https://gdprhub.eu/api.php?action=feedcontributions&user=Eleni.papadopoulou&feedformat=atomGDPRhub - User contributions [en]2024-03-29T05:45:34ZUser contributionsMediaWiki 1.39.6https://gdprhub.eu/index.php?title=HDPA_(Greece)_-_4/2022&diff=22865HDPA (Greece) - 4/20222022-02-03T12:23:19Z<p>Eleni.papadopoulou: Created page with "{{DPAdecisionBOX |Jurisdiction=Greece |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoGR.jpg |DPA_Abbrevation=HDPA (Greece) |DPA_With_Country=HDPA (Greece) |Case_Number..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Greece<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoGR.jpg<br />
|DPA_Abbrevation=HDPA (Greece)<br />
|DPA_With_Country=HDPA (Greece)<br />
<br />
|Case_Number_Name=4/2022<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=HDPA<br />
|Original_Source_Link_1=https://www.dpa.gr/el/enimerwtiko/prakseisArxis/epiboli-prostimoy-gia-peristatiko-parabiasis-prosopikon-dedomenon-kai-mi<br />
|Original_Source_Language_1=Greek<br />
|Original_Source_Language__Code_1=EL<br />
<br />
|Type=Other<br />
|Outcome=<br />
|Date_Started=<br />
|Date_Decided=30.11.2021<br />
|Date_Published=27.01.2022<br />
|Year=2021<br />
|Fine=9,100,000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 4 GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR<br />
|GDPR_Article_2=Article 5 GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR<br />
|GDPR_Article_3=Article 6 GDPR<br />
|GDPR_Article_Link_3=Article 6 GDPR<br />
|GDPR_Article_4=Article 12 GDPR<br />
|GDPR_Article_Link_4=Article 12 GDPR<br />
|GDPR_Article_5=Article 13 GDPR<br />
|GDPR_Article_Link_5=Article 13 GDPR<br />
|GDPR_Article_6=Article 14 GDPR<br />
|GDPR_Article_Link_6=Article 14 GDPR<br />
|GDPR_Article_7=Article 24 GDPR<br />
|GDPR_Article_Link_7=Article 24 GDPR<br />
|GDPR_Article_8=Article 25 GDPR<br />
|GDPR_Article_Link_8=Article 25 GDPR<br />
|GDPR_Article_9=Article 26 GDPR<br />
|GDPR_Article_Link_9=Article 26 GDPR<br />
|GDPR_Article_10=Article 28 GDPR<br />
|GDPR_Article_Link_10=Article 28 GDPR<br />
|GDPR_Article_11=Article 32 GDPR<br />
|GDPR_Article_Link_11=Article 32 GDPR<br />
|GDPR_Article_12=Article 35 GDPR<br />
|GDPR_Article_Link_12=Article 35 GDPR<br />
|GDPR_Article_13=Article 83 GDPR<br />
|GDPR_Article_Link_13=Article 83 GDPR<br />
<br />
<br />
|National_Law_Name_1=N. 3471/2006 Article (2)(3) and (2)(4)<br />
|National_Law_Link_1=https://www.lawspot.gr/nomikes-plirofories/nomothesia/n-3471-2006/arthro-2-nomos-3471-2006-orismoi<br />
|National_Law_Name_2=N. 3471/2006 Article (5)<br />
|National_Law_Link_2=https://www.lawspot.gr/nomikes-plirofories/nomothesia/n-3471-2006/arthro-5-nomos-3471-2006-kanones-epexergasias<br />
|National_Law_Name_3=N. 3471/2006 Article (6) <br />
|National_Law_Link_3=https://www.lawspot.gr/nomikes-plirofories/nomothesia/n-3471-2006/arthro-6-nomos-3471-2006-dedomena-kinisis-kai-thesis<br />
|National_Law_Name_4=N.3471/2006 Article (12)(1) and (12)(5) and 12(6)<br />
|National_Law_Link_4=https://www.lawspot.gr/nomikes-plirofories/nomothesia/n-3471-2006/arthro-12-nomos-3471-2006-asfaleia<br />
<br />
|Party_Name_1=Cosmote<br />
|Party_Link_1=https://www.cosmote.gr/hub/<br />
|Party_Name_2=OTE<br />
|Party_Link_2=https://www.cosmote.gr/cs/otegroup/en/corp_homepage.html<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The Hellenic DPA fined the mobile telecommunications company COSMOTE 5,850,000€ and OTE 3,250,000€. COSMOTE was fined for failing to properly carry out the data protection impact assessment under [[Article 35 GDPR#7|Article 35(7) GDPR]], for not complying with the principle of transparency under [[Article 5 GDPR#1|Article 5(1) GDPR]] and for not properly implementing the depersonalization procedure under [[Article 25 GDPR#1|Article 25(1) GDPR]]. OTE was fined for failing to implement the appropriate technical and organisational measures to ensure a level of security appropriate to the risk under [[Article 32 GDPR|Article 32 GDPR]].<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The mobile telecommunications company COSMOTE (part of the OTE group of companies) notified the HDPA that a personal data breach had occurred and, at the same time, made a public announcement about it. More specifically, COSMOTE's system administrators received an automated alert that the storage capacity had been exceeded on a company server where subscribers' call data for the period 1/9/2020-5/9/2020 was stored. Moreover, a 30GB data transfer was discovered between that server and an external IP address belonging to a hosting provider in Lithuania. After some investigation, COSMOTE found that an attack had also been carried out against OTE's website from that IP address. The attacker obtained administrator access by using the password of an OTE administrator. The attacker had obtained that password through an incident involving the unintentional disclosure of password information for the LinkedIn platform. Afterwards, the attacker managed to compromise COSMOTE's Big Data system, from which he exported the relevant file. It also emerged that four more transfers of significant amounts of data had taken place, again with the Lithuanian IP address as the recipient. However, the type of data transferred was not determined. The leaked file also contained, among other things, subscribers' information regarding their age, their gender and their gross salary. The first action that led to the incident was the installation of malware on one of OTE's servers. According to COSMOTE, that server is not supposed to be a system storing clients' data.<br />
<br />
=== Holding ===<br />
After reviewing the facts of the case, the HDPA held that the processing and storage of call data is permitted under article 6 of Directive 2002/58/EC only for the purposes of issuing invoices for the services offered, marketing, offering value-added services and impairment fixing. However, for the impairment fixing purposes, not all of the data processed was necessary, nor was the period for which it was stored. So, COSMOTE had no legal basis for the processing. Moreover, the data protection impact assessment carried out by COSMOTE was not well documented, hence a breach of [[Article 35 GDPR#7|Article 35(7) GDPR]] occurred. What is more, even though COSMOTE informed the subscribers about the impairment fixing purposes, this did not comply with the principle of transparency under Articles 5(1)(a), 13 and 14 GDPR, since that notification was not transparent as to the period of time for which the data would be used. In addition, even though COSMOTE used the personal data for statistical purposes, the HDPA held that it did so using pseudonymised and not anonymous data. Accordingly, COSMOTE was in breach of [[Article 25 GDPR#1|Article 25(1) GDPR]] since it did not implement proper technical and organisational measures by design and by default in order to ensure a proper depersonalization process for the data. Lastly, COSMOTE did not explicitly inform data subjects of all their personal data being processed for statistical purposes and network optimization. For this reason, COSMOTE was in breach of Articles 5(1)(a), 13 and 14 GDPR.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.<br />
<br />
<pre><br />
Summary<br />
Following the notification of an incident of personal data breach by COSMOTE (leakage of subscriber call data during the period 1/9/2020 - 5/9/2020), the Authority investigated the circumstances in which the incident took place and, in this context, examined the legality of keeping the leaked records as well as the security measures applied. It is a file that contains subscriber traffic data and which, on the one hand, is kept for the purpose of managing problems and failures for 90 days from the making of the calls, on the other hand, the file is "anonymous" (pseudonymized) and is kept for 12 months in order to draw statistical conclusions towards the optimal design of the mobile telephony network, after being enriched with additional simple personal data.<br />
<br />
The investigation of the case revealed a violation, by COSMOTE, of the principle of legality (articles 5 and 6 of Law 3471/2006) and the principle of transparency, due to unclear and insufficient information provided to subscribers (article 5 par. 1 a) and articles 13-14 of the General Data Protection Regulation - GDPR), a violation of article 35 par. 7 GDPR due to incorrect conduct of the impact assessment, a violation of article 25 par. 1 due to incorrect implementation of the anonymization process, a violation of article 12 par. 1 of Law 3471/2006 due to lack of security measures, and a violation of article 5 par. 2 in combination with articles 26 and 28 due to the failure to allocate the roles of the two companies in relation to the processing in question. A breach of Article 32 of the GDPR was also found on the part of OTE, due to lack of security measures in relation to the infrastructure used in the context of the incident.<br />
<br />
For the identified violations and taking into account the criteria of article 83 par. 2 GDPR, the Authority imposed on COSMOTE a fine of a total amount of € 6,000,000, as well as a sanction of interruption of data processing and destruction, while on OTE it imposed a fine of € 3,250,000.<br />
</pre></div>Eleni.papadopoulouhttps://gdprhub.eu/index.php?title=HDPA_(Greece)_-_57/2021&diff=22233HDPA (Greece) - 57/20212022-01-16T17:44:11Z<p>Eleni.papadopoulou: /* Holding */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Greece<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoGR.jpg<br />
|DPA_Abbrevation=HDPA (Greece)<br />
|DPA_With_Country=HDPA (Greece)<br />
<br />
|Case_Number_Name=57/2021 <br />
|ECLI=<br />
<br />
|Original_Source_Name_1=HDPO<br />
|Original_Source_Link_1=https://www.dpa.gr/el/enimerwtiko/prakseisArxis/exetasi-kataggelion-shetika-me-azitites-tilefonikes-kliseis-gia-skopo-0<br />
|Original_Source_Language_1=Greek<br />
|Original_Source_Language__Code_1=EL<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=12.07.2021<br />
|Date_Published=31.12.2021<br />
|Year=2021<br />
|Fine=25,000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 13 GDPR<br />
|GDPR_Article_Link_1=Article 13 GDPR<br />
|GDPR_Article_2=Article 14 GDPR<br />
|GDPR_Article_Link_2=Article 14 GDPR<br />
<br />
<br />
|National_Law_Name_1=N.3471/2006 Article 11<br />
|National_Law_Link_1=https://www.lawspot.gr/nomikes-plirofories/nomothesia/n-3471-2006/arthro-11-nomos-3471-2006-mi-zititheisa-epikoinonia<br />
<br />
|Party_Name_1=PLUS REAL ADVERTISMENT<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=eleni.papadopoulou<br />
|<br />
}}<br />
<br />
The Hellenic DPA fined a controller €25,000 for failing to provide information concerning their personal data to data subjects under [[Article 13 GDPR]] and [[Article 14 GDPR]].<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Two individuals submitted complaints before the Hellenic DPA (HDPA) against advertising company PLUS REAL ADVERTISMENT (henceforth: PLUS REAL) for unlawful processing of personal data for purely marketing purposes. PLUS REAL used an automated mechanism to make telephone calls in order to contact individuals for advertising and marketing purposes. As regards the first complaint, the individual received a phone call from an unknown number with a recorded message informing him that he had won a prize of 680,00 euros. After some seconds, a person came on the line and told the individual that he had to make an extra call and give a special code in order to claim his prize, without giving him more details about the real call charges. The individual made that second call and heard from a recorded message that the call charges were higher than the ones mentioned in the first call and that the line was busy, so he had to call again. After his third attempt, the individual spoke to a woman and realised that the prize actually consisted of vouchers offered only if the individual made high-cost purchases. As for the second complaint, the individual mentioned that he received a telephone call from an unknown number with a recorded message telling him that he had won money as a prize in a competition, but the individual did not manage to hear the name of the company referred to. The Hellenic DPA asked the integrated communication solutions companies MICROBASE and LEXITEL to whom the unknown numbers belonged and was informed that the owner was PLUS REAL.<br />
<br />
=== Holding ===<br />
After reviewing the facts of the case, the HDPA first stated that PLUS REAL is a "controller" under [[Article 4 GDPR|Article 4(2)(7) GDPR]] because it processed personal data of individuals in order to make automated phone calls to them with recorded messages. Moreover, the HDPA held that PLUS REAL was in breach of GDPR provisions because it made these calls for advertising and marketing purposes without previously obtaining the specific consent of the data subjects. In addition, PLUS REAL failed to comply with [[Article 5 GDPR|Article 5(2) GDPR]] since it failed to prove that these calls never happened or that, even though they happened, they were in compliance with the law. Furthermore, PLUS REAL did not reveal its identity as controller to data subjects, and did not have a mechanism to respond to data subjects' requests for information concerning their personal data. <br />
Therefore, the HDPA fined the controller, PLUS REAL, €25,000 under [[Article 58 GDPR|Article 58(2) GDPR]] and [[Article 83 GDPR|Article 83(5) GDPR]] for the breach of [[Article 13 GDPR]] and [[Article 14 GDPR]].<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.<br />
<br />
<pre><br />
Category: Decision<br />
Date: 08/12/2021<br />
Transaction number: 52<br />
Thematic unit: 09. Promotion of products and services<br />
<br />
Applicable provisions<br />
Article 28: Perform the processing (arrangements)<br />
Article 32: Processing security<br />
Article 11.1: Unsolicited electronic communication<br />
<br />
Summary<br />
The Authority received 17 complaints regarding illegal telephone calls aimed at promoting products or services of the company ZENITH - Gas Supply Company of Thessaloniki, Thessaly SA. For this specific processing, ZENITH has the position of controller and One Way Private Company has the position of processor. The examination of the case revealed that, due to an error in the processor's implementation, telephone calls were made to subscribers who had been registered in the register of article 11, in violation of article 11 of Law 3471/2006. The Authority imposed on the processor One Way Private Company a fine of 30,000 euros for violation of article 32 par. 2 and 4 of the GDPR in combination with article 28 par. 3, c. It also imposed on the controller ZENITH the sanction of a reprimand for violation of article 28 par. 3 case c of the GDPR.<br />
</pre></div>Eleni.papadopoulouhttps://gdprhub.eu/index.php?title=HDPA_(Greece)_-_57/2021&diff=22232HDPA (Greece) - 57/20212022-01-16T17:36:15Z<p>Eleni.papadopoulou: Created page with "{{DPAdecisionBOX |Jurisdiction=Greece |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoGR.jpg |DPA_Abbrevation=HDPA (Greece) |DPA_With_Country=HDPA (Greece) |Case_Number..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Greece<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoGR.jpg<br />
|DPA_Abbrevation=HDPA (Greece)<br />
|DPA_With_Country=HDPA (Greece)<br />
<br />
|Case_Number_Name=57/2021 <br />
|ECLI=<br />
<br />
|Original_Source_Name_1=HDPO<br />
|Original_Source_Link_1=https://www.dpa.gr/el/enimerwtiko/prakseisArxis/exetasi-kataggelion-shetika-me-azitites-tilefonikes-kliseis-gia-skopo-0<br />
|Original_Source_Language_1=Greek<br />
|Original_Source_Language__Code_1=EL<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=12.07.2021<br />
|Date_Published=31.12.2021<br />
|Year=2021<br />
|Fine=25,000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 13 GDPR<br />
|GDPR_Article_Link_1=Article 13 GDPR<br />
|GDPR_Article_2=Article 14 GDPR<br />
|GDPR_Article_Link_2=Article 14 GDPR<br />
<br />
<br />
|National_Law_Name_1=N.3471/2006 Article 11<br />
|National_Law_Link_1=https://www.lawspot.gr/nomikes-plirofories/nomothesia/n-3471-2006/arthro-11-nomos-3471-2006-mi-zititheisa-epikoinonia<br />
<br />
|Party_Name_1=PLUS REAL ADVERTISMENT<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=eleni.papadopoulou<br />
|<br />
}}<br />
<br />
The Hellenic DPA fined a controller €25,000 for failing to provide information concerning their personal data to data subjects under [[Article 13 GDPR]] and [[Article 14 GDPR]].<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Two individuals submitted complaints before the Hellenic DPA (HDPA) against advertising company PLUS REAL ADVERTISMENT (henceforth: PLUS REAL) for unlawful processing of personal data for purely marketing purposes. PLUS REAL used an automated mechanism to make telephone calls in order to contact individuals for advertising and marketing purposes. As regards the first complaint, the individual received a phone call from an unknown number with a recorded message informing him that he had won a prize of 680,00 euros. After some seconds, a person came on the line and told the individual that he had to make an extra call and give a special code in order to claim his prize, without giving him more details about the real call charges. The individual made that second call and heard from a recorded message that the call charges were higher than the ones mentioned in the first call and that the line was busy, so he had to call again. After his third attempt, the individual spoke to a woman and realised that the prize actually consisted of vouchers offered only if the individual made high-cost purchases. As for the second complaint, the individual mentioned that he received a telephone call from an unknown number with a recorded message telling him that he had won money as a prize in a competition, but the individual did not manage to hear the name of the company referred to. The Hellenic DPA asked the integrated communication solutions companies MICROBASE and LEXITEL to whom the unknown numbers belonged and was informed that the owner was PLUS REAL.<br />
<br />
=== Holding ===<br />
After reviewing the facts of the case, the HDPA first stated that PLUS REAL is a "controller" under [[Article 4(2)(7) GDPR]] because it processed personal data of individuals in order to make automated phone calls to them with recorded messages. Moreover, the HDPA held that PLUS REAL was in breach of GDPR provisions because it made these calls for advertising and marketing purposes without previously obtaining the specific consent of the data subjects. In addition, PLUS REAL failed to comply with [[Article 5(2) GDPR]] since it failed to prove that these calls never happened or that, even though they happened, they were in compliance with the law. Furthermore, PLUS REAL did not reveal its identity as controller to data subjects, and did not have a mechanism to respond to data subjects' requests for information concerning their personal data. <br />
Therefore, the HDPA fined the controller, PLUS REAL, €25,000 under [[Article 58(2) GDPR]] and [[Article 83(4) GDPR]] for the breach of [[Article 13 GDPR]] and [[Article 14 GDPR]].<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.<br />
<br />
<pre><br />
Category: Decision<br />
Date: 08/12/2021<br />
Transaction number: 52<br />
Thematic unit: 09. Promotion of products and services<br />
<br />
Applicable provisions<br />
Article 28: Perform the processing (arrangements)<br />
Article 32: Processing security<br />
Article 11.1: Unsolicited electronic communication<br />
<br />
Summary<br />
The Authority received 17 complaints regarding illegal telephone calls aimed at promoting products or services of the company ZENITH - Gas Supply Company of Thessaloniki, Thessaly SA. For this specific processing, ZENITH has the position of controller and One Way Private Company has the position of processor. The examination of the case revealed that, due to an error in the processor's implementation, telephone calls were made to subscribers who had been registered in the register of article 11, in violation of article 11 of Law 3471/2006. The Authority imposed on the processor One Way Private Company a fine of 30,000 euros for violation of article 32 par. 2 and 4 of the GDPR in combination with article 28 par. 3, c. It also imposed on the controller ZENITH the sanction of a reprimand for violation of article 28 par. 3 case c of the GDPR.<br />
</pre></div>Eleni.papadopoulouhttps://gdprhub.eu/index.php?title=HDPA_(Greece)_-_52/2021&diff=21939HDPA (Greece) - 52/20212021-12-19T19:07:36Z<p>Eleni.papadopoulou: Created page with "{{DPAdecisionBOX |Jurisdiction=Greece |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoGR.jpg |DPA_Abbrevation=HDPA (Greece) |DPA_With_Country=HDPA (Greece) |Case_Number..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Greece<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoGR.jpg<br />
|DPA_Abbrevation=HDPA (Greece)<br />
|DPA_With_Country=HDPA (Greece)<br />
<br />
|Case_Number_Name=52/2021<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Hellenic Data Protection Authority<br />
|Original_Source_Link_1=https://www.dpa.gr/el/enimerwtiko/prakseisArxis/exetasi-kataggelion-shetika-me-azitites-tilefonikes-kliseis-gia-skopo-0<br />
|Original_Source_Language_1=Greek<br />
|Original_Source_Language__Code_1=EL<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=23.06.2021<br />
|Date_Published=08.12.2021<br />
|Year=2021<br />
|Fine=30.000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 4(7) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#7<br />
|GDPR_Article_2=Article 4(8) GDPR<br />
|GDPR_Article_Link_2=Article 4 GDPR#8<br />
|GDPR_Article_3=Article 28(1) GDPR<br />
|GDPR_Article_Link_3=Article 28 GDPR#1<br />
|GDPR_Article_4=Article 28(3) GDPR<br />
|GDPR_Article_Link_4=Article 28 GDPR#3<br />
|GDPR_Article_5=Article 32 GDPR<br />
|GDPR_Article_Link_5=Article 32 GDPR<br />
|GDPR_Article_6=Article 58(2) GDPR<br />
|GDPR_Article_Link_6=Article 58 GDPR#2<br />
|GDPR_Article_7=Article 83 GDPR<br />
|GDPR_Article_Link_7=Article 83 GDPR<br />
<br />
|EU_Law_Name_1=Guidlines 07/2020 EDPB<br />
|EU_Law_Link_1=https://edpb.europa.eu/our-work-tools/documents/public-consultations/2020/guidelines-072020-concepts-controller-and_en<br />
<br />
|National_Law_Name_1=N. 3471/2006<br />
|National_Law_Link_1=https://www.lawspot.gr/nomikes-plirofories/nomothesia/n-3471-2006/arthro-11-nomos-3471-2006-mi-zititheisa-epikoinonia<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Eleni Papadopoulou<br />
|<br />
}}<br />
<br />
The Hellenic DPA fined a processor company 30.000€ and issued a reprimand to a controller company for failing to ensure an appropriate level of security of personal data in a procedure under article 32(2) GDPR.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Seventeen individuals submitted complaints before the HDPA against a gas supplier company (controller) for unlawful processing of personal data for purely marketing purposes. The gas supplier company (controller) signed a contract with another company (processor), which undertook the processing of personal data of the controller's customers for marketing purposes. The processor used an automated mechanism that randomly selected telephone numbers from a list of customers' contact details in order to contact individuals for marketing purposes. Excluded from that list were the telephone numbers of individuals who clearly waived their consent as regards the controller company having their contact details. However, due to a mistake made by one of the processor's employees, many individuals who disagreed with having their personal data processed by the controller were not left out of that list and, consequently, received calls from the processor for marketing purposes. <br />
<br />
=== Holding ===<br />
After reviewing the facts of the case, the HDPA first stated that the telephone number of an individual constitutes "personal data" under Article 4(1) GDPR since it makes a person identifiable. Moreover, the HDPA held that a gas supplier company that transferred the contact details of its customers to another company, based on a contract signed between them, in order for the latter to make calls for marketing purposes, must be considered a "controller" under Article 24 GDPR and the latter company a "processor" under Article 28 GDPR. <br />
<br />
Furthermore, the HDPA stated that both the controller and the processor companies are in breach of the GDPR provisions. Specifically, the processor failed to implement appropriate technical and organisational measures for ensuring the appropriate level of security under Article 32 GDPR, and it was its employee who made the relevant mistake. On the other hand, the controller was responsible for providing the appropriate tools and guidelines in order to prevent unlawful calls from being made and for supervising the processor's methods. Lastly, it was the controller's duty to act upon the individuals' complaints. However, the controller did not manage to meet the last condition and, instead of addressing the problem and offering specific guidelines to the processor, it provided the latter only with general and inadequate guidelines.<br />
<br />
In that sense, the HDPA assessed that the processor must be fined 30.000€ under Articles 58(2) and 83(4) GDPR for the breach of Articles 32(2) and (4) and 28(3) GDPR. As for the controller, the HDPA issued reprimands under Article 58(2) GDPR for the breach of Article 28(3) GDPR.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.<br />
<br />
<pre><br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Category<br />
Decision<br />
<br />
<br />
<br />
Date<br />
08/12/2021<br />
<br />
<br />
<br />
<br />
Transaction number<br />
52<br />
<br />
<br />
<br />
Thematic unit<br />
<br />
09. Promotion of products and services<br />
<br />
<br />
<br />
<br />
Applicable provisions<br />
<br />
Article 28: Perform the processing (arrangements)<br />
Article 32: Processing security<br />
Article 11.1: Unsolicited electronic communication<br />
<br />
<br />
<br />
<br />
Summary<br />
The Authority received 17 complaints regarding illegal telephone calls aimed at promoting products or services of the company ZENITH - Gas Supply Company of Thessaloniki, Thessaly SA. For this specific processing ZENITH has the position of controller, and One Way Private Company has the position of processor. The examination of the case revealed that, due to an error in the processor's implementation, telephone calls were made to subscribers who had been registered in register 11, in violation of article 11 of Law 3471/2006. The Authority imposed on the processor One Way Private Company a fine of 30,000 euros for violation of article 32 par. 2 and 4 of the GDPR in combination with article 28 par. 3, c. It also imposed on the controller ZENITH the sanction of a reprimand for violation of article 28 par. 3 case c of the GDPR.<br />
<br />
<br />
<br />
<br />
PDF Decision<br />
52_2021anonym.pdf272.69 KB<br />
<br />
</pre></div>Eleni.papadopoulouhttps://gdprhub.eu/index.php?title=HDPA_(Greece)_-_7/2021&diff=21276HDPA (Greece) - 7/20212021-11-14T18:43:14Z<p>Eleni.papadopoulou: Created page with "{{DPAdecisionBOX |Jurisdiction=Greece |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoGR.jpg |DPA_Abbrevation=HDPA (Greece) |DPA_With_Country=HDPA (Greece) |Case_Number..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Greece<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoGR.jpg<br />
|DPA_Abbrevation=HDPA (Greece)<br />
|DPA_With_Country=HDPA (Greece)<br />
<br />
|Case_Number_Name=7/2021<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Greek DPA<br />
|Original_Source_Link_1=https://www.dpa.gr/el/enimerwtiko/prakseisArxis/prosbasi-ton-ypopsifion-stis-ekloges-toy-dsa-sta-stoiheia-epikoinonias<br />
|Original_Source_Language_1=Greek<br />
|Original_Source_Language__Code_1=EL<br />
<br />
|Type=Advisory Opinion<br />
|Outcome=<br />
|Date_Decided=14.10.2021<br />
|Date_Published=01.11.2021<br />
|Year=2021<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 4(7) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#7<br />
|GDPR_Article_2=Article 4(10) GDPR<br />
|GDPR_Article_Link_2=Article 4 GDPR#10<br />
|GDPR_Article_3=Article 6(1)(e) GDPR<br />
|GDPR_Article_Link_3=Article 6 GDPR#1e<br />
|GDPR_Article_4=Article 6(4) GDPR<br />
|GDPR_Article_Link_4=Article 6 GDPR#4<br />
|GDPR_Article_5=Article 21 GDPR<br />
|GDPR_Article_Link_5=Article 21 GDPR<br />
<br />
<br />
|National_Law_Name_1=Article 103 etc from National Law 4194/13(Lawyers' Code)<br />
|National_Law_Link_1=https://www.lawspot.gr/nomikes-plirofories/nomothesia/n-4194-2013/arthro-103-nomos-4194-2013-eklogiko-dikaioma<br />
|National_Law_Name_2=Article 11§3,4 from National Law 3471/06 <br />
|National_Law_Link_2=https://www.kodiko.gr/nomothesia/document/155678/nomos-3471-2006<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Eleni.papadopoulou<br />
|<br />
}}<br />
<br />
The Greek DPA decided that candidates in the Athens Bar Association elections are allowed under the GDPR to collect and process the personal data of the Association's members, but only under specific terms and conditions. What are they? <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
In view of the forthcoming Bar Association elections, the Athens Bar Association asked the Hellenic Data Protection Authority (HDPA) whether the decision of the Association's register department to provide the Association's candidates with the personal data (contact details) of the Association's members would comply with the GDPR.<br />
<br />
=== Holding ===<br />
After reviewing the facts of the case, the Greek DPA held that:<br />
1. Each candidate is considered a 'third party' (Article 4(10) GDPR) in relation to the Association as regards his contact with the members, since he is a separate 'controller'. <br />
2. The actions taken for the unhampered operation of the Bar Association fall within the meaning of '...performance of a task carried out in the public interest or in the exercise of official authority vested in the controller' (Article 6(1)(e) GDPR). As such, the transmission of the personal data and their processing by the third parties do not require the consent of the data subject in order to be lawful. <br />
3. Even though the data subjects (members) did not specifically consent to their personal data being given to third parties (candidates), this is permitted under Article 6(4) GDPR, since the purpose is deemed relevant to the main one to which they agreed at the stage of registration.<br />
4. For the transmission of the members' personal data to the candidates to be lawful, each candidate must grant the members the 'right to object' to the processing of their personal data at any time. Specifically, the 'right to object' must be given even prior to the transmission of the personal data, for the purposes of compliance with Article 21 GDPR. <br />
5. Each candidate must take appropriate and specified measures as regards the processing of the personal data he has collected, so that his conduct complies with Article 6(4) GDPR, and must declare the exact period of time after which those personal data will be deleted. <br />
6. In general, each candidate bears all the responsibilities that a 'controller' has under the GDPR. <br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.<br />
<br />
<pre><br />
Category<br />
Opinion<br />
<br />
<br />
<br />
Date<br />
01/11/2021<br />
<br />
<br />
<br />
<br />
Transaction number<br />
7<br />
<br />
<br />
<br />
Thematic unit<br />
<br />
16. Other<br />
<br />
<br />
<br />
<br />
Applicable provisions<br />
<br />
Article 4.10: Third (definition)<br />
Article 6.1.e: Legal basis for fulfillment of public duty<br />
Article 21: Right of objection<br />
Article 11.3: Use of previous contact details for electronic communication<br />
Article 11.4: Conditions for sending an e-mail<br />
<br />
<br />
<br />
<br />
Summary<br />
Following a question from the Athens Bar Association to the Authority as to whether providing the candidates with the contact details of the Lawyers - members of the DSA is in accordance with the legislation on personal data protection, the Authority considered that a) the candidate for the DSA is a third party, as he is a separate controller (he completely determines the means, even if the purpose is of the association), b) the membership of the DSA is not data of special categories (related to professional status by law), c) the legality of the transfer may be based on Article 6.1.e of the GDPR - public interest in the operation of the DSA and in the conduct of recruitment in such a way as to ensure the visibility of all candidates, d) the subjects have not been informed at the collection stage, but there may be an application of Article 6.4 GDPR, as the purpose is relevant to the original, e) the DSA for the transmission must take measures (such as setting conditions for the use of data corresponding to those of promotional messages in articles 11 par. 3 and 4 of Law 3471/2006), which should be precisely determined by it, and f) each candidate, as the controller, must satisfy any submitted right of objection of the members-subjects of the data.<br />
<br />
<br />
<br />
<br />
PDF Decision<br />
gnomodotisi 7_2021anonym.pdf278.93 KB<br />
</pre></div>Eleni.papadopoulouhttps://gdprhub.eu/index.php?title=User:Eleni.papadopoulou&diff=21271User:Eleni.papadopoulou2021-11-14T13:07:28Z<p>Eleni.papadopoulou: </p>
<hr />
<div>I am a qualified lawyer, member of the Bar Association of Thessaloniki (Greece), and specialised in International Commercial Law (L.L.M.) and European Union Law (L.L.M.). [https://www.linkedin.com/feed/ LinkedIn Profile]</div>Eleni.papadopoulouhttps://gdprhub.eu/index.php?title=User:Eleni.papadopoulou&diff=21270User:Eleni.papadopoulou2021-11-14T13:02:19Z<p>Eleni.papadopoulou: Added my LinkedIn profile</p>
<hr />
<div>[https://www.linkedin.com/feed/ LinkedIn Profile]</div>Eleni.papadopoulou