HDPA (Greece) - 7/2024: Difference between revisions

From GDPRhub
Line 77: Line 77:
Detailed information was provided orally to data subject at the request, with the result that it was not easily verifiable. For these reasons, the authority:
Detailed information was provided orally to data subject at the request, with the result that it was not easily verifiable. For these reasons, the authority:


A) The HDPA issued a warning to the data controller, under Article 21 of  Greek Law [See comment..], to adapt the information on the operation of the geolocation tracking system in vehicles to be individual, complete, and clear and to be reasonably certified.
A) The HDPA issued a warning to the data controller, under Article 21 of  Greek Law <!-- see comment -->, to adapt the information on the operation of the geolocation tracking system in vehicles to be individual, complete, and clear and to be reasonably certified.


B) The HDPA issued a compliance order to the data controller under [[Article 58 GDPR|Article 58(2) GDPR]], to adapt the information on the operation of the geolocation tracking system in vehicles to be individual, complete, and clear and to be reasonably certified.
B) The HDPA issued a compliance order to the data controller under [[Article 58 GDPR|Article 58(2) GDPR]], to adapt the information on the operation of the geolocation tracking system in vehicles to be individual, complete, and clear and to be reasonably certified.

Revision as of 09:24, 2 April 2024

HDPA - 7/2024
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 12 GDPR
Article 58(2)(c) GDPR
Type: Complaint
Outcome: Upheld
Started: 08.11.2018
Decided: 16.02.2024
Published: 04.03.2024
Fine: n/a
Parties: n/a
National Case Number/Name: 7/2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: inder-kahlon

The Hellenic DPA issued a warning and a compliance order to the controller under Article 58(2) GDPR, to provide adequate notice of the geolocation tracking data of company vehicles used by employees outside of work hours.

English Summary

Facts

The data subject submitted a complaint to the Hellenic DPA on 08 November 2018, raising concerns against company "X" (the controller), regarding the unlawful operation of the geolocation tracking system installed on the vehicle provided by the employer. The data subject complained that data from the geolocation tracking system was used by the controller to track vehicle outside working hours and that the data subject had not been adequately informed about this data processing.

The controller responded to the HDPA in regard to the complaint by justifying the purpose that the tracking was used to ensure the safety and protection of the employee's and company's vehicles and cargo. The tracking helped verify routes and ensure that the schedule set by the supervisors was followed. The controller stated that after being informed orally about how the geolocation tracking system works, the data subject freely considered the given options. The controller stated that the data subject didn't oppose the installation of the geolocation device and also agreed to it. The controller mentions that the data subject signed the car delivery protocol on 05 March 2015, which explicitly mentions the geolocation tracking device. Additionally, the controller refers to a court decision that found no illegality regarding the operation of the geolocation tracking system.

Holding

The Hellenic DPA first takes into consideration the guidance from Opinion 2/2017 of the Article 29 Working Party, emphasising that monitoring employees' vehicle locations outside working hours may lack a legal basis due to the sensitivity of such data. However, if monitoring is necessary, it must be proportional to the risks, such as recording location only when vehicles leave predefined areas to prevent theft. Additionally, employers should only access location data in emergencies, and controllers must demonstrate GDPR compliance, including maintaining appropriate documentation.

Additionally, the HDPA also takes into consideration its 2014 Annual Report, where the use of geolocation systems in employee vehicles was addressed. Employers had an obligation to inform employees about the purpose, type, retention time, and access procedures regarding data processing. This obligation extends to data collected outside working hours, even before GDPR implementation, as per relevant laws.

Detailed information was provided orally to data subject at the request, with the result that it was not easily verifiable. For these reasons, the authority:

A) The HDPA issued a warning to the data controller, under Article 21 of  Greek Law , to adapt the information on the operation of the geolocation tracking system in vehicles to be individual, complete, and clear and to be reasonably certified.

B) The HDPA issued a compliance order to the data controller under Article 58(2) GDPR, to adapt the information on the operation of the geolocation tracking system in vehicles to be individual, complete, and clear and to be reasonably certified.

Comment

The HDPA in its published decision referred to the Greek Law Ν.2472/2997, but this appears to be an error as such a law doesn't exist. Instead, it is more likely that they intended to cite Greek Law Ν.2472/1997, which has been repealed as of 29 August 2019 by Article 84 of Greek LAW 4624/2019.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

The Authority examined a complaint by a former employee according to which data from the system was used by the complainant to prove that the employee used the vehicle outside of working hours, in violation of the concession conditions, and that he had not been properly informed about the processing of his personal data through of this system.

The Authority addressed to the employer, as controller, a warning based on article 21 of Law 2472/1997 for the adaptation of the information on the operation of the geolocation system in vehicles so that it is individual, complete and clear and certified in a reasonable manner and order based on article 58 par. 2 item 3 GDPR, to adapt the information on the operation of the geolocation system in vehicles so that it is individual, complete and clear and can be certified in a reasonable way.

Sanctions: warning, compliance order