HDPA (Greece) - 42/2021: Difference between revisions
No edit summary |
(→Facts: minor grammar and syntax edits to make the reading more fluid ; addition of missing hyperlinks ; made clear that the Greek DPA was called the HDPA) |
||
Line 61: | Line 61: | ||
=== Facts === | === Facts === | ||
The data subject complained to the HDPA about having received a press release via email by a | The data subject complained to the Greek DPA (the HDPA) about having received a press release via email by a member of the Hellenic Parliament (the latter being considered the data controller in the context of this decision), without the data subject's consent. Furthermore, the data subject's email address was visible to other recipients (the "To" field was used instead of BCC). | ||
=== Holding === | === Holding === | ||
The HDPA issued a warning towards the data controller, recommending the use of the BCC field in order for mass email communication to remain compliant with Article 32 | The HDPA issued a warning towards the data controller, recommending the use of the BCC field in order for mass email communication to remain compliant with [[Article 32 GDPR]]. No other measures were deemed necessary, because of the data controller's stance that the inclusion of the subject's email was made by mistake (more particularly, the controller had wrongly thought the data subject was a journalist, and that the data processing would thus be in accordance to [[Article 6 GDPR|Article 6(1)(f) GDPR]]), and because the controller took corrective measures by removing the data subject's personal details from the mailing list. | ||
== Comment == | == Comment == |
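Review bot: In the Holding paragraph the revised text still reads "in accordance to [[Article 6 GDPR|Article 6(1)(f) GDPR]]"; the idiom is "in accordance with". In the Facts paragraph, "received a press release via email by a member of the Hellenic Parliament" would read more clearly as "from a member", and "issued a warning towards the data controller" as "issued a warning to the data controller".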
Revision as of 07:14, 28 September 2021
HDPA (Greece) - 42/2021 | |
---|---|
Authority: | HDPA (Greece) |
Jurisdiction: | Greece |
Relevant Law: | Article 5(1)(d) GDPR, Article 5(1)(f) GDPR, Article 32 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 21.04.2021 |
Published: | 21.09.2021 |
Fine: | None |
Parties: | Party A (anonymized); Party B, Member of the Hellenic Parliament (anonymized) |
National Case Number/Name: | 42/2021 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Greek Greek |
Original Source: | HDPA (in EL) HDPA (in EL) |
Initial Contributor: | Adrian |
The Greek DPA held that sending bulk email by including recipients' email addresses in the "To" field is not compliant with Article 32 of the GDPR, recommending instead the use of BCC.
English Summary
Facts
The data subject complained to the Greek DPA (the HDPA) about having received a press release via email from a member of the Hellenic Parliament (the latter being considered the data controller in the context of this decision), without the data subject's consent. Furthermore, the data subject's email address was visible to other recipients (the "To" field was used instead of BCC).
Holding
The HDPA issued a warning to the data controller, recommending the use of the BCC field in order for mass email communication to remain compliant with Article 32 GDPR. No other measures were deemed necessary, because of the data controller's stance that the inclusion of the subject's email was made by mistake (more particularly, the controller had wrongly thought the data subject was a journalist, and that the data processing would thus be in accordance with Article 6(1)(f) GDPR), and because the controller took corrective measures by removing the data subject's personal details from the mailing list.
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Category: Decision
Date: 21/09/2021
Transaction number: 42
Thematic unit: 09. Promotion of products and services
Applicable provisions: Article 5.1.d: Principle of accuracy; Article 5.1.f: Principle of integrity and confidentiality; Article 32: Processing security
Summary: The Authority reprimanded a controller who sent e-mails to a large number of recipients, placing the recipients' details in the "To" field. When an e-mail address is addressed to a large number of recipients who are natural persons, the controller must take appropriate measures to ensure that the recipients' addresses are not disclosed to a large number of persons. Therefore, in these cases it is better to use the "hidden notification" option or to send individual messages, when possible.
PDF Decision: 42_2021anonym.pdf (243.23 KB)