HDPA - 31/2020

From GDPRhub
HDPA - 31/20
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 4(1) GDPR
Article 4(2) GDPR
Article 5 GDPR
Article 6 GDPR
HDPA Directive 1/2011
HDPA Directive 115/2001
Type: Complaint
Outcome: Rejected
Decided: 04.09.2020
Published: n/a
Fine: None
Parties: n/a
National Case Number/Name: 31/20
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: Panayotis Yannakas

An employee had submitted a complaint to the Greek Data Protection Authority about the video surveillance in the store in which she had worked. The Greek DPA held that a CCTV system shall be handled as subject to Article 4(1) and Article 4(2) of GDPR. The Greek Office before finishing his judgment, goes through the principle of proportionality and finds that in these facts the merchant had not violated employees' rights when he installed the surveillance system.

English Summary[edit | edit source]

Facts[edit | edit source]

The complainant was working in one of the merchant's stores where a CCTV system was installed and active. The employer repeatedly had assured (to the employees) not only that the field of view of the cameras was the cash registers, but also that the CCTV did not capture any sound at all.

The complainant began to believe that more cameras had been installed in the store and they were recording sound as well. Therefore, the she submitted the following complaint to the Greek DPA. She also brought a court action with which she claimed damages for the unlawful processing. She claimed that some of the cameras were scoped to the WC room and the changing rooms.

During the hearing, the employer declined any allegation regarding the sound recording. He also submitted a detailed list of all the cameras with recording samples for each one and clarified all the ways he used to inform visitors and staff for the existence of that CCTV system, including notices signs and brochures, as well as the entire company's policy of the personal data protection in written form.

Dispute[edit | edit source]

The Greek DPA deals with certain requirements of lawfulness of CCTV systems.

Holding[edit | edit source]

The Greek Data Protection Officer argued four points.

First, under Article 4(1), the Greek DPA Office confirms that visual and sound data may be considered personal data when identifiable information relating to natural persons are included.

Second, indoor and outdoor video surveillance in areas which persons are invited to visit fulfils the definition of processing as per Article 4(2) GDPR.

Third, the Greek DPA concludes that a genuine adoption of the concept of proportionality on such circumstance shall also examine (a) the lawfulness, fairness and transparency of the processing; without underestimating aspects as (b) how further the processed goes in a manner that is incompatible with announced, specified, explicit and legitimate purposes or (c) minimizing the amount of data to what is absolutely necessary with those purposes.

Fourth, the Board concluded that the contested CCTV system was compatible with the requirement of Article 6(f) GDPR according to which a data processing is lawful when it is strictly necessary for the purposes of the legitimate interests pursued by the controller, except where fundamental rights of the data subject override such interests.

The Greek DPA found that merchant collected only the strictly necessary data in order to increase the security level of the store and protect it against thieves.

Comment[edit | edit source]

The content of the decision seems modest. In particular, it is not clear which reasons the Authority has considered to reject the complainant's allegations concerning the sound recording and the cameras' field of view.

Back to 2011 the Greek DPA issued a national directive for the CCTV at workplaces, and that national directive was also a reference to that decision. Relative highlights of the Greek DPA's Directive 1/2011 is that the CCTV (i) shall be used as a supervising tool only when it is absolute necessary in terms of employees' safety (i.e. factories) or in strictly critical workplaces, like banks and military buildings. A regulated exemption is when (ii) the purpose of the camera is to protect cash registrars or when the camera field of view is limited to the entrance of an area. Last and not least, under the National Directive 1/2011, (iii) data for a CCTV shall not be use to monitoring employees effectiveness and performance.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.