EMPLOYER: GDPR, GPS, EMAILS, COMPUTERS

Employer obligations under the GDPR regarding the use of GPS, monitoring of corporate emails, and computers.

1. Is my employer entitled to monitor my computer?

The employer is entitled to inspect the stored data found on the employee’s computer, where such access (processing) is strictly necessary for the satisfaction of the legitimate interest pursued by the employer in their capacity as data controller, and on condition that this clearly overrides the rights and interests of the employee, without prejudice to the latter’s fundamental freedoms (see decisions 37/2007 and 34/2018). The legitimate interest pursued by the employer may consist, among other things, of the exercise of the managerial right, from which derive the ancillary duties of loyalty and provision of information, as well as monitoring against the leakage of know-how, confidential information, or commercial and/or business secrets. In particular, such legitimate interest may consist of the employer’s safeguarding of the smooth operation of the business through the establishment of mechanisms for monitoring employees, as well as the need to protect the business and its assets from significant threats, such as preventing the transfer of confidential information to a competitor or securing confirmation or proof of criminal acts by the employee. However, employees must be informed in advance by the employer–data controller, in an appropriate and clear manner, of the introduction and use of monitoring methods at the stage of collection of their personal data, of the supervision of their work, of the purpose of processing their data, and of any other information necessary for ensuring fair and lawful processing.

Furthermore, when the employer monitors the employee’s electronic communications, beyond observing all principles for the protection of personal data so that such monitoring is lawful and justified, the employer must not only inform the employee in advance, but also bring to their attention an intelligible, clear, and accurate statement of the surveillance Policy and Procedures.

2. Is my employer entitled to monitor me by means of a video surveillance system?

No employee monitoring system should be used for the surveillance of employees within the workplace, save for special exceptional cases where this is justified by the nature and conditions of the work and is necessary for the protection of the health and safety of employees or for the protection of critical infrastructure premises (e.g. military factories, banks, high-risk facilities). For example, in a typical office workspace of a business, video surveillance must be limited to entry and exit areas, without monitoring specific office rooms or corridors. Video surveillance may also be permitted in special areas, such as cash desks or premises with safes, electromechanical equipment, etc., on condition that the cameras focus on the asset they protect and not on the employees. Likewise, in special premises, such as areas with electromechanical installations, the shift supervisor or the safety officer may monitor in real time the operators of high-risk machinery, with a view to intervening immediately should a safety incident occur. The data collected by the video surveillance system must not be used as a criterion for evaluating employee productivity, and employees must be informed in advance in writing, either in paper or electronic form, of the installation and operation of such a system within the workplace.

3. Is my employer entitled to install a Global Positioning System (GPS) in my car, mobile phone, or any other device I use?

The installation of a geolocation system does not infringe upon the employee’s private sphere where it does not aim at monitoring the employee, but at the more efficient operation of the business (e.g. through the optimisation of the route followed) and at strengthening employee safety. Where installation has been carried out in order to assist employees in quickly finding their destination, the system must be installed exclusively for that purpose, and the employee must retain the right to deactivate it at will. Evaluation of the employee’s professional productivity, based on the monitoring of their conduct by technical means, constitutes, in principle, excessive processing and infringes the principle of proportionality. In particular, the Hellenic Data Protection Authority (HDPA), through a series of decisions, has held that for the operation of a geolocation system to be in compliance with the provisions on the protection of personal data, the following conditions must be met:

  1. the employee must follow a predetermined route within specific working hours, geolocation must take place within the limits of that specific predetermined route, and the employee must not use the vehicle outside working hours;
  2. the data retention period must not exceed that which is necessary for the achievement of the processing purpose and, in any event, must not exceed one month;
  3. the data controller must take the necessary security measures for the protection of the data and ensure that access to the retained data is granted only to duly authorised persons;
  4. appropriate pseudonymisation or encryption techniques must be applied;
  5. the employer must inform employees of the processing purpose, the type of data recorded, the retention period, and the procedure by which the employee may exercise the right of access; and
  6. the employee must have the right of access to the data collected.

4. Is my employer entitled to monitor my electronic communications?

The employer, in exercising the managerial right, subject to the self-evident requirement of compliance with the principles of Article 5(1) GDPR and on the basis of specific procedures and safeguards laid down prior to processing, within the framework of organising internal compliance in accordance with the principle of accountability, is entitled to exercise control over the electronic means of communication provided to employees for their work, provided that the relevant processing, in observance of the principle of proportionality, is strictly necessary for the satisfaction of the legitimate interest pursued and on condition that this clearly overrides the rights and interests of the employee, without prejudice to the latter’s fundamental freedoms pursuant to Article 6(1)(f) GDPR, and after the employees have been duly informed in advance and an intelligible, clear, and accurate statement of the Policy and Procedures for monitoring electronic means of communication has been brought to their attention. Moreover, the data controller–employer must have drawn up and implemented an internal Regulation for the proper use and operation of the IT and communications equipment and network by employees (data subjects), which must be communicated to the employees–data subjects.

FREQUENTLY ASKED QUESTIONS ON EMPLOYER: GDPR, GPS, EMAILS, COMPUTERS

1. What am I facing when my employer monitors my computer and emails?

This is processing of personal data governed by the General Data Protection Regulation (GDPR) and the decisions of the Hellenic Data Protection Authority (HDPA). The employer is entitled to monitor only where there is a specific legitimate interest that clearly overrides the rights of the employee, with prior clear notice and a written surveillance Policy. Where notice is missing, where the monitoring extends to private correspondence, or where the data are used abusively for evaluation or dismissal, the processing is unlawful and gives rise to rights of compensation and protection.

2. What can I do if my privacy at work is being violated?

There are parallel avenues of protection. First, the right of access to the data and the right to information on the purpose of processing are exercised. Subsequently, a complaint is filed with the Hellenic Data Protection Authority (HDPA), which imposes administrative fines and corrective measures. In parallel, a lawsuit is filed before the competent Court of First Instance for pecuniary compensation for infringement of personality rights and for damages. Where the monitoring is combined with termination of the employment contract, the dismissal may be held abusive and void, with entitlement to wages for default and reinstatement.

3. How long does the pursuit of my rights take?

A complaint to the Hellenic Data Protection Authority (HDPA) is generally examined within a period of six months to two years, depending on caseload and the complexity of the matter. A lawsuit before the Single-Member Court of First Instance is usually concluded within one to two years at first instance. In urgent cases, where monitoring is ongoing or there is a risk of dismissal, interim measures are sought, which are heard within a few weeks. Tort claims are subject to a five-year statute of limitations from the time the employee became aware of the infringement.

4. What documents and evidence do I need?

The following are gathered: the employment contract, any internal Regulation on the use of equipment, the surveillance Policy received by the employee, and any notice concerning cameras, GPS, or email monitoring. Significant evidence includes written instructions of the employer, messages or emails proving the use of the data against the employee, witness statements of colleagues, and a copy of the employer’s response to a request for access under the GDPR. In cases of video surveillance, photographs of the cameras and any informational signs—or the absence thereof—are used.

5. What are my chances in a complaint and a lawsuit?

The chances are strong where lack of prior clear notice, excessive collection of data, or use of data for a purpose other than that originally declared can be shown. The Hellenic Data Protection Authority (HDPA) has repeatedly held to be unlawful the monitoring of employees without a written Policy, the surveillance of offices by means of cameras, and the use of GPS outside working hours. Courts generally award pecuniary compensation for moral damages, while dismissals based on unlawfully collected data are held void, since such data are deemed inadmissible evidence.

6. What is the role of the lawyer in such cases?

The lawyer first assesses whether the monitoring is lawful by examining compliance with the principles of necessity, proportionality, and transparency under the GDPR. The lawyer drafts an extra-judicial notice to the employer, files a complaint with the Hellenic Data Protection Authority (HDPA), and brings a lawsuit for infringement of personality rights and damages. In parallel, the lawyer represents the employee in labour disputes arising from abusive dismissal based on unlawful monitoring. The firm’s experience in cybercrime and data protection ensures a combined legal strategy for the substantive vindication of the employee.