GREECE Law and Practice Contributed by: Semina Zavitsanou, Yannis Ragos, Maria Siraga and Panagiota Kelali, POTAMITISVEKRIS
Key Legal Safeguards

• Necessity, Proportionality, Minimisation: The employer must narrowly define purpose, custodians, timeframes, and tools employed during an investigation.
• Transparency: Employees must be notified via clear policies about how investigations are to be conducted and the tools used, explaining in clear language the scope, the means and rights of both the employer and the employee.
• Special Considerations: Workplace CCTV footage can be used only for protection of persons/property (not performance evaluation). Email/IT/device monitoring must be targeted and necessary, and a clear Acceptable Use Policy and Access Policy defining the purposes, scope, methods and safeguards governing the employer’s access to the email/IT/devices as well as the retention periods must have been provided to the employees.
• Compliance with telecommunications secrecy rules for traffic/content data is required.

Risk Assessment, Security, and Rights

• A DPIA must be conducted when high-risk processing is the case (eg, when the investigation involves employee monitoring, large-scale processing, special categories, profiling).
• Security: The appropriate technical and organisational measures must be implemented, such as limited access policies (need-to-know access), encryption, logging, segregation/chain of custody.
• Rights: Employees maintain the rights afforded to them by the GDPR with very limited exceptions (see 7.3 Access) only if a disclosure would seriously impair the investigation or others’ rights. Thus, the appropriate mechanism to enable employees’ exercise of rights of access/rectification/restriction/objection must be in place.

Accountability, Processors, Transfers, Retention

The accountability principle mandates that the investigation process must be documented. If an external party is engaged, the appropriate obligations under Article 28 must be implemented. If data transfers outside the EEA are to take place, the appropriate mechanisms/safeguards provided for in Articles 45–49 of the GDPR must be employed. The investigation data must be retained for the time period necessary to fulfil
whistle-blower framework, Law 4990/2022, including operating internal reporting channels).

Regarding special category data (GDPR Article 9), if the investigation necessarily involves the processing of sensitive data (eg, health, union membership), an Article 9 GDPR legal basis should be employed in addition to Article 6 – most commonly, the necessity for the establishment, exercise, or defence of legal claims (Article 9(2)(f)) or, where applicable, employment and social security law requirements.

GDPR Principles

Employers must abide by the core GDPR principles:

• proportionality, necessity, and minimisation – demonstrate that the data collection is strictly necessary for defined investigative purposes and that no less intrusive alternative exists;
• transparency and notice – provide clear prior notices via policies on investigations and monitoring; for email/IT/device monitoring the Acceptable Use/Access Policies must define purposes, scope, methods, safeguards, and retention;
• telecommunications secrecy – comply with rules governing traffic and communications content data;
• data subject rights and restrictions – enable access, rectification, restriction, and objection, subject to lawful exceptions; and
• security measures – implement appropriate technical and organisational controls (need-to-know handling, role-based access, encryption, logging, evidence segregation, and secure workflows).

7.2 Specific Rules

HR investigations must comply with the principles for lawful data processing under the GDPR, Greek Law 4624/2019, and HDPA guidelines and decisions, which necessitate clear, proportionate and documented controls throughout the investigation’s life cycle as well as prior notices. In addition to the rules described in 7.1 Collecting Personal Data, ensuring the lawfulness of data processing, employers must implement the following: