HDPA (Greece) - 41/2021

From GDPRhub
Revision as of 13:14, 29 September 2021 by FA (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
HDPA (Greece) - 41/2021
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(c) GDPR
Article 9(2)(h) GDPR
Article 13 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 21.09.2021
Published:
Fine: None
Parties: n/a
National Case Number/Name: 41/2021
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Greek
Original Source: Greek DPA (in EL)
Initial Contributor: Florence D'Ath

The Greek DPA found that a nursing home had unlawfully recorded its employees in violation of the principle of data minimisation and of the right to information. The Greek DPA instructed the nursing home to adjust the visual fields of some cameras and to destroy the already recorded material.

English Summary[edit | edit source]

Facts[edit | edit source]

An employee working in a nursing home lodged a complaint with the Greek DPA (HDPA) because the CCTV cameras installed in the nursing home were filming the premises, including the employees and residents, in an intrusive manner.

Holding[edit | edit source]

After reviewing the facts of the case, the Greek DPA found the following violations:

  • violation of Article 9(2)(h) GDPR (processing of special categories of data): according to the applicable data protection law, the processing of data, including sensitive health data, is allowed when necessary for the purpose of preventive or occupational medicine, health or social care systems, or other health-related reason. Before initiating such processing, however, the controller must receive an authorization, in the form of a committee decision consisting of competent medical and nursing staff. In this case, however, the HDPA found that the nursing home had installed the camera without the prior approval of such committee, which is a necessary condition for documenting the need for supervision and the possibility of relying on Article 9(2)(h) GDPR;
  • violation of Article 13 GDPR (the obligation to inform data subjects): the HDPA also found that the installation and operation of the cameras took place without prior notification of the employees in written or electronic form, and that the limited information which was provided to them did not cover the requirements of Article 13 GDPR. In particular, the information was too general, and the given purpose of the processing did not accurately relate to the given legal basis and the type of data (i.e. special categories of data);
  • violation of Article 5(1)(b) GDPR (principle of data minimisation): finally, the HDPA found that the cameras were installed in violation of the principle of data minimization as the employees' movements and position were recorded.

It was noted by the HDPA that the nursing home had conducted a data protection impact assessment (DPIA), in accordance with Article Article 35 GDPR. The HDPA found however that the controller had failed to properly address the issues identified by the DPIA.

Following the intervention of the HDPA, a series of modifications were made to the operation of the CCTV system. In addition, the HDPA instructed the nursing home to adjust the cameras installed in the kitchens so that they would focus exclusively on entry and exit areas. Finally, the HDPA also instructed the nursing home to destroy the material that had already been recorded.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.



  
    

  
  
    
  
    Category
              Decision
          

  
    Date
              21/09/2021

          

  
    Transaction number
              41
          

  
    Thematic unit
          
              11. Labor Relations
              
      

  
    Applicable provisions
          
              Article 5.1.c: Principle of data minimization
          Article 13: Information collected by the data subject
              
      

  
    Summary
              The Authority reprimanded a controller in connection with the operation of a video surveillance system in a nursing home. After a complaint from an employee, it was found that: a) the installation of the cameras took place without a decision of a committee consisting of competent medical and nursing staff, which is a necessary condition for documenting the need for supervision and the possibility of applying the provision no. 9 par. 2 sub-paragraph h ', b) the installation and operation of the cameras took place without prior notification of the employees in written or electronic form and the information provided does not cover the obligations of art. 13, as it is general and the purpose of the respective processing is not related to the legal basis and the type of data, c) cameras were installed in violation of the principle of minimization as the image was taken from employee positions. The controller had conducted a data protection impact assessment without properly addressing the issues. Following the intervention of the Authority, a series of modifications were made to the operation of the system, while the Authority also instructed to adjust the cameras installed in the kitchens so that they focus exclusively on entry and exit areas and to destroy the collected material.

          

  
    PDF Decision
              41_2021anonym.pdf349.81 KB
          

  


    
  
    Category
              Decision
          

  
    Date
              21/09/2021

          

  
    Transaction number
              41
          

  
    Thematic unit
          
              11. Labor Relations
              
      

  
    Applicable provisions
          
              Article 5.1.c: Principle of data minimization
          Article 13: Information collected by the data subject
              
      

  
    Summary
              The Authority reprimanded a controller in connection with the operation of a video surveillance system in a nursing home. After a complaint from an employee, it was found that: a) the installation of the cameras took place without a decision of a committee consisting of competent medical and nursing staff, which is a necessary condition for documenting the need for supervision and the possibility of applying the provision no. 9 par. 2 sub-paragraph h ', b) the installation and operation of the cameras took place without prior notification of the employees in written or electronic form and the information provided does not cover the obligations of art. 13, as it is general and the purpose of the respective processing is not related to the legal basis and the type of data, c) cameras were installed in violation of the principle of minimization as the image was taken from employee positions. The controller had conducted a data protection impact assessment without properly addressing the issues. Following the intervention of the Authority, a series of modifications were made to the operation of the system, while the Authority also instructed to adjust the cameras installed in the kitchens so that they focus exclusively on entry and exit areas and to destroy the collected material.

          

  
    PDF Decision
              41_2021anonym.pdf349.81 KB