HDPA (Greece) - 31/2020

From GDPRhub
(Redirected from HDPA - 31/2020)
HDPA - 31/20
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 4(1) GDPR
Article 4(2) GDPR
Article 5 GDPR
Article 6 GDPR
HDPA Directive 1/2011
HDPA Directive 115/2001
Type: Complaint
Outcome: Rejected
Decided: 04.09.2020
Fine: None
Parties: n/a
National Case Number/Name: 31/20
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: Panayotis Yannakas

An employee had submitted a complaint to the Greek Data Protection Authority about the video surveillance in the store in which she had worked. The Greek DPA held that a CCTV system shall be handled as subject to Article 4(1) and Article 4(2) of GDPR Regulation. That judgment does not mean that any CCTV surveillance in workplaces and under any circumstances is forbidden; the Data Protection Officer seems to make an obiter dictum legal comment and not a ratio decidendi of that decision.

The Greek Office, before finishing, its his judgment, goes through the principle of proportionality and finds, that in these facts, the merchant had not violated employees' rights when he installed the surveillance system.

English Summary


The Complainant was working in one of the merchant's stores where a CCTV system was installed and active. The employer repeatedly had assured the employees that not only was that the field of view of the cameras the cash registers, but also that the CCTV did not capture any sound at all.

The Complainant began to believe that more cameras had been installed in the store and that they were recording sound as well. Therefore, she submitted the following complaint to the Greek DPA. She also brought a court action with which she claimed damages for the unlawful processing. She claimed that some of the cameras were scoped to the WC room and the changing rooms.

During the hearing, the employer declined any allegation regarding the sound recording. He also submitted a detailed list of all the cameras with recording samples for each one and clarified all the ways he used to inform visitors and staff of the existence of that CCTV system, including notices, signs and brochures, as well as the entire Company's policy of the personal data protection in written form.


The Greek DPA deals with certain requirements of lawfulness of CCTV systems.


The Greek Data Protection Officer argued four points:

First, under Article 4(1), the Greek DPA Office confirms that visual and sound data may be considered personal data when identifiable information relating to natural persons is included.

Second, indoor and outdoor video surveillance in areas which persons are invited to visit fulfils the definition of processing as per Article 4(2) of the GDPR.

Third, the Greek DPA concludes that a genuine adoption of the concept of proportionality in such circumstance shall also examine (a) the lawfulness, fairness, and transparency of the processing without underestimating aspects as (b) how much further the process goes in a manner that is incompatible with announced, specified, explicit and legitimate purposes or (c) minimising the amount of data to what is absolutely necessary within those purposes.

Fourth, the Board concluded that the contested CCTV system was compatible with the requirement of Article 6(1)(f) GDPR according to which, a data processing is lawful when it is strictly necessary for the purposes of the legitimate interests pursued by the Controller, except where fundamental rights of the data subject override such interests.

The Greek DPA found that the merchant collected only the strictly necessary data in order to increase the security level of the store and protect it against thieves.


The content of the decision seems modest. In particular, it is not clear which reasons the Authority has considered to reject the Complainant's allegations concerning the sound recording and the cameras' field of view.

Back as far as 2011, the Greek DPA issued a national directive for the CCTV at workplaces, and that national directive was also a reference to that decision. Relative highlights of the Greek DPA's Directive 1/2011 is that the CCTV (i) shall be used as a supervising tool only when it is absolutely necessary in terms of employees' safety (i.e., factories) or in strictly critical workplaces, such as like banks and military buildings. A regulated exemption is when (ii) the purpose of the camera is to protect cash registers or when the camera’s field of view is limited to the entrance of an area. Last but not least, under the National Directive 1/2011, (iii) data for a CCTV shall not be used to monitor employees' effectiveness and performance.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.