The Hellenic Data Protection Authority (HDPA) issued two fines of €1000 each against the American College of Greece for violating a data subject's rights to access and erasure.
The HDPA examined a complaint by a former employee of the American College of Greece against the College for violating the former employee's rights of access to and erasure of personal data. After examining the merits of the case, the HDPA decided that: the College partly violated the complainant's right to access their data and, for this reason, it ordered the College to provide said data; the College violated the deadlines for responding to a request for access to personal data and, for this reason, a fine of €1000 was imposed; and the College violated the deadlines for responding to a request for erasure of data and, for this reason, a fine of €1000 was imposed.
English Summary
Facts
The data subject was employed by the College for a certain period of time, during which two female students of the College filed a complaint against the complainant regarding the latter's posts on social media, which violated the College's Code of Conduct due to their homophobic and racist content. After this event, the College decided to move the complainant to a different position. In reaction, the complainant argued that he had been defamed by the College and requested that the situation be changed. The College asked the complainant to report to the new position, which the complainant never did; nevertheless, the College continued paying the complainant's salary until the end of their contract.
Then, the data subject/complainant filed a request with the American College of Greece, asking for access to and copies of the personal data that the College keeps in its records as a result of the employment relationship between the two, and specifically requesting access to the two complaints made by the two students. With the same request, the data subject asked for the erasure of their personal data from the College's records, since the reason for which the data had been collected and were being kept was no longer valid, the employment relationship between the complainant and the College having expired. In addition, with the same request, the complainant revoked their - possibly given silently - consent for the keeping and processing of their personal data by the College.
The complainant claimed that there was no response from the College to their request. The HDPA requested the College's response to the situation. The College claimed that the request in question only came to its attention via the HDPA's request for a response to the claims. It justified this by mentioning that the employee who received the request was not in a good state of health, and that the period when the request was filed was a period of heavy workload at the College. The College further underlined that, as soon as the request came to its attention, it contacted the complainant and:
i) fulfilled their right to access their data by informing them of all data currently kept by the College and by providing information on how to get copies of all personal data, but not of the data referring to the personal information of one female student of the College who had filed a complaint against the data subject/complainant regarding the latter's behaviour, since the student expressed her unwillingness for her name and complaint to be known. The College also sent a question to the HDPA regarding the existence or not of its legal responsibility to provide access to the details of the complaint made by the student who expressed her unwillingness to be known, as well as regarding the conditions under which such access should be provided. This question, as the HDPA found, was never answered.
ii) informed the complainant that the right to erasure could only be partly fulfilled, since some of the personal data being kept by the College must continue to be kept due to a legal necessity, in order for the College to be able to fulfil some of its legal responsibilities, according to the provisions of Article 17(3)f GDPR, 250-253 Civil Law Code, and 95 Law 4387/2016. Moreover, the College claimed that it had the right to refuse to fulfil the complainant's rights to access and erasure, according to Article 12(5)b GDPR, since the respective request had been made in a manifestly unfounded or excessive and repetitive manner.
In reply to the College's claims, the complainant argued that the College was not fulfilling their rights to access and erasure, and that the College was not properly justifying the excessive or unfounded character of the complainant's requests based on the said GDPR article. Additionally, the complainant argued that their right to access had never been fulfilled, as their relevant request to the College was only answered with the explanation that the College had sent a question to the HDPA regarding the legality of fulfilling such a request, with no information being provided later on by the College. Thus, the complainant underlined that, under Article 55 of Law 4629/2019, the College had the legal responsibility, as a data processor, to inform the data subject of all the data being kept and processed and to fulfil the data subject's right to access before fulfilling their right to erasure.
Dispute
Did the American College of Greece violate the complainant's rights to access and erasure of their personal data?
Holding
The HDPA confirmed its jurisdiction to rule on the complaint regarding a possible violation of the rights of access to and erasure of personal data, according to Articles 51, 55, 57, 58 GDPR and Articles 9, 13, 15 of Law 4624/2019. Conversely, it underlined its lack of jurisdiction to rule on the dispute between the complainant and the American College of Greece as regards the conditions of the employment relationship between them.
The HDPA, after presenting the principles of data processing of Article 5(1) GDPR, underlined that, based on Article 5(2) GDPR, it is the data processor's responsibility to conform and to be able to prove their conformity with these principles at all times and by themselves (principle of accountability).
Additionally, the HDPA stated that, in accordance with Article 8(1) of the Charter of Fundamental Rights of the EU, Article 9A of the Greek Constitution, and Recital 4 GDPR, the right to protection of personal data is not an absolute right, but a right that should always be considered in relation to its function in society and weighed against other fundamental rights, always according to the principle of proportionality.
Furthermore, the HDPA referred to Articles 12 and 15 GDPR regarding the right to access personal data, while it also underlined the restrictions to this right that Articles 23 GDPR and 33 Law 4624/2019 provide. More specifically, Article 33 mentions that the right to access cannot be fulfilled when:
"1) [...] b) the data i) were recorded just because they could not have been erased due to legal provisions for the necessity of their keeping or ii) exclusively serve purposes of protection or control of data, and the provision of information would require a disproportional effort and the necessary technical and organisational measures render the processing of the data impossible for other purposes.
2) The reasons for the denial of provision of information to the data subject should be justified. The denial must be justified to the data subject, unless the provision of the real and legal reasons on which the denial is based would put the purpose of the denial into danger. [...]
4) The right to information on their data according to Article 15 GDPR does not apply, to the degree that through the provision of information other information, that according to a legal provision or to their nature, especially due to a third party's interest, must remain confidential, would be revealed."
Adding to this, the HDPA noted its past Decision 73/2010, where it judged that "the information of who is complaining against the accused constitutes an information that refers to the latter and is included in the right to access [...]. More specifically, the right to know the source of the data means that the data processor must inform the data subject of the source of the data (HDPA Decisions 4/2005, 39/2005). The HDPA has ruled that the 'source' can also be a third party (natural person) (HDPA Decisions 4/2003 & 43/2003, where it is underlined that the accused has the right to access the text of the complaint and to know - when the complaint is eponymous - the name of the complainant, without the matter of whether the complainant is a third party or not being examined). After all, the knowledge of the source of the data is necessary for the data subject to be able to exercise their further rights [...]". Therefore, the HDPA underlined that the name of the female student is included in the content of the term personal data for which the data subject has the right to access, according to Article 15(1)g GDPR.
Thus, the HDPA held that the College as a data controller, according to Article 4(7) GDPR, fulfilled the complainant's right to access via the provision of copies of the data being kept. But, as concerns the non-provision of the information on the complaint made by the second female student, the College violated Article 15 GDPR regarding the right to access, since it made the provision of access to that information conditional on the consent of the female student, without examining Article 15 GDPR or Article 33 Law 2462/2019. In addition, from the merits of the case, there is no evidence of any danger faced by the female student, nor is there any claim by the College or the female student of such a danger, given as well that the College did not pursue a disciplinary process against the complainant, while it also continued their salary payments even though the complainant refused to work in the new position to which they were transferred. (Here there was a separate opinion of one member of the HDPA, highlighting that the text of the female student's complaint should have been provided to the complainant but with the covering of all relevant data pointing to the female student's identity.) Additionally, the College's claims regarding the sickness of its employee and the work overload have no effect on the responsibility of the College to respond to the complainant's request. Nor is this responsibility affected by the fact that the HDPA did not answer the College's request for its Opinion, since the HDPA did not have jurisdiction to impose on the data processor the provision of data to a third person, nor had a complaint been filed with the HDPA by the data subject (the female student) so as to open up the HDPA's jurisdiction (Article 5 Law 2472/1997, HDPA Opinions 4/2009, 6/2013, HDPA Decision 8/2019).
Furthermore, the HDPA held that the complainant's claim that the College did not prove the unfounded or excessive character of their request is of no consequence, since the College responded to their request, albeit with delay. The HDPA also held that the complainant's claim for the implementation of Article 55(5) Law 4624/2019 is unfounded, as its provisions cannot be implemented in this case.
Lastly, the HDPA referred to Article 17 GDPR on the right to erasure and the restrictions of this non-absolute right provided in par. 3 of the said Article and in Article 34 Law 4624/2019. Thus, the HDPA underlined that in the case in question the College as a data processor fulfilled the complainant's right to erasure. The HDPA held that there is, in this case, a lawful exception from the right to erasure concerning the data referring to the complainant's employment relationship with the College, which the latter is required to keep based on Article 17(3)b & e GDPR. Additionally, the HDPA held that the College has the legal right to keep the data referring to the two complaints made by the students according to Articles 17(3)e GDPR and 34(1) Law 4624/2019.
Therefore, the HDPA held that the College partly fulfilled the data subject's right to access, since it did not provide information on the second female student's complaint, including her name, in violation of Articles 5, 15 GDPR and 33 Law 4624/2019. Thus, the HDPA, making use of its corrective powers under Article 58(2)c GDPR, ordered the College to provide the complainant with the relevant information.
Additionally, the HDPA held that the College fulfilled the right to access but in violation of the deadlines for such fulfilment provided by Article 12(3) & (4) GDPR. For this reason, an administrative fine of 1000 EUR was imposed (Article 83(5)b GDPR).
Lastly, the HDPA held that the College fulfilled the complainant's right to erasure but in violation of the deadlines provided for such fulfilment by Article 12(3) & (4) GDPR. For this reason, an administrative fine of 1000 EUR was imposed (Article 83(5)b GDPR).
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.