HDPA (Greece) - 7/2024: Difference between revisions

From GDPRhub
mNo edit summary
 
(9 intermediate revisions by 3 users not shown)
Line 11: Line 11:


|Original_Source_Name_1=HDPA
|Original_Source_Name_1=HDPA
|Original_Source_Link_1=https://www.dpa.gr/sites/default/files/2024-03/7_2024/anonym.pdf
|Original_Source_Link_1=https://www.dpa.gr/sites/default/files/2024-03/7_2024%20anonym.pdf
|Original_Source_Language_1=Greek
|Original_Source_Language_1=Greek
|Original_Source_Language__Code_1=EL
|Original_Source_Language__Code_1=EL
Line 61: Line 61:
}}
}}


The Hellenic DPA issued a warning and a compliance order to the controller under [[Article 58 GDPR|Article 58(2) GDPR]], to provide adequate notice of the geolocation tracking data of company vehicles used by employees outside of work hours.
The DPA found that a controller violated transparency principles by tracking geolocation data on a company vehicle outside of work hours and ordered the controller to bring its information disclosures into compliance with the GDPR.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The employee (data subject) submitted a complaint to the Hellenic DPA on 08 November 2018, raising concerns against company "X" (the controller), regarding the unlawful operation of the geolocation tracking system installed on the vehicle provided by the employer. The data subject complained that data from the geolocation tracking system was used by the controller to track vehicle outside working hours and that the data subject had not been adequately informed about this data processing.
A former employee (data subject) submitted a complaint to the Hellenic DPA (HDPA) on 8 November 2018 against its former employer, company "X" (the controller), claiming that the latter unlawfully operated the geolocation tracking system installed on the vehicle provided by the controller. The data subject complained that the controller used data from the geolocation tracking system to track the vehicle outside of working hours and that the data subject had not been adequately informed about this data processing.


The controller responded to the HDPA in regard to the complaint by justifying the purpose that the tracking was used to ensure the safety and protection of the employee's and company's vehicles and cargo. The tracking helped verify routes and ensure that the schedule set by the supervisors was followed. The controller stated that after being informed orally about how the geolocation tracking system works, the data subject freely considered the given options. The controller stated that the data subject didn't oppose the installation of the geolocation device and also agreed to it. The controller mentions that the data subject signed the car delivery protocol on 05 March 2015, which explicitly mentions the geolocation tracking device. Additionally, the controller refers to a court decision that found no illegality regarding the operation of the geolocation tracking system.
The controller argued that the purpose of the tracking was to ensure the safety and protection of the employee's and company's vehicles and cargo. The tracking helped verify routes and ensure that the schedule set by the supervisors was followed. The controller stated that after being informed orally about how the geolocation tracking system works, the data subject freely considered the given options. The controller also claimed that the data subject didn't oppose the installation of the geolocation device and also agreed to it. The controller noted that the data subject signed the car delivery protocol on 5 March 2015, which explicitly mentioned the geolocation tracking device. Additionally, the controller referred to a court decision that had found no illegality regarding the controller's operation of the geolocation tracking system.


=== Holding ===
=== Holding ===
The Hellenic DPA first takes into consideration the guidance from Opinion 2/2017 of the Article 29 Working Party, emphasising that monitoring employees' vehicle locations outside working hours may lack a legal basis due to the sensitivity of such data. However, if monitoring is necessary, it must be proportional to the risks, such as recording location only when vehicles leave predefined areas to prevent theft. Additionally, employers should only access location data in emergencies, and controllers must demonstrate GDPR compliance, including maintaining appropriate documentation.
The HDPA first considered the guidance from Opinion 2/2017 of the Article 29 Working Party, emphasising that monitoring employees' vehicle locations outside working hours may lack a legal basis due to the sensitivity of such data. However, to the extent that monitoring is necessary, it must be proportional to the risks, such as recording location only when vehicles leave predefined areas to prevent theft. Additionally, employers should only access location data in emergencies, and controllers must demonstrate GDPR compliance, including maintaining appropriate documentation.


Additionally, the HDPA also takes into consideration its 2014 Annual Report, where the use of geolocation systems in employee vehicles was addressed. Employers had an obligation to inform employees about the purpose, type, retention time, and access procedures regarding data processing. This obligation extends to data collected outside working hours, even before GDPR implementation, as per relevant laws.  
Additionally, the HDPA also took into consideration its 2014 Annual Report, which addressed the use of geolocation systems in employee vehicles. Under the Report, employers had an obligation to inform employees about the purpose, type, retention time and access procedures regarding data processing. This obligation extended to data collected outside working hours, even before GDPR implementation, as per relevant laws. In this case, however, the controller recorded the geolocation data of the vehicle outside of working hours without having informed the complainant that it would do so. 


Detailed information was provided orally to data subject at the request, with the result that it was not easily verifiable. For these reasons, the authority:
Although the location data was obtained before the GDPR came into force, the HDPA found that the obligation to inform the data subject should have been satisfied pursuant to the then-applicable national law, Article 11 of [https://www.syllogos.gr/nomothesia/3035-%CE%BD%CF%8C%CE%BC%CE%BF%CF%82-2472-1997-%CF%80%CF%81%CE%BF%CF%83%CF%84%CE%B1%CF%83%CE%AF%CE%B1-%CF%80%CF%81%CE%BF%CF%83%CF%89%CF%80%CE%B9%CE%BA%CF%8E%CE%BD-%CE%B4%CE%B5%CE%B4%CE%BF%CE%BC%CE%AD%CE%BD%CF%89%CE%BD N. 2472/1997], granting data subjects a right to information.


A) The HDPA issued a warning to the data controller, under Article 21 of  Greek Law <!-- see comment -->, to adapt the information on the operation of the geolocation tracking system in vehicles to be individual, complete, and clear and to be reasonably certified.
For these reasons, the HDPA ordered the controller to adapt information disclosures on the operation of the geolocation tracking system in vehicles to ensure that they are individual, complete, clear and reasonably certified pursuant to both [[Article 58 GDPR|Article 58(2) GDPR]]. and Article 21 of [https://www.dpa.gr/sites/default/files/2019-10/law_2472-97-nov2013-en.pdf N. 2472/1997].  


B) The HDPA issued a compliance order to the data controller under [[Article 58 GDPR|Article 58(2) GDPR]], to adapt the information on the operation of the geolocation tracking system in vehicles to be individual, complete, and clear and to be reasonably certified.
=== Comment ===
''Notably, the DPA focused only on the portion of the data subject's compliant concerning adequate information about the data processing. It did not address the data subject's claim that the controller was unlawfully processing geolocation data from the vehicle.''


== Comment ==
''Regarding a discrepancy in the HDPA's cited case law: in a portion of its published decision, the HPDA referred to Article 21 of Greek Law Ν.2472/2997. However, this appears to be an error as such a law doesn't exist. Instead, it is more likely that they intended to cite Greek Law Ν.2472/1997, which has been repealed as of 29 August 2019 by Article 84 of Greek Law 4624/2019.''
''The HDPA in its published decision referred to the Greek Law Ν.2472/2997, but this appears to be an error as such a law doesn't exist. Instead, it is more likely that they intended to cite Greek Law Ν.2472/1997, which has been repealed as of 29 August 2019 by Article 84 of Greek LAW 4624/2019.''


== Further Resources ==
== Further Resources ==
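Review bot: the rewritten last paragraph of the Holding merges two measures into one. It says the HDPA "ordered the controller ... pursuant to both [[Article 58 GDPR|Article 58(2) GDPR]]. and Article 21 of N. 2472/1997", whereas the revision it replaces listed a warning under Article 21 and a compliance order under Article 58(2) GDPR as separate items, and the new opening sentence no longer mentions the warning. Suggest keeping the warning and the compliance order as distinct measures, each with its own legal basis. In the same sentence there is a stray full stop after "GDPR]]". In the Comment section, the new first paragraph writes "compliant" for "complaint" and the second writes "HPDA" for "HDPA".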

Latest revision as of 12:05, 5 April 2024

HDPA - 7/2024
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 12 GDPR
Article 58(2)(c) GDPR
Type: Complaint
Outcome: Upheld
Started: 08.11.2018
Decided: 16.02.2024
Published: 04.03.2024
Fine: n/a
Parties: n/a
National Case Number/Name: 7/2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: inder-kahlon

The DPA found that a controller violated transparency principles by tracking geolocation data on a company vehicle outside of work hours and ordered the controller to bring its information disclosures into compliance with the GDPR.

English Summary

Facts

A former employee (data subject) submitted a complaint to the Hellenic DPA (HDPA) on 8 November 2018 against its former employer, company "X" (the controller), claiming that the latter unlawfully operated the geolocation tracking system installed on the vehicle provided by the controller. The data subject complained that the controller used data from the geolocation tracking system to track the vehicle outside of working hours and that the data subject had not been adequately informed about this data processing.

The controller argued that the purpose of the tracking was to ensure the safety and protection of the employee's and company's vehicles and cargo. The tracking helped verify routes and ensure that the schedule set by the supervisors was followed. The controller stated that after being informed orally about how the geolocation tracking system works, the data subject freely considered the given options. The controller also claimed that the data subject didn't oppose the installation of the geolocation device and also agreed to it. The controller noted that the data subject signed the car delivery protocol on 5 March 2015, which explicitly mentioned the geolocation tracking device. Additionally, the controller referred to a court decision that had found no illegality regarding the controller's operation of the geolocation tracking system.

Holding

The HDPA first considered the guidance from Opinion 2/2017 of the Article 29 Working Party, emphasising that monitoring employees' vehicle locations outside working hours may lack a legal basis due to the sensitivity of such data. However, to the extent that monitoring is necessary, it must be proportional to the risks, such as recording location only when vehicles leave predefined areas to prevent theft. Additionally, employers should only access location data in emergencies, and controllers must demonstrate GDPR compliance, including maintaining appropriate documentation.

The HDPA also took into consideration its 2014 Annual Report, which addressed the use of geolocation systems in employee vehicles. Under the Report, employers had an obligation to inform employees about the purpose, type, retention time and access procedures regarding data processing. This obligation extended to data collected outside working hours, even before GDPR implementation, as per relevant laws. In this case, however, the controller recorded the geolocation data of the vehicle outside of working hours without having informed the complainant that it would do so.

Although the location data was obtained before the GDPR came into force, the HDPA found that the obligation to inform the data subject should have been satisfied pursuant to the then-applicable national law, Article 11 of N. 2472/1997, granting data subjects a right to information.

For these reasons, the HDPA ordered the controller to adapt information disclosures on the operation of the geolocation tracking system in vehicles to ensure that they are individual, complete, clear and reasonably certified pursuant to both Article 58(2) GDPR and Article 21 of N. 2472/1997.

Comment

Notably, the DPA focused only on the portion of the data subject's complaint concerning adequate information about the data processing. It did not address the data subject's claim that the controller was unlawfully processing geolocation data from the vehicle.

Regarding a discrepancy in the HDPA's cited case law: in a portion of its published decision, the HDPA referred to Article 21 of Greek Law Ν.2472/2997. However, this appears to be an error as such a law doesn't exist. Instead, it is more likely that they intended to cite Greek Law Ν.2472/1997, which has been repealed as of 29 August 2019 by Article 84 of Greek Law 4624/2019.


English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

The Authority examined a complaint by a former employee according to which data from the system was used by the complainant to prove that the employee used the vehicle outside of working hours, in violation of the concession conditions, and that he had not been properly informed about the processing of his personal data through this system.

The Authority addressed to the employer, as controller, a warning based on article 21 of Law 2472/1997 for the adaptation of the information on the operation of the geolocation system in vehicles so that it is individual, complete and clear and certified in a reasonable manner and order based on article 58 par. 2 item 3 GDPR, to adapt the information on the operation of the geolocation system in vehicles so that it is individual, complete and clear and can be certified in a reasonable way.

Sanctions: warning, compliance order