HDPA (Greece) - 7/2024: Difference between revisions

From GDPRhub
mNo edit summary
mNo edit summary
Line 61: Line 61:
}}
}}


The DPA found that a controller violated transparency principles by tracking geolocation data on a company vehicle outside of work hours and ordered the controller to bring disclosures to data subjects into compliance with the GDPR.
The DPA found that a controller violated transparency principles by tracking geolocation data on a company vehicle outside of work hours and ordered the controller to bring its information disclosures into compliance with the GDPR.


== English Summary ==
== English Summary ==
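
Review bot: the new wording "its information disclosures" on the changed summary line drops the recipient that the previous line named ("disclosures to data subjects"), so the one-sentence summary no longer says who has to be informed. Consider "the information it provides to data subjects" to keep the tightened phrasing without losing that point.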

Revision as of 10:03, 3 April 2024

HDPA - 7/2024
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 12 GDPR
Article 58(2)(c) GDPR
Type: Complaint
Outcome: Upheld
Started: 08.11.2018
Decided: 16.02.2024
Published: 04.03.2024
Fine: n/a
Parties: n/a
National Case Number/Name: 7/2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: inder-kahlon

The DPA found that a controller violated transparency principles by tracking geolocation data on a company vehicle outside of work hours and ordered the controller to bring its information disclosures into compliance with the GDPR.

English Summary

Facts

A former employee (data subject) submitted a complaint to the Hellenic DPA (HDPA) on 8 November 2018 against their former employer, company "X" (the controller), claiming that it unlawfully operated the geolocation tracking system installed on the vehicle provided by the controller. The data subject complained that the controller used data from the geolocation tracking system to track the vehicle outside of working hours and that the data subject had not been adequately informed about this data processing.

The controller argued that the purpose of the tracking was to ensure the safety and protection of the employee's and company's vehicles and cargo. The tracking helped verify routes and ensure that the schedule set by the supervisors was followed. The controller stated that after being informed orally about how the geolocation tracking system works, the data subject freely considered the given options. The controller also claimed that the data subject didn't oppose the installation of the geolocation device and also agreed to it. The controller noted that the data subject signed the car delivery protocol on 5 March 2015, which explicitly mentioned the geolocation tracking device. Additionally, the controller referred to a court decision that had found no illegality regarding the controller's operation of the geolocation tracking system.

Holding

The HDPA first considered the guidance from Opinion 2/2017 of the Article 29 Working Party, emphasising that monitoring employees' vehicle locations outside working hours may lack a legal basis due to the sensitivity of such data. However, if monitoring is necessary, it must be proportional to the risks, such as recording location only when vehicles leave predefined areas to prevent theft. Additionally, employers should only access location data in emergencies, and controllers must demonstrate GDPR compliance, including maintaining appropriate documentation.

The HDPA also took into consideration its 2014 Annual Report, which addressed the use of geolocation systems in employee vehicles. Under the Report, employers had an obligation to inform employees about the purpose, type, retention time, and access procedures regarding data processing. This obligation extended to data collected outside working hours, even before GDPR implementation, as per relevant laws. In this case, however, the controller recorded the geolocation data of the vehicle outside of working hours without having informed the complainant that it would do so.

Although the location data was obtained before the GDPR came into force, the HDPA found that the obligation to inform the data subject should have been satisfied pursuant to the then-applicable national law, Article 11 of N. 2472/1997, granting data subjects a right to information.

For these reasons, the HDPA:

  1. Instructed the data controller under Article 21 of N. 2472/1997 to adapt the information on the operation of the geolocation tracking system in vehicles to be individual, complete, and clear and to be reasonably certified.
  2. Issued a compliance order to the data controller under Article 58(2) GDPR, requiring it to adapt the information on the operation of the geolocation tracking system in vehicles to be individual, complete, and clear and to be reasonably certified.

Comment

The HDPA in its published decision referred to Article 21 of Greek Law Ν.2472/2997, but this appears to be an error as such a law doesn't exist. Instead, it is more likely that they intended to cite Greek Law Ν.2472/1997, which has been repealed as of 29 August 2019 by Article 84 of Greek Law 4624/2019.

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

The Authority examined a complaint by a former employee according to which data from the system was used by the complainant to prove that the employee used the vehicle outside of working hours, in violation of the concession conditions, and that he had not been properly informed about the processing of his personal data through this system.

The Authority addressed to the employer, as controller, a warning based on article 21 of Law 2472/1997 for the adaptation of the information on the operation of the geolocation system in vehicles so that it is individual, complete and clear and certified in a reasonable manner and order based on article 58 par. 2 item 3 GDPR, to adapt the information on the operation of the geolocation system in vehicles so that it is individual, complete and clear and can be certified in a reasonable way.

Sanctions: warning, compliance order