HDPA (Greece) - 48/2021: Difference between revisions

From GDPRhub
No edit summary
Line 62: Line 62:
}}
}}


The Greek DPA imposed a fine of €20,000 EUR on a company selling phones because the latter had processed its customers' personal data to promote other products and services without obtaining their prior consent, and had not respected customers' opt-out requests.  
The Greek DPA also fined a company selling phones €20,000 for processing its customers' personal data to promote other products and services without obtaining their prior consent, and not respecting customers' opt-out requests.  


== English Summary ==
== English Summary ==

Revision as of 09:42, 24 November 2021

HDPA (Greece) - 2322/14-10-2021
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 4(11) GDPR
Article 4(12) GDPR
Article 5(2) GDPR
Article 6(1)(f) GDPR
Article 6(1)(a) GDPR
Article 6(4) GDPR
Article 7 GDPR
Article 21 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 14.10.2021
Published: 14.10.2021
Fine: 20000 EUR
Parties: n/a
National Case Number/Name: 2322/14-10-2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: Greek's DPA website (in EL)
Initial Contributor: Elisavet Dravalou

The Greek DPA also fined a company selling phones €20,000 for processing its customers' personal data to promote other products and services without obtaining their prior consent, and not respecting customers' opt-out requests.

English Summary

Facts

Three customers filed a complaint with the Greek DPA against a company (the Company) for processing their personal data for a purpose other than the one for which their data was collected in the first place. The personal data was initially collected during the purchases of goods. The customers claimed that the Company contacted them in order to promote other products and services without respecting their opt-out requests. The Company was claiming that they had contacted the data subjects for a customer satisfaction survey after having obtained their consent.

Holding

The Greek DPA held that the processing of the customers' data to promote other services and goods constituted use of personal data for a purpose other than that for which the personal data was originally collected. Although the Company had argued that they had obtained the customers' oral consent to such processing during the sale of the goods, the Greek DPA found that the Company was unable to prove it. Therefore, the Greek DPA considered that the criteria of Article 6(4) GDPR and Article 5 GDPR should have been respected. The Greek DPA found however that the customers had not been properly informed during the data collection stage about the identity of the controller, and about the fact that their personal data would be used for an additional different purpose.

The Greek DPA also found that the objections of the customers to the further processing of their personal data for marketing purposes had not been respected, in violation of Article 21 GDPR. In relation to the application of the right to object (Article 21 GDPR), the Greek DPA found in particular that the Company did not respect the customers' opt-out requests and did not provide appropriate documents or instructions to prove that they would have been able to respond to such requests.

The Greek DPA therefore imposed a fine of €20,000 for the violations found, taken into consideration the duration and the intensity of the violations.

Comment

What is interesting in this case is that the controller claimed that they processed personal data for marketing purposes (promotion of products) based on data subjects' oral consent obtained during the purchase of products. The DPA couldn't find evidence to suggest that consent was given. Therefore, in the absence of evidence, it cannot be accepted that consent was used as the legal basis of this processing. The DPA stated that it could accept legitimate interest as a legal basis, given the soft opt-in exception. Given though that the processing was carried out for a purpose different that the one for which the personal data was collected in first place, the Greek DPA held that article 6(4) and 5 of the GDPR must be respected. In this specific case at least appropriate information should have been provided to data subject at the data collection stage so that data subjects know that their personal data will be used for an additional purpose, while at the same time providing them with the opportunity to express their objections.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.



  
    

  
  
    
  
    Category
              Decision
          

  
    Date
              14/10/2021

          

  
    Transaction number
              48
          

  
    Thematic unit
          
              09. Promotion of products and services
              
      

  
    Applicable provisions
          
              Article 4.11: Consent (definition)
          Article 4.12: Violation of personal data (definition)
          Article 5.2: Principle of accountability
          Article 6.1.a: Legal basis of consent
          Article 6.1.f: Legal basis of overriding legal interest
          Article 6.4: Compatibility of processing for another purpose
          Article 7: Conditions for consent
          Article 21: Right of objection
          Article 11.2: Register - Article 11
              
      

  
    Summary
              A company that conducts long distance telephone sales, used to promote its products and services the customer data, which it collected during the purchase of products. This processing is the use of personal data for a purpose other than that for which the data were originally collected, therefore the criteria of Article 6 par. In this case, it was found that the data subject was not properly informed during the data collection stage, so that he knows that his data will be used for an additional different purpose, that customer objections were not respected and it was not clear to the data subjects the identity of the controller. Also, in relation to the satisfaction of the right of objection, the controller did not provide appropriate documents or instructions to prove that he was able to respond to such requests. The Authority imposed a fine of 20,000 euros for the violations found.

          

  
    PDF Decision
              48_2021anonym.pdf299.82 KB
          

  


    
  
    Category
              Decision
          

  
    Date
              14/10/2021

          

  
    Transaction number
              48
          

  
    Thematic unit
          
              09. Promotion of products and services
              
      

  
    Applicable provisions
          
              Article 4.11: Consent (definition)
          Article 4.12: Violation of personal data (definition)
          Article 5.2: Principle of accountability
          Article 6.1.a: Legal basis of consent
          Article 6.1.f: Legal basis of overriding legal interest
          Article 6.4: Compatibility of processing for another purpose
          Article 7: Conditions for consent
          Article 21: Right of objection
          Article 11.2: Register - Article 11
              
      

  
    Summary
              A company that conducts long distance telephone sales, used to promote its products and services the customer data, which it collected during the purchase of products. This processing is the use of personal data for a purpose other than that for which the data were originally collected, therefore the criteria of Article 6 par. In this case, it was found that the data subject was not properly informed during the data collection stage, so that he knows that his data will be used for an additional different purpose, that customer objections were not respected and it was not clear to the data subjects the identity of the controller. Also, in relation to the satisfaction of the right of objection, the controller did not provide appropriate documents or instructions to prove that he was able to respond to such requests. The Authority imposed a fine of 20,000 euros for the violations found.

          

  
    PDF Decision
              48_2021anonym.pdf299.82 KB