HDPA (Greece) - 26/2024
HDPA - 26/2024 | |
---|---|
Authority: | HDPA (Greece) |
Jurisdiction: | Greece |
Relevant Law: | Article 2(3) GDPR, Article 5(1)(a) GDPR, Article 5(1)(d) GDPR, Article 12(2) GDPR, Article 16 GDPR, Article 17 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 16.11.2021 |
Decided: | 03.09.2024 |
Published: | 07.10.2024 |
Fine: | 28,000 EUR |
Parties: | Δ.Ε.Η. Α.Ε. (Public Power Corporation); Δήμο Αθηναίων (Municipality of Athens) |
National Case Number/Name: | 26/2024 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Greek |
Original Source: | HDPA (in EL) |
Initial Contributor: | inder-kahlon |
The DPA has imposed a €25,000 fine on Greece's largest electricity provider for violations of data subjects' rights, specifically Article 16 GDPR, Article 17 GDPR, and Article 5 GDPR. The Municipality of Athens was also fined €3,000 for a violation of Article 12(3) GDPR.
English Summary
Facts
The data subject submitted a request for rectification and erasure of personal data related to immovable assets that did not concern him. The controller (Δ.Ε.Η. Α.Ε.) confirmed the rectification and erasure of the personal data. However, from December 2020 to July 2021, the data subject continued to receive calls from law firms and collection agencies regarding outstanding bills for properties that were not his, neither owned nor rented by him. The data subject subsequently submitted another erasure request, asking for the removal of his tax number from the bills. Despite the controller's confirmation that the erasure request had been fulfilled, the data subject continued to receive harassing calls from collection agencies and law firms regarding unpaid bills. He also received a payment notice from the Municipality of Athens regarding the unpaid bills. The data subject lodged a complaint, stating that neither the law firms nor the municipality had notified the controller, nor had the controller informed the relevant parties involved, that these bills did not concern him. According to the data subject, this demonstrated a lack of appropriate technical and organisational measures on the part of the controller.
The controller asserted that the issue arose from the complainant's failure to update the ownership information through the proper channels, resulting in the erasure being applied only to the e-bill system. Consequently, data concerning the complainant continued to be processed by law firms and collection agencies acting on behalf of the controller to collect outstanding debts. The controller further explained that it disclosed the complainant's data to the municipality pursuant to Greek Law 3979/2011, in order to meet its legal obligations.
The municipality, which had not provided a timely response to the complainant's request under Article 12(3) GDPR for information on the sources of data and other relevant information, stated that it had received the complainant's data through the usual channels for the purpose of collecting unpaid property and municipal taxes.
Holding
The authority determined that the company (Δ.Ε.Η. Α.Ε.) was the data controller, while the collection agencies operated as data processors under the controller's direction for the collection of outstanding debts. Although the controller responded to the data subject’s rectification and erasure request with a confirmation, it failed to clarify that the erasure was limited to only the e-bill.
The municipality received the personal data from the controller for the collection of its own fees and therefore acted as a data controller for the data it received. The authority found that the municipality violated Article 12(3) GDPR by failing to notify the data subject electronically regarding actions taken in response to the data subject's requests, which were submitted via email.
In exercising its corrective powers, the authority took particular note of the nature and gravity of these infringements, which concern the core principles of lawfulness and accuracy of processing. These principles are fundamental to the protection of personal data under the GDPR. For these reasons, the authority:
a) Imposed a fine of seven thousand five hundred euros (€7,500) on Δ.Ε.Η. Α.Ε., as the data controller, for the violation of the data subject's right to rectification under Article 16 GDPR, Article 12(2) GDPR and Article 12(3) GDPR.
b) Imposed a fine of seven thousand five hundred euros (€7,500) on Δ.Ε.Η. Α.Ε., as the data controller, for the violation of the data subject's right to erasure under Article 17(1)(b) GDPR, Article 17(1)(c) GDPR, Article 17(1)(d) GDPR, Article 12(2) GDPR and Article 12(3) GDPR.
c) Imposed a fine of ten thousand euros (€10,000) on Δ.Ε.Η. Α.Ε., as the data controller, for violating the principles of lawfulness and accuracy in data processing under Article 5(1)(a) GDPR and Article 5(1)(d) GDPR.
d) Imposed a fine of three thousand euros (€3,000) on the Municipality of Athens, as the data controller, for violating Article 12(3) GDPR.
Comment
In Greece, electricity bills often include various non-electricity charges, such as a subscription fee for ERT (Ελληνική Ραδιοφωνία Τηλεόραση - ERT), Greece's state-owned radio and television broadcaster. The bills also include municipal taxes and the Real Estate Tax (Τέλος Ακίνητης Περιουσίας - ΤΑΠ). Failure to pay an electricity bill can have serious consequences, such as complications in selling property, as a certificate confirming no outstanding Real Estate Tax is usually required.
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Athens, 03-09-2024
Prot. No.: C/EXE/2299

DECISION 26/2024 (Department)

The Personal Data Protection Authority met at the invitation of its President in a teleconference meeting on Monday 12-20-2023 at 10:00, in order to examine the case referred to in the present history. The Deputy President of the Authority, Georgios Batzalexis, standing in for the President of the Authority, Constantinos Menoudakos, the regular member of the Authority, Konstantinos Lambrinoudakis, as rapporteur, and the alternate members of the Authority, Maria Psalla, in place of the regular member, Grigorio Tsolia, who, if and Demosthenes Vougioukas was also legally summoned, he did not attend due to disability. Present without the right to vote were Stefania Plota, specialist scientist-lawyer, as assistant rapporteur and Irini Papageorgopoulou, employee of the Authority's administrative affairs department, as secretary.

The Authority took into account the following: A (hereinafter "complainant") submitted the no. prot. C/EIS/8390/29-06-2022 request for review of the no. No. C/EIS/7496/16-11-2021 of complaint against PPC for violation of the right to correction/deletion, which was terminated with no. prot. C/EXE/1078/09-05-2022 document of the Authority. Specifically, the complainant on ... applied to PPC S.A. the correction/deletion of his information from the company's systems for properties that he is "neither owner, nor tenant", except for the X beach property, which he owns. The company responded to the complainant on … that his personal data has been successfully corrected in its computerized system. However, from December 2020 until July 2021, the complainant, as he states, received regular telephone calls from law firms and collection companies regarding overdue debts to PPC for real estate services, in which, according to claims, his data should have been deleted and on ... 
he sent a new request to PPC to delete his data and specifically his VAT number from the disputed benefits that do not concern him. Also, the complainant received the cash call of the Municipality of Athens with the date of issue ... for property debts on the street ..., amounting to ... euros. The Authority with no. prot. C/EXE/389/14-02-2022 document forwarded the complaint to PPC for the provision of opinions and the company with no. prot. C/EIS/3598/09-03-2022 its response to the Authority stated, presenting relevant correspondence with the complainant, that the latter was obliged, as the company had already informed him in most cases, to restore the actual and legal status of the benefits, for which he has by his own action been declared (in the e-bill application) as a contact person, so that the details of the "real beneficiaries" can be corrected/replaced. Then the Authority sent the no. prot. C/EX/1078/09-05-2022 document to the complainant, highlighting what was reported by PPC S.A., according to which in order to enable the satisfaction of the request for correction/deletion of the complainant's information, it was requested to be activated towards the correct and complete restoration of the historicity of the benefits in question, in accordance with the current normative and regulatory framework of electricity. In conclusion, the Authority stated that it has currently completed the examination of the case, noting in relation to the above that, in the event of doubt as to the legal status of the said properties and the real beneficiaries, a dispute arises, for the resolution of which the competent authorities are in principle civil courts, and that of course, it can be taken over, if and as long as, following the relevant court decision, a field is left in the context of which it is competent. Subsequently, the complainant requested a review of the said case. In addition, the complainant submitted a second one, no. prot. 
C/EIS/7862/09-06-2022, supplementary complaint against the law firms "Sioufas and Associates", "Andrikopoulos and Associates", "Papavasiliou-Balli and Associates", "Frangou", the Debtors Information Company "Paladino" SA" (hereafter EEO) and the Municipality of Athens, which is also notified to PPC S.A. for a lack of appropriate organizational and technical measures and illegal processing without a legal basis, according to his claims, due to the constant phone calls from the first defendants about overdue real estate debts, for benefits for which he had been declared as a contact person, and for the no. first ... cash call of the Municipality of Athens with date of issue on ... for debts to PPC related to supply, for which, as stated, PPC had to ... accept that it does not concern the complainant. Specifically, with regard to the telephone harassment received by the complainant from the law firms and the EEO, he states that PPC S.A. on ... informed him that she had successfully deleted his data from the property benefits in the street ... and ... and on ... confirmed with a new message that the only property that concerns him is X's. However, as the complainant states, from in December 2020 through January 2022, while informing PPC, the law firms and the EEO in every phone call that he had nothing to do with the properties, he continued to receive calls about arrears related to the disputed benefits, and despite exercise of the right of correction/deletion in PPC S.A. it is proved, with the electronic message from DEDDIE, according to which the complainant's tax number continues to be presented in eleven (11) benefits that do not concern him, that PPC SA. he has not deleted his information from said benefits. Also, with regard to the above-mentioned cash invitation from the Municipality of Athens, the complainant sent an email to the Municipality of Athens on ... 
to be informed about the sources of the data, whether he has informed PPC as he was owed and how many benefits were wrongly his VAT number is mentioned and on ... he exercised the right to delete his information via email, but the Municipality of Athens has not responded to any of the complainant's emails, within the deadlines provided by law. Finally, the complainant states that the law firms, the EEO and the Municipality of Athens, while they had been informed by him that he was no longer related to the benefits in question, did not inform PPC of the incorrect entry of his information, stating again that, since PPC had already informed him of the successful deletion of his personal data in November 2020, it should have informed the other involved bodies accordingly, attributing the above to a lack of appropriate technical and organizational measures.

In view of the above, from the files of the two complaints, it appears that the second complaint concerns the same issues against PPC SA. and the Municipality of Athens and is complementary to the first complaint, as its main subject is the processing of personal data by PPC and its refusal or possible inability to disassociate the complainant's contact information from the disputed benefits that have overdue debts and which, according to the complainant, they do not concern him. Therefore, the Authority considered the request for review of the first and main complaint against PPC S.A. due to relevance. 
and the related second complaint against the Municipality of Athens but also against PPC and the aforementioned processors on behalf of and on behalf of PPC, as it emerged from the data in the files in question that in principle there is no question of organizational or technical issues for the processors, since PPC, although it initially stated to the complainant that it would grant his request to disassociate himself from the disputed benefits, subsequently refused to grant it and was the one that gave the orders to assign the complainant's case to its affiliates/processors for its account (see PPC's response to the first complaint no. prot. C/EIS/3598/09-03-2022).

Subsequently, the Authority sent to the Municipality of Athens and PPC the no. prot. C/EXE/2219/09-09-2022 document to provide opinions, and the Municipality of Athens, with the no. prot. C/EIS/11034/14-10-2022 his response to the Authority stated that until 2019 he received the files by electronic message and since 2020 the e-bill application has been activated, therefore in the case in question the debt was sent by the from ... email of PPC. From ... "Proposal for kon A" of the Department of Remunerative Fees & TAP of the Municipality to the President of the Finance Committee on the subject of "Deletion of entries with data ... and ... from uncollected Municipal Fees - Municipal Tax and TAP through PPC statements of confirmed income S.A. in the name of Mr. A" it is stated that a debtor mismatch was found for the disputed connection during the update of the data certified by PPC, as shown by the image of the Municipality's certified debts by PPC, but also by the Register of Natural and Legal Entities of AADE and recommends the deletion of said records, of a total amount of …€ that have been charged against the complainant for the property on the street … and will look for the real debtor. 
Subsequently, the Data Protection Officer (hereinafter DPO) of the Municipality of Athens submitted to the Authority no. prot. C/EIS/103012/25-10-2022 document, in which he mentions all the history of the case and the actions taken, concluding that the Municipality is awaiting the decision of the Finance Committee for the deletion of the mistakenly certified amount in complainant.

PPC SA with the no. prot. C/EIS/10683/04-10-2022 document states that according to the provisions of Law 25/1975 (Municipal fees), of Law 1080/1980 (Municipal Taxes), of Law 2130/1993 (Real Estate Tax) and Law 1730/1987 (ERT), the PPC is obliged to contribute with the electricity bills the amounts of Municipal Fees, Municipal Taxes, TAP and the retributive fee of ERT and to then return them to the beneficiaries, i.e. the Municipalities and ERT and in particular, in accordance with what is provided by Law 3979/2011, the complainant's data was forwarded to the Municipality of Athens for the fulfillment of the aforementioned legal obligation of PPC SA.

Subsequently, the Authority with no. prot. C/EX/2773/02-11-2022 document she forwarded the no. prot. C/EIS/11034/14-10-2022 response of the Municipality of Athens to PPC and invited it to present its views on it, taking into account the statement of the complainant to the company from ... that he has submitted to PPC S.A. from October 2020 the required supporting documents, in order to prove the ownership or non-ownership of the properties in question. The complained company with no. prot. C/EIS/12315/06-12-2022 document, reiterated the client's obligation to notify the change of his data, concluding that the only way to satisfy the complainant's deletion request is to correct/replace the data of the real beneficiaries. Subsequently, the company with no. 
prot. C/EIS/12729/21-12-2022 her document states that the complainant "following the decision APDPX 1078/09.05.2022, followed the instructions for the transfer of electricity supplies and now the staff of the TIN (...) are assigned only the supply of his house in X. In addition, we would like to clarify that the events described in the above-mentioned complaint took place before the issuance of the decision APDPX 1078/09.05.2022 and for as long as Mr. A kept benefits in his VAT number that did not belong to him".

In view of the above, the Authority invited, with the no. prot. G/EX/1612-21-06-2024, G/EX/1615/21-06-2024 and G/EX/1613/21-06-2023 documents i. the complainant, A, ii. the company PPC SA, and iii. the Municipality of Athens, as legally represented, in a hearing via teleconference before the Authority (composed of a Department) on 28-06-2023, in order to investigate the complaints in question. At the meeting, the request for postponement of the complainant was discussed, which was accepted by the Department and a new date of discussion was set on 07-19-2023, without the sending of new calls. Complainant A was present at the said meeting, followed by his attorneys Emmanuel Laskaridis (AMDSA ...) and Andromachis Bardas (AMDSA ...), on behalf of PPC SA. its legal advisers Maria Lambrinou (AMDSA ...), Ioanna Voulgaridou (AMDSA ...), the DPO B and C and D from the Office of the DPO and on behalf of the Municipality of Athens its legal advisor Georgios Galanis (AMDSA ...). During this meeting, those present, after developing their opinions, submitted the complainant, PPC S.A. and the Municipality of Athens under no. prot. C/EIS/5930/21-08-2023, C/EIS/6016/25-08-2023 and C/EIS/5715/03-08-2023 memoranda respectively.

The complainant, in addition to what he had mentioned before the discussion, points out with the post-hearing memorandum that although PPC S.A. with the e-mails from ... and ... 
to him, assuring him that his information has been successfully deleted and its systems have been updated accordingly, the document from ... PPC S.A. states that he himself, following the decision APDPX 1078 /09-05-2022 followed the instructions for the transfer of benefits and now only the provision of his house to X is assigned to the TIN staff, and it comes in full contradiction with the company's document from ..., in which he claimed that PPC could not proceed with the deletion of his data from the benefits that did not concern him and he had not provided any supporting documents. Also, with regard to the satisfaction of the right to erasure by the Municipality of Athens, the complainant states that the Municipality has not responded to his legitimate request, apart from the email from the Ministry of Internal Affairs that 11 services have his VAT number but no telephone numbers of. As regards the law firms and debt collection companies, while they had been informed by the complainant about the illegal processing of his data, they did not delete his data, while they never confirmed the existence of the debt and the identity of the debtor and for the period of time that he received telephone calls calls, they called him repeatedly, resulting in the disturbance of personal and family peace, while the dissemination of his data discredits him and offends the his personality. The Municipality of Athens reported that, in the context of Article 43 of Law 3979/2011 par. 
1b, according to which the municipal cleaning and lighting fees […], the tax on electrified premises […] and the real estate tax […], are borne by the person liable to pay the electricity bill and if the person liable does not pay the amount, the electricity supplier interrupts the supply and if the reconnection of the electricity is not requested within three months of its interruption, the supplier informs the relevant municipality of the details of the debts, in order for it to proceed with their collection, and given that there were unpaid municipal fees for the property on the street ..., PPC sent the Municipality the accounting statements of uncollected municipal fees and TAP in December 2018. In this file it appeared for the provision of the above property to 2 floor as the debtor E with VAT number... and in order to be informed the Municipality searched for his residential address with TIN through the online services of KEDE for the provision of data of natural persons of non-tax content by AADE, based on a decision by which local authorities have been given access for this purpose. The check revealed that the name E did not correspond to the VAT number of the alleged debtor, as the said VAT number corresponded to the complainant and also, for E, his VAT number was searched and no entry in the AADE was found. Therefore, the Municipality proceeded to certify the debt to the complainant and in 2021 to send the relevant notices for the debts from cleaning, lighting and TAP fees based on the data that, due to access through the KEDE application, was registered in the AADE. Subsequently, with the e-mail of the Municipality's DPO, the cancellation request was made known, since there are reasons for incorrect billing, and the Financial Committee approved the cancellation of the amounts that were incorrectly billed under no. ... Act and after checking the files of the T.K.F., D.F., and T.A.P. 
application, it is confirmed that there is no association of the complainant's name with the provision of the property on the street ... . The Municipality of Athens points out that PPC never informed it of the non-existence of the said debts of the complainant, while in the financial management application of the Municipality of Athens, there is a record of the complainant with VAT number..., which was created due to other transactions with the Municipality of Athens and the deletion of these personal details cannot be done because keeping a history of transactions with the Municipality is mandatory. As for whether there has been a response to the complainant's e-mail from ... to the Municipality's DPO, it states that the DPO informed the complainant in detail in regular telephone communications about the above.

PPC SA with its post-hearing memorandum points out that the only thing that could be considered to be contributed as a new element by the complainant with the treatment request is the correspondence of PPC representatives with the current managers of the properties in question, which proves the over-effort of PPC to assist the complainant. The company mentions in particular the following in the substantive issues: i. regarding the complainant's relationship with the benefits in question, emphasis is placed on the apartment building on the street ..., where the applicant and members of his family as well as A.E. with the information "Partners A.A.E." (whose representative was the complainant) were the owners of 30 horizontal properties and surprisingly there are only 7 meter-services energizing 121 independent horizontal properties. 
Accordingly, in the street ..., one of the benefits corresponds to the name of the deceased father of the complainant, and PPC is rightly bothering him for this as well, as it is a permanent debt relationship, which is inherited and, since no certificate has been presented to PPC waiver within 4 months from the date of death, the heir becomes the universal successor of the legatee and is charged with the inheritance debt. Also, in 1993, when the complainant was the manager of the two apartment buildings, in order to avoid the process of changing the name in the benefits, as it was required to present certificates of electrical installations, death certificates, etc. documents, he did not mention the death of the originally contracted persons and asked for his own VAT number to be entered on the 30 benefits and at the complainant's meeting with the legal department and its DPO, he was asked to provide a responsible statement, stating that he is not related to the disputed benefits and the complainant refused. In addition to the above, on ..., the complainant filled in the TIN when upgrading his ebill accounts, and although he had the opportunity to correct them by providing the necessary documents, he did not do so and since then he did not act until some of the users stopped paying the their ratio on the value of electricity. Therefore, the claim of the complainant that it was not related to the benefits corresponding to the properties of streets … and … does not correspond to reality. ii. Regarding the calls received by the complainant, PPC states that during the discussion before the Authority, the complainant claimed that PPC called him twice a day, for two years, i.e. 
768 calls, while the company claims that "the calls they made the debtor information companies authorized by PPC on its contact numbers amount to only 21, which were carried out over a period of 7 months, from 24-11-2020 to 01-07-2021, in accordance with the provisions of the relevant legislation (see Law 3758/2009) and related to all benefits in the complainant's details". PPC provided the Authority with a table for 9 benefits, "in which are listed the partners of PPC who were assigned the management of the disputed benefits as well as the date of assignment and revocation of this assignment", among which are law firms and EEO. Finally, the company states that it has sent relevant information letters to the addresses of the properties in question and to the names of the original contractors. iii. Regarding the right to erasure, the complained company adds that, as long as there are overdue debts from the supply of electricity, it legally does not erase the personal data, as they are necessary for the establishment, exercise and support of its legal claims, either judicially or administratively or extrajudicially procedure to seek the collection of its claims, while the complainant insists on exercising the right of erasure, although still is a customer of PPC, so his personal data is required for issuing an account and PPC cannot satisfy this right, as the conditions of 17.3.b GDPR are met in combination with article 3 D II of Law 1040/1980 (Government Gazette 76/A/3/4/1980), according to which PPC SA is obliged to maintain the data of its customers. 
The company states that the complainant "without understanding the above, instead of solving the issue that arose due to the mismatch of benefits with the actual users and proceeding with the process of disconnecting them from the customer record in the ebill update environment, turned the procedural issues of bad management on his part of the things that concern him, in matters of personal data processing and protection. The applicant, wanting to stop PPC's harassment for the overdue benefits of which he was the administrator, but without taking the necessary actions as analyzed above, thought that he would achieve his goal by disconnecting the benefits in question from his ebill account. He was led to this conclusion by himself, without the suggestion of any PPC official. If he had consulted someone in charge of PPC, he would have been informed that the details of the benefits can only be changed by drawing up a contract and that ebill is an informative environment. The only information that a user can change in ebill is the contact information and which benefits they wish to monitor. Mr. A, on ... of ... he requested the ebill department to disconnect the benefits for which he was previously an administrator, calling this action "deletion of his VAT number" from the benefits. Mr. ST, who took over the request in Customer Care, proceeded to disconnect the benefits from the ebill tab and informed Mr. A that his request was completed. Yes, Mr. F acting with exemplary courtesy corrects Mr. A, and he calls his action a "successful fix" and not a delete. Naturally, the arbitrary action of Mr. A didn't stop the hassles. This resulted in the unacceptable behavior of Mr. A, who instead of asking what is the proper procedure to follow to stop the harassment, makes baseless accusations based on false facts. 
More specifically: He complains about the continuation of the harassment while no representative of PPC told him that the disconnection of the benefits that he was formerly an administrator from ebill implies the cessation of harassment for debts from the benefits that correspond to him. After all, the customer's debts continue to exist until the point of changing his name or other action that disconnects him from the respective service. He claims to have produced E9 when he had only produced E1. However, even if he had made his E9 known to us, this does not make him "irrelevant" to the disputed benefits, as we have already proven above. Furthermore, he hid his E9 on purpose, as this proves the relationship with his father and his real estate." iv. After many efforts and personal engagement of members of the legal service and the office of the Ministry of Internal Affairs, where more than the maximum diligence and work was done in order to collect the legally possible and permissible items corresponding to the disputed benefits, PPC managed to establish the current state of the benefits.

The Authority, after examining the elements of the file, after hearing the rapporteur and the clarifications from the assistant rapporteur, who was present without the right to vote, after a thorough discussion,

DECIDED IN ACCORDANCE WITH THE LAW

1. Because, from the provisions of articles 51 and 55 of the General Data Protection Regulation (EU) 2016/679 (hereinafter "GDPR") and Article 9 of Law 4624/2019 (Government Gazette A΄ 137) it follows that the Authority has the authority to supervise the implementation of the provisions of the GDPR, this law and other regulations concerning the protection of the individual from the processing of personal data. In particular, from the provisions of articles 57 par. 1 pc. f of the GDPR and 13 par. 1 pc. 
g΄ of Law 4624/2019 it follows that the Authority has the authority to deal with the complaints under consideration and to exercise, respectively, the powers granted to it by the provisions of Articles 58 of the GDPR and 15 of Law 4624/2019.

2. Because, according to article 4 par. 7 of the GDPR, a data controller is defined as "the natural or legal person, public authority, agency or other entity that, alone or jointly with others, determines the purposes and manner of personal data processing", and with par. 8 of the same article of the GDPR, the processor is defined as "the natural or legal person, public authority, agency or other entity that processes personal data on behalf of the data controller".

3. Because, Article 5 of the GDPR defines the processing principles that govern the processing of personal data and in paragraph 1 that the personal data, among others: "a) are processed lawfully and legitimately in a transparent manner in relation to the data subject ("legality, objectivity, transparency"), (...) d) accurate and, where necessary, updated; all reasonable steps must be taken to immediately delete or correct personal data that is inaccurate, in relation to the purposes of processing ("accuracy")". According to paragraph 2 "the controller is responsible and is able to demonstrate compliance with paragraph 1 ("accountability")."

4. Because, according to article 16 GDPR "The data subject has the right to demand from the data controller without undue delay the correction of inaccurate personal data concerning him. Bearing in mind the purposes of the processing, the data subject has the right to request the completion of incomplete personal data, including through a supplementary statement."

5. Because, according to the provision of article 17 par. 
1 GDPR "The data subject has the right to request from the controller the deletion of personal data concerning him without undue delay and the controller is obliged to delete personal data without undue delay if one of the following reasons applies: b) the data subject withdraws the consent on which the processing is based in accordance with Article 6(1)(a) or Article 9(2)(a) and there is no other legal basis for the processing, […], c) the data subject objects to the processing in accordance with Article 21(1) and there are no compelling and legitimate grounds for the processing or the data subject objects to the processing in accordance with Article 21 paragraph 2, d) the personal data were processed unlawfully".

6. Because, according to the provision of article 18 par. 1 of the GDPR "1. The data subject has the right to obtain from the data controller the limitation of the processing, when one of the following applies: a) the accuracy of the personal data is disputed by the data subject, for a period of time that allows the controller to verify the accuracy of the personal data, b) the processing is unlawful and the data subject objects to the deletion of the personal data and requests, instead, the restriction of use, c) the controller no longer needs the personal data for the purposes of the processing, but such data is required by the data subject for the establishment, exercise or support of legal claims, d) the data subject objects to the processing in accordance with Article 21 paragraph 1, pending verification of whether the controller's legitimate reasons prevail over the data subject's reasons."

7. Because, according to the provision of article 12 par. 2 GDPR: "The data controller shall facilitate the exercise of the rights of the data subjects provided for in Articles 15 to 22.
In the cases provided for in Article 11 paragraph 2, the data controller shall not refuse to act at the request of the data subject to exercise his rights under Articles 15 to 22, unless the controller proves that he is unable to ascertain the identity of the data subject" and par. 3 "The data controller shall provide the data subject with information on the action taken upon request pursuant to articles 15 to 22 without delay and in any case within one month of receipt of the request. This deadline may be extended by a further two months if necessary, taking into account the complexity of the request and the number of requests. The data controller shall inform the data subject of said extension within one month of receipt of the request, as well as of the reasons for the delay. If the data subject makes the request by electronic means, the information shall be provided, if possible, by electronic means, unless the data subject requests otherwise."

8. Because, according to Law 3758/2009 "Debtor information companies for overdue claims and other provisions", as amended and in force, first of all, it is provided that creditors have the right to grant to debtor information companies (EEO) data on overdue claims against debtors, without the latter's consent, for the prescribed legal purposes: a. informing the debtors about the existence of their overdue debts and b. the negotiation of the time, manner and other terms of their repayment (i.e. the arrangement or settlement of debt), at the behest and on behalf of the lenders (see, in particular, articles 3 par. 3, 4 par. 2, 8 par. 3 of Law 3758/2009, as amended and in force). With reference to the obligation to inform, it is noted that according to decision 3/2020 Holom. CA (see also decision 958/2022 CA) it was accepted (contrary to the Authority's decision 98/2017) that in the event of data being made available to processors, belonging to one of the recipient categories (e.g.
EEO) for which information has been provided, there is no obligation for the data controller to provide new, specific information to the subject, i.e. also at the time of making the personal data available to a specific EEO. Furthermore, the aforementioned law regulates the operating framework of debtor information companies and the more specific obligations that this service entails both for the above companies and for lenders, and establishes the control mechanism of the said debtor information service. In this context, the general supervision of the debtor information service, whether it is carried out by the debtor information companies or by the lender itself, is the responsibility of the Ministry of Development/General Directorate of Consumer Protection/General Secretariat of Trade and Consumer Protection, according to article 10 par. 1 of Law 3758/2009, as amended and in force, while the Authority has special exceptional competence for specific violations of Law 3758/2009, according to article 10 par. 1 item c' of Law 3758/2009.

9. Because, according to established jurisprudence of the Authority [3] regarding complaints of harassment by a law firm, as well as the assignment of a case to a law firm for out-of-court or judicial debt claims, processing for which consent, approval or authorization is not required of the debtor (see art. 6 par. 1 items b and f, art. 9 par. 2 item f of the GDPR), and for complaints about repeated harassment and/or offensive behavior of a lawyer, the relevant bar association.

[1] See indicatively APD Annual Report 2022, under the thematic section "Debtor Information Companies", p. 73 ff.
[2] See APD Annual Report 2022, under the thematic section "Debtor Information Companies", p. 73 ff.
[3] See indicatively APD decision 49/2011 and APD Annual Report 2022, under the thematic section "Debtor Information Companies", p. 74.

10.
Because, in the case under consideration, from the elements of the file, the hearing of the parties involved, as well as the submitted memoranda, it appears, as to the issues that the Authority considers should be investigated in the context of the considered complaint and within its competences, that:

A. Regarding PPC SA:

i. The complained-about company processed personal data of the complainant, as the owner/manager of real estate with services electrified by the company, having the status of data controller under art. 4 par. 7 GDPR, since the company determines the purposes and manner of processing the personal data of its customers included in filing systems, and therefore becomes liable to comply with the principles introduced by Article 5 GDPR.

ii. The other companies, i.e. lawyers and EEO, act on the order of PPC and its own assignment to them of the cases in order to claim debts.

iii. The complainant, as the manager of the properties and the son of one of the owners and possibly an heir, had initially linked his VAT number to the benefits in question; in 2018 he filled in his VAT number during the upgrade of his ebill accounts and then, after the telephone harassment on 17-11-2020, the complainant submits a request to the complained-about company to delete his VAT number from the PPC accounts for properties he claims do not belong to him and on ... he receives a response from the company that "your personal information has been corrected in our computer system successfully". However, although on ..., on ... and on ..., the complainant informs the company that he continues to receive phone calls about debts, on ... the company informs him that, using his VAT number, the only property that appears in his name is the property to X. Because the harassment continued until January 2022, the complainant requested on ... from PPC the details of the law firms and on ... of the "collection companies" that called him, which he received, as well as a record of the calls he has received from the above.

In view of the above, as regards the right of correction/deletion exercised by the complainant towards the company being complained about, it appears that the latter assures the complainant that his information has been corrected, without, however, clarifying to him further whether this correction has been made only in the ebill platform in terms of contact details or in the "tabs" of the benefits in question. The claims of the complained-about company that the complainant himself should have investigated and realized the difference between its systems, while he had written communication with representatives of the company assuring him of the deletions and apologizing for the inconvenience caused by its partners, are not consistent with the controller's obligation to facilitate the subject in exercising the right to rectification/deletion. Also, the company itself should have informed the complainant that instead of the E9, which was requested, he had provided the E1, and that this could prevent it from considering the merits of his request, even if the production of the E9 would not have proved him to be unrelated to the benefits, as reported by PPC.

[4] See indicatively APD Annual Report 2022, with the references therein to APD decision 49/2011, to Opinion 598/2012 NSK and to the DSA Press Release from 14-11-2014.
While PPC has initially assured the complainant of the correction of his data, giving him the misleading impression that the right of correction/deletion he had exercised has been satisfied, it continues to share his data with its partners for the settlement of the debts of the above benefits, and in its opinions to the Authority, both on the original complaint and on the supplementary one, it refuses to satisfy the said request, insisting, relying on the fact that each owner must inform PPC himself about the ownership status of the properties, that the complainant is related to the benefits in question for the reasons it mentions. And in the final document before the hearing, PPC, without giving a clear picture, states that the problem has been remedied, without knowing the exact point in time when the historicity of the ownership status of the disputed benefits was restored and with what actions. Therefore, the Authority considers that the rights of correction and erasure were not satisfied properly and in a timely manner, but only after the related complaints and the intervention of the Authority, and there is a violation of articles 16 and 17 par. 1 items b', c' and d' of the GDPR in combination with article 12 par. 2 and 3 of the GDPR.

iv. With regard to the complaints received by the complainant from PPC's partners, it should be noted that from the table provided by the company it appears that the last date of revocation of the assignments of the cases concerning the debts of the benefits in question was ... and specifically from law firms "Sioufas and Associates", "Fragou" and from the company "Palladino", which date is the same as the one mentioned by the complainant in his supplementary complaint, that he also received a call on 04-01-2022 from the "Sioufas and Associates" office.
Also, in the description, submitted to the Authority, of the calls with the partners of the company being complained about, the complainant's statements about the questioning of the correlation of his data with the benefits, so that PPC may be informed, as it has been informed in this case about the requests of the complainant, according to the correspondence between him and PPC. Therefore, the responsibility for the nuisance to the complainant is borne by PPC, which acts as a data controller, and not by the EEO and law firms cooperating with it, which acted following the relevant assignment of the case. Therefore, the controller, since he had clear knowledge of the complainant's challenge to the association of his VAT number with the disputed benefits, from which the debts had arisen, should have stopped further processing of the complainant's data, i.e. the transmission/notification/disposal to others, until the resolution of the issue (see art. 18 GDPR).

In view of the above, the Authority considers that PPC, as controller, is responsible for the processing of the data of the complainant regarding the harassment he received from November 2020 until January 2021, and it is established that PPC did not prove, based on the principle of accountability (art. 5 par. 2 GDPR), under which the controller is required to demonstrate its compliance with the principles of art. 5 par. 1 of the GDPR, how the restoration of the historicity of the ownership status of the disputed benefits was carried out, with which actions and at what exact time, violating the principles of legality and accuracy of the processing of data of article 5 par. 1 items a and d of the GDPR.

B. Regarding the Municipality of Athens:

i. Pursuant to article 43 of Law 3979/2011 par. 1b "municipal fees cleaning and lighting [...], the tax on electrified premises [...] and the immovable property fee [...]
shall be borne by the person liable for payment of the electricity consumption bill and are contributed by PPC or the alternative electricity supplier, in installments equal to the number of annual accounts.[…] The collections carried out by PPC or each alternative supplier are attributed to the beneficiary municipality, based on a relevant settlement statement, within the second month from the expiry of the month to which the accounts are accounted for.[…] If the debtor does not pay the above collected amounts, the electricity supplier interrupts the supply of electricity and does not reconnect it until the amount owed is paid. Unless the obliged person requests reconnection of the electricity within three months of its interruption, the electricity supplier notifies the relevant municipality of the details of his debts, in order for it to collect them." From the above provisions of the law, it follows that the Municipality acts against the subject and processes the personal data concerning him in order to serve its own purposes, and collection through PPC is carried out only to facilitate the system of collection of municipal fees and T.A.P. PPC, by virtue of the above law, forwarded the data to the Municipality of Athens in order for it to collect itself the debts that concerned it. Therefore, the Authority considers that the Municipality of Athens is established as responsible for processing the personal data of those obliged to pay the fees and taxes that concern the Municipality and are collected with the electricity bill, as in the case under consideration.

ii. The complainant, after receiving the debt notices from the Municipality of Athens for cleaning and lighting fees and T.A.P., sent to the Data Processing Manager of the Municipality the email messages from ... and ..., exercising access and deletion rights respectively.
From the data in the file it appears that the Municipality of Athens did not inform the complainant by electronic means, as appropriate given that the requests were submitted via electronic messages, about the actions that have been carried out following the exercise of his rights. Therefore, the Authority finds a violation of article 12 par. 3 of the GDPR.

11. Because, based on the above, the Authority considers that there is a case to exercise its corrective powers according to articles 58 par. 2 i and 83 GDPR by imposing fines. To determine the fines, which the Authority considers effective, proportionate and dissuasive, the measurement criteria defined in article 83 par. 2 of the GDPR that are applicable in the present case are taken into account, as these have been specifically interpreted by Guidelines 4/2022 of the EDPB for the calculation of administrative fines.

12. Because, during the evaluation of the data, the Authority takes into account in particular that the nature and seriousness of the violations concern the basic principles of legality and accuracy of processing, which are fundamental to the protection of personal data, according to the GDPR.

Based on the above, the Authority unanimously decides that the administrative sanctions referred to in the operative part, which are considered proportional to the gravity of the violations, should be imposed on the complained-about company PPC S.A. and on the complained-about Municipality of Athens, as data controllers.

[5] https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-042022-calculation-administrative-fines-under_en - version 2.1

FOR THESE REASONS

The Authority

A. Imposes on PPC SA, as data controller, based on article 58 par. 2 item i of the GDPR, a fine of seven and a half thousand euros (€7,500) for the violation of the exercised right of correction (articles 16 and 12 par. 2 and 3 of GDPR).

B. Imposes on PPC SA, as data controller, based on article 58 par.
2 item i of the GDPR, a fine of seven and a half thousand euros (€7,500) for the violation of the exercised right of erasure (articles 17 b, c and d and 12 par. 2 and 3 of the GDPR).

C. Imposes on PPC SA, as data controller, based on article 58 par. 2 item i of the GDPR, a fine of ten thousand euros (€10,000) for the violation of the principles of legality and accuracy of the processing of personal data of the complainant (art. 5 par. 1 items a' and d' of the GDPR).

D. Imposes on the Municipality of Athens, as controller, based on article 58 par. 2 item i of the GDPR, a fine of three thousand euros (€3,000) for violation of article 12 par. 3 of the GDPR.

The Deputy President: Georgios Batzalexis
The Secretary: Irini Papageorgopoulou