By Evaggelia Patsialou, Firm: kremalis.gr

The Hellenic Data Protection Authority (‘HDPA’) has imposed a fine on an employer for unlawful video surveillance and violation of employees’ rights of information and access during an audit.

Background

An employee of a maritime service provider filed a complaint before the HDPA claiming unlawful processing of his personal data, as well as unauthorised access and control of the company’s electronic communication systems. Specifically, the employer, which had justified suspicions that the complainant had committed criminal offences, specifically embezzlement (based on emails regarding money transfer and bank statement analysis), carried out an audit during the employee’s absence, which resulted in the recovery of electronic files deleted by the complainant.

The complainant alleged that the company did not have privacy policies or policies regarding the management of infringement incidents and also argued that he had never been informed of his rights as a data subject.

HDPA findings

The HDPA considered that the employer had a legitimate right, in accordance with Article 6 (f) and recital 47 of the GDPR, pursuant to the controller’s interests to conduct a review of its records as there were reasonable suspicions of wrongdoing, which were confirmed by the audit. It also turned out that the employer had explicitly informed its employees, in accordance with its corporate policies and employee regulations, that any use of information and communication systems for private purposes was prohibited and that the company had the right to conduct audits of these information and communication systems. Therefore, it appeared that the processing of personal data that took place on the company’s server was in accordance with Articles 5 and 6 GDPR.

Despite this, the HDPA considered that the company infringed the employee's rights of information and access (Article 15 GDPR) in relation to the personal data stored on his computer, by failing to thoroughly inform him of his rights relating to information and access as well as his rights under Article 12 (4) GDPR (right to be informed about failure to take action on request).

Moreover, the company was found to have operated a video surveillance system without providing information on the exact time of its operation, the number and locations of cameras, how the recording material was recorded and processed, and also without documenting the legality of the processing. Furthermore, the HDPA had not been notified regarding the installation of this CCTV, as required under former Law 2472/1997.

Concluding, the HDPA (in its decision 43/2019) imposed a fine of EUR 15,000.00 on the employer for unlawful operation of CCTV, acknowledging that the company violated the principles of accountability under Article 5 (1)a and (2) and legality under Article 6 of the GDPR.