Not Just Watching the Dog

In Decision 21/2025, the Hellenic Data Protection Authority (HDPA) revisits a recurring misconception: that the General Data Protection Regulation (GDPR) does not apply to private households. The case involved a couple who operated a restaurant and lived on the same premises, which they monitored using a set of security cameras. A neighbouring property owner filed a complaint after discovering that at least one of the cameras recorded not only the couple’s own premises but also his adjoining land and a portion of a public street.

The HDPA reviewed the footage and found that the cameras included a rotating surveillance device with fields of view extending beyond the private domain. Despite the couple’s claim that one camera merely recorded their stable, the evidence suggested otherwise.

The Authority ruled that this type of surveillance no longer falls within the GDPR’s limited household exemption. Whenever monitoring captures public space or third-party property, it triggers full compliance obligations: lawful basis under Article 6, transparency under Article 12, data minimisation, and above all, respect for the rights of data subjects under Articles 15 et seq. GDPR.

In the operative part of the Decision, each of the two individuals was fined a total of €3.000, comprising €2.000 for infringing the principles of lawfulness, purpose limitation, and accountability under Article 5 GDPR, and €1.000 for failing to comply with the data subject’s right of access under Article 15 GDPR.

But what about domestic staff? Although the facts of the case centred on a neighbour, the ruling serves as a strong reminder for private individuals who use surveillance tools to monitor babysitters, cleaners, gardeners, or other domestic workers in their household. Even in one’s home, recording another person, particularly in the context of a work relationship, is considered data processing.

This means that any surveillance carried out within a household must have a clearly documented legal basis, such as freely given consent or a legitimate interest that can be properly justified. The monitoring must be proportionate to its purpose, limited in scope, and objectively necessary. The person being monitored must be informed in a transparent way, and their rights, including access and objection, must be fully respected. Any recordings must be securely stored, with access strictly controlled.

Crucially, when private individuals monitor third parties with whom they are contractually related, they are considered data controllers under Article 4 par. 7 GDPR. Simply being a private household does not exempt one from compliance.

If a nanny can be dismissed for breaching trust, then the same standard should apply to employers who secretly monitor them without a valid legal basis and without informing them, as the law requires.

Hellenic Data Protection Authority’s Take on Law 4624/2019

Under the threat of hefty financial sanctions, Greece hastily enacted Law 4624/2019 (“Greek GDPR Law”) last summer in order to align the domestic data protection framework with the GDPR. The Greek GDPR Law also provided for specific rules on certain topics based on the GDPR’s broad opening clauses, which permit EU member states such as Greece to enact national legislation.

Following a period of uncertainty, the Hellenic Data Protection Authority (“HDPA”) published Opinion 1/2020, in which it reviewed certain key or contested aspects of the Greek GDPR Law and provided much-needed clarity on their compatibility with the Regulation.

In fact, by reiterating the Commission’s guidance on the direct application of the GDPR dated 24.01.2018, the HDPA stressed that, when adapting their national legislation, Member States have to take into account the fact that any national measures which may create an obstacle to the direct applicability of the GDPR and thereby jeopardise its simultaneous and uniform application throughout the EU are contrary to Union law.

Repeating the text of regulations in national law, opined the HDPA, is also prohibited, unless such repetitions are strictly necessary for the sake of coherence and in order to make national laws comprehensible to those to whom they apply. In fact, reproducing the text of the GDPR mot-à-mot in national specification law should be exceptional and justified, and cannot be used to add conditions or interpretations to the text of the regulation. This was not the case, however, with the Greek GDPR Law, where several GDPR provisions were repeated verbatim and exceptions were introduced without any particular justification.

More particularly, the HDPA pointed out that the interpretation of the Regulation should be left to the European courts (meaning the national courts and ultimately the European Court of Justice) and not to the Member States’ legislators. The national legislator can therefore neither copy the GDPR text when this is not necessary in the light of the criteria provided by the case law, nor interpret it or add additional conditions to the rules directly applicable under the GDPR, said the Authority. If they did so, commercial entities throughout the Union would again be faced with fragmentation and would not know which rules they have to obey.

In view of the above, the HDPA noted that it will not apply Greek GDPR Law provisions which: (a) are deemed not in line with the GDPR, and/or (b) are not based on opening clauses, which make it possible for Member States to lay down specific national arrangements.

As regards personal data of employees, in particular, the HDPA clarified that the national legislator is not allowed to introduce new grounds for lawful processing other than those already set out in Art. 6 GDPR. In fact, processing under the GDPR framework can be lawful only on the basis of one of six specified conditions set out in Article 6(1)(a) to (f). Identifying the appropriate legal basis is of essential importance and controllers must take into account the impact on data subjects’ rights when identifying the appropriate lawful basis so as to fully respect the principle of fairness.

In this context, the Authority stressed that Art. 6 par. 1 (b) GDPR, which has been chosen by the Greek legislator as the main legal ground for processing, may sometimes actually be unfit for the employment environment. In fact, activities such as processing of biometric data, geolocation, monitoring of electronic media, whistleblowing policies etc. should be based on Art. 6 par. 1 (e) GDPR (processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller) or Art. 6 par. 1 (f) (processing necessary for the purposes of a legitimate interest) instead. This way, employees are able to challenge separate processing activities and exercise their rights under the GDPR, without the terms of their employment contract being challenged.

The matters addressed in Opinion 1/2020 were not exhaustive, which is why the HDPA explicitly reserved judgment on the compatibility of all other Greek GDPR Law provisions that have not yet come under the spotlight.

As the case may be, it remains to be seen how Greek GDPR Law provisions will be interpreted by Greek courts once challenged by stakeholders, that is, all those affected by the new rules (the business community and other organisations processing data, the public sector and citizens). The dust has not settled yet; the winds of data regulation keep blowing strongly.

Air (Hera orders Aeolus to release the winds) (Aeneid I) by Charles Dupuis (1718)