HDPA (Greece) - 30/2023: Difference between revisions

From GDPRhub
No edit summary
 
(One intermediate revision by one other user not shown)
Line 65: Line 65:
}}
}}


The Greek DPA fined the Athens Urban Transport Organisation (OASA) €50,000 for violating [[Article 5 GDPR|Articles 5(1)(e)]] and [[Article 35 GDPR|35(1) GDPR]], as a result of their processing in the context of electronic ticketing.
The Hellenic DPA (HDPA) fined the Athens Urban Transport Organisation (OASA) €50,000 for violating [[Article 5 GDPR|Article 5(1)(e)]], as their electronic ticketing system was in violation of the principle of storage limitation. Moreover, the HDPA reprimanded OASA for violating [[Article 35 GDPR|Article 35(1) GDPR]], as the data protection impact assessment they submitted to the HDPA for their electronic ticketing system was insufficient.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
In 2017, the Greek DPA had issued two opinions against the Athens Public Transport Authority (OASA) S.A. (the controller), for their processing activities in their implementation of an electronic ticketing system for public transport. The DPA considered that the controller should carry out a data protection impact assessment (DPIA) for their electronic ticketing system. The system used passengers' passport number or other official identification document, their 8-digit code (PIN), their month and year of birth, and if applicable, their category of social beneficiary (for instance, if a passenger received social welfare benefits). In these opinions, the DPA held that the controller should make some amendments in order for their processing to be in compliance with GDPR.
The Athens Public Transport Authority's (OASA) established a new electronic ticketing system. The system used passengers' passport number or other official identification document, their 8-digit code (PIN), their month and year of birth, and if applicable, their category of social beneficiary (for instance, if a passenger received social welfare benefits).  


On 18 November 2019, the Authority carried out an on-site inspection at OASA to determine compliance with the GDPR. Following this inspection, the DPA found remaining issues and in March 2020, the controller made new submissions to the DPA. These included a new DPIA, their record of prior processing activities, as well as a technical report from their contracted processor, "HELLAS SMARTICKET S.A.". The Authority had requested additional information from the controller, which after receiving, it deemed to be unsatisfactory. On 25 September 2023, the DPA proceeded to issue a decision and impose a fine.
In 2017, the HDPA had issued two opinions regarding the OASA's electronic ticketing system. In these opinions, the HDPA considered that the OASA, as the controller, should carry out a data protection impact assessment (DPIA) for their electronic ticketing system.
 
On 18 November 2019, the Authority carried out an on-site inspection at OASA to determine compliance with the previously issued opinions. Following this inspection, the HDPA found remaining issues and ordered OASA to make amendments to their system.
 
In March 2020, the OASA made new submissions to the DPA. These included a new DPIA, their record of prior processing activities, as well as a technical report from their contracted processor, "HELLAS SMARTICKET S.A.". Following these submissions, the HDPA still considered there to be issues with OASA's systems and requested additional information from them.
 
After receiving this information, the HDPA deemed it to be unsatisfactory, and on 25 September 2023, the DPA proceeded to issue a decision.


=== Holding ===
=== Holding ===
Following their inspection, the DPA found that the controller had violated [[Article 5 GDPR|Article 5(1)(e) GDPR]] and [[Article 35 GDPR|Article 35(1) GDPR]].  
The DPA found that the controller had violated [[Article 5 GDPR|Article 5(1)(e) GDPR]] and [[Article 35 GDPR|Article 35(1) GDPR]].  


(a) The DPA found that the controller had breached the principle of storage limitation under [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]]. In the course of their investigation, the DPA found that the controller aimed to retain personal data collected from their customers for 20 years, without demonstrating why this was necessary.  
(a) The DPA found that the controller had breached the principle of storage limitation under [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]]. In the course of their investigation, the DPA found that the controller aimed to retain personal data collected from their customers for 20 years, without demonstrating why this was necessary.  

Latest revision as of 09:08, 25 October 2023

HDPA - 30/2023
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(e) GDPR
Article 25(1) GDPR
Article 35(1) GDPR
Type: Other
Outcome: n/a
Started: 18.11.2019
Decided: 13.06.2023
Published: 25.09.2023
Fine: 50000 EUR
Parties: Athens Urban Transport Organization (OASA)
National Case Number/Name: 30/2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: Evangelia Tsimpida

The Hellenic DPA (HDPA) fined the Athens Urban Transport Organisation (OASA) €50,000 for violating Article 5(1)(e), as their electronic ticketing system was in violation of the principle of storage limitation. Moreover, the HDPA reprimanded OASA for violating Article 35(1) GDPR, as the data protection impact assessment they submitted to the HDPA for their electronic ticketing system was insufficient.

English Summary

Facts

The Athens Public Transport Authority's (OASA) established a new electronic ticketing system. The system used passengers' passport number or other official identification document, their 8-digit code (PIN), their month and year of birth, and if applicable, their category of social beneficiary (for instance, if a passenger received social welfare benefits).

In 2017, the HDPA had issued two opinions regarding the OASA's electronic ticketing system. In these opinions, the HDPA considered that the OASA, as the controller, should carry out a data protection impact assessment (DPIA) for their electronic ticketing system.

On 18 November 2019, the Authority carried out an on-site inspection at OASA to determine compliance with the previously issued opinions. Following this inspection, the HDPA found remaining issues and ordered OASA to make amendments to their system.

In March 2020, the OASA made new submissions to the DPA. These included a new DPIA, their record of prior processing activities, as well as a technical report from their contracted processor, "HELLAS SMARTICKET S.A.". Following these submissions, the HDPA still considered there to be issues with OASA's systems and requested additional information from them.

After receiving this information, the HDPA deemed it to be unsatisfactory, and on 25 September 2023, the DPA proceeded to issue a decision.

Holding

The DPA found that the controller had violated Article 5(1)(e) GDPR and Article 35(1) GDPR.

(a) The DPA found that the controller had breached the principle of storage limitation under Article 5(1)(e) GDPR. In the course of their investigation, the DPA found that the controller aimed to retain personal data collected from their customers for 20 years, without demonstrating why this was necessary.

(b) The DPA found that the controller had violated Article 35(1) GDPR, as their DPIA insufficiently identified the data retention purposes in relation to their records of processing. Moreover, the DPIA was unclear in terms of the risks arising from processing.

As a result, the Greek DPA fined OASA €50,000 for breaching the principle of storage limitation, and issued a reprimand for the violation of Article 35(1) GDPR. In addition, the DPA issued a compliance order against the controller, to identify and document within one month, all data retention periods for their various processing purposes. In addition to these, the DPA issued a compliance order against the controller to revise their DPIA within three months, because their DPIA still contained ambiguities in its risk assessment.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Summary
The Authority carried out an extraordinary on-site inspection at the Athens Urban Transport Organization (OASA) regarding the protection of personal data processed in the framework of the Automatic Fee Collection System (ASSC), a system also referred to by the term "electronic ticket".

Based on the findings, the Authority a) imposed a fine of a total of 50,000 euros on OASA, for the violation of article 5 par. 1 item. e' of the GDPR, b) reprimanded the OASA for the violations of the provisions of article 25 par. 1 and article 35 par. 1 of the GDPR, c) gave a compliance order to the OASA regarding the determination of the data retention times for the various processing purposes, but also to review the personal data impact assessment.