624/2019 (Government Gazette A΄ 137), in the context of the powers provided for in articles 4 par. 3 and 10 par. 4 of the Regulation of Operation of the Authority (Government Gazette B΄879/25.02.2022) met via teleconference on Monday 19 December 2022 in order to examine the case, which is mentioned below in the history of this decision. Present without the right to vote were Anastasia Tritaki, legal auditor - lawyer and Irini Papageorgopoulou, employee of the administrative affairs department, as secretary. The Authority took into account the following: With the no. Authority C/EIS/5379/23-08-2021 complaint, A (hereinafter: complainant) complained before the Authority that upon his arrival at the Renaissance Hanioti Resort hotel of the company G. Voevodas & Co. SA. (hereinafter: complainant), the receptionist asked him to show his vaccination certificate against Covid-19 and then proceeded to make a photocopy of it. According to his claims, the complainant pointed out to the employee that making a photocopy of his Covid-19 vaccination certificate was not legal, but, as he reports2, the employee replied that she did not know that and kept the copy. The complainant states that he did not take any further action, as his arrival at the facilities of the complained company was late at night and there was no alternative for his accommodation in case the employee refused to allow him access to his accommodation room, if he insisted on do not keep the copy. The complainant raised before the Authority the question whether the complained company had the right to keep the copy of his vaccination certificate against Covid-19, as well as a question regarding the period of time that the copy would be kept by the persons who would have access to it and the manner in which destruction of the copy would take place. The Authority, in the context of examining the above complaint, first called with no. prot. C/EXE/2021/07-09-2021 (under 2) relat.) its document the complained company, to state its views on it. Due to the lack of response to the above request, the Authority called again with the no. First Authority G/EXE/1150/18-05-2022 and no. Authority Prot. C/EXE/2375/27-09-2022 reminder documents (under 3) relat.) the complained company to provide its views on the complained, reminding the obligation of the controller to cooperate with the Authority in accordance with article 31 GDPR, while the sending of the last document was preceded by a telephone communication between the Authority and the complained-about company in which the company indicated the use of a different e-mail address for the sending. With the no. Authority letter C/EIS/10733/05-10-2022) its response (under 4) relat.), the complained company argued before the Authority, among other things: a) that according to special health protocols on the basis of which the tourism businesses in the context of taking measures against Covid-19, keeps a record for public health reasons, with the exception of medical data, a fact about which, according to his claims, the complainant was informed, upon his arrival, b) that the copy of the complainant's vaccination certificate3 against Covid-19, created exceptionally and for the sole purpose of informing the hotel's head of reception, who was absent at the time of the complainant's arrival at the hotel, c) that the above copy was kept in its file only for the absolutely necessary period of time, and after the arrival of the head of the reception it was destroyed, while the complainant's data was not disclosed to any third party, d) that it is a surprise for the complained company that the complainant's claim that he requested the destruction of the copy and the complainant denied this, e) that the complainant did not return during his stay or upon his departure regarding the specific matter, while the complained company, due to workload, failed to provide the complainant with information that it had destroyed the copy within 12 hours, and apologizes for this omission, f) that, finally, regarding the lack of response to the Authority's requests for clarification, for reasons unknown to it, the complained-about company had not received electronically or by mail the under no. Authority draft C/EXE/2021/07-09-2021 and G/EXE/1150/18-05-2022 documents of the Authority. Following the examination of the information of the file, the Authority sent letter no. Prot. Authority C/EXE/ 3049/28-11-2022 summons for hearing to the complained-about company G. Voevodas & Co. SA. in order to attend, via teleconference, a hearing before the President of the Authority, on Monday, December 5, 2022 regarding the discussion of the above complaint. During the above meeting, B, the Chief Executive Officer of the complainant, appeared on behalf of the complainant and requested the postponement of the meeting to a new date in order to be able to present the legal representative of the company and its attorney. The President of the Authority accepted the adjournment request and fixed the discussion on a new date on Monday, December 19, 2022 at 10.00 am. During the meeting before the President of the Authority on Monday, December 19, 2022, the complained-about company was present through the power of attorney of Iulianna Papatheoharis, ... . The complainant, after orally developing her 4 points of view, was given a deadline to submit a written memorandum to further support her allegations and timely submitted, through her attorney, on 23/12/2022 the no. prot. G/EIS/12802/23-12-2022 memorandum. During the above hearing, but also with the no. prot. C/EIS/12802/23-12-2022 following the hearing of her memorandum, the complainant, after repeating the allegations she previously raised before the Authority, further argued that on the date of the event in question (16-8-2021 ) measures and restrictions to deal with the COVID-19 pandemic prevailed, as well as very strict terms and conditions for the entry of travelers regardless of nationality to Greece, and specifically, Law 4806/2021 (Government Gazette A΄95/10-6-2021 ) by which the PNP of 30-5-2021 was sanctioned, which provided for the issuance of a vaccination certificate, no. D1a/49351/2021 (Government Gazette B' 3590/2021) Ministerial Decision, according to which it was determined that for entry into Greece, the presentation of a vaccination or disease certificate is required, as well as the no. D1a/49762/2021 (Government Gazette Β΄3660/7-8-21) Ministerial Decision regarding the obligation to show a vaccination/disease certificate for entering closed spaces, catering facilities, etc. The complainant also stated that due to the strictness of health protocols that had been imposed by law to deal with the COVID-19 pandemic and in particular for the operation of hotel units, had adopted the practice of sending a relevant email message 7 days before the customer's arrival at the hotel, confirming his reservation and informing him of the obligation to show the relevant vaccination certificate (with the 2nd dose completed 14 days before arrival) or to perform a PCR test or Rapid Test.) This took place, according to the claims of the complainant and to the complainant, informing him about the due to obligation. On arrival, the complainant produced his certificate, a photocopy of which was taken and kept for a few hours to show to the head of reception, and was immediately destroyed, never shared with any third party. The complainant added, finally, that she did not have the opportunity5 to inform the complainant about the destruction of the document, because he did not make any relevant complaint to the receptionist, nor did he complain to any other hotel manager throughout his stay , while in a different case the explanations could have been given immediately on behalf of the complainant and the complainant himself would have found that the relevant photocopy was destroyed. The Authority, after examining the elements of the file and what emerged from the hearing before it and the memorandum of the complained company, CONSIDERED ACCORDING TO THE LAW 1. Because of the provisions of articles 51 and 55 of the General Data Protection Regulation 2016/679 (GDPR) and Article 9 of Law 4624/2019 (Government Gazette A΄ 137) it follows that the Authority has the authority to supervise the implementation of the provisions of GDPR, Law 4624/2019 and other regulations concerning the protection of individuals from processing personal data. In particular, from the provisions of articles 57 par.1 item. f) of the GDPR and 13 par. 1 item g) of Law 4624/2019 it follows that the Authority has the authority to deal with A's complaint against G. Voevodas & Co. SA, as the above complaint concerns the registration/storage of data in a filing system within the meaning of the article 4 pc. 2) and 6) GDPR, therefore for processing falling within the regulatory scope of articles 2 par. 1 of the GDPR and 2 of Law 4624/2019. 2. Because according to the provisions of Article 4(7) of the GDPR, a data controller is defined as "the natural or legal person, public authority, agency or other entity that, alone or jointly with others, determines the purposes and the manner of processing personal data; where the purposes and manner of such processing are determined by Union law or the law of a Member State, the controller or the specific criteria for his appointment may be provided for by Union law or the law of a Member State". According to the Guidelines 07/2020 of the EDPS regarding the concepts6 of controller and processor1, any processing of personal data carried out by employees in the field of activities of an organization can be considered to be carried out under the control of the said organization. Employees who have access to personal data within an organization are generally not considered "controllers" or "processors", but "persons acting under the supervision of the controller or processor" within the meaning of Article 29 of GDPR2, therefore in this case the complained company G. Voevodas & Co. SA. is the controller. 3. Because according to the provisions of article 5 paragraph 1 of the GDPR regarding the principles that should govern the processing of data, personal data should, among other things, a) be processed lawfully and legitimately in a transparent manner in in relation to the data subject ("lawfulness, objectivity and transparency"), b) to be collected for specified, express and lawful purposes and not to be further processed in a manner incompatible with these purposes ("purpose limitation"), c ) to be appropriate, relevant and limited to what is necessary for the purposes for which they are processed ("data minimization"). In order for personal data to be lawfully processed, i.e. processed in accordance with the requirements of the GDPR, the conditions for applying and observing the principles of article 5 paragraph 1 GDPR3 must be met cumulatively. The existence of a legal basis (art. 6 GDPR) does not exempt the data controller from the obligation to observe the principles (art. 5 par. 1 GDPR) regarding the legitimate character, necessity and proportionality and the principle of minimization. In the event that any of the principles provided for in article 5 par. 1 GDPR is violated, the processing in question appears as 1 EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 2.0, Adopted on 07 July 2021, https://edpb.europa.eu/system/files/2021-07/eppb_guidelines_202007_controllerprocessor_final_en.pdf 2 Above, para. 19 and footnote 9. 3 CJEU, C- 496/17, Deutsche Post AG v. Hauptzollamt Köln1, 16 January 2019, §§ 57.7 illegal (subject to the provisions of the GDPR) and the examination of the conditions for applying the legal bases of article 6 GDPR4 is omitted. Thus, the unlawful collection and processing of personal data in violation of the principles of Article 5 GDPR is not cured by the existence of a legitimate purpose and legal basis (cf. GDPR 38/2004, GDPR 43/2019). In addition, the CJEU with its decision of 01-10-2015 in the context of the case C-201/14 (Smaranda Bara) considered as a condition of the legitimate and legal processing of personal data the information of the subject of the data before the processing thereof5 . The recognition and selection of the appropriate legal basis from those provided for in Article 6 para. 1 GDPR is closely linked to the principle of legitimate or fair processing as well as to the principle of purpose limitation, and the controller must not only choose the appropriate legal basis before the start of the processing, but also to inform in accordance with article 13 par. 1 sec. c GDPR for the use of the data subject, as the choice of each legal basis exerts a legal influence on the application of the rights of the subjects6. 4. Because, further, in accordance with article 13 of the GDPR: "1. When personal data relating to a data subject is collected by the data subject, the data controller, upon receiving the data 4 Compare StE 517/2018 para. 12: "[...] in order for the personal data to be lawful processing, it is required in any case that the conditions of article 4 par. 1 of law 2472/1997, which, among other things, stipulate that the data must be collected and processed in a legitimate and legal manner, for clear and legal purposes ... If the conditions of article 4 par. 1 of law 2472/1997 (legal collection and processing of data for clear and legitimate purposes) are met, it is further examined whether the conditions of the provision of article 5 par. 2 of law are also met. 2472/1997 [legal bases]'. Also, see SC in Plenary 2285/2001 par. 10: "[...] Only if the above basic conditions are met, the provisions of articles 5 and 7 of Law 2472/1997 apply, which impose as a further additional, in principle, condition of legal processing of personal data of a specific person, his consent". 5 CJEU, C-201/14, Smaranda Bara etc. v. Casa Naţională de Asigurări de Sănătate and others, 1 October 2015, in particular 34. 6 See Guidelines 2/2019 of the European Data Protection Board "on the processing of personal data under Article 6 (1) (b) GDPR in the context of the provision of online services to data subjects" pp. 4-67 par. 1, 12, 17-20 as well as APD Decisions 26/2019, sc. 6, APD 12/2022, sc. 6.8 of a personal nature, provides the data subject with all the following information: a) the identity and contact details of the controller and, where applicable, the representative of the controller, b) the contact details of the data protection officer, where applicable, c ) the purposes of the processing for which the personal data are intended, as well as the legal basis for the processing, d) if the processing is based on Article 6 paragraph 1 letter f), the legitimate interests pursued by the controller or by a third party . in the case of the transmissions referred to in article 46 or 47 or in article 49 paragraph 1 second subparagraph, reference to appropriate or suitable guarantees and the means to obtain a copy of them or where they were made available. 2. In addition to the information referred to in paragraph 1, the controller, when receiving the personal data, provides the data subject with the following additional information necessary to ensure fair and transparent processing: a) the time period for which the personal data will be stored or, when this is impossible, the criteria that determine the period in question, b) the existence of the right to submit a request to the data controller for access and correction or deletion of the personal data or limitation of the processing concerning the data subject or right to object to the processing, as well as the right to data portability, c) when the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent of any time, without prejudice to the legality of the processing based on consent before its withdrawal, d) the right to submit a complaint to a supervisory authority, e) whether the provision of personal data9 constitutes a legal or contractual obligation or a requirement for the conclusion of a contract , as well as whether the data subject is obliged to provide the personal data and what possible consequences would be the failure to provide such data, f) the existence of automated decision-making, including profiling, referred to in article 22 paragraphs 1 and 4 and, at least in these cases, important information about the logic followed, as well as the importance and intended consequences of said processing for the data subject. 3. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject, prior to such further processing, with information about that purpose and any other necessary information, as mentioned in paragraph 2. 4. Paragraphs 1, 2 and 3 do not apply, when and if the data subject already has the information. ", and according to recital 39 of the GDPR: "Every processing of personal data should be lawful and fair. It should be clear to natural persons that personal data concerning them is collected, used, taken into account or otherwise processed, as well as to what extent the personal data is or will be processed.(…) ", while according to recital 60 of the GDPR: "The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context in which the personal data is processed. Furthermore, the data subject should be informed whether he is being profiled and what its consequences are. If personal data is provided10 by the data subject, the data subject should also be informed whether he is obliged to provide the personal data and the consequences, when he does not provide said data. (…)" 5. Because the data controller has an obligation towards the subject unsolicited information7, in the sense that this obligation does not depend on request of the data subject, but instead the controller must comply with it proactively, regardless of whether the data subject will express an interest in the update8. 6. Because, in this case at the time of the events (night time of August 16, 2021), under no. D1a/G.P.oc. 50907/2021 K.Y.A. "Emergency measures protection of public health from the risk of further spread of the coronavirus COVID-19 throughout the Territory, for the period from Monday, August 16 2021 at 6:00 a.m. until Monday, August 23, 2021 at 6:00 a.m." (Government Gazette B' 3793). In addition, at the time of the events, the operation of the hotels in its context taking measures against the Covid-19 coronavirus, was regulated in particular by the no. 6632/2021 K.Y.A. "Replacement of no. 1881/29.05.2020 of joint ministerial decision "Special protocols of health content based on which tourist businesses operate in the context of taking measures against him of the COVID-19 coronavirus" (B' 2084), as amended with no. 8958/15.06.2020 (B' 2370), 9418/ 23.06.2020 (B' 2498) and 16192/2020 (B' 4687) similar decisions." (Government Gazette B' 1632), as it was amended by the under no. 10197/2021 K.Y.A. "Amendment of sub No. 6632/16.04.2021 of joint ministerial decision entitled "Replacement of under no. 1881/29.05.2020 of joint ministerial decision entitled "Special protocols health content on the basis of which the tourist businesses operate in the context of taking measures against the COVID-19 coronavirus" (B' 1632) and 7 See in Kon/no N. Christodoulou, Personal Data Law, 2nd edition, Law Library, par. 366, p. 119. 8 Handbook on European legislation on the protection of personal data, EU Agency for Fundamental Rights and Council of Europe, ed. 2018, 2019, p. 258.11 correction of an error published in Vol. B' 1996/2021" (Government Gazette B' 2504). According with article 2 par. 1-2 of the said 6632/2021 C.Y.A.: "For the hotels of sub-para. aa' of para. a' of par. 2 of article 1 of Law 4276/2014, Annex I applies, which is an integral part of this. 2. For the other categories of accommodation (except for organized tourist camps) is applied Annex I, which is an integral part of this, depending on provided services of the accommodation.". According to the “Special protocol health-related operation of tourist accommodation except for of organized tourist camps" which is contained in Annex I thereof same K.Y.A. (Government Gazette B' 1632), a record of accommodation and a book of covid- 19: "For the purposes of public health protection actions, the management/administration of the facility keeps a record of staff members and all persons who stayed at the accommodation - name, nationality, date of arrival and departure, contact information (address, telephone, e-mail) - to enable communication with the close contacts of any case of COVID-19, who may be identified after the fact (…) Pay attention to the General Regulation on Personal Data Protection (GDPR) and that all have been informed visitors that a record is kept for reasons of public health protection. (…)" (A/A E of Annex), while at the same time a Protocol is defined for the Reception Service (A/A G of the Annex). 7. Since, from the general overview of the provisions contained in the above C.Y.A., and in particular the measures contained in the "Special sanitary protocol content operation of tourist accommodations other than organized ones of tourist camps" which is contained in Appendix I of no. 6632/2021 K.Y.A. (Government Gazette B' 1632), no obligation arises from tourist accommodations to maintain a record of vaccination/ illness/ diagnosis data covid-19 check of hotel customers, for entry and stay them in the hotel premises. 12 8. Because however in this case, as agreed by the parties, it took place record/store complainant's vaccination data in system archiving, even for a limited period of time, the legality of which considered in light of the principles enshrined in Articles 5 and 6 GDPR. 9. Because, as it appears from the complaint and admitted by complained of, the complainant was not informed in accordance with them terms of article 13 GDPR, regarding the registration/storage of the data vaccination and the subsequent destruction of the copy of the certificate his vaccination. 10. Because, as mentioned above (sec. 5-6) the provision of information to the complainant in relation to said processing is a right of the subject of data and at the same time obligation of the controller, while at the same time is a constituent element for the observance of the principles of legality, of objectivity and transparency of processing. 11. Since, the Authority, from all the elements of the file and of what emerged from the hearing procedure and the filed memorandum, finds that the registration/storage of the complainant's vaccination data constitutes unlawful processing, which took place in violation of its principles legality, objectivity and transparency of processing, such as these are protected by article 5 par. 1 item a) GDPR, in conjunction with Article 13 GDPR. 12. Because, since a lack of compliance with the provisions of article 5 par. 1 item a) GDPR principles and given that, according to what is set out in paragraph 3, it is required cumulatively to fulfill the conditions of application and compliance with the principles of article 5 par. 1 GDPR9, regarding personnel data character to be subject to legal processing, the examination of the fulfillment of the 9 See as above, under 7.13 other authorities of legal data processing based on article 5, as well as h examination of the conditions for applying the legal bases of article 6 GDPR10. 13. Because, to the extent that the above-mentioned complaint concerns the one involved with it violation of rights to access and delete his data complainant, it is found that they have not been submitted by the complainant data documenting the submission of a relevant request to the person in charge processing, so as to determine the time and subject of the relevant request, therefore, the complaint is considered vague and is not considered in this part. 14. Because the Authority considers that, in relation to the established violation of the provisions of of articles 5 par. 1 item a) and 13 GDPR, he may exercise his powers article 58 par. 2 GDPR its corrective powers in combination with the resulting ones from article 4 par. 3 item d) of the Regulation of Operation of the Authority (Government Gazette Β΄879/25.02.2022) powers of the President, and in particular to reprimand according to article 58 par. 2 item b) of the GDPR to the complained company for the above infringement FOR THOSE REASONS The beginning a) finds that the registration/storage of his vaccination data complainant in a filing system, constitutes a violation of its principles legality, objectivity and transparency of processing, such as are protected by article 5 par. 1 item a) GDPR, in conjunction with Article 13 GDPR and b) directs a reprimand, according to article 58 par. 2 b) GDPR, to the complained company for as the above violation, for the reasons that are extensively analyzed in its rationale present.