HDPA (Greece) - 43/2019: Difference between revisions

Revision as of 16:07, 30 January 2020

HDPA - 43/2019

Authority:	HDPA (Greece)
Jurisdiction:	Greece
Relevant Law:	Article 5(1)(a) GDPR Article 5(2) GDPR Article 58(2)(c) GDPR Article 58(2)(d) GDPR Article 58(2)(i) GDPR Article 83(2) GDPR
Type:	Complaint
Outcome:	Upheld
Decided:	n/a
Published:	13. 1. 2020
Fine:	EUR 15,000
Parties:	ALLSEAS MARINE S.A.
National Case Number:	43/2019
European Case Law Identifier:	n/a
Appeal:	n/a
Original Language:	Greek
Original Source:	HDPA (GR)

The HDPA issued an order to the Greek company managing dry bulk and container vessels, ALLSEAS MARINE S.A., to bring its processing operations with regard to the video surveillance it employed into compliance with the GDPR. The HDPA also issued a fine EUR 15,000 for violation of the data subject’s right to access and of the principles relating to data processing as foreseen under Article 5(1) GDPR.

English Summary

Facts

The Complainant was General Manager and DPO of the company ALLSEAS MARINE S.A., which according to his complaint processed without any prior notification and keeps processing his and his family's personal data, including sensitive data, infringing this way his right as employee to personal data. With his complaint he asked the HDPA to order the company to cease the processing of personal data, to give back to him all his personal data in digital form or hard copies and to impose an adequate fine. The personal data was mainly collected via a video surveillance system.

Dispute

The DPA had to assess whether the stored data was personal and whether any exceptions shall apply due to the employment relationship and context.

Holding

The HDPA found that the controller, acting as data controller in this case, failed to prove the lawfulness of installation and operation of the video surveillance system. The company did not provide technical information about that system and had not notified the HDPA for its installation as was provided for in Article 19(4)(a) of L. 2471/1997 which was in force until GDPR came into force. It, thus, violated the principle of accountability according to Article 5(2) GDPR and Article 5(1)(a) GDPR. The HDPA found that given these violations there is no reason to further examine whether there is a proper legal basis for the processing. It stressed, however, that even if the complainant had given his consent prior to the installation, the consent wouldn't be valid due to the imbalance of power between employer and employee. The HDPA finally:

a) ordered the company to comply immediately with the complainant's request to exercise his right to access and information regarding his personal data stored in a PC owned by the company;

b) ordered the company to bring its processing operations with regard to the video surveillance it employed into compliance with the GDPR within 1 month starting from the receipt of this decision;

c)ordered the company comply with the Article 5(1)(a) GDPR and Article 5(2) GDPR, as well as with the rest provisions of Article 5(1) GDPR and

d) issued a fine EUR 15,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

There is no available machine translated decision. Please refer to the Greek original decision for details.

@@ Line 10: / Line 10: @@
 [[Category: Greece]]
 |-
-|Relevant Law:||[[Article 12 GDPR#3|Article 12(3) GDPR]]
+|Relevant Law:||[[Article 5 GDPR#1a|Article 5(1)(a) GDPR]]
-[[Category:Article 12(3) GDPR]]
+[[Category:Article 5(1)(a) GDPR]]
-[[Article 12 GDPR#4|Article 12(4) GDPR]]
+[[Article 5 GDPR#2|Article 5(2) GDPR]]
-[[Category:Article 12(4) GDPR]]
+[[Category:Article 5(2) GDPR]]
-[[Article 15 GDPR#1|Article 15(1) GDPR]]
+[[Article 58 GDPR#2c|Article 58(2)(c) GDPR]]
-[[Category:Article 15(1) GDPR]]
+[[Category:Article 58(2)(c) GDPR]]
-[[Article 15 GDPR#3|Article 15(3) GDPR]]
+[[Article 58 GDPR#2d|Article 58(2)(d) GDPR]]
-[[Category:Article 15(3) GDPR]]
+[[Category:Article 58(2)(d) GDPR]]
-[[Article 16 GDPR]]
+[[Article 58 GDPR#2i|Article 58(2)(i) GDPR]]
-[[Category:Article 16 GDPR]]
+[[Category:Article 58(2)(i) GDPR]]
-[[Article 58 GDPR#2b|Article 58(2)(b) GDPR]]
+[[Article 83 GDPR#2|Article 83(2) GDPR]]
-[[Category:Article 58(2)(b) GDPR]]
+[[Category:Article 83(2) GDPR]]
 |-
 |Type:||Complaint
@@ Line 32: / Line 32: @@
 |Outcome:||Upheld
 |-
-|Decided:||11.12. 2019
+|Decided:||n/a
 [[Category:2019]]
 |-
-|Published:||n/a
+|Published:||13. 1. 2020
 |-
-|Fine:||None
+|Fine:||EUR 15,000
 |-
-|Parties:||n/a
+|Parties:||[https://www.allseas.gr/en ALLSEAS MARINE S.A.]
 |-
 |National Case Number:||43/2019
@@ Line 51: / Line 51: @@
 Greek
 |-
-|Original Source:||[https://www.dpa.gr/portal/page?_pageid=33,15453&_dad=portal&_schema=PORTAL HDPA (GR)]
+|Original Source:||[https://www.dpa.gr/portal/page?_pageid=33%2C15453&_dad=portal&_schema=PORTAL&_piref33_15473_33_15453_15453.etos=2019&_piref33_15473_33_15453_15453.arithmosApofasis=&_piref33_15473_33_15453_15453.thematikiEnotita=-1&_piref33_15473_33_15453_15453.ananeosi=%CE%91%CE%BD%CE%B1%CE%BD%CE%AD%CF%89%CF%83%CE%B7 HDPA (GR)]
 |}
-The HDPA issued a reprimand to the Ministry of Mercantile Marine and Island Policy for infringement of the right of access.
+The HDPA issued an order to the Greek company managing dry bulk and container vessels, ALLSEAS MARINE S.A., to bring its processing operations with regard to the video surveillance it employed into compliance with the GDPR. The HDPA also issued a fine EUR 15,000 for violation of the data subject’s right to access and of the principles relating to data processing as foreseen under [[Article 5 GDPR#1|Article 5(1) GDPR]].
 ==English Summary==
 ===Facts===
-The Complainant was an employee at the Hellenic Ministry of Mercantile Marine and Island Policy and she claimed that the Ministry violated her right of access according to [[Article 15 GDPR|Article 15 GDPR]] and her right of rectification according to [[Article 16 GDPR|Article 16 GDPR]]. She was candidate for an executive position within the Ministry and asked via e-mail that all candidates are provided with the right of objection and the right for an internal administrative appeal. The Head of the Department replied to her that there was no right to objection in this phase and that all candidates have been treated equally. It also noted that the ranking lists of the candidates contain personal data and there is no legal obligation to publish them.
+The Complainant was General Manager and DPO of the company ALLSEAS MARINE S.A., which according to his complaint processed without any prior notification and keeps processing his and his family's personal data, including sensitive data, infringing this way his right as employee to personal data. With his complaint he asked the HDPA to order the company to cease the processing of personal data, to give back to him all his personal data in digital form or hard copies and to impose an adequate fine. The personal data was mainly collected via a video surveillance system.
 ===Dispute===
-Is there an obligation to publish ranking lists of candidates containing personal data?
+The DPA had to assess whether the stored data was personal and whether any exceptions shall apply due to the employment relationship and context.
 ===Holding===
-The ranking lists of the candidates contain personal data and there is no legal obligation to publish them. The HDPA invoked the obligations of the data controllers according to [[Article 12 GDPR#3|Article 12(3) GDPR]] and [[Article 12 GDPR#4|Article 12(4) GDPR]] when a data subject may exercise their right of access according to [[Article 15 GDPR#1|Article 15(1) GDPR]] and [[Article 15 GDPR#3|Article 15(3) GDPR]]. Then, it explained that the right of objection and the right to internal administrative appeal under public administrative law constitute different legal bases and imply different legal consequences from the right to rectification under [[Article 16 GDPR|Article 16 GDPR]]. Thus, the data subject can’t exercise them by exercising the right to rectification under [[Article 16 GDPR|Article 16 GDPR]]. Finally, the HDPA issued a reprimand to the Ministry according to [[Article 58 GDPR#2b|Article 58(2)(b) GDPR]] for the infringement of [[Article 12 GDPR|Article 12 GDPR]] and [[Article 15 GDPR|Article 15 GDPR]].
+The HDPA found that the controller, acting as data controller in this case, failed to prove the lawfulness of installation and operation of the video surveillance system. The company did not provide technical information about that system and had not notified the HDPA for its installation as was provided for in Article 19(4)(a) of L. 2471/1997 which was in force until GDPR came into force. It, thus, violated the principle of accountability according to [[Article 5 GDPR#2|Article 5(2) GDPR]] and [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]]. The HDPA found that given these violations there is no reason to further examine whether there is a proper legal basis for the processing. It stressed, however, that even if the complainant had given his consent prior to the installation, the consent wouldn't be valid due to the imbalance of power between employer and employee. The HDPA finally:
+a) ordered the company to comply immediately with the complainant's request to exercise his right to access and information regarding his personal data stored in a PC owned by the company;
+b) ordered the company to bring its processing operations with regard to the video surveillance it employed into compliance with the GDPR within 1 month starting from the receipt of this decision;
+c)ordered the company comply with the [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] and [[Article 5 GDPR#2|Article 5(2) GDPR]], as well as with the rest provisions of [[Article 5 GDPR#1|Article 5(1) GDPR]] and
+d) issued a fine EUR 15,000.
 ==Comment==