Our law firm, which has gained experience in data protection and communications privacy through its work with large multinational telecommunications groups, pharmaceutical companies and clients in many other sectors, undertakes, with certified DPOs, to bring your company into compliance with the GDPR (General Data Protection Regulation) and to provide related services.
Personal data is defined as any information relating to an identified or identifiable natural person (called a “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
WHAT CONSTITUTES PROCESSING OF PERSONAL DATA
Processing of personal data constitutes any operation or set of operations which is performed, whether or not by automated means, on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The GDPR introduces a new role and position within businesses: the Data Protection Officer (DPO).
Under the GDPR some organisations are obliged to appoint a DPO. Article 37 requires one where the processing is carried out by a public authority, where the controller’s or processor’s core activities involve regular and systematic monitoring of data subjects on a large scale, or where the core activities consist of large-scale processing of special categories of data (such as health or biometric data) or of data relating to criminal convictions.
Our firm’s lawyers provide Data Protection Officer (DPO) services to a number of businesses.
EMPLOYEES AND PERSONAL DATA
In an employment relationship the employer is, by definition, in a position of power over the employee. This leads some employers to violate the law on the protection of employees’ personal data while trying to protect the interests of their business.
With the GDPR in force, businesses must be particularly careful about how they process their employees’ personal data, since the GDPR grants data subjects more rights and provides for heavy fines (under Article 83, up to EUR 20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher).
We list below some cases brought before the Data Protection Authority in recent years that have to do with the protection of employees’ personal data.
1/ Carrying out a check on the computer used by the employee at his/her place of work, without prior notification and in his/her absence.
The Personal Data Protection Authority, in its Decision No. 34/2018, held that the fact that the employee uses a computer belonging to the employer, even where the employee has been expressly informed beforehand that its use for non-work purposes is prohibited, does not in itself constitute a legitimate ground for monitoring or inspecting the personal data processed by the employee; such a check requires specific prior information to be provided to the employee.
The new GDPR further strengthens the information rights of personal data subjects.
2/ Right of an employer to use medical information from a former employee’s file in order to refute a compensation claim brought by the former employee.
After the termination of the employment contract, the employee brought an action against the employer seeking financial compensation for damage to his health allegedly caused by the work duties assigned to him.
The employer submitted a request to the Data Protection Authority to be allowed to use medical information from the former employee’s file, which the employer kept in its capacity as data controller, in order to counter the claim for damages.
The Data Protection Authority, in its Decision No. 5/2016, held that the principle of proportionality of data was satisfied, in accordance with Article 4 para. 1(b) of Law 2472/1997, since the information requested is sufficient to prove the defendant’s claim that it fully complied with the medical recommendations and instructions given from time to time regarding its former employee and is therefore not at fault for the alleged damage to his health, which the former employee attributes to the performance of the tasks assigned to him.
The GDPR classifies health data as a special category of personal data under Article 9 and places particular restrictions on its processing: such processing is prohibited unless one of the exceptions in Article 9(2) applies, one of which (Article 9(2)(f)) is processing necessary for the establishment, exercise or defence of legal claims, the situation at issue in this case.
3/ Employee’s right to receive full copies of his/her personal and disciplinary file from the employer.
A, an employee of Bank X, lodged a complaint against the Bank, requesting that the Data Protection Authority oblige the Bank to provide him with full copies of his personal and disciplinary file.
The Authority, in its Decision No. 37/2016, held that the employee, as a data subject, always has the right to request information and to obtain copies of the documents in the controller’s file, because knowing the contents of those documents is necessary in order to exercise his rights. If, however, the data subject demonstrably already possesses specific documents and identifies them in his request, he should explain to the controller why he is requesting their disclosure.
The GDPR further strengthens the access rights of data subjects: under the right of access (Article 15) the controller must provide a copy of the personal data undergoing processing, and under Article 12(3) it must act on the request without undue delay and in any event within one month of receipt, a period that may be extended by two further months only where the requests are complex or numerous and the data subject is told of the extension and the reasons for it within the first month.
4/ Prohibition of the installation and operation of a biometric system to control the observance of working hours by employees.
By its Decision No. 127/2012, applying the principle of proportionality, the Authority authorised the use of biometric systems to control access to workplaces only for particularly critical installations and for the sole purpose of protecting the persons and property within them. In all other cases it ordered the operation of biometric systems to be suspended, considering their use incompatible with the principle of proportionality. The controller does have a legitimate interest in checking that its employees keep to their working hours, but a biometric system introduces burdensome and disproportionate processing (storage of fingerprints for an indefinite period in a central database) relative to that purpose, and this is not necessary, because the check can be carried out adequately by less intrusive means, such as magnetic cards that carry no biometric data.
The GDPR refers specifically to biometric data: it defines the term in Article 4(14), and biometric data processed for the purpose of uniquely identifying a natural person is a special category of data under Article 9, subject to the restrictions on processing described above. The principle of proportionality is also fully adopted by the GDPR, in particular through the data minimisation principle of Article 5(1)(c), which requires that personal data be adequate, relevant and limited to what is necessary for the purposes of the processing.