Data processing has recently been in the spotlight due to the uniform application of the General Data Protection Regulation [Regulation (EU) 2016/679] in all EU member states, starting from 25.05.2018. Protection of the personal data of natural persons is not a new topic; however, the new legal framework has revived interest in it. The 25th of May 2018 is not an end date, but actually the beginning of a new era.
Specializing in the field of data protection, the MStR legal team has already participated in various events on the topic, organized by Chambers, institutions and other organizations, and offers a full range of legal services to enterprises so that they can review their practices to date and face the new situation.
GDPR applies to all institutions seated in the European Economic Area (EEA), but also to those located outside the EEA as long as their processing activities are related to the offering of goods and services to individuals within the EEA or to the monitoring of their behavior that takes place in the EEA. GDPR also includes provisions for groups of companies and may apply even in cases where headquarters are outside the EEA. At the same time, the flow of information between countries is an everyday phenomenon, whilst it has been widely noted that even non-European countries have already opted for local laws that resemble European data protection law. Thus, the international aspect of the issue is incontestable.
The Regulation introduces a new approach, mainly as regards procedures, since it adopts a philosophy of continuous self-control by the data controllers themselves. The new framework includes certain strict obligations for data controllers and processors, including documentation, risk assessment and preventive security measures, while it provides for a series of rights in favour of individuals, confirming some already existing rights and shaping new ones. At the same time, as regards the essence of the protection, the basic principles that have been adopted until today by the Greek national regulatory authority as well as by the EU bodies remain, more or less, valid.
The workplace stands as one of the most interesting areas where legal issues related to data processing have arisen and will continue to arise. On the one hand, the right of the employee to a certain level of privacy and secrecy of communication at work needs to be protected; on the other hand, the legitimate interests of the employer in protecting his business and property, as well as the rights of third persons, which often result in monitoring methods, have to be taken into consideration.
Data processing issues may concern every area of work, including recruiting practices, surveillance of employees, security regulations, etc.
In the context of work, employees are almost never in a position to freely give, refuse or revoke consent, given the dependency that results from the employer/employee relationship. Given the imbalance of power, employees can only give free consent in exceptional circumstances, when no consequences at all are connected to acceptance or rejection of an offer. Thus, consent can only exceptionally be considered a legal ground for data processing in the field of work.
On the other hand, the observance of the provisions of employment or social security laws constitutes a legal ground for processing, but only if adequate safeguards exist. In any case, data processing at work must be a proportionate response to the risks faced by an employer; in other words, it must serve a specific and clear purpose and be capable of striking a balance between each party's rights and legitimate interests.
New technologies and more intrusive means of monitoring create new questions, which the body so far known as the 'data protection working party of article 29' wished to address through its recent Opinion no 2/2017. In brief, the recommendations of the working party focus on the principles of transparency and clear information to the employees, proportionality and data minimization, and prevention rather than detection methods.
GDPR, at article 88, provides for the right of each country to adopt special provisions for data processing at work. Greece has not, until today, proceeded to a relevant law; however, a relevant draft law which was published for discussion a few months ago seems to adopt the basic principles that have been formed until today by the national regulatory authority and the Greek and EU case-law.