Collection of Personal Data – 8/2021
Originally published: newspaper “Estia” (in Greek)
Date: 29/04/2021
Aimilios Koronaios
Attorney at Law
LL.M. (Aberdeen), LL.M. (Athens)
HDPA – Surveillance of Employees I
The Hellenic Data Protection Authority (HDPA) imposed a fine of 2,000 euros on a company for illegal camera operation. The video surveillance system did not have a recorder, but transmitted an image to the mobile phone of the owner of the company. In this case, the HDPA considered that the system in question was operating illegally, as it was not limited to areas that were necessary for the protection of persons and property. Instead, it illegally received images from the employees’ offices, where the accounting operations were carried out. The possibility of real-time control of the camera by the director of the company via mobile phone was also considered problematic. In this way, among other things, the risk of the material being used for unauthorized surveillance of employees increased.
Cyprus – Forgotten vault
An old, locked vault, built into a wall, concerned the Office of the Commissioner for Personal Data Protection of Cyprus. The vault was located in an area that had been used in the past by the bank as a store; its new tenant notified the bank. Bank staff went to the scene and opened the vault, which contained files of former and current customers. This was followed by a notification from the bank to the Commissioner’s Office, given that the existence of the personal data of its customers in the vacant, former store for about four years, until it was rented again, constituted a breach incident. The Office of the Commissioner examined the case and imposed a fine of 25,000 euros on the bank.
El Salvador – New legislation
El Salvador recently passed a law on the protection of personal data, in order to ensure their confidentiality and proper use. Following the international trend, the law provides for significant fines for offenders, which are calculated by reference to the minimum monthly wage. The new law will enter into force one year after its publication.
European Union – Artificial Intelligence
The European Commission has announced a proposal for a Regulation on the European approach to artificial intelligence. It is recalled that artificial intelligence is the ability of a machine to act like the human mind, understanding, analyzing and learning from data. According to the proposal for a Regulation, artificial intelligence systems are classified into four categories: a) unacceptable risk, which will be prohibited, e.g. an artificial intelligence system that allows the “social rating” of citizens by governments, b) high risk, which will be subject to strict obligations, e.g. an artificial intelligence system that assesses the creditworthiness of citizens and deprives them of the opportunity to take loans, c) low risk, which will be subject to transparency obligations, e.g. an artificial intelligence system in a chatbot, d) minimal risk, which will generally be allowed, e.g. an artificial intelligence system in video games. The road to the final adoption of the proposal for a Regulation by the European Parliament and the Member States is expected to be long.
Spain – Surveillance of apartments
The owner of three apartments in Spain decided to install four cameras in the building without obtaining the permission of the other owners of the building. The cameras, which monitored common use areas, operated on the grounds that they were necessary, as two of the apartments were rented to tourists. No relevant signs had been posted about their operation. The Spanish Data Protection Authority considered that the system had been installed illegally, as the other owners of the building had not agreed, nor had information signs been posted indicating, inter alia, the identity of the person making the recordings in question. For these reasons, the owner in question was fined 3,000 euros.
Romania – Surveillance of Employees II
A case of illegal surveillance of employees through a video surveillance system also concerned the Romanian Data Protection Authority. The company used cameras for the purpose of protecting goods. As part of the operation of the system in question, the areas with wardrobes were monitored, as well as the dining rooms of the employees, where they took their breaks and spent any free time. The supervisory authority considered that the video surveillance of the above areas was not necessary to achieve the purpose of protection of goods. This goal could be achieved with means less intrusive to employee privacy. For these reasons, a fine of approximately 5,000 euros was imposed on the company.