GDPR Related National Laws & Modifications
The European Union’s General Data Protection Regulation (GDPR) sets a common standard for protecting personal data across the EU. It also allows member nations some flexibility to create additional provisions and limitations. Some examples, which may impact HR teams, include the ability for EU member states to:
- provide “specific rules to ensure the protection of…employees’ personal data in the employment context” (Art. 88);
- limit the transfer of “specific categories of personal data to a third country or international organization” if the country (or international organization) is deemed not to have adequate protections in place (Art. 49(5)); and,
- “determine the specific conditions for the processing of a national identification number or any other identifier of general application” (Art. 87).
Derogations in Greece
Greece implemented the GDPR through Law 4624/2019, which went into effect in September 2019. This law applies to the automated and partially automated processing of personal data, including data in archiving systems, by public or private entities. Under the new Law, the processing of personal data is permitted in the context of employment for certain purposes, including:
- when necessary for the performance or execution of the employment contract;
- with the employee’s freely given consent, taking into account the circumstances of the consent and the employee contract. Consent should be provided in writing or electronically and must be clearly distinguished from the employment contract. The employee should be informed electronically or in writing of the purpose of the processing and the right to withdraw consent;
- processing sensitive personal data (e.g., health data) when necessary to exercise rights or fulfill a legal obligation under labor laws or social security laws and the legitimate interest of the data subject (i.e., the employee) doesn’t override the purpose of the processing. Explicit consent must be obtained when processing special categories of personal data;
- on the basis of collective agreements.
Processing personal data via CCTV systems is only permitted in workplaces if necessary for the protection of persons and goods. Employees must be informed of the installation and operation of CCTV systems in writing (written or electronic notice).
Note that under Law 4624/2019, the above applies to employees (with any employment relationship, work or service contract regardless of the contract’s validity) as well as job applicants.
COVID Safety Guidelines
In April 2020, the Hellenic Data Protection Authority (HDPA) issued Guidelines no. 2/2020 to address data safety measures in the context of remote work due to COVID. The measures include considerations for the use of email, messaging applications, terminal devices and storage while working from home. They also address network access and teleconferences.
These guidelines are supplemented by Decision no. 32/2021 and Guidelines no. 1/2021, issued on 04/08/2021, on the protection of personal data in the context of teleworking. The guidelines cover the employee’s right to disconnect outside of work hours, safety measures relating to bring your own device (B.Y.O.D.) policies, a prohibition on requiring web cameras, the transfer of data to third countries and the distinction between the employee’s personal and professional life.
Pursuant to Labor Law 4808/2021, employers are obligated to protect home teleworkers’ professional and personal data and to inform them of the actions and procedures necessary for this purpose. Per the HDPA, if personal data is transferred to third countries during work from home, the data controller can either use tools and platforms that comply with GDPR provisions regarding data transfers to third countries or use the standard contractual clauses approved by the European Commission.