The European Union’s General Data Protection Regulation (GDPR) sets a common standard for protecting personal data across the EU. It also allows member nations some flexibility to create additional provisions and limitations. Some examples, which may impact HR teams, include the ability for EU member states to:
Greece implemented the GDPR through Law 4624/2019, which went into effect in September 2019. This law applies to the automated and partially automated processing of personal data, including data in archiving systems, by public or private entities. Under the new Law, the processing of personal data is permitted in the context of employment for certain purposes, including:
Processing personal data via CCTV systems is only permitted in workplaces if necessary for the protection of persons and goods. Employees must be informed of the installation and operation of CCTV systems in writing (written or electronic notice).
Note that under Law 4624/2019, the above applies to employees (with any employment relationship, work or service contract regardless of the contract’s validity) as well as job applicants.
In April 2020, the Hellenic Data Protection Authority (HDPA) issued Guidelines no. 2/2020 to address data safety measures in the context of remote work due to COVID. The measures include considerations for the use of email, messaging applications, terminal devices and storage while working from home. They also address network access and teleconferences. These guidelines are supplemented by Decision no. 32/2021 and Guidelines no. 1/2021, issued on 04/08/2021, on the protection of personal data in the context of teleworking. The guidelines cover the employee’s right to disconnect outside of work hours, safety measures relating to bring your own device (B.Y.O.D.) policies, the prohibition on requiring web cameras, the transfer of data to third countries and the distinction between the employee’s personal and professional life.
Employers are obligated to protect home teleworkers’ professional and personal data as well as inform them of actions and procedures necessary for this purpose, pursuant to Labor Law 4808/2021. Per the HDPA, if personal data is transferred to third countries during work from home, the data controller can either use tools and platforms that comply with GDPR provisions regarding data transfers to third countries or use the standard contractual clauses approved by the European Commission.