In terms of regulatory guidance, the DPA has recently focused on the following areas:
1. Reservations of the new national data protection law
In its Opinion 1/2020, the DPA expressed serious reservations about the compatibility of several provisions of the new Greek Law 4624/2019 with the GDPR and stated that it will not apply these statutory provisions. The provisions most heavily criticised by the DPA are mainly those that (i) establish additional bases for the further processing of personal data, (ii) extensively limit the rights of data subjects, especially in the context of the freedom of expression, such as processing for journalistic purposes, and (iii) relate to the legal bases for the processing of employees’ personal data. Given that the Greek privacy community has raised similar concerns about the validity and clarity of the provisions of the new law, it is likely that the Greek State will initiate a legislative reform of the law.
2. Cookies and similar technologies
The guidance of the DPA dated 25 February 2020 on cookies and similar technologies, issued in response to the failure of many website owners to comply with the existing framework, clearly adopts the approach of the CJEU in the Planet49 case and thus contains no surprises. In its guidance, the DPA identifies the cookies that require the consent of website visitors, including cookies for online advertising and third-party analytics. Moreover, the DPA states that website owners can provide the required information and obtain consent through appropriate mechanisms, such as pop-ups or banners, and that the information can be given in multiple layers, as long as specific information about the categories of cookies and similar technologies is provided. Finally, the DPA gives examples of bad practices in relation to the above and calls on website owners to comply with the guidance within a grace period of 2 months.
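The consent model described above, written out as an added example (hypothetical code, not the DPA's or any vendor's): strictly necessary cookies run without consent, advertising and third-party analytics cookies are loaded only after an explicit opt-in with nothing pre-ticked, and the choice is recorded with a timestamp. The category names and loader functions are assumptions.

```javascript
// Added example (not the DPA's or any vendor's code): category-based cookie consent
// gate following the guidance above. Category names and loader functions are assumed.
const CATEGORIES = {
  necessary:   { requiresConsent: false, purpose: 'session/security cookies needed to run the site' },
  analytics:   { requiresConsent: true,  purpose: 'third-party analytics (visitor statistics)' },
  advertising: { requiresConsent: true,  purpose: 'online advertising and cross-site tracking' },
};

class ConsentManager {
  // loaders: category -> function that sets that category's cookies or loads its scripts
  constructor(loaders, now = () => new Date().toISOString()) {
    this.loaders = loaders;
    this.now = now;
    this.consent = {};        // category -> true only after an explicit opt-in
    this.record = null;       // evidence of the choice: what was granted and when
    this.loaded = new Set();  // loaders already run (each runs at most once)
    this.applyConsent();      // strictly necessary cookies do not wait for the banner
  }
  // Initial banner state: consent categories unticked, never pre-selected (Planet49).
  defaultChoices() {
    return Object.fromEntries(
      Object.keys(CATEGORIES).map((n) => [n, !CATEGORIES[n].requiresConsent]));
  }
  isAllowed(name) {
    const c = CATEGORIES[name];
    return Boolean(c) && (!c.requiresConsent || this.consent[name] === true);
  }
  // Visitor submits the banner; only an explicit `true` counts as consent.
  submit(choices) {
    for (const name of Object.keys(choices)) {
      if (!(name in CATEGORIES)) throw new Error(`unknown cookie category: ${name}`);
    }
    const granted = Object.keys(CATEGORIES).filter(
      (n) => !CATEGORIES[n].requiresConsent || choices[n] === true);
    this.consent = Object.fromEntries(granted.map((n) => [n, true]));
    this.record = { granted, at: this.now() };
    this.applyConsent();
    return this.record;
  }
  // Run the loader of every permitted category that has not been loaded yet.
  applyConsent() {
    for (const name of Object.keys(this.loaders)) {
      if (this.isAllowed(name) && !this.loaded.has(name)) {
        this.loaded.add(name);
        this.loaders[name]();
      }
    }
  }
}
```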
3. Processing of personal data in the context of Covid-19
The DPA was one of the first European authorities to respond to the challenges arising in the Covid-19 era. In its guidelines issued on 18 March 2020, the DPA explains that the right to the protection of personal data is not an absolute right and should be balanced against other fundamental rights deserving protection. Starting from the premise that data protection legislation should not be seen as an obstacle to the introduction of the measures necessary to combat the pandemic, and that no processing activity can prima facie be considered prohibited in these special conditions, the DPA sets out the legitimate bases on which employers could rely when processing their employees’ data to ensure the health and safety of employees in the workplace. Interestingly, the DPA refers to the use of temperature screening and questionnaires given to employees, suppliers and visitors, and concludes that generalised and systematic temperature screening resulting in the creation of a health profile of employees would most likely not satisfy the proportionality principle.
4. Security measures for teleworking
In an effort to raise awareness of the risks arising from teleworking, the DPA reminds employers in its guidelines dated 15 April 2020 that they should adopt specific procedures for teleworking, taking into consideration the nature and severity of the risks, and should adequately inform and train employees so as to ensure the effective implementation of these procedures. Moreover, the DPA recommends the adoption of specific security measures: secure remote access to the network, the installation of antivirus software, firewalls and updated software versions on the devices used by employees, the use of virtual machines for teleworking, and the implementation of backup procedures for archives containing personal data. It also recommends avoiding the use of personal email accounts and messaging applications. As regards teleconferences, employers should use platforms that implement end-to-end encryption and should always protect the meeting link in order to keep the meeting private.
5. Requirements for the accreditation of certification bodies and of bodies monitoring codes of conduct
Following Guidelines 4/2018 of the European Data Protection Board (EDPB), the DPA has very recently established requirements, additional to those set forth in ISO 17065, for the accreditation of certification bodies. Pursuant to the DPA’s decision 8/2020, these requirements have been submitted to the EDPB so that the latter may issue its opinion under the consistency mechanism established by the GDPR, and they will not be publicly available until this procedure is completed.
On the same basis and following Guidelines 1/2019 of the EDPB, the DPA has also decided on the criteria for the accreditation of bodies that monitor compliance with codes of conduct. These criteria are based on the EDPB’s Guidelines 1/2019, as stated in the DPA’s relevant decision 9/2020, and will not apply to codes of conduct for transfers of personal data under Article 40(3) of the GDPR, for which additional guidelines from the EDPB are expected. The DPA has submitted the proposed accreditation criteria to the EDPB under the consistency mechanism, so these criteria will be published only upon completion of this procedure.
Article provided by: Mary Deligianni (Zepos & Yannopoulos, Greece)
Dr. Tobias Höllwarth (Managing Director INPLP)