Legal Insight
March 2022
Ψαράκης Ιωάννης (ΜΔΕ ΙΙΙ, PhD candidate)
(Republished from Οικονομικό Ταχυδρόμο)
Summary: About a year ago we reported on the Data Protection Impact Assessment (DPIA). There we emphasized its great importance and noted that its adoption by businesses in Greece was inversely proportional to that importance. In today's article we present the first decision of the Data Protection Authority (DPA) in which it ruled that a DPIA was mandatory prior to a processing operation.
Around the end of February 2022, the decision of the Data Protection Authority (DPA) No. 5/2022 was published.
The case examined concerned a well-known dairy company and the installation by it of a video surveillance system in certain areas of its factory. The DPA, following a complaint from an employee, examined the legality of this act in the light of personal data protection law.
The key takeaway from this decision relates to the Data Protection Impact Assessment (DPIA). As we observed about a year ago, the DPIA "seems to have not received in our country the attention its (great) importance deserves". This observation has been confirmed in the case at hand.
To recall, with the help of a general definition, which is also adopted by the General Data Protection Regulation 2016/679 EU (GDPR) itself, the obligation to draft a DPIA exists in those cases where "processing operations are likely to result in a high risk to the rights and freedoms of natural persons". This may be due to a number of reasons, such as the use of new technologies in the processing, after taking into account, of course, the data being processed and the purpose for which the processing is planned to take place.
Safe harbours, i.e. cases where no DPIA is required, are few and far between, while grey areas are numerous. Of course, in order to provide a more coherent set of processing operations requiring a DPIA, each national authority issues a list, which is, however, only indicative. As the DPA itself states in the list it has issued, the obligation to carry out a DPIA is neither waived nor altered in any case of processing which "is likely to present a high risk to the rights and freedoms of natural persons", i.e. even if the case in question is not included in the (nonetheless indicative) list. It is therefore quite unclear when a DPIA would be considered mandatory for the Controller. For this reason, in view of the fines that are threatened, but also because the DPIA is a form of "self-checking" and a useful precaution before processing operations start (it will significantly help in preventing and identifying any security gaps before processing begins), we had said that, with regard to the preparation of the DPIA, the phrase "better safe than sorry" applies.
In the case of the well-known dairy company, the DPA held that the installation of the video surveillance system should have been accompanied by a DPIA, which would have analysed a number of specific issues, based in particular on an assessment of the necessity and proportionality of the intended processing operation.
The main reason why the dairy company had this obligation as a Data Controller was that its case "met" two of the criteria of the relevant guidelines: employees are indeed vulnerable data subjects, due to the unequal power relationship between them and the employer company, but it was also a case of systematic real-time monitoring, via a dedicated monitor located in a guardhouse, by the shift supervisor.
The point of general interest is that these criteria are met, not infrequently, in many cases in which a workplace is monitored. This finding, combined with the fact that there are other possible criteria leading to the obligation to prepare a DPIA, leads us to believe that in the future there will be increased interest, on the part of DPOs, in the preparation of Data Protection Impact Assessments (DPIAs).
The DPA's decision, of course, considered other individual issues and came to several other interesting judgments. For example, in response to the dairy's claim that the installed cameras had special software that filled the screen with a black background (using a "matrix") at points outside the machines (and thus that no image of workers was received), it held that "[...] the setting of the application of the black background of the cameras using the iVMS 4200 software, although the company refers to it as permanent, can at any time and in an easy way be reversed or changed, also by the relevant system settings, so that the image received from the cameras is displayed on the viewing/monitoring screen without any coverage or with coverage of other parts (cf. DPA 23/2021, cf. DPA 87/2015)".
The DPA, in the circumstances of this case, did not impose an administrative fine, but only obliged the company to prepare a DPIA on the basis of the guidance provided in the decision. Of course, over time the DPA's treatment of similar cases is expected to become more severe; these "first decisions" under the GDPR seem to have a "warning" character for Data Controllers (and also Processors, as the case may be), especially in cases of breaches of obligations first introduced by the GDPR (such as the obligation to prepare a DPIA).
The decision of the Data Protection Authority No. 5/2022 is available here.