On 26 August 2019 the Greek Parliament passed the Greek Law on the implementation of the European General Data Protection Regulation 2016/679 (GDPR). The new Law 4624/2019 came into effect on 29 August (publication in the Gov. Gaz. A’137/29-08-2019). Article 27 of this Law contains specific provisions regarding processing of personal data by employers.
First of all, it should be noted that employers must comply with all general provisions of the Law and the GDPR regarding the processing of personal data; the Law specifically states that they must in particular ensure compliance with the general principles for the processing of personal data set out in the GDPR.
Regarding personal data of employees in particular, the law provides that they may be processed for the purposes of their employment contract, provided that this processing is strictly necessary.
By way of exception, the law provides that the processing of an employee’s personal data may be based on consent, provided though that this consent derives from a free choice made by the employee, taking specifically into account the level of dependence/independence in the specific working relationship and the circumstances under which the consent was given. In addition, when consent is exceptionally chosen as a legal basis for the personal data processing, it should be provided in a written or electronic form and must be clearly distinguished from the employment contract. The employer should also inform the employee in a written or electronic form regarding the purpose of the processing of personal data and of his right to withdraw consent.
Special categories of personal data (such as data related to health) may be processed for specific legal reasons only.
The above apply to all employees regardless of the specific kind of employment relationship or contract and of the validity of the contract, as well as to job applicants and to former employees.
Decision 26/2019 of the Greek DPA
In addition to the above, with regard to the legal basis for processing employees’ personal data, particular attention should also be given to the recent Decision 26/2019 of the Greek Data Protection Authority (DPA), which imposed a significant fine of 150.000 € on an employer (the company “PWC Business Solutions”) for unlawful processing of its employees’ personal data.
Specifically, the Greek DPA found in this case that the company’s employees were unlawfully required to provide consent to the processing of their personal data, even though consent was not the proper legal basis for this processing; that the company created a false impression that it was processing their data on the legal basis of consent, while in fact the processing had a different legal basis about which the employees had never been informed; and that the company was not able to demonstrate its compliance with the GDPR.
The DPA stated in this decision that the data controller (i.e. in this case, the employer) must choose the appropriate legal basis for processing of personal data before initiating the processing, this choice should be documented and justified internally in compliance with the GDPR, and the data subjects should be informed about the use of this specific legal basis.
Once the initial choice of legal basis has been made, it is not possible to switch to a different legal basis. If consent is the legal basis and the data subject withdraws his/her consent, the processing cannot continue under a different legal basis.
In addition, according to the DPA, the principles of the GDPR provide that consent may be used as the legal basis only where no other legal basis can apply.
What is more, the DPA states that consent of data subjects in the context of employment relations cannot be regarded as freely given, as there is an inherent imbalance between the parties.
In this case, the choice of consent as the legal basis was deemed inappropriate, as the personal data were processed for purposes related to the performance of employment contracts, compliance with legal obligations or the legitimate interests of the company.
The DPA further concluded that the company, in violation of the transparency principle, falsely created the impression to its employees that it was processing their data under the legal basis of consent, and did not inform them of the actual legal basis of processing.
Finally, the DPA found in this case that the company could not provide internal documentation and justification regarding the choice of the legal basis used, and that it had tried to transfer its compliance obligations to its employees by asking them to acknowledge, by a signed statement, that their personal data processed by the company were relevant and appropriate in the context of their employment relationship. The company was thus also found to be violating the accountability principle.
To sum up, special attention should be given by all employers regarding their compliance with the personal data protection law. It should be particularly ensured that the personal data of employees are lawfully processed under the provisions of the GDPR and the relevant provisions of national law.
Video Surveillance Systems
As a final note, the new Greek law on personal data also includes a specific provision regarding the processing of personal data through a closed-circuit recording system within the workplace. According to this provision, the operation of such a surveillance system, regardless of whether the workplace is publicly accessible or not, is permitted only if it is necessary in order to protect persons and goods. Employees must be informed, in written or electronic form, about the installation and operation of a closed-circuit recording system within the workplace. Data collected through a closed-circuit recording system cannot be used as criteria for evaluating employee performance. Of course, all general provisions of the Law and the GDPR regarding the processing of personal data also apply to video surveillance systems. Depending on the case, if the surveillance is deemed to put personal data at serious risk, a Data Protection Impact Assessment may also have to be conducted.