ΚΕΟ PLC – Complaint Upheld (Cyprus, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Cypriot DPA upheld a complaint against KEO PLC for using a camera in their employee time-tracking system without proper justification. This decision matters because it emphasizes the need for companies to use the least intrusive methods for monitoring employees. Businesses should evaluate their data processing practices to ensure they respect privacy rights.
What happened
KEO PLC installed a camera in their employee time-tracking system without adequately considering less intrusive options.
Who was affected
Employees of KEO PLC who were monitored by the new time-tracking system with a camera.
What the authority found
The Cypriot DPA ruled that KEO PLC's use of a camera in the time-tracking system was not justified and violated principles of proportionality and necessity under GDPR.
Why this matters
This decision highlights the importance of proportionality in employee monitoring and the need for companies to consider less intrusive alternatives. It serves as a warning to businesses to carefully assess the necessity and impact of their surveillance methods.
GDPR Articles Cited
KEO PLC decided to upgrade its ERP system, whose upgrade was configured with the module of recording when an employee started and ended their work. Until then, the card-swipe terminal only recorded an ID number, as well as arriving and departing times, to and from the premises of the Company. The new terminal included a tiny camera as a measure of the employees who swiped their colleagues' cards too. Grounded on the concerns of the principle of proportionality, the right of privacy, as well as the right of public life, two trade unions submitted a complaint against KEO PLC and before the Cypriot DPA. The main questioning was if the particular data-processing is reasonable and consists of a minimised processing under the meaning of what is absolutely necessary in order to achieve the aim pursued. Starting with the Complainant, they argued on an enlarged general line of argument and points of law. Firstly, they claimed that there was documentation for the impending upgrade system including the privacy policy and specific information on the changes between the old and new ERP system. Secondly, they were of the opinion that before any changes, the Company should have sought less intrusive methods of employee time tracking. Thirdly, The Complainers stated that the resolution of the camera is irrelevant; it's enough that data produced an identifiable natural person. KEO Public Company alleges that upon receiving legal advice, they expanded the duration of processing and storage of these data which are tracked, inputted to, or created by the new terminal. KEO's intension of regarding change was the harmonisation with the limitation period for bringing an action to the court. Also, KEO Public Company claimed that under the GDPR, there is no right that a trade union can exercise. They thought that the justiciability of GDPR is limited only to the natural persons who are the direct possessor of the personal data. Cypriot DPA totally dismisses the argument that the durati
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for ΚΕΟ PLC in CY
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. ΚΕΟ PLC - Cyprus (2020). Retrieved from cookiefines.eu
Last updated: