The Government Gazette published the Presidential Decree 13/2025, entitled Protection of Personal Data during Telework in the Public Sector, in accordance with the provisions of paragraph 1 of Article 19 of Law 4807/2021, as currently in force.
In general, the use of telework in the public sector requires that public bodies ensure not only the smooth functioning of services but also the protection of the personal data they process.
It is recalled that telework in the public sector is primarily governed by the provisions of Law 4807/2021, as currently in force, by Presidential Decree 13/2025, as well as by Regulation (EU) 2016/679 (GDPR) and Law 4624/2019, as currently in force, with the Guidance 1/2022 of the Hellenic Data Protection Authority (HDPA) also proving useful.
I. Obligations of the Public Bodies
Public bodies, as data controllers, must, prior to issuing a telework decision:
a. Conduct a Data Protection Impact Assessment (DPIA). Where the public body uses a time-tracking system, the DPIA must demonstrate that no less intrusive measures were available and that the system will not pose a high risk to the rights and freedoms of the body’s teleworkers.
b. Establish policies on proper application usage, operational security of applications, and incident response for mitigating and remedying threats.
c. It is advisable to have a policy outlining the minimum criteria that the teleworkers’ “Workstation” must meet. In cases where it is not possible to provide an appropriate workstation, it is recommended to adopt a “Bring Your Own Device” (BYOD) policy.
They must promptly and appropriately inform the data subjects (for example, teleworkers, managers, third parties) in accordance with at least the provisions of Articles 13 and 14 of the GDPR.
They must know the countries in which their service providers’ servers are located, so as to apply the provisions of Chapter V of the GDPR in combination with the relevant case law and the corresponding acts of the European Data Protection Board (hereinafter “EDPB”).
They must provide clear instructions and training to teleworkers (in an accessible and understandable format) regarding the proper configuration and security of the workstation (e.g., policies, procedures, workspace arrangement, etc.), as well as offer specialized technical support.
They must implement secure access systems (such as VPNs), keep security software (e.g., antivirus, firewalls, etc.) up to date, and take measures to prevent unauthorized access or alteration of data.
They must equip teleworkers with an appropriate “Workstation” or approve the use of personal equipment (BYOD). In the latter case, it is essential that a risk assessment be carried out to ensure that the approved device meets the necessary specifications. Furthermore, the public body may restrict access from such devices to systems it deems “Critical” or “Sensitive.”
They must establish procedures for time tracking and for recording (e.g., of teleconferences). It is worth noting that the Presidential Decree allows bodies to take measures amounting to “proportionate” monitoring of work. Any monitoring tools must be covered by the DPIA and accompanied by appropriate notification to the persons affected.
In the case of approving a teleworker’s request to work from a country outside the European Economic Area (EEA), the public body must, beforehand, conduct a Transfer Impact Assessment.
II. Measures during Teleconferences
The recording of teleconferences is, as a general rule, prohibited. By exception, recording is permitted when the content is likely to cause legal consequences for the participants and there is a corresponding obligation to keep minutes. In such cases:
- There must be prior notification to the participants (particularly via an information memo).
- The confidentiality of the recordings must be ensured (e.g., through encryption).
- The storage of teleconference recordings on employees’ personal devices is prohibited, even where those devices have been approved by the body for work (BYOD devices).
- The retention period of the recording must be defined by the body, with the principle of limiting the storage period being a fundamental criterion.
- Metadata (e.g., participant’s full name, connection time and date, IP address) shall be retained for 12 months.
- Any recordings that nonetheless end up on a BYOD device must be deleted, at the teleworker’s responsibility, according to the relevant procedure established by the body. Such deletion must be accompanied by a written certificate addressed to the body.
III. Obligations of Teleworkers
Teleworkers are required to:
• Follow strictly the policies established by the body, ensuring the confidentiality and security of the data they process.
• Use exclusively the equipment provided for work or apply the prescribed measures when using personal devices.
• Ensure that their telework environment meets the security and ergonomic standards.
• Safeguard the confidential nature of the information they handle. This means taking specific measures to prevent the disclosure of sensitive information to unauthorized persons. An illustrative example is the printing of documents outside the body’s premises, for which the teleworker bears responsibility.
The implementation of telework in the public sector is accompanied by strict obligations regarding the protection of personal data. The proper application of security measures, together with the training and awareness of both the bodies and their employees, is crucial for the effective management of data and the protection of data subjects’ rights. By adopting these measures, bodies ensure that telework is carried out in a secure environment, in compliance with the requirements of the GDPR and the relevant legal provisions.
In any case, the implementation of the above measures and ensuring compliance with the existing legal framework is a necessary step for protecting personal data in the public sector.
“Stergios Konstantinou & Associates – SGKLegal” Law Office provides specialized legal services in the field of personal data protection, the application of the GDPR, and telework. With extensive experience and in-depth knowledge of the regulatory framework, we offer comprehensive legal advice, representation, and support for:
- Providing DPO for public bodies,
- Conducting DPIAs as well as Data Transfer Impact Assessments (DTIA),
- Ensuring that bodies comply with the EU and national regulatory framework on personal data protection,
- Drafting and revising security and data protection policies,
- Addressing legal issues arising from the use of personal equipment (BYOD) and remote access to critical data.
If you require further legal guidance on implementing data protection measures or on addressing any legal issues in the field of personal data protection, our law firm is at your disposal to provide you with specialized and effective solutions.