Today’s blog provides an overview of the GDPR’s expectations regarding employer/employee relations, specifically in terms of company policies on communication and security.
If you work or have worked in the corporate world, then you’re no stranger to the fact that, in order to protect the organization, most companies have in place internal policies and procedures which speak to communications, internet usage, security access and personal data protection. Meanwhile, across the board, more and more companies are utilizing video surveillance for a host of security and protective measures. But do these policies and video surveillance systems comply with the GDPR? Employer/employee relations are key when it comes to GDPR compliance.
A recent investigation by the Hellenic DPA into the lawfulness of access to and inspection of deleted employee emails, as well as the use of surveillance on company premises, offers a prime opportunity to delve into some of the GDPR mandates.
In response to a complaint, the Hellenic DPA conducted an investigation regarding the lawfulness of personal data processing on a server of ‘ALLSEAS MARINE S.A.’, as well as the lawfulness of access to and inspection of deleted emails of a senior manager who was suspected of having committed unlawful acts against the company’s interests.
According to the EDPB article, the Hellenic Data Protection Authority deemed that Allseas Marine S.A. had in fact complied with the requirements of the GDPR, and that its internal policies and regulations provided for a ban on the use of the company’s electronic communications and networks for private purposes and for the possibility of carrying out internal inspections. As such, the Hellenic DPA found that the company had a legal right under Articles 5(1) and 6(1)(f) of the GDPR to carry out an internal investigation, searching and retrieving the employee’s emails.
However, with regard to Allseas Marine’s use of a closed-circuit video surveillance system, the DPA determined that the system had been installed and operated illegally. Further, the recorded material submitted to the Authority was considered illegal. The EDPB article further noted that the Hellenic Authority found that the company did not satisfy the employee’s right of access to his personal data contained in his corporate PC.
In response to these GDPR infringements, the Hellenic DPA has mandated that Allseas Marine S.A. take several corrective measures in order to comply with the GDPR. Allseas Marine was also fined €15,000.