HDPA (Greece) - 24/2022
|HDPA - 24/2022|
|Relevant Law:||Article 2 GDPR|
Article 5(1)(a) GDPR
Article 5(1)(f) GDPR
Article 15 GDPR
Article 32 GDPR
|National Case Number/Name:||24/2022|
|European Case Law Identifier:||n/a|
|Original Source:||Greek DPA (in EL)|
|Initial Contributor:||Anastasia Tsermenidou|
The Greek DPA imposed a fine of €35,000 on a controller for infringing the principles of legality, transparency and security, as well as failure to satisfy the right of access.
English Summary[edit | edit source]
Facts[edit | edit source]
The first complaint concerned a breach of the provisions concerning the control of the computer during the data subject's work and the second complaint concerned the failure to comply with the right of access. The employer (the controller) processed personal data of the employees on the basis of their contractual relationship and, in exercising its managerial right for the proper functioning of the organisation.
Holding[edit | edit source]
The DPA stated that employees have a reasonable expectation of privacy in a workplace, which is not removed by the fact that they use equipment, communications devices or any other professional facilities and infrastructure (e.g. electronic communications network, Wi-Fi, corporate e-mail addresses, etc.) of the employer. The fact that the public employer may be the owner of the means of electronic communication (e.g. computers) does not lead to a a denial of the employees' right to data protection.
According to the DPA, the controller was entitled to exercise control over the electronic means of communication provided to the employees for their work, provided that the relevant processing, was subject to the principle of proportionality, necessary for the fulfilment of the legitimate interest of the interest it pursues and provided that this clearly outweighs the rights and interests of the worker, without prejudice to the fundamental rights and interests of the worker, and their fundamental freedoms.
In conclusion, the DPA found an infringement of, among others, the principles of legality, transparency and security under Article 5(1)(a) and (f) GDPR, and Article 32(1)(2) GDPR, as well as failure to satisfy the right of access. The DPA imposed a €35,000 fine on the controller.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Athens, 29-04-2022 Original No: 977 DECISION 24/2022 (Department) The Personal Data Protection Authority met in a Chamber by teleconference on Wednesday 21-04-2021 at 10:30 a.m. at the invitation of its Chairperson, in order to examine the case mentioned in the background of this document. In attendance were, the Deputy Chairman, George Batzalexis, in the absence of the Chairman of the Authority, Konstantinos Menoudakos, the regular member of the Authority, Konstantinos Lambrinoudakis, and the alternate member of the Authority, Gregorios Tsolias, as Rapporteur, in place of the regular member, Charalambos Anthopoulos, who, although legally summoned in writing, did not attend due to his absence. Present without the right to vote were Stefania Plota, a lawyer- specialist, as assistant rapporteur, who left after the discussion of the case and before the discussion and the decision was taken, and Irini Papageorgopoulou, an official of the Authority's Administrative Affairs Department, as secretary. The Authority has taken note of the following: By means of her complaints to the Authority under reference numbers C/EIS/6429/22-09- 2020 and C/EIS/7111/16-10-2020, A (hereinafter referred to as 'the complainant'), an employee of the Secretariat of the Office ... attached to the Fire Services Administration of Prefecture X (hereinafter referred to as 'the Fire Service Administration of Prefecture X'), complains to the Fire Service Administration of Prefecture X. X, which at the time the complaint was lodged was represented by the Commander, B (hereinafter 'the former Commander'), on the one hand, by the first complaint for infringement of the provisions of the Authority's competence, concerning the control of her computer during her work in the above-mentioned service and, on the other hand, by the second complaint for failure to comply with the right of access. 1 Ave. 1-3 Kifissia Street, 11523 Athens, Greece T: 210 6475 600 - E: email@example.com - www.dpa.gr 2 In particular, the complainant states in the first complaint under consideration that on ... she was given verbal instructions to work on a different office computer from the one she used every day to meet official needs in a different place from the one she worked on every day. On that day, as stated in the complaint, a check was carried out by the former administrator on the office computer used by the complainant, during which she was not present and had not received any oral or written information about the check and whether it concerned all the computers in the service. Subsequently, on ..., the complainant received a summons No ... from the Director of Internal Affairs X to apologise, stating that, during a check of the website visit history of the service computer she was using, she was found to have visited social networking and entertainment websites several times during her working hours, constituting disciplinary misconduct, by which the complainant was made aware of the check carried out on the service computer she was using. On ..., the complainant submitted complaint No. ... to the Director, following which she received the Extract of the Day of ..., which was the subject of a disciplinary measure. The Authority, in the framework of its examination of the above complaint, sent to the I.P.Y.N.Y., the letter No. C/EX/6429-1/07-10-2020 for providing its views, in which the Authority replied to the letter No. C/EX/6429-1/07-10-2020. C/EIS/6905/09-10-2020, it stated, inter alia, that because on ... there was a need to process a fire safety case, the Commander went to the complainant's office to use the protocol application to search for a pending case on the Fire Safety Department's computer and found that the computer was open in standby and power saving mode and immediately with the first movement of the cursor, personal social networking and entertainment pages appeared on the screen, in a large number of parallel open tabs and performed a history search to ascertain when the pages had been open. It was also reported that the computer in question is not personal but is intended to serve official needs, with programs and applications necessary for the affairs of the Office. Finally, the Governor requested that the Authority inform him whether it is a violation of personal data for a Head or Head of Service to access an official computer and whether the permission of an employee is required for the Head of Service to use any of the computers belonging to an agency.