HDPA (Greece) - Opinion 2/2020 | |
---|---|
Authority: | HDPA (Greece) |
Jurisdiction: | Greece |
Relevant Law: | Article 35(1) GDPR Article 36(1) GDPR |
Type: | Advisory Opinion |
Outcome: | n/a |
Started: | |
Decided: | 08.04.2020 |
Published: | 08.04.2020 |
Fine: | None |
Parties: | Supreme Council For Civil Personnel Selection (ASEP) |
National Case Number/Name: | Opinion 2/2020 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Greek |
Original Source: | HDPA (in EL) |
Initial Contributor: | n/a |
The HDPA issued an opinion requested by the Supreme Council For Civil Personnel Selection (ASEP) on the basis of Article 36 GDPR regarding the online publication of tables with the ranking and the appointment of candidates for civil service positions.
English Summary
Facts
The Supreme Council For Civil Personnel Selection (hereinafter ASEP) uploads on its website tables with the ranking and the appointment of candidates, which includes personal data and possibly special categories of personal data. ASEP asked the HDPA for a prior consultation according to Article 36(1) and 36(3)(b) GDPR after it carried out a DPIA, which showed that the mentioned publication would possibly result in high risk for the rights and freedoms of individuals, despite any measures ASEP would take to mitigate the risk.
ASEP claimed that there is the legal basis of Article 6(1)(e) GDPR -public interest and exercise of official authority vested in it, which falls within the exception of Article 9(2)(j) GDPR. It also claimed that it took some measures to mitigate the risks, while implementing certain technical measures such as a system which would require a password would undermine the transparency that is required by law in this procedure and would be overly costly.
Holding
The HDPA found that the calculation of the cost of possible technical measures was based on empirical calculations and not on specific technical data. It is of the opinion that adequate measures such as a unique password for each candidate can be implemented with lower cost and are advisable; that the columns where sensitive data is added, such as "disability 50%" should be replaced with general headlines such as "special categories" without disclosing what the special category is; that identification data, such as name and surname, should be not visible when people other than the candidates access the tables; the tables should be published only for a time period that is absolutely necessary to the purpose of the publication; and that these measures should be applicable both with regard to the online publication of the tables and the hard-copy publication at the Authority's premises.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
This is an available machine translated decision. Please refer to the Greek original decision for details.
Correct recurrence Athens, 08-04-2020C/ΕΞ/2342/08-04-2020 PERSONAL DATA PROTECTION AUTHORITY OPINION 2/2020 The Personal Data Protection Authority met, at the invitation of its President, to a regular meeting at Headquarters in 10-3-2020 as a result of 29-10-2019, 21-01-2020 and 25-02-2020 meetings in order to adopt an opinion as provided for in Article 36 of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (GDPR).The Chairman, Konstantinos Menukos, and the regular members Spyridon Vlactopoulos, as rapporteur, Konstantinos Lamprinyoudakis, as rapporteur, Mr Konstantinos Lamprinyoudakis, also appeared as rapporteur, Mr Haralambos Anthopoulos and Emmanouil ΔPaterakakis, in the replacement of the member of Eleni Martsoukou, who, although duly invited in writing, did not attend because he was prevented from attending. The meeting was also attended by an order from the President of Ms Alikaakou and Mr E. Skouglos, Assistant Rapporteurs, who, having provided the necessary clarifications and before the discussion on the decision, left the room. An official from the Department of Administrative Affairs, as secretary, was also present as a secretary. The Authority took note of the following: Letter with referenceDocument Ref. no C/ΕΙΣ/9647/03-12-2018, the Supreme Council for Civil Personnel Selection (ASEP) submitted a request to the Authority for consultation under Article 36 of the GDPR regarding residual processing risk Which refers to the posting on its internet site ( www.asep.gr) of ranking lists and of the appointors, which may include special categories of data. In particular, the ASEP requested the opinion of the Authority because the Data Protection Impact Assessment (DPIA) carried out by it, indicated that, after risk mitigation measures were adopted, the processing, through that suspension of special categories of data, could result in a high risk to the rights and freedoms of individuals. In the request, ASEP states the following: The ASEP shall publish the results of its tendering procedures and display them on its website and on the ‘Diavgeia’ programme. Specifically, in the procedure for filling posts by means of a written procedure, Article 17 (10) of Law 2190/1994, as replaced by Article 13 (1) of Law 3801/2009 and paragraph 11 of that article, provides that the results of the (written) competitions are to be registered on the ASEP website and the final tables of successful or successful candidates, drawn up on the basis of the success tables and containing a number equal to the number of posts advertised, shall be published in the Government Gazette and shall be valid for three years. Correspondingly, in the procedure for filling posts in order of priority, Article 18 (9) of Law 2190/1994, as replaced by Article 13 (2) of Law 3801/2009, provides that the list of priority lists of candidates shall be entered on the ASEP website. Each candidate shall have the right to be informed of the reasons for the order in which the order of priority of the candidate and its associated candidates has been established. That statement of reasons is based on the list of priority elements and criteria in question, on the basis of which the order of priority of each candidate has been established. Furthermore, Article 5 (2) of Law 3469/2006 provides that the Government Gazette shall publish, inter alia, the scoreboards of public and general public sector staff notices. Also, with regard to the ‘Diavgeia’ programme, in Article 2 (4),13) Law 3861/2010 states that the internet shall be posted on, inter alia, lists of successful candidates, successful candidates and runners-up of staff selection notices, in cases where their publication is provided for by the legislation in force, and further in Article 5 (b) of the same Article it is stipulated that no acts shall be suspended, including sensitive personal data, as laid down in the applicable legislation. In accordance with of Law 2190/1994, special categories of data within the meaning of Article 9 of the GDPR can be found in the above tables, as indicated in the consultation request, in accordance with Article 14 of Law. In particular, the ranking tables may include lists of specific categories of posts, some of which contain special categories of data. In particular, the ASEP shall draw up lists for persons with disabilities, persons who have a child, sibling or spouse or are the children of persons with disabilities, returning emigrants and expatriates under Law 2790/2000, as well as Greek nationals coming from the Muslim minority in Thrace. Accordingly, in the appointing tables of the ASEP, a column includes a column indicating the special function of the successful candidate as originating from a specific category. According to the ASEP, with the publication in the Government Gazette and posting on “Diavgeia” and on the ASEP website of the above tables, acts which constitute processing operations, the special categories of data are disseminated on a large scale and, as such, may result in a high risk to the rights and freedoms of data subjects (Article 35 (1) and 3b of the GDPR).For this reason, the ASEP has already taken steps to eliminate the relevant risk with regard to the ‘Diavgeia’ and the Government Gazette. In particular, the ranking tables shall no longer be posted on the ‘Diavgeia’ website and the dashboards shall be posted, as they have been deleted from them, which may provide information on specific categories of data of specific candidates. The tables to be appointed to the National Printing Office shall be published in the same manner. As regards the posting on its website, the ASEP states that it is not entitled to take measures as a result of the legislation in force. In particular, the tables above have to be displayed on its website without any distinction being made in the type of tables (general tables and lists of special categories).On the contrary, a special reference is made in the Law to the listing of all the elements and criteria in the priority list, on the basis of which the order of priority of each candidate has been established. Therefore, in order to ensure the principles of equal opportunity to participate, objectivity, meritocracy, publicity and transparency, ASEP considers that the lists of special categories should be posted as they are, without any differentiation and in the same way as the general tables, that is to say, with the heading of the relevant table of the category of the category concerned (for example. List of Muslims) and the recording of all the elements on the basis of which these candidates have been evaluated and the personal details by which they can be identified (name, ID, etc.).Accordingly, the dashboards should be posted by including those elements that may provide information on specific categories of data of specific candidates. In accordance with the ASEP request in question, the processing operations described above are necessary for the performance of a task carried out in the public interest and in the exercise of the power conferred on the ASEP (see Article 6 (1) (e) of the GDPR), as well as Decision No 62/2004 of the Authority, under the previous legal regime. In particular, the processing of the lists containing special categories of data is necessary for reasons of substantial public interest (Article 9 (2) (g) of the GDPR).By means of that method of disclosure, ASEP considers that it is ensured that all participants, as having a legitimate interest in raising an objection against the tables, but also any third party, can check, if the candidate who relies on a particular quality (disability, religion, etc.) for classification in a particular category, is in fact in possession of that status, on the basis of which it is appointed. Thus, apart from the fact that the conditions for the effective exercise of the rights of candidates having a legitimate interest are safeguarded, the best possible way and the public interest in ensuring full transparency of recruitment are served. According to this request, the ASEP has taken measures to mitigate the risk resulting from the suspension on its website. In particular, it took care to ensure that all the data available on its website not be searchable by search engines. The conditions of use also include the explicit prohibition of the reproduction/republication of any content of the ASEP portal containing personal data or records containing personal data in such a way that such data can be found by search engines and a possible breach is subject to the penalties provided for. Furthermore, ASEP considers that it is not effective to take measures to restrict the suspension of the data in question on its website, since, in the context of the replacement of successful candidates, candidates are likely to be invited to be appointed only after the competition has been carried out and that the definitive results are available (in several cases even after 8 years).In this case, according to the Supreme Court of Auditors, the principle of transparency requires the possibility of demonstrating, through the ranking list initially posted, the legality of the call to compensate for the ranking immediately following the ranking and not some of the other grades of the former. The ASEP considered the possibility of further technical risk mitigation measures. In particular, it has been examined whether the lists can be entered on its website, so that participants can be able to access this notice by entering a password. This solution was not preferred by ASEP, on the one hand, because the ASEP considered that it was not compatible with the provisions referred to above, which were intended to ensure a substantial public interest and, on the other hand, because it was assessed as very costly (estimated costs: EUR 5.000-7.000 depending on the safeguards which will be required) on the grounds that, according to the allegations made by ASEP, technical interventions in its system are required. In the context of the examination of this request, a meeting was held on 11/02/2019 between representatives of the ASEP and of the assistants rapporteur, during which discussion took place on relevant issues. As a follow-up to this meeting, the ASEP was sent letter ref. Request C¬ /ΕΞ/1421/21 02-2019, requesting information addressed to the Authority on the following: • Documentation of the need for posting of lists with special categories of posts, including special categories of data, accessible not only to the co-applicants, taking into account that for the publication of the respective tables in the Government Gazette, which is also electronically available, the ASEP has omitted the experts categories of data. • A detailed description of the type of data contained in each category of tables and a relevant sample. • Definition of the period of posting of the corresponding lists and the appointment of the appointing authority on the website of the site or, if that is not possible, of the criteria which determine the period in question. • Description of the measures (Article 36 (3) (c) of the GDPR) concerning the rights of data subjects (at least, the information and access rights) in relation to the processing referred to in the request for consultation. • Description of the technical interventions required in the IT system for the access of the associated candidates to the classification tables of the special categories of data using a code, the justification of the initially estimated implementation costs (EUR 5.000-7.000), as well as the very costly assessment of it. • Submission of any relevant recommendation/direction from the DPO. The ASEP replied to that document by letter ref. Document Ref. c/ΕΙΣ/5223/25-07-2019. In this document, the ASEP maintains that the concept of recruitment transparency serves primarily the essential public interest and secondly in the interest of the participants in the recruitment process. It also points out that it is necessary to persuade all citizens to depoliticise the State, as this is a particularly sensitive issue for Greek society. Furthermore, ASEP stresses that transparency is achieved only by quoting the lists of all those elements that were a criterion for the selection/selection of a specific candidate (Article 18 of Law 2190/1994), including special categories of data. According to the ASEP claims, any consideration of restricting access to the ranking lists of the special categories among the co-applicants in the contract notice would lead to problems. The first relates to the case where identical lists are available, both by ASEP, and the corresponding public recruitment agency, as in the case of the appointment of special education teachers (Article 61 of Law 4586/2019).In this case, any adjustments to the ASEP in the mode of suspension of the results on the basis of any suggestions made by the Authority would imply the existence of scoreboards with different elements with a risk of having an issue and for the results themselves. In particular, two different tables would be observed for the same competition, i.e. a table containing special categories of data available on the website of the public entity for recruitment, in this case the Ministry of Education, Research and Religious Affairs, and a table without these categories on the ASEP website. Of course, it would obviously also involve disclosure of the special categories of data by cross-checking the data in the two tables and finally retaining the residual risk in question. The second problem relates to the recruitment of seasonal staff. In particular, the usual practice of the respective recruiting bodies is to display ranking lists, which may include special categories of data (other than the posting referred to in Article 21 (11B) of Law 2190/1994 at the shop of the service concerned) and on their website in different ways, such as the posting of the lists as having all the identification data or suspension of the name and concealment of the latter’s two last digits. In this respect, ASEP stresses that many of the above bodies address queries to the ASEP as to how the results are to be posted, that is to say, on the notice board of their service and/or on their website. With regard to the above case of double postings by different bodies, the ASEP acknowledges and points out that there should be a uniform treatment of all these cases of results, whether they are posted by operators, or by the ASEP. With regard to risk mitigation measures, the ASEP shall inform the Authority in its above letter that it intends to limit the period of suspension to the minimum necessary to achieve the objectives pursued and referred to in the relevant legislation, taking into account, in particular, the provisions on the time of validity of the lists of successful candidates (Article 17 (11) of Law 2190/1994).Furthermore, ASEP states that it has on its website under the heading “Personal data protection” a detailed description of the rights of the data subjects and how they can be exercised. As regards intervention in the IT system of the ASEP, in order to allow access to the relevant tables only to the co-applicants of the relevant notice, the ASEP, although it considers the relevant application perfectly desirable as it will provide the possibility of management, puts forward a major question of the economic costs of such a measure. In particular, the ASEP notes that the costs of implementation are considered to be particularly high in the ASEP budget, since the minimum chargeable cost of EUR 7.000 (the start price) could be reached under conditions, taking into account their experience with outputs in corresponding management environments, EUR 15.000-20.000. Having examined the documents in the case, after having heard the rapporteurs and assistant rapporteurs, who subsequently departed, and after a detailed discussion, adopts the following OPINION A. Article 35 (1) of the GDPR provides that “Where a type of processing, in particular using new technologies and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the proposed processing operations on the protection of personal data. The Authority, on the basis of paragraph 4 of this Article, has drawn up and published a list of types of processing operations subject to the requirement for a data protection impact assessment (Decision 65/2018, Government Gazette 1622/Β72019, available on the Authority’s website). In accordance with Article 36 (1) of the GDPR, “1. The controller shall seek the opinion of the supervisory authority prior to processing where the data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of risk mitigation measures by the controller.’; Paragraph 2 of the same Article provides that “ Where the supervisory authority is of the opinion that the intended processing referred to in paragraph 1 contravenes this Regulation, in particular if the controller has not specified, or adequately mitigate the risk, the supervisory authority shall provide advice in writing to the Controller [...]’.Whereas paragraph 3 specifies the elements to be provided by the HR to the Authority at the consultation stage, namely ‘(a) where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the work, in particular as regards processing within a group of undertakings, (b) the purposes and means of the intended processing, (c) the measures and safeguards to protect the rights and freedoms of data subjects pursuant to this Regulation; (d) where applicable, the contact details of the data protection officer; (e) the data protection impact assessment referred to in Article 35; and (f) any other information requested by the supervisory authority.’; Article 9 GDPR allows, by way of exception, the processing of special categories of personal data where, inter alia, “[...] g) processing is necessary for reasons of substantial public interest, Union or Member State law, which is proportionate to the objective pursued, respects the essence of the right to data protection and provides for appropriate and concrete measures to safeguard the fundamental rights and the interests of the data subject [...]”. In accordance with Article 2 (4),13 of Law 3861/2010 (DIAVGEIA Programme) ‘4. The following shall be posted on the internet: [...] (13) lists of successful candidates, successful candidates and runner-up in the selection of staff selection notices, in cases where publication is required by the legislation in force.’;Article 5 of the same law provides that “The posting of the operations referred to in Article 2 on the Internet and the organisation of the consultation shall be without prejudice to the rules on the protection of individuals with regard to the processing of personal data. Acts shall not be suspended, including sensitive personal data as defined in the applicable legislation. Chapter C of Law 2190/1994 on the recruitment system in the public sector, and in particular Article 14 “Scope — Mode of recruitment”, provides that a certain percentage of the advertised posts is filled by five specific categories of candidates and is defined as ‘6.[...] The allocation of posts to the operators for all five groups: (a) children of large families and children of large families; (b) parents with three children and children; (c) repatriated Greeks and expatriates under Law 2790/2000; (d) persons with disabilities with a disability rate of at least fifty per cent (50 %); and (e) persons with a disability with a disability rate of at least fifty per cent; and (e) persons with a disability with a disability rate of sixty-seven per cent (67 %) or more, shall be carried out in a first step on the basis of the exact percentages corresponding to fifteen per cent (15 %), ten percent (10 %), two percent (2 %), ten percent (10 %), five percent (5 %) expressed as a whole number. If the total of the available posts is not filled by means of the first allocation, the remaining posts shall be allocated to the bodies in a second phase, with those bodies where the added position gives the smallest increase to fifteen per cent (15 %), ten percent (10 %), two percent (2 %), ten percent (10 %), five percent (5 %) in each of the five groups respectively.7Five per thousand (5 %) of the posts of regular staff and staff under a contract of employment governed by private law of an indefinite duration by category PE, TE, DE and HR, shall be advertised by pan-Hellenic competitions organised by the Supreme Council for Civil Personnel Selection (ASEP), shall be covered by Greek nationals, who come from the Muslim minority in Thrace and who are themselves registered in the municipal registers of the municipality of Thrace or another municipality of the country, to which they have been transferred from a municipality of Thrace. The Supreme Council for Civil Personnel Selection (ASEP) shall allocate the posts corresponding to the above percentage by Prefecture, body and category. "’.In accordance with Article 17 “Tender procedure — pass tables — Appointment”, paragraph 10 (replaced by Article 13 (1) of Law 3801/2009) and 11 of the same Law “10. The texts of the tenderers in the written procedure shall be sent to the Central Committee which, after checking the correctness of the registrations of the marks in the situations concerned, shall draw up the lists of the classifications and send them to the ASEP, in order to make them public. The results of the competitions are available on the ASEP website. At the same time the ASEP shall send a notice of registration to the press release for publication. In the light of those lists the persons concerned may lodge an objection within a time-limit of ten (10) days. That time limit shall run from the day following the registration on the ASEP website. In addition, this time-limit is specified and refers expressly both to registration on the ASEP website and to the relevant notice in the press. [...] The final lists of successful candidates or pre-learned candidates and the marks awarded to the participants in the special written test (Directorate-General for Knowledge and Skills) shall be sent by the ASEP for publication in the Government Gazette (Series III (C)). "11. The pass tables are valid only for the filling of the posts advertised. The lists of success tables and the order of their candidates, together with their declaration of preference, shall draw up the lists of successful candidates, which shall include a number of staff to be appointed equal to the number of posts advertised. The lists of suitable candidates shall be published in the Government Gazette (ASEP) and shall be valid for three years.’Furthermore, Article 18 (9) of the same Law, as the first subparagraph of this paragraph was replaced by Article 13 (2) of Law 3801/2009, states that “9. The list of candidates for this Article shall be entered on the ASEP website. At the same time the ASEP shall send the press release announcing the relevant registration.’ Article 25 ‘Reallocation of percentages of special categories to the system for the recruitment of Law 2190/1994’ (9) of Law 4440/2016 states that ‘9. The total number of points when participating in recruitment procedures under a fixed-term employment contract governed by private law on the basis of notices in accordance with the procedure and the criteria laid down in Article 21 of Law 2190/1994 (GG I 28) shall be increased by: (a) in the case of persons referred to in point (c) of paragraph 6 in proportion to the degree of invalidity, which shall be multiplied by the coefficient three (3), (b) for the persons referred to in point (d) of paragraph 6 in proportion to the degree of invalidity, which shall be multiplied by the coefficient two (2).’; In accordance with Article 57, ‘Criteria for an educational list of general education teachers’ of Law 4589/2019 (Criteria for a ranking table of educational general education), ‘ The value table A shall be established on the basis of the following predetermined and objective criteria, in descending order of overall score, as indicated by the cumulative grading of those criteria, as follows: [...] c) Social criteria: (AA) Number of children: three (3) units for each minor child for whom the applicant has parental responsibility and custody or is unmarried and has not yet reached the age of twenty-third (23th) year of age or studies in a foreign HEI, or fulfils the military obligation and has not reached the age of Twenty-fifth (25). (bb) Invalidity of fifty per cent (50 %) or more than the candidate or spouse, if the married life has lasted for at least four (4) years, or a child: the product of the units obtained by multiplying the percentage of the invalidity rate by a factor of four tenths (0,4) of the unit. In the case of invalidity of a number of persons referred to in the previous paragraph, only the higher invalidity rate of one of them shall be taken into account. The tenderer’s disability shall be awarded points in so far as they are not attributable to any proportion of mental health conditions.’ B. the Authority, took note of the above provisions and the purposes of posting the ranking lists and appointing candidates on the ASEP website as well as the latter’s allegations, including the costs related to the technical implementation of the access of the co-applicants by means of an individual access/code account. In this respect the ASEP claims that the cost is high with a variation of between EUR 5.000 and EUR 20.000, but the assessment is however based on an empirical calculation rather than on specific technical data. It should be pointed out, moreover, that there is already a technical possibility for each citizen’s access to the system on the website of the ASEP, using an individual access account and enabling it to be connected via the Secretariat-General for IT Systems. In any case, and in particular with regard to the protection to be provided through this measure, it seems feasible to limit the costs to the smallest possible, in order to implement the minimum required management functionality. In view of the above, the Authority delivers the following opinion: By posting the above mentioned ranking lists and to be appointed on the ASEP website, the constitutional right to transparency is met. However, in order to comply with the rules on the protection of personal data as laid down in the GDPR and Law 4624/2019, this suspension should be carried out under the following conditions: 1. The co-applicants who participate in the relevant tables of competitions shall have access to all the information (both the candidates and the other candidates), which, according to the above provisions, must contain the lists of the ranking lists and the appointors, using an individual access account. In other words, the ASEP shall provide a unique individual account of access to the participants in the above invitations to tender, with specific information in the relevant notices. 2. The general public (other than co-applicants) will be able to be informed of the results of these competitions through the posting of the mixed ranking lists (with general and specific positions) and to be appointed without an explanatory indication of the specific category to which the tenderer belongs (e.g. a person with a disability of 50 %).Therefore, the ASEP, to this extent, should replace the heading of the column/columns referring to specific categories of data (such as “disability of the same”) with a more general heading (such as “Specific category”), from which the specific category of data is not revealed. Furthermore, the ASEP must remove the special categories of data from the fields in the relevant column (such as the invalidity rate).These tables may remain the identification data. 3. The general public (other than co-applicants) will be able to be informed of the results of these competitions by posting the special categories and appointing candidates without the identification data (name, father’s name, father’s surname, master’s name, ID), but also the other information. Therefore, the ASEP shall delete the above mentioned identification data. 4. With regard to the time taken to keep the post in question, it is proposed that this time be limited to what is necessary and necessary and in accordance with the purpose of the suspension originally intended. It should be noted that the ASEP, when consulted with the Authority, has not made clear the criteria for the need to keep the tables in question in time, but in any event it should not exceed the time limits referred to in the provisions on the validity of the lists of appointing candidates (see Article 17 (11) of Law 2190/1994). 5. Finally, the above proposed measures apply by analogy to the publication of the lists in question and by the public service provider in question, either at the store of its service or on its website. That measure is proposed in order to ensure the uniform suspension of the lists in question and, in particular, 6. avoid keeping the remaining risk under consideration by cross-checking data from other tables. the Secretary Konstantinos Menukos