HDPA (Greece) - 48/2021: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Greece |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoGR.jpg |DPA_Abbrevation=HDPA (Greece) |DPA_With_Country=HDPA (Greece) |Case_Number...") |
(→Facts) |
||
| Line 67: | Line 67: | ||
=== Facts === | === Facts === | ||
Three data subjects filed complains with the Greek DPA against a marketing agency for processing their personal data for a purpose other than it was collected in first place. The data subjects claimed that the marketing agency was contacting them in order to promote its products without respecting their opt-out requests while the marketing agency was claiming that they contacted the data subject | Three data subjects filed complains with the Greek DPA against a marketing agency for processing their personal data for a purpose other than it was collected in first place. The personal data was collected during purchases of goods. The data subjects claimed that the marketing agency was contacting them in order to promote its products without respecting their opt-out requests while the marketing agency was claiming that they contacted the data subject for a customer satisfaction survey after having obtained their consent. | ||
Revision as of 21:43, 22 November 2021
| HDPA (Greece) - 2322/14-10-2021 | |
|---|---|
 | |
| Authority: | HDPA (Greece) |
| Jurisdiction: | Greece |
| Relevant Law: | Article 4(11) GDPR Article 4(12) GDPR Article 5(2) GDPR Article 6(1)(f) GDPR Article 6(1)(a) GDPR Article 6(4) GDPR Article 7 GDPR Article 21 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 14.10.2021 |
| Published: | 14.10.2021 |
| Fine: | 20000 EUR |
| Parties: | n/a |
| National Case Number/Name: | 2322/14-10-2021 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Greek |
| Original Source: | Greek's DPA website (in EL) |
| Initial Contributor: | Elisavet Dravalou |
A company that conducts phone sales, processed customer personal data to promote its products and services to the customers, whose personal data was collected during the purchase of products. The controller held that consent was obtained but was unable to prove it and did not respect the data subject's opt-out requests.
English Summary
Facts
Three data subjects filed complains with the Greek DPA against a marketing agency for processing their personal data for a purpose other than it was collected in first place. The personal data was collected during purchases of goods. The data subjects claimed that the marketing agency was contacting them in order to promote its products without respecting their opt-out requests while the marketing agency was claiming that they contacted the data subject for a customer satisfaction survey after having obtained their consent.
Holding
The Greek DPA held that this processing constitutes use of personal data for a purpose other than that for which the personal data was originally collected, therefore the criteria of Article 6 (4) GDPR must be fulfilled and article 5 GDPR principles must be respected. In this case, it was found that the data subjects were not properly informed during the data collection stage that their personal data will be used for an additional different purpose, that their objections were not respected and the identity of the controller was not clear to the data subjects. Also, in relation to the application of the right of objection, the controller did not respect the data subject's opt-out requests and did not provide appropriate documents or instructions to prove that he was able to respond to such requests. The Authority imposed a fine of 20,000 euros for the violations found, taken into consideration the duration and the intensity of the violations.
Comment
What is interesting in this case is that the controller claimed that they processed personal data for marketing purposes (promotion of products) based on data subjects' oral consent obtained during the purchase of products. The DPA couldn't find evidence to suggest that consent was given. Therefore, in the absence of evidence, it cannot be accepted that consent is accepted as the legal basis of this processing. The DPA stated that it could accept legitimate interest as a legal basis, given the soft opt-in exception. Given though that the processing was carried out for a purpose different that the one for which the personal data was collected in first place, the Greek DPA held that article 6(4) and 5 of the GDPR must be respected. In this specific case at least appropriate information should have been provided to data subject at the data collection stage so that data subjects know that their personal data will be used for an additional purpose, while at the same time providing them with the opportunity to express their objections.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Category
Decision
Date
14/10/2021
Transaction number
48
Thematic unit
09. Promotion of products and services
Applicable provisions
Article 4.11: Consent (definition)
Article 4.12: Violation of personal data (definition)
Article 5.2: Principle of accountability
Article 6.1.a: Legal basis of consent
Article 6.1.f: Legal basis of overriding legal interest
Article 6.4: Compatibility of processing for another purpose
Article 7: Conditions for consent
Article 21: Right of objection
Article 11.2: Register - Article 11
Summary
A company that conducts long distance telephone sales, used to promote its products and services the customer data, which it collected during the purchase of products. This processing is the use of personal data for a purpose other than that for which the data were originally collected, therefore the criteria of Article 6 par. In this case, it was found that the data subject was not properly informed during the data collection stage, so that he knows that his data will be used for an additional different purpose, that customer objections were not respected and it was not clear to the data subjects the identity of the controller. Also, in relation to the satisfaction of the right of objection, the controller did not provide appropriate documents or instructions to prove that he was able to respond to such requests. The Authority imposed a fine of 20,000 euros for the violations found.
PDF Decision
48_2021anonym.pdf299.82 KB
Category
Decision
Date
14/10/2021
Transaction number
48
Thematic unit
09. Promotion of products and services
Applicable provisions
Article 4.11: Consent (definition)
Article 4.12: Violation of personal data (definition)
Article 5.2: Principle of accountability
Article 6.1.a: Legal basis of consent
Article 6.1.f: Legal basis of overriding legal interest
Article 6.4: Compatibility of processing for another purpose
Article 7: Conditions for consent
Article 21: Right of objection
Article 11.2: Register - Article 11
Summary
A company that conducts long distance telephone sales, used to promote its products and services the customer data, which it collected during the purchase of products. This processing is the use of personal data for a purpose other than that for which the data were originally collected, therefore the criteria of Article 6 par. In this case, it was found that the data subject was not properly informed during the data collection stage, so that he knows that his data will be used for an additional different purpose, that customer objections were not respected and it was not clear to the data subjects the identity of the controller. Also, in relation to the satisfaction of the right of objection, the controller did not provide appropriate documents or instructions to prove that he was able to respond to such requests. The Authority imposed a fine of 20,000 euros for the violations found.
PDF Decision
48_2021anonym.pdf299.82 KB
