HDPA (Greece) - 24/2022

From GDPRhub
Revision as of 16:32, 15 November 2022 by Kk (talk | contribs) (added machine translation)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
HDPA - 24/2022
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 2 GDPR
Article 5(1)(a) GDPR
Article 5(1)(f) GDPR
Article 15 GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Decided: 29.04.2022
Published: 29.04.2022
Fine: 35.000 EUR
Parties: n/a
National Case Number/Name: 24/2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: Greek DPA (in EL)
Initial Contributor: Anastasia Tsermenidou

The Greek DPA imposed a fine of €35,000 on a controller for infringing the principles of legality, transparency and security, as well as failure to satisfy the right of access.

English Summary


The first complaint concerned a breach of the provisions concerning the control of the computer during the data subject's work and the second complaint concerned the failure to comply with the right of access. The employer (the controller) processed personal data of the employees on the basis of their contractual relationship and, in exercising its managerial right for the proper functioning of the organisation.


The DPA stated that employees have a reasonable expectation of privacy in a workplace, which is not removed by the fact that they use equipment, communications devices or any other professional facilities and infrastructure (e.g. electronic communications network, Wi-Fi, corporate e-mail addresses, etc.) of the employer. The fact that the public employer may be the owner of the means of electronic communication (e.g. computers) does not lead to a a denial of the employees' right to data protection.

According to the DPA, the controller was entitled to exercise control over the electronic means of communication provided to the employees for their work, provided that the relevant processing, was subject to the principle of proportionality, necessary for the fulfilment of the legitimate interest of the interest it pursues and provided that this clearly outweighs the rights and interests of the worker, without prejudice to the fundamental rights and interests of the worker, and their fundamental freedoms.

In conclusion, the DPA found an infringement of, among others, the principles of legality, transparency and security under Article 5(1)(a) and (f) GDPR, and Article 32(1)(2) GDPR, as well as failure to satisfy the right of access. The DPA imposed a €35,000 fine on the controller.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Athens, 29-04-2022
Original No: 977
DECISION 24/2022
The Personal Data Protection Authority met in a Chamber by teleconference on Wednesday
21-04-2021 at 10:30 a.m. at the invitation of its Chairperson, in order to examine the case
mentioned in the background of this document. In attendance were, the Deputy Chairman,
George Batzalexis, in the absence of the Chairman of the Authority, Konstantinos
Menoudakos, the regular member of the Authority, Konstantinos Lambrinoudakis, and the
alternate member of the Authority, Gregorios Tsolias, as Rapporteur, in place of the regular
member, Charalambos Anthopoulos, who, although legally summoned in writing, did not
attend due to his absence. Present without the right to vote were Stefania Plota, a lawyer-
specialist, as assistant rapporteur, who left after the discussion of the case and before the
discussion and the decision was taken, and Irini Papageorgopoulou, an official of the
Authority's Administrative Affairs Department, as secretary.
The Authority has taken note of the following:
By means of her complaints to the Authority under reference numbers C/EIS/6429/22-09-
2020 and C/EIS/7111/16-10-2020, A (hereinafter referred to as 'the complainant'), an
employee of the Secretariat of the Office ... attached to the Fire Services Administration of
Prefecture X (hereinafter referred to as 'the Fire Service Administration of Prefecture X'),
complains to the Fire Service Administration of Prefecture X. X, which at the time the
complaint was lodged was represented by the Commander, B (hereinafter 'the former
Commander'), on the one hand, by the first complaint for infringement of the provisions of
the Authority's competence, concerning the control of her computer during her work in the
above-mentioned service and, on the other hand, by the second complaint for failure to
comply with the right of access.
Ave. 1-3 Kifissia Street, 11523 Athens, Greece
T: 210 6475 600 - E: contact@dpa.gr - www.dpa.gr
In particular, the complainant states in the first complaint under consideration that on ... she
was given verbal instructions to work on a different office computer from the one she used
every day to meet official needs in a different place from the one she worked on every day.
On that day, as stated in the complaint, a check was carried out by the former administrator
on the office computer used by the complainant, during which she was not present and had
not received any oral or written information about the check and whether it concerned all
the computers in the service. Subsequently, on ..., the complainant received a summons No
... from the Director of Internal Affairs X to apologise, stating that, during a check of the
website visit history of the service computer she was using, she was found to have visited
social networking and entertainment websites several times during her working hours,
constituting disciplinary misconduct, by which the complainant was made aware of the
check carried out on the service computer she was using. On ..., the complainant submitted
complaint No. ... to the Director, following which she received the Extract of the Day of ...,
which was the subject of a disciplinary measure.
The Authority, in the framework of its examination of the above complaint, sent to the
I.P.Y.N.Y., the letter No. C/EX/6429-1/07-10-2020 for providing its views, in which the
Authority replied to the letter No. C/EX/6429-1/07-10-2020. C/EIS/6905/09-10-2020, it
stated, inter alia, that because on ... there was a need to process a fire safety case, the
Commander went to the complainant's office to use the protocol application to search for a
pending case on the Fire Safety Department's computer and found that the computer was
open in standby and power saving mode and immediately with the first movement of the
cursor, personal social networking and entertainment pages appeared on the screen, in a
large number of parallel open tabs and performed a history search to ascertain when the
pages had been open. It was also reported that the computer in question is not personal but
is intended to serve official needs, with programs and applications necessary for the affairs
of the Office. Finally, the Governor requested that the Authority inform him whether it is a
violation of personal data for a Head or Head of Service to access an official computer and
whether the permission of an employee is required for the Head of Service to use any of the
computers belonging to an agency.