HDPA (Greece) - 25/2023: Difference between revisions

Latest revision as of 14:25, 20 January 2024

HDPA - 25/2023

Authority:	HDPA (Greece)
Jurisdiction:	Greece
Relevant Law:	Article 5(1) GDPR Article 6 GDPR Article 15(1) GDPR Article 25(1) GDPR
Type:	Complaint
Outcome:	Upheld
Started:	21.01.2020
Decided:	12.06.2023
Published:	27.07.2023
Fine:	210.000 EUR
Parties:	Τράπεζα Πειραιώς Α.Ε.
National Case Number/Name:	25/2023
European Case Law Identifier:	n/a
Appeal:	n/a
Original Language(s):	Greek
Original Source:	HDPA (in EL)
Initial Contributor:	ANASTASIA TSERMENIDOU

The Hellenic DPA fined a bank €210,000 for mistakenly including its customers's personal data in a list of debtors and for not properly responding to an access request. The DPA also concluded that the controller did not implement sufficient organizational and technical measures according to Article 25 GDPR.

English Summary

Facts

Piraeus Bank S.A., the controller, sent the data subject a letter informing them that it had entrusted the management of loans and credit related claims to a credit management company (AFS), its wholly owned subsidiary. The letter also informed that the data subject was subject to a claim and that their personal data had been shared with AFS, which was managing the claim.

The data subject submitted an access request to the controller under Article 15 GDPR, asking for more detailed information such as the date, the means and the purpose of the transmission of their personal data, as well as the loan contract number and any other personal data.

The controller responded that the letter was sent to the data subject by mistake and asked them to disregard it as their personal data had not been shared and remained on its servers.

Dissatisfied with the response, the data subject filed a complaint with the Hellenic DPA, claiming that the controller did not provide them with sufficient information. Moreover, they argued that they did not have any loan or credit related claim with the controller and, therefore, there was no legal basis for sharing their data with AFS.

The DPA opened an investigation regarding the controller.

In the procedure, the controller stated that it had an agreement with AFS for the management of its 'portfolio' (receivables from loan granting and/or customers' debts that had became overdue, terminated or settled). The controller admitted that, due to a technical problem with its systems, letters were mistakenly sent to customers that had zero balance and should not be included in the portfolio.

Holding

After the investigation, the Hellenic DPA could not determine if the data subject's data had been transferred to AFS, but reserved itself the right to further investigate the matter.

On the other hand, the DPA found that personal data from the data subject, as well as from a large number of customers who were involved in loans with zero rest were mistakenly included in a debtors list and received personalized letters. According to the DPA, the controller had no legal basis for this personal data processing and, therefore, violated Articles 5(1)(a) and 6 GDPR.

Furthermore, the DPA held that the controller did not implement sufficient organizational and technical measures to ensure that the processing of personal data meets the legal requirements, in breach of Article 25(1) GDPR.

Finally, the DPA stated that the response to the access request was incomplete as the controller merely informed the data subject that their data remained on its servers, but did not clarify about further processing operations that were being carried out. Thus, it concluded that the controller also violated Article 15(1) GDPR.

For the above reasons, the Hellenic DPA issued a total fine of €210.000 and instruct (the controller) to satisfy the complainant's right of access.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Summary
The Authority found that the complained bank processed the personal data of the complainant and a large number of its customers in violation of the principle of legality and, moreover, without having taken appropriate and effective technical and organizational measures so that only the data that they are necessary to serve a specific purpose, thus violating the principles of legality of processing and data protection by design.

With the information available to date, there has been no transmission of the data of the above persons to the Loan and Credit Receivables Management Company. The Authority expressly reserves the right to exercise its powers in relation to this particular issue in the future, given that the overall audit is ongoing and not yet complete.

Finally, the Authority established the non-satisfaction of the complainant's right of access.

@@ Line 1: / Line 1: @@
+{{DISPLAYTITLE:HDPA (Greece) - 25/2023}}
 {{DPAdecisionBOX
@@ Line 7: / Line 8: @@
 |DPA_With_Country=HDPA (Greece)
-|Case_Number_Name=1510/12-06-2023
+|Case_Number_Name=25/2023
 |ECLI=
 |Original_Source_Name_1=HDPA
-|Original_Source_Link_1=https://www.dpa.gr/el/enimerwtiko/prakseisArxis
+|Original_Source_Link_1=https://www.dpa.gr/sites/default/files/2023-06/25_2023%20anonym.pdf
 |Original_Source_Language_1=Greek
 |Original_Source_Language__Code_1=EL
@@ Line 21: / Line 22: @@
 |Type=Complaint
 |Outcome=Upheld
-|Date_Started=13.12.2022
+|Date_Started=21.01.2020
 |Date_Decided=12.06.2023
 |Date_Published=27.07.2023
 |Year=2023
-|Fine=100.000
+|Fine=210.000
 |Currency=EUR
 |GDPR_Article_1=Article 5(1) GDPR
 |GDPR_Article_Link_1=Article 5 GDPR#1
-|GDPR_Article_2=Article 5(2) GDPR
+|GDPR_Article_2=Article 6 GDPR
-|GDPR_Article_Link_2=Article 5 GDPR#2
+|GDPR_Article_Link_2=Article 6 GDPR
-|GDPR_Article_3=Article 15 GDPR
+|GDPR_Article_3=Article 15(1) GDPR
 |GDPR_Article_Link_3=Article 15 GDPR
 |GDPR_Article_4=Article 25(1) GDPR
@@ Line 51: / Line 52: @@
 |National_Law_Link_2=
-|Party_Name_1=
+|Party_Name_1=Τράπεζα Πειραιώς Α.Ε.
-|Party_Link_1=
+|Party_Link_1=https://www.piraeusbank.gr/
 |Party_Name_2=
 |Party_Link_2=
@@ Line 65: / Line 66: @@
 }}
-The Greek DPA issued a fine of 100 000 EUR to a bank for unlawful processing of personal data and breach of right of access.
+The Hellenic DPA fined a bank €210,000 for mistakenly including its customers's personal data in a list of debtors and for not properly responding to an access request. The DPA also concluded that the controller did not implement sufficient organizational and technical measures according to [[Article 25 GDPR|Article 25 GDPR.]]
 == English Summary ==
 === Facts ===
-Piraeus Bank S.A., the controller, sent the data subject a letter informing them that it had entrusted the management of loans and/or credits related claims to a credit management company (AFS), its wholly owned subsidiary. The letter also informed that the data subject was a party to a claim and that their personal data had been transmitted to the AFS which was managing the claim.
+Piraeus Bank S.A., the controller, sent the data subject a letter informing them that it had entrusted the management of loans and credit related claims to a credit management company (AFS), its wholly owned subsidiary. The letter also informed that the data subject was subject to a claim and that their personal data had been shared with AFS, which was managing the claim.
-The data subject submitted an access request to the controller but wanot satisfied with the answer they received. Then they filed a complaint with the Hellenic DPA, arguing that the controller had no legal basis for sharing their personal data as they were not a party to any loan or credit related claims with the bank. Moreover, they argued that the controller did not provide them with sufficient information after the acess request  under [[Article 15 GDPR]].
+The data subject submitted an access request to the controller under [[Article 15 GDPR]], asking for more detailed information such as the date, the means and the purpose of the transmission of their personal data, as well as the loan contract number and any other personal data.
-On the basis of the information available to date, no transfer of the data of the above-mentioned persons to the Loan and Credit Claims Management Company has occurred (the Bank proceeded, in accordance with the provisions of Law 4354/2015 as in force, an agreement to entrust the management of its receivables from loans/credit to debtors whose debts had become fully or partially due and/or terminated or settled to the Loan and Credit Claims Management Company).
+The controller responded that the letter was sent to the data subject by mistake and asked them to disregard it as their personal data had not been shared and remained on its servers.
-The HDPA stated that she expressly reserves the right to exercise its powers in this regard in the future, given that the general audit is ongoing and has not yet been completed. Finally, the HDPA has found that the complainant's right of access has not been respected.
+Dissatisfied with the response, the data subject filed a complaint with the Hellenic DPA, claiming that the controller did not provide them with sufficient information. Moreover, they argued that they did not have any loan or credit related claim with the controller and, therefore, there was no legal basis for sharing their data with AFS.
+The DPA opened an investigation regarding the controller.
+In the procedure, the controller stated that it had an agreement with AFS for the management of its 'portfolio' (receivables from loan granting and/or customers' debts that had became overdue, terminated or settled). The controller admitted that, due to a technical problem with its systems, letters were mistakenly sent to customers that had zero balance and should not be included in the portfolio.
 === Holding ===
-The Greek DPA found that the controller processed personal data of the data subject and of a large number of its customers in breach of the lawfulness principle. It also held that the controller did not put in place enough measures to ensure that only the data necessary for a specific purpose were processed, violating the principles of data protection by design.
+After the investigation, the Hellenic DPA could not determine if the data subject's data had been transferred to AFS, but reserved itself the right to further investigate the matter.
+On the other hand, the DPA found that personal data from the data subject, as well as from a large number of customers who were involved in loans with zero rest were mistakenly included in a debtors list and received personalized letters. According to the DPA, the controller had no legal basis for this personal data processing and, therefore, violated [[Article 5 GDPR|Articles 5(1)(a)]] and [[Article 6 GDPR|6 GDPR]].
+Furthermore, the DPA held that the controller did not implement sufficient organizational and technical measures to ensure that the processing of personal data meets the legal requirements, in breach of Article [[Article 25 GDPR|25(1) GDPR]].
+Finally, the DPA stated that the response to the access request was incomplete as the controller merely informed the data subject that their data remained on its servers, but did not clarify about further processing operations that were being carried out. Thus, it concluded that the controller also violated Article [[Article 15 GDPR|15(1) GDPR]].
-The HDPA held that the Bank had not taken the appropriate technical and organisational measures measures and did not have the appropriate procedures in place to ensure that the creation of the list of its customers with debts in question was drawn up in accordance with proper systemic configure. Moreover that the high degree of responsibility owns the Bank in relation to the absence of technical and organisational measures.
+For the above reasons, the Hellenic DPA issued a total fine of €210.000 and instruct (the controller) to satisfy the complainant's right of access.
 == Comment ==