Tag: data protection

  • GDPR: The next day: Biometric data and employment

    The GDPR has been in force since May 25, 2018, and every day it becomes clearer that adapting to its requirements touches the philosophy and operation of a business. One such issue is the access control of employees by means of biometric data (e.g. fingerprints). Why? Because while I can "clock on" on behalf of a colleague so that he or she gets a little more morning sleep, I cannot deceive the smart machine that reads fingerprints or the iris. The GDPR sets strict barriers to such choices.

    Pursuant to Article 9 par. 1 of the Regulation, the processing of biometric data for the purpose of uniquely identifying a natural person is, as a rule, prohibited. Such processing is permitted only by way of exception, among other cases with the explicit consent of the data subject, and in any case in line with the Guidelines on consent (WP259, 28.11.2017) of the Article 29 Working Party, since endorsed by the European Data Protection Board. It is the settled position of the Working Party 29 that there can be no question of freely given consent where there is a "power imbalance", as is the case in the employer-employee relationship.

    Already under Law 2472/1997 (the previous Greek data protection law), the Hellenic Data Protection Authority had issued decisions on the processing of biometric data in the workplace. In these decisions the Greek Authority developed the position that such processing is not necessary for monitoring employees' compliance with their working hours. As a result, such records are excessive, and their abusive nature cannot be cured by any consent of the employee.

    Decision 56/2009 of the DPA, in a relevant case, is indicative of the scope of the exception. In that decision the Authority did not find the use of fingerprint recognition equipment unlawful, because it concerned specific employees who would have special access to a particular site that could be classified as of the highest security level because of the "Certification Authority Keys" involved, i.e. on the basis of the public interest. In fact, the decision deals with the issue in terms of authorisation, substance and legitimacy rather than in technical terms, as the technical conditions had already been met: (a) encryption of the data, (b) no retention of the data, and (c) no connection to a central system.


    The decision 50/2007 is indicative of DPA’s consistent position

    In another case, Decision 50/2007 shows the Authority's consistent position. Although the company argued that "the system is based on the method of finger geometry and the data collected from it are recorded and stored in an encrypted file, while fingerprints are neither collected nor stored", the DPA set aside these specific arguments and insisted that "the introduction and use of biometric data is a processing of employees' personal data which is not necessary for the purposes of monitoring entry to and/or exit from premises/buildings and observance of their entering and leaving hours, and is therefore illegal".

    Ultimately, collecting biometric data in a working environment is possible only by way of exception. Balancing the needs of the company against the requirements of the Regulation undoubtedly leads to choices that both prevent harm to the company and leave employees' rights unaffected.

    Petrini Naidou
    Senior Associate

    P.S. A brief version of this article has been published in Greek in MAKEDONIA Newspaper (February 24, 2019).


  • GDPR: The Next Day. The Regulation in the context of employment

    The European Regulation "on the protection of natural persons with regard to the processing of personal data", adopted on 27 April 2016, has been directly and uniformly applicable throughout the European Union since 25.5.2018.


    Basic declarations

    It is a "convenient" myth that we should wait for Greek legislation to tell us how to adapt. There is a draft law (its public consultation was completed in March 2018), but it has not yet been adopted, nor does it need to be: the Regulation applies as it stands.

    It is accurate, and not a (malicious) exaggeration, that all businesses process personal data, sometimes even "sensitive" data, such as that of their employees. Businesses therefore need to adapt according to their means and, in particular, according to the potential impact of a leak of the data they process, that is, according to the volume and the degree of "sensitivity" of that data.

    It is also true that the Regulation is not entirely clear on every point. However, we have been equipped with interpretative tools, such as the opinions and guidelines of the Article 29 Working Party, the group of the Member States' Data Protection Authorities.


    The role of GDPR in employment relationships

    What is the role that GDPR plays in the relationship between the Employer and the Employee and which are the main obligations of a business?

    1. To train employees on the processing of third-party data that the business carries out in the context of providing its services, in the broad sense of raising awareness and cultivating new habits.
    2. To revisit employment contracts, adding the employee's obligations in relation to the development of a new corporate culture, i.e. the adoption of a new modus operandi, as the Regulation requires.
    3. Above all, to inform employees about the processing of their own data. In particular: the categories of data collected, the retention period, the purpose and legal basis of the processing, any transmission to other organisations (or other countries) and, most importantly, their rights as set out in Articles 15 to 22 of the Regulation.


    The consent

    It is therefore very important to note that employers are obliged to inform their employees about the processing of the personal data that is necessary for the employment relationship, not to obtain their consent for it. Such consent would be contrary to the spirit (objective) of the Regulation for the following two reasons:

    (a) Consent must be the "last resort" as a legal basis for processing, since it presupposes genuine freedom of choice and is revocable. It would be misleading to make an employee think that, by not giving or by withdrawing consent, he or she could prevent the employer from requesting, or could oblige it to delete, his or her necessary personal data: in fact, labour and social insurance legislation, as well as the performance of the employment contract, require the processing of specific personal data of the employee.

    (b) Consent must be freely given. The relationship between the employee and the business is characterised by a certain imbalance of power, which leads to "forced" and therefore invalid consent.


    The GDPR is a cumbersome Regulation which, however, carries a significant gift: it forces a change of mentality.

    Petrini Naidou
    Senior Associate

    P.S. This article has been published in Greek in MAKEDONIA Newspaper (December 23, 2018).

  • Cyber and Internet Risk Insurance


    Cyber and Internet Risk Insurance: Its Importance for every Company and the Role of the Legal Advisor

    Coverage of the risks arising from the provision of e-services and from the use of the internet is a new insurance product. It is expected to show strong growth in the coming years, driven by the continuing development of technology. Growing use of the internet and of social media, as well as the spread of cloud computing, are parameters that highlight the importance of this new product. A further driver is the very low number, relative to the use and spread of internet services, of companies and businesses that currently hold insurance against this particular category of risk.


    The Necessity of Cyber and Internet Risk Insurance

    It is now accepted that the development of technology and the widespread use of the internet create the ground for criminal behaviour, whether negligent or intentional. Such behaviour is found both in the professional sphere and in the private lives of citizens. Indeed, it grows daily, favoured by the loopholes in the regulation of internet use. It is also favoured by the low level of insurance coverage that corporate entities hold against cyber and internet risks.

    In this context, it should also be borne in mind that today:

    (a) the protection of personal data and privacy is a fundamental human right, while

    (b) a rigorous legislative framework has been built, in the European Union and in Greece in particular, on the use of the internet and cyberspace and, more specifically, on the protection of the personal data of persons and of users of electronic services.

    However, it is generally recognised that the gap between e-reality and its legislative and regulatory environment is an additional risk for businesses. E-reality changes, evolves and grows rapidly, while legislative initiatives follow cyber developments belatedly and often incompletely.

    Consequently, there is no doubt that insurance against cyber and internet risks is now a necessity. It concerns large companies, which are prime targets for malicious actions. It also concerns smaller companies, which are more vulnerable to malicious actions and less able to cope with the damage such actions can cause.


    Choosing the Right Insurance Product

    In this corporate environment of the constantly evolving and changing e-reality, it is crucial to choose the appropriate insurance product against the specific category of risks.

    This choice can no longer be made on the basis of the cheapest premium. Instead, it should form part of an integrated corporate policy aimed at tackling offending or criminal behaviour connected with the use of the internet and e-services. Responsibility for planning an integrated corporate response, and for choosing the appropriate insurance product, can only lie with the legal entity's legal advisor.

    In any case, each company has to plan its response to cyber and internet risks and, consequently, choose the appropriate insurance product, taking into account its line of business, the degree to which electronic services penetrate its operations, and the type and range of personal data it processes.


    The Insurance Market in Greece

    A review of the insurance programmes offered by insurance companies operating in Greece reveals wide variations and discrepancies in coverage against cyber and internet risks. Specifically, the largest insurance companies in Greece:

    (a) either do not offer insurance plans for such risks at all,

    (b) or include coverage against specific risks within electronic equipment insurance, as an optional and supplementary cover under business insurance, i.e. without offering a specialised insurance programme,

    (c) or have introduced specialised and innovative insurance programmes which combine insurance against these risks with the provision of legal, technical and advisory services in a single package.

    It is therefore clear that, as far as tackling the dangers arising from the deployment of e-services and the use of the internet is concerned, the tools do exist.

    The company's responsibility towards itself, its partners or shareholders, its employees and third parties is to choose the most appropriate tools and to incorporate them into its cyber risk management plan for addressing such breaches. Accordingly, the responsibility of the lawyer, the company's legal counsel, is to evaluate the insurance products on offer and to assist in choosing the best solution. The legal counsel's duty also extends to safeguarding the company as far as possible by reviewing the insurance contract and, should the insured risk materialise, to preparing a substantiated claim by the insured company for the fulfilment of the insurer's obligations.


    Petros Tarnatoros
    Senior Associate

    P.S. The article has been published in Greek in MAKEDONIA Newspaper (October 27, 2018).