Teleworking during the pandemic: Cybercrime and personal data
Originally published: www.taxheaven.gr (in Greek)
Date: 17/07/2020
Aimilios Koronaios
Attorney at Law
LL.M. (Aberdeen), LL.M. (Athens)
Ι. General
The great challenge of the coronavirus pandemic -COVID19 in international terminology-, which continues to affect humanity as a whole, is bringing about rapid changes in our way of life to date. Established behavior and attitudes of decades changed overnight in the effort to successfully manage the crisis. In the labor sector, the mass transition to a new model of organization and provision of work, the so-called teleworking, is considered an important development. Teleworking, based on the use of information technology, especially telecommunications, is certainly not novel. In Greece, however, its intensity and extent during the period we are going through is unprecedented. Its unprecedented expansion increases the incentives for committing cybercrime and its perpetrators find their victim more easily. In this context, serious issues of personal data protection arise for both teleworkers-victims of cybercrime and persons whose data are involved in one way or another in teleworking. The first line of defense against this new reality, the relevant challenges and concerns, is the consistent compliance with current legislation on personal data protection, in particular with the obligation of businesses and organizations to adopt appropriate security measures.
ΙΙ. Teleworking
Α. Definition and key features
Teleworking is defined as the form of organization and / or provision of work using information technology, within the framework of a contract or employment relationship, where work, which could be performed at the employer’s premises, is performed, on a regular basis, from distance1. A teleworker is defined as an employee who performs teleworking in accordance with the above definition2. Teleworking is impossible without the use of digital technology, which is why it is considered the key to the digital transformation of the economy.
With regard to the place of teleworking, it can be at home, when provided by the teleworker’s home, or mobile, when provided by other temporary premises while travelling, or by telecentre, when provided by specially organized premises made available to teleworkers of various companies3. Teleworking is increasingly provided via a corporate network connection, to enable access to the necessary corporate files to perform work. In order to successfully provide work, a number of tele-collaboration applications are used, such as teleconferencing applications.
Examination of data regarding teleworking before the coronavirus demonstrates that it had been limited. According to a 2017 survey, teleworkers in the European Union accounted for about 17% of all employees, with Denmark in first place with 37% and Greece in the penultimate position with 9%4. Greece’s ranking was considered negative, attributed to the general difficulties of adapting to new developments, at a time when the strong expansion of teleworking became a demand due to its positive characteristics5.
In 2020, teleworking amidst the coronavirus expanded significantly in both the European Union and Greece. According to an April 2020 survey, the following countries ranked first with a positive answer by over 40% to the question “Did you start working from home as a result of the coronavirus”, Finland with 59%, the Netherlands with 53.9%, Denmark with 46.7%, Ireland with 43.4%, Sweden with 41.8%, Austria with 41.5% and Italy with 40.8% 6. In Greece, the percentage was 26%7, significantly higher than before.
Teleworking has mutual benefits for both businesses and employees8. For the former, these include the increase of productivity, an attractive profile for younger employees, the reduction of expenses for the business, the reduction of unscheduled absences of the employees9. For the latter, it includes the reduction of their expenses e.g. reduction of travelling, as well as a more balanced life, due to the more efficient management of professional and personal obligations10. The weak points of teleworking are the possibility of prolonged working hours and the blurring of the distinction between professional and personal life11.
Β. The regulatory framework
Teleworking at European level is governed by the European Framework Agreement on Telework (2002). This Agreement was transposed into Greek law for the first time by virtue of the National General Collective Bargaining Agreement of 2006 and 2007 (NGCBA 2006-2007), while it is now an integral part of those that followed. The NGCBA 2006-2007 provides in article 4 that the parties decide on the immediate application of the European Framework Agreement on Telework, concluded by the European Trade Union Confederation (CES), the Union of Industrial and Employers’ Confederations of Europe (UNICE), the European Association of Craft, Small and Medium-Sized Enterprises (UEAPME) and the European Centre for Public Enterprises (CEEP). The text of the Framework Agreement on Telework is even annexed to the NGCBA 2006-2007 as Appendix B, and it is explicitly provided that it constitutes an integral part thereof. The above Agreement sought to establish a general framework for teleworking to be implemented by the participating States12, and especially guidelines for ensuring the rights of teleworkers13. More specifically, according to the provisions thereof, teleworking is of voluntary character14. As a general rule, the employer is responsible for the provision, installation and maintenance of regular teleworking equipment, unless the teleworker uses his/her own equipment15. In the same line, if teleworking is provided on a regular basis, the employer is responsible for the costs directly incurred by teleworking, in particular those related to communication16.
At the level of statutory law, a relevant provision is included in article 5 of Law 3846/201017. In particular, according to par. 1 thereof, when drawing up an employment contract for teleworking, the employer is obliged to deliver in writing within eight days to the employee all the information related to the performance of the work. This information relates to the hierarchy of the employee with his/her superiors in the business, his/her detailed duties, the way of calculating his/her remuneration, the way of measuring the working time, the reimbursement of the costs associated with work, such as telecommunications, equipment and device failures. If the contract contains an agreement on tele-readiness, its time limits and the response deadlines of the employee shall be defined. Furthermore, according to par. 2 of the above article, if regular work is converted into teleworking, the relevant contract shall stipulate an adjustment period of three months, during which either party, after observing a period of fifteen days, may put an end the teleworking and the employee shall return to work in a position similar to the one he/she previously held. Regarding the cost of teleworking, according to par. 3 of the above article, the employer assumes in each case the costs caused to the employee by this form of work and in particular telecommunications, provides the employee with technical support to provide his/her work and undertakes to reimburse the repair costs of the devices used to perform it or to replace them in case of failure. This obligation of the employer also applies to devices belonging to the employee, unless otherwise specified in the contract or employment relationship. The contract or employment relationship shall also define the manner of monetary compensation by the employer for the use of the employee’s home as a workplace.
More recently and in the midst of the pandemic, article 4 par. 2 of Legislative Content Act of 11.3.202018 provided for the possibility for employers to impose on the basis of their own decision teleworking to employees.
The above-mentioned regulatory framework for teleworking is currently considered to be totally inadequate, especially after its rapid expansion as a result of the new conditions. For this reason, it is recommended to adopt special regulations which will concern, among others, the costs of the employee for his/her material equipment and communication, as well as the remuneration of the tele-readiness, i.e. the constant availability of the tele-employee19.
ΙΙΙ. Cybercrime
The expansion of teleworking in the midst of the pandemic provided a solid basis for the subsequent prediction of a corresponding increase in cybercrime. This is because the adoption of remote means of work significantly increases the number of potential victims for cybercriminals. This being said, already in March 2020, Europol predicted a relative risk due to the increase in the number of employers who activate the possibility of teleworking and by this allow access to their information systems20. In the same line, the Council of Europe, at the same time, underlined that the growing emphasis during the pandemic for work purposes put on, inter alia, computer systems, mobile devices and the internet, has led cybercriminals to try to exploited it to their advantage21.
What tools do cybercriminals use in the context of their criminal activity in relation to the pandemic? These are in particular: a) phishing campaigns and malware installation through supposedly genuine websites and documents that provide information about the pandemic, in order to gain illegal access to personal data, b) installation of ransomware on mobile phones through the installation of pseudo-applications, which claim to provide information about the pandemic, so that money can then be extorted, and c) illegal access to corporate networks through attacks on teleworkers22.
In Greece, this situation led the National Transparency Authority to issue a special Guide for the protection against fraudulent techniques associated with COVID-1923. It underlines that the pandemic creates new opportunities for illegal activities, especially fraud24. Furthermore, it is pointed out that the practices and tricks of cybercriminals include manipulation and deception through the internet, that is, through “social engineering”, using phishing and other methods, aimed at illegal acquisition of access to passwords25. Especially in the context of “phishing” scams, cybercriminals present themselves as so-called representatives of national and global health authorities, e.g. of the World Health Organization and the Centers for Disease Control and Prevention, in order to achieve the installation of the malicious software by the teleworker and then gain illegal access to personal data26.
A corresponding briefing was also held by the Directorate of Cybercrime Prosecution (DCP) regarding attempts of fraud via the internet on the occasion of the coronavirus27. After noting that during the pandemic numerous complaints by citizens have been lodged and that Interpol and Europol have published updates on a number of cyber-frauds based on attempts to exploit the widespread concern about the coronavirus, the DCP presented basic elements of the cybercrime methodology28. This includes phishing, i.e. deceptive emails, which allegedly come from national or global health authorities, with links or attachments that are supposed to be related to the pandemic. In reality, however, these messages contain malware, the installation of which enables illegal access to personal data29.
At the same time, a number of international, European and national organizations have issued instructions on the necessary security measures to be taken, among others by teleworkers, to protect themselves from cybercriminals30. A selective list of the most important regarding Greece will be presented hereinbelow.
It is recalled that cybercrimes, such as the above are criminal acts that fall within the ambit of article 292B of the Greek Penal Code on obstruction of the operation of information systems (prosecuted ex officio), article 370 par. 2 of the Greek Penal Code on unlawful access to an email or electronic correspondence of another person (prosecuted upon a prior complaint by the victim), article 370B of the Greek Penal Code on unlawful access to an information or data system (prosecuted upon a prior complaint by the victim), article 370C of the Greek Penal Law on unlawful conduct in relation to state, scientific, professional or business secrets of the public or private sector (prosecuted upon a prior complaint by the victim) and article 386A Greek Penal Law on computer fraud (usually prosecuted upon a prior complaint by the victim). Depending on the circumstances, extortion under article 385 of the Greek Penal Law may also be established.
IV. The protection of personal data
Α. The regulatory framework
Teleworking is inextricably linked to the processing of personal data. This is because it requires data, especially of customers, suppliers, associates, but also of teleworkers themselves, to be processed, i.e., among other things, collected, stored, used and transmitted remotely. Thus, during teleworking, personal data is often on a constant “journey” to and from the premises of each organization or business. This “journey”, however, makes them a primary target of cybercriminals, who seek illegal access to them, in order to then further use them for their criminal activity, e.g. for illegal access to bank accounts, for extortion, etc. It is thus becoming apparent that teleworking poses new risks to the protection of personal data due to the increased use of telecommunications and the widespread use of electronic devices, often even personal devices of the teleworker.
It is emphasized that in cases where the teleworker becomes a victim of cybercrime, not only the principle of confidentiality of personal data is violated, as an unauthorized third party gains access to them, but also the principle of the availability of personal data e.g. via the use of ransomware, which makes it impossible to access them until the price required by the cybercriminal is paid.
So what is the relevant regulatory framework for the protection of personal data and the obligations of organizations and businesses, as well as teleworkers, in order to shield themselves against cybercrime?
First of all, a special provision on personal data in the context of teleworking is contained in the aforementioned European Framework Agreement on Telework (2002), as transposed in Greek legislation by virtue of NGCBA 2006-2007. Under article 5 thereof, entitled “Data Protection” it is up to the employer to take appropriate action, in particular with regard to software, to ensure the protection of data used and processed by the teleworker for professional purposes. Thus, the employer informs the teleworker about all the applicable provisions and rules of the business regarding data protection, whereas it is up to the teleworker to comply with these rules.
Furthermore, as concerns organizations and businesses that adopt teleworking, and regarding the personal data processed by their teleworkers, it is noted that according to article 24 par. 1 GDPR31, the controller must apply appropriate technical and organizational measures in order to ensure and be able to demonstrate that processing is carried out in accordance with the GDPR. According to the provisions of par. 2 of the above article, no specific technical and organizational measures are provided, except for the implementation of appropriate personal data protection policies. However, as defined in the above regulation, the appropriateness and specific content of these measures is determined by the nature, scope, context and purposes of the processing, as well as the risks of different probability and severity regarding the rights and freedoms of natural persons. Thus, the controller is required to select the appropriate technical and organizational measures, but in the context specified in article 24 GDPR. The controller is also obliged to review them and update them, when deemed necessary, in accordance with article 24 par. 1 last indent GDPR.
In the same direction, according to article 32 par. 1 GDPR, the respective controller and the processor must implement appropriate technical and organizational measures in order to ensure the appropriate level of security against the risks to personal data. According to par. 2 of the above article, for the assessment of the appropriate level of security, the risks arising from the processing are taken into account, in particular from accidental illegal destruction, loss, alteration, unauthorized disclosure or access of personal data transmitted, stored or otherwise processed. In contrast to article 28 GDPR, a more detailed indication of proposed measures is made here, which includes: a) the pseudonymization and encryption of personal data, b) the ability to ensure the confidentiality, integrity, availability and reliability of systems, c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical event, d) the process for regular testing, assessment and evaluation of the effectiveness of technical and organizational measures to ensure the safety of processing. As for the other measures, the same paragraph provides that the appropriate technical and organizational measures are selected taking into account the latest developments, implementation costs and nature, scope, framework and purposes of processing, as well as the risks of different probability of occurrence and seriousness regarding the rights and freedoms of individuals.
In conclusion, the organizations and businesses that adopt teleworking have the responsibility to predict and implement the appropriate technical and organizational measures to ensure the security of personal data processed by teleworkers. The latter are in turn obliged to apply the relevant measures in a strict manner.
B. Proposed security measures
In April 2020, the Greek Personal Data Protection Authority (Greek DPA) published Guidelines for the adoption of security measures in the context of teleworking32, due to the expanded adoption of teleworking by organizations and businesses. The aim is to raise the awareness of controllers, processors, employees and the public about the risks associated with the processing of personal data, but also the obligations of all persons involved33. According to the Greek DPA, the business that adopts teleworking must: a) define and adopt specific procedures related to the protection of personal data for teleworking and b) inform, train and assist employees in the implementation of the above procedures34. The relevant text also emphasizes the increased importance of the obligations of each organization or business for the protection of personal data of teleworkers, due to their increased expectation for the protection of their privacy, stemming from the fact that they provide work from their home35.
The content of the procedures proposed by the Greek DPA is specified with respect to four areas: a) network access, b) use of e-mail / messaging applications, c) use of terminal / storage media, d) teleconferencing36.
For network access, the measures proposed by the Greek DPA are summarized as follows: a) ensuring that there is no possibility of insecure remote access to the institution’s information systems resources, b) defining and limiting the resources to which remote access is available to the absolutely necessary, c) connection to the company’s computer systems through a “remote desktop” service only via VPN, d) use of secure WPA2 protocol with strong password, when the teleworker connects to the internet via wireless network, e) avoidance of storage of files with personal data in web storage services37.
For the use of e-mail / messaging applications, the measures proposed by the Greek DPA are summarized as follows: a) the avoidance –in principle- of using personal e-mail for teleworking purposes, b) the avoidance –in principle- of using messaging applications for teleworking purposes, where they contain personal data, the leakage whereof would create risks38.
For the use of terminal device / storage media, the measures proposed by the Greek DPA are summarized as follows: a) the installation in the teleworking device of a system against viruses (antivirus) and firewall, as well as their regular updating, b) the installation in the teleworking device of the latest software and operating system updates, c) the use of the latest versions of internet browsers, with no history keeping or deletion after teleworking, d) the segregation of personal data relating to teleworking on the teleworking device, e) the use of appropriate encryption procedures for files containing personal data, f) the use of procedures for backing up files with personal data, g) the locking of the teleworking device39.
For teleconferencing, the measures proposed by the Greek DPA are summarized as follows: a) the use of platforms that support security services, such as encryption, b) the protection of the link of the scheduled teleconferencing, e.g. by not publishing it on the internet, c) the study of relevant terms of use and protection of personal data40.
In addition to the Greek DPA, the relevant specific guidelines for adopting security measures published by the Ministry of Digital Government as well as by the Association of Businesses and Industries, are also worth mentioning.
According to the Ministry of Digital Government, the document entitled “Tips for safe work from home”, published in March41, summarizes in particular the following measures: a) the use of applications that provide full encryption in communication for sending sensitive information, b) the activation of the possibility of connection with two-step identification for each account that the teleworker maintains, c) the activation on the mobile phone of the function allowing access to online services using biometric data, d) the non-circulation of addresses and instructions through social networks for participation in video conferencing, e) the non-use of open wireless networks, which are more vulnerable to malicious acts, f) the use of strong passwords and security software on the equipment in question.
According to the Association of Businesses and Industries, the document entitled “Teleworking: Q&A and Implementation Guide”, published in March42, outlines in particular the following measures: a) the use of a “Virtual Private Network” (VPN) , b) the strict restriction of computers connected to corporate systems, c) the control of access to prohibited websites by teleworking computers, in accordance with the respective policy, d) the imposition of restrictions on software programs installed on teleworking computers, e) restrictions on the movement of data and related storage media used and (f) restrictions on information systems accessible to the teleworker.
In summary, the key aspects of all the above safety measures lies in the elaboration of the appropriate procedures / policies while simultaneously adopting the appropriate measures, in informing and educating the teleworkers about them and then in their systematic implementation. In this way, the obligations set out in articles 28 and 32 GDPR, as well as article 5 of the aforementioned European Framework Agreement on Telework (2002), can be substantially fulfilled by organizations and businesses adopting teleworking, resulting in the successful repulsion of cybercriminals and the protection of personal data during teleworking. It should be noted, however, that, as is clear from the wording of the above-mentioned GDPR regulations, the respective security measures are required to be individualized, according to the criteria they set thereunder.
C. A digression: the electronic monitoring of the teleworker
As a digression from the main axis hereof, teleworking raises another important issue in the field of personal data, in addition to the major issue of their security due to cybercrime. This is the electronic monitoring of the teleworker by his/her employer43. This issue is raised due to the repeated electronic communications between employee and employer and consequently due to the large volume of personal data of the employee which can now be processed44, either voluntarily or involuntarily by the organization or business. Thus, programs used, e.g. for teleconferencing, enable the employer to digitally record his/her communication with teleworkers and, therefore, record the voice, the face, the behavior and also the household environment of teleworkers, as captured on the camera used, or further digitally analyze the attention demonstrated by the participating teleworkers in the teleconference45. These cases, which need to be examined on a case-by-case basis, are governed by the GDPR and the relevant legal framework, with emphasis on articles 5 and 6 GDPR on the principles of personal data processing and the legality of processing. The relevant Guidelines of the Greek DPA and the former Working Group of article 2946 are also applied. The relevant decisions of the Greek DPA to date is also very enlightening in this regard47.
It should be noted, however, that according to par. 5.4.1 of Opinion 2/2017 of the former Working Group of article 29 on the processing of data at work48, entitled “Monitoring of home and remote working”49, the use of software that has the ability e.g. of recording the sequence of keyboard characters and mouse movements of the teleworker, recording snapshots of the teleworker, recording the applications used and the time of use by the teleworker, as well as the activation of webcams and collection of recorded material of the teleworker leads to disproportionate processing of personal data. Thus, according to the same Opinion 2/2017, it is extremely unlikely that the employer has a legal basis within the context of a legal interest for such processing of personal data.
For their part, teleworkers must also show increased sensitivity for the protection of their personal data during the teleworking period, e.g. not to use professional equipment they have received for teleworking needs e.g. a corporate computer for personal use, as well as to turn off the computer camera and microphone when they do not need to be turned on50.
V. Epimeter
In May, Facebook announced that it intended to adopt teleworking on a permanent basis – at a time when 95% of its staff were employed remotely during the pandemic – predicting that teleworking would concern permanently at least half of its staff within the next decade51. In this context, its staff was invited to notify accordingly the company by the beginning of 202152. According to the social media giant, the remuneration of each teleworker will be determined taking into account the living cost in the area where he/she lives53. Other tech giants, such as Google and Amazon54, are also gearing up for teleworking, albeit not in the same depth of time. A similar attitude with Facebook seems to be adopted by Twitter55. At the same time, amid the pandemic, in the UK, the rate of cybercrime attacks on teleworkers rose from 12% in March, before the adoption of strict measures to tackle the pandemic, to more than 60% a few weeks later56. The above facts show that teleworking has come to stay, as well as the consequent increased cybercrime activity against teleworkers. Times have changed for the protection of personal data, in a manner which has not yet been fully revealed. The first concern of organizations, businesses and teleworkers is to adopt and implement the appropriate technical and organizational security measures, so that the new reality won’t bring about a strong blow to the right to protection of personal data. After all, failure to protect personal data will certainly undermine any attempt to expand teleworking, these two being in a complementary relationship. In a second stage, the adoption of a new holistic legislative framework for teleworking in Greece needs to be examined. Regarding the latter, the Government recently announced a relevant legislative initiative.
The enactment of the new legislation and the new issues that it will inevitably raise in the relevant debate are therefore highly anticipated.
__________________________
1 European Foundation for the Improvement of Living and Working Conditions, <https://www.eurofound.europa.eu/observatories/eurwork/industrial-relations-dictionary/telework>, last access on 14.7.2020.
2 ibid.
3 Association of Businesses and Industries, Special Report on telework, 2.5.2019, p. 3, <http://www.sev.org.gr/Uploads/Documents/52083/SR_TELEWORK_final.pdf>, last access on 14.7.2020.
4 ILO and Eurofound, Working anytime, anywhere: the effects on the world of work, 2017, p. 15, <https://www.eurofound.europa.eu/publications/report/2017/working-anytime-anywhere-the-effects-on-the-world-of-work>, last access on 14.7.2020.
5 Association of Businesses and Industries, Special Report on telework, 2.5.2019, p. 1, <http://www.sev.org.gr/Uploads/Documents/52083/SR_TELEWORK_final.pdf>, last access on 14.7.2020.
6 Eurofound, Living, working and COVID-19 e-survey, <https://www.eurofound.europa.eu/data/covid-19/working-teleworking>, last access on 14.7.2020.
7 ibid.
8 Association of Businesses and Industries, Special Report on telework, 2.5.2019, p. 2, <http://www.sev.org.gr/Uploads/Documents/52083/SR_TELEWORK_final.pdf>, last access on 14.7.2020.
9 ibid.
10 ibid.
11 ΕU Parliament, What Europe does for me; – Teleworkers, <https://what-europe-does-for-me.eu/el/portal/2/B55>, last access on 14.7.2020.
12 European Framework Agreement on Telework (2002), p. 1.
13 ΕU Parliament, What Europe does for me; – Teleworkers, <https://what-europe-does-for-me.eu/el/portal/2/B55>, last access on 14.7.2020.
14 European Framework Agreement on Telework (2002), p. 3.
15 ibid.
16 ibid.
17 “ Guarantees for work safety and other provisions”, Government Gazette Α’ 66/11.05.2010.
18 “”Urgent measures to address the adverse effects of COVID-19 and the need to limit its spread”, Government Gazette Α’ 55/11-03-2020.
19 Aristotle University of Thessaloniki Professor: Insufficient legal framework for teleworking – Why there is a need for more specific regulations – What Dimitris Zerdelis says, iefimerida.gr, 18.3.2020, <https://www.iefimerida.gr/ellada/kathigitis-apth-aneparkes-nomothetiko-plaisio-tilergasia>, last access on 14.7.2020.
20 Europol, Press Release, How criminals profit from the COVID-19 pandemic, 27.3.2020, <https://www.europol.europa.eu/newsroom/news/how-criminals-profit-covid-19-pandemic>, last access on 14.7.2020.
21 Council of Europe, News, Cybercrime and COVID-19, <https://www.coe.int/en/web/cybercrime/-/cybercrime-and-covid-19>, last access on 14.7.2020.
22 ibid.
23 National Authority for Transparency, COVID-19 Scam Protection Guide, 2020, p. 2.
24 ibid.
25 ibid.
26 National Authority for Transparency, COVID-19 Scam Protection Guide, 2020, p. 3.
27 The Directorate for Cybercrime Prosecution informs citizens about fraudulent attempts and cases of spreading false news, via the internet, on the occasion of the coronavirus (COVID-19), 2020, <https://cyberalert.gr/%ce%b7-%ce%b4%ce%b9%ce%b5%cf%8d%ce%b8%cf%85%ce%bd%cf%83%ce%b7-%ce%b4%ce%af%cf%89%ce%be%ce%b7%cf%82-%ce%b7%ce%bb%ce%b5%ce%ba%cf%84%cf%81%ce%bf%ce%bd%ce%b9%ce%ba%ce%bf%cf%8d-%ce%b5%ce%b3%ce%ba%ce%bb/>, last access 14.7.2020.
28 ibid.
29 ibid.
30 See, amongst others, Commission Nationale de l’Informatique et des Libertés, Les conseils de la CNIL pour mettre en place du télétravail, 12.5.2020, <https://www.cnil.fr/fr/les-conseils-de-la-cnil-pour-mettre-en-place-du-teletravail>, last access on 14.7.2020. Relevant guidelines from the European Data Protection Board are also expected. See European Data Protection Board, Press Release, Twentieth plenary session of the European Data Protection Board – scope of upcoming guidance on data processing in the fight against COVID-19, <https://edpb.europa.eu/news/news/2020/twentieth-plenary-session-european-data-protection-board-scope-upcoming-guidance-data_el>, last access on 14.7.2020.
31 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), O.J. L 119/4.5.2016, p. 1 et seq., commonly known as General Data Protection Regulation (GDPR). Indicative bibliography: Ι. Ιgglezakis, General Data Protection Regulation (Regulation 2016/679), 2nd edition, 2018· V. Sotiropoulos, Data Protection Officer, 2nd edition, Sakkoulas Publications, 2019· L. Kanellos, The GDPR Handbook, Nomiki Vivliothiki, 2020.
32 Guidelines of the Personal Data Protection Authority for the adoption of security measures in the context of teleworking, 15.4.2020, <https://www.dpa.gr/pls/portal/docs/PAGE/APDPX/HOME/FILES/KATEFTHINTIRIES%20GRAMMES_TILERGASIA.PDF>, last access on 14.7.2020.
33 Greek DPA, Press Release – Guidelines of the Personal Data Protection Authority for the adoption of security measures in the context of teleworking, 15.4.2020, <http://www.dpa.gr/APDPXPortlets/htdocs/documentDisplay.jsp?docid=65,70,126,25,55,137,17,157>, last access on 14.7.2020.
34 Guidelines of the Personal Data Protection Authority for the adoption of security measures in the context of teleworking, 15.4.2020, p. 1, <https://www.dpa.gr/pls/portal/docs/PAGE/APDPX/HOME/FILES/KATEFTHINTIRIES%20GRAMMES_TILERGASIA.PDF>, last access on 14.7.2020.
35 ibid.
36 Guidelines of the Personal Data Protection Authority for the adoption of security measures in the context of teleworking, 15.4.2020, p. 1-3, <https://www.dpa.gr/pls/portal/docs/PAGE/APDPX/HOME/FILES/KATEFTHINTIRIES%20GRAMMES_TILERGASIA.PDF>, last access on 14.7.2020.
37 Guidelines of the Personal Data Protection Authority for the adoption of security measures in the context of teleworking, 15.4.2020, p. 1-2, <https://www.dpa.gr/pls/portal/docs/PAGE/APDPX/HOME/FILES/KATEFTHINTIRIES%20GRAMMES_TILERGASIA.PDF>, last access on 14.7.2020.
38 Guidelines of the Personal Data Protection Authority for the adoption of security measures in the context of teleworking, 15.4.2020, p. 2, <https://www.dpa.gr/pls/portal/docs/PAGE/APDPX/HOME/FILES/KATEFTHINTIRIES%20GRAMMES_TILERGASIA.PDF>, last access on 14.7.2020.
39 Guidelines of the Personal Data Protection Authority for the adoption of security measures in the context of teleworking, 15.4.2020, p. 3, <https://www.dpa.gr/pls/portal/docs/PAGE/APDPX/HOME/FILES/KATEFTHINTIRIES%20GRAMMES_TILERGASIA.PDF>, last access on 14.7.2020.
40 ibid.
41 Ministry of Digital Government, Press Release – Tips for Safe Work at Home, 30.3.2020, <https://mindigital.gr/archives/1291>, last access on 14.7.2020.
42 Association of Businesses and Industries, Teleworking: Q&A and Implementation Guide, March 2020, <https://www.sev.org.gr/Uploads/Documents/52761/SEV_Thlergasia%20(1B).pdf>, last access on 14.7.2020.
43 In general on this problematic, see., amongst others, I. Igglezakis, Supervision and monitoring of electronic communications in the workplace, DiΜΕΕ 1/2005, p. 55 et seq.
44 O. Proust and S. Crouzet, The risks of online employee monitoring during the COVID-19 crisis, 14.4.2020, <https://www.fieldfisher.com/en/services/privacy-security-and-information/privacy-security-and-information-law-blog/the-risks-of-online-employee-monitoring-during-the>, last access on 14.7.2020.
45 ibid.
46 Guideline 115/2001 of the Greek DPA on data processing of workers, <http://www.dpa.gr/pls/portal/url/ITEM/BD66D8402E549E88E040A8C07C242BC7>, last access on 14.7.2020· Opinion 2/2017 of Article 29 Working Group on data processing at work, <https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=610169>, p. 19-20, last access on 14.7.2020..
47 Greek DPA, Decision of thematic section “Work relationships”, <https://www.dpa.gr/portal/page?_pageid=33%2C15453&_dad=portal&_schema=PORTAL&_piref33_15473_33_15453_15453.etos=-1&_piref33_15473_33_15453_15453.arithmosApofasis=&_piref33_15473_33_15453_15453.thematikiEnotita=171&_piref33_15473_33_15453_15453.ananeosi=%CE%91%CE%BD%CE%B1%CE%BD%CE%AD%CF%89%CF%83%CE%B7>, last access on 14.7.2020.
48 Opinion 2/2017 of Article 29 Working Group on data processing at work, <https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=610169>, p. 19-20, last access on 14.7.2020.
49 Opinion 2/2017 of Article 29 Working Group on data processing at work, <https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=610169>, p. 19-20, last access on 14.7.2020.
50 O. Proust and S. Crouzet, The risks of online employee monitoring during the COVID-19 crisis, 14.4.2020, <https://www.fieldfisher.com/en/services/privacy-security-and-information/privacy-security-and-information-law-blog/the-risks-of-online-employee-monitoring-during-the>, last access on 14.7.2020.
51 Facebook makes teleworking permanent, Kathimerini, 23.5.2020, <https://www.kathimerini.gr/1079540/article/oikonomia/die8nhs-oikonomia/monimopoiei-thn-thlergasia-h-facebook>, last access on 14.7.2020.
52 ibid.
53 ibid.
54 ibid.
55 Facebook and Twitter “push” workers to permanent teleworking, newmoney.gr, 22.5.2020, <https://www.newmoney.gr/roh/diethni/facebook-ke-twitter-sprochnoun-tous-ergazomenous-se-monimi-tilergasia/>, last access on 14.7.2020.
56 Cybercrimes against teleworkers increased – Amidst the lockdown, LiFO, 24.5.2020, <https://www.lifo.gr/now/tech_science/283584/ayksithikan-oi-kyvernoepitheseis-kata-ergazomenon-se-tilergasia-en-meso-lockdown>, last access on 14.7.2020.