HDPA - 43/2019

From GDPRhub
HDPA - 43/2019
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law:

Article 5(1)(a) GDPR

Article 5(2) GDPR

Article 58(2)(c) GDPR

Article 58(2)(d) GDPR

Article 58(2)(i) GDPR

Article 83(2) GDPR

Type: Complaint
Outcome: Upheld
Decided: n/a
Published: 13. 1. 2020
Fine: EUR 15,000
Parties: ALLSEAS MARINE S.A.
National Case Number: 43/2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language:

Greek

Original Source: HDPA (GR)

The HDPA issued an order to the Greek company managing dry bulk and container vessels, ALLSEAS MARINE S.A., to bring its processing operations with regard to the video surveillance it employed into compliance with the GDPR. The HDPA also issued a fine EUR 15,000 for violation of the data subject’s right to access and of the principles relating to data processing as foreseen under Article 5(1) GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

The Complainant was General Manager and DPO of the company ALLSEAS MARINE S.A., which according to his complaint processed without any prior notification and keeps processing his and his family's personal data, including sensitive data, infringing this way his right as employee to personal data. With his complaint he asked the HDPA to order the company to cease the processing of personal data, to give back to him all his personal data in digital form or hard copies and to impose an adequate fine. The personal data was mainly collected via a video surveillance system.

Dispute[edit | edit source]

The DPA had to assess whether the stored data was personal and whether any exceptions shall apply due to the employment relationship and context.

Holding[edit | edit source]

The HDPA found that the controller, acting as data controller in this case, failed to prove the lawfulness of installation and operation of the video surveillance system. The company did not provide technical information about that system and had not notified the HDPA for its installation as was provided for in Article 19(4)(a) of L. 2471/1997 which was in force until GDPR came into force. It, thus, violated the principle of accountability according to Article 5(2) GDPR and Article 5(1)(a) GDPR. The HDPA found that given these violations there is no reason to further examine whether there is a proper legal basis for the processing. It stressed, however, that even if the complainant had given his consent prior to the installation, the consent wouldn't be valid due to the imbalance of power between employer and employee. The HDPA finally:

a) ordered the company to comply immediately with the complainant's request to exercise his right to access and information regarding his personal data stored in a PC owned by the company;

b) ordered the company to bring its processing operations with regard to the video surveillance it employed into compliance with the GDPR within 1 month starting from the receipt of this decision;

c)ordered the company comply with the Article 5(1)(a) GDPR and Article 5(2) GDPR, as well as with the rest provisions of Article 5(1) GDPR and

d) issued a fine EUR 15,000.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

There is no available machine translated decision. Please refer to the Greek original decision for details.