GDPR Related National Laws & Modifications
The European Union’s General Data Protection Regulation (GDPR) sets a common standard for protecting personal data across the EU. It also allows member nations some flexibility to create additional provisions and limitations. Some examples, which may impact HR teams, include the ability for EU member states to:
- provide “specific rules to ensure the protection of…employees’ personal data in the employment context” (Art. 88);
- limit the transfer of “specific categories of personal data to a third country or international organization” if the country (or international organization) is deemed not to have adequate protections in place (Art. 49, (5)); and,
- “determine the specific conditions for the processing of a national identification number or any other identifier of general application” (Art. 87).
Derogations in Greece
Greece implemented the GDPR through Law 4624/2019 which went into effect September 2019. This law applies to the automated and partially automated processing of personal data, including data in archiving systems by public or private entities. Under the new Law, the processing of personal data is permitted in the context of employment for certain purposes, including:
- when necessary for the performance or execution of the employment contract;
- with the employee’s freely given consent, taking into account the circumstances of the consent and the employee contract. Consent should be provided in writing or electronically and, must be clearly distinguished from the employment contract. The employee should be informed electronically or in writing of the purpose of the processing and the right to withdraw consent;
- processing sensitive personal data (ex. health data) when necessary to exercise rights or fulfill a legal obligation under labor laws or social security laws and the legitimate interest of the data subject (i.e., the employee) doesn’t override the purpose of the processing. Explicit consent must be obtained when processing special categories of personal data;
- on the basis of collective agreements.
Processing personal data via CCTV systems is only permitted in workplaces if necessary for the protection of persons and goods. Employees must be informed of the installation and operation of CCTV systems in writing (written or electronic notice).
Note that under Law 4624/2019, the above applies to employees (with any employment relationship, work or service contract regardless of the contract’s validity) as well as job applicants.