HDPA (Greece) - 9/2024: Difference between revisions
Inder-kahlon (talk | contribs) m (→Facts) |
Inder-kahlon (talk | contribs) m (→Holding) |
||
Line 87: | Line 87: | ||
The Hellenic DPA noted that Article 11, Paragraph 1 of Greek Law 3471/2006, the automated unsolicited electronic communications for direct marketing or advertising purposes is only permissible if the recipient has given explicit prior consent and Paragraph 2 specifies that unsolicited communications involving human intervention for such purposes are prohibited if the recipient is listed on the opt-out register-list of the provider. Advertisers conducting telephone promotions with human intervention are required to obtain an updated register-list from all providers to exclude those who have opted out. Additionally, according to [[Article 4 GDPR#1|Article 4(1) GDPR]] and the opinion 4/2007 of the Article 29 Working Party of the EU, a person's telephone number constitutes personal data, as it can be an indirect identifier of the data subject. The Hellenic DPA also noted that under [[Article 32 GDPR|Article 32 GDPR]], both the controller and the processor have an obligation to implement appropriate technical and organisational measures to ensure an appropriate level of security of processing. | The Hellenic DPA noted that Article 11, Paragraph 1 of Greek Law 3471/2006, the automated unsolicited electronic communications for direct marketing or advertising purposes is only permissible if the recipient has given explicit prior consent and Paragraph 2 specifies that unsolicited communications involving human intervention for such purposes are prohibited if the recipient is listed on the opt-out register-list of the provider. Advertisers conducting telephone promotions with human intervention are required to obtain an updated register-list from all providers to exclude those who have opted out. Additionally, according to [[Article 4 GDPR#1|Article 4(1) GDPR]] and the opinion 4/2007 of the Article 29 Working Party of the EU, a person's telephone number constitutes personal data, as it can be an indirect identifier of the data subject. 
The Hellenic DPA also noted that under [[Article 32 GDPR|Article 32 GDPR]], both the controller and the processor have an obligation to implement appropriate technical and organisational measures to ensure an appropriate level of security of processing. | ||
The Hellenic DPA found that the controller had breached Article 11 of Greek Law 3471/2006 In six cases, alongside violations of [[Article 32 GDPR|Article 32 GDPR]], in the absence of sufficient security measures to oversee the data processed by processors. Call Experts was found in violation of [[Article 32 GDPR|Article 32 GDPR]] in ten cases due to inadequate security measures. Similarly, Plegma Net was found to be in violation of [[Article 32 GDPR|Article 32 GDPR]] in ten cases. Meanwhile, Zitatel was found to be in violation of [[Article 5 GDPR#1|Article 5(1) GDPR]] and [[Article 32 GDPR|Article 32 GDPR]] in two cases. | The Hellenic DPA found that the controller had breached Article 11 of Greek Law 3471/2006 In six cases, alongside violations of [[Article 32 GDPR|Article 32 GDPR]], in the absence of sufficient security measures to oversee the data processed by processors. Call-Experts was found in violation of [[Article 32 GDPR|Article 32 GDPR]] in ten cases due to inadequate security measures. Similarly, Plegma Net was found to be in violation of [[Article 32 GDPR|Article 32 GDPR]] in ten cases. Meanwhile, Zitatel was found to be in violation of [[Article 5 GDPR#1|Article 5(1) GDPR]] and [[Article 32 GDPR|Article 32 GDPR]] in two cases. With regards to Teleraise and Befon, the DPA observed that the measures implemented by both processors to mitigate the risk of recurrence were deemed satisfactory. | ||
For these reasons, the Hellenic DPA: A) imposed a fine of €127,709 on Elpedison the “controller” for violation of [[Article 32 GDPR|Article 32 GDPR]] and instructed the controller to, within six months, develop a procedure for monitoring call centre companies. This procedure should involve conducting comprehensive or random checks on a significant volume of outgoing calls from each collaborating company at least once a year. B) imposed a fine of €10,000 on Call Experts the “processor” for violation of [[Article 32 GDPR|Article 32 GDPR]] and imposed a prohibition on keeping an internal register-list of objections. C) imposed a fine of total €11,000 on ΣΤ & Σια Ε.Ε. (Zitatel) the “processors”, fine of €6,000 imposed for violation of [[Article 32 GDPR|Article 32 GDPR]] and a fine of €5,000 for the violation of [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]]. Additionally instructed the erasure of personal data obtained by Zitatel as controller from the website https://fthinorevma.gr for the purpose of promoting products and services of Elpedison. D) imposed a fine of €20,000 on Call Experts the “processor” for violation of [[Article 32 GDPR|Article 32 GDPR]] and imposed a prohibition on keeping an internal register-list of objections. | For these reasons, the Hellenic DPA: A) imposed a fine of €127,709 on Elpedison the “controller” for violation of [[Article 32 GDPR|Article 32 GDPR]] and instructed the controller to, within six months, develop a procedure for monitoring call centre companies. This procedure should involve conducting comprehensive or random checks on a significant volume of outgoing calls from each collaborating company at least once a year. B) imposed a fine of €10,000 on Call Experts the “processor” for violation of [[Article 32 GDPR|Article 32 GDPR]] and imposed a prohibition on keeping an internal register-list of objections. C) imposed a fine of total €11,000 on ΣΤ & Σια Ε.Ε. 
(Zitatel) the “processors”, fine of €6,000 imposed for violation of [[Article 32 GDPR|Article 32 GDPR]] and a fine of €5,000 for the violation of [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]]. Additionally instructed the erasure of personal data obtained by Zitatel as controller from the website https://fthinorevma.gr for the purpose of promoting products and services of Elpedison. D) imposed a fine of €20,000 on Call Experts the “processor” for violation of [[Article 32 GDPR|Article 32 GDPR]] and imposed a prohibition on keeping an internal register-list of objections. |
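Review bot: in the revised Holding text, item D) fines Call Experts a second time (€20,000, with the same prohibition on keeping an internal register-list of objections as item B), while Plegma Net, found in violation of Article 32 GDPR in ten cases in the preceding paragraph, has no entry in the list of fines. One of the two Call Experts entries looks like a copy of the other and should be checked against the decision before this revision stands. The same paragraph also changes "Call Experts" to "Call-Experts" while items B) and D) keep the unhyphenated form, so pick one spelling. Carried over unchanged and worth fixing in the same edit: "3471/2006 In six cases" has a stray capital, and the finding against Zitatel cites Article 5(1) GDPR where the fine cites Article 5(1)(a) GDPR.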
Revision as of 14:23, 25 April 2024
HDPA - 9/2024 | |
---|---|
Authority: | HDPA (Greece) |
Jurisdiction: | Greece |
Relevant Law: | Article 5(1)(a) GDPR Article 32 GDPR Greek Law 3471/2006 Article 11.1 |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 28.02.2024 |
Published: | 12.04.2024 |
Fine: | 168,709 EUR |
Parties: | Elpedison PLEGMA NET Call Experts Zitatel BEFON LTD Teleraise |
National Case Number/Name: | 9/2024 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Greek |
Original Source: | HDPA (in EL) |
Initial Contributor: | Inder-kahlon |
The DPA imposed fines totalling €168,709 on a Greek electric power supplier and its three affiliated companies for unsolicited communications in violation of Article 11(1) of Greek Law 3471/2006 and for inadequate security of processing under Article 32 GDPR.
English Summary
Facts
The Hellenic Data Protection Authority (HDPA) undertook an investigation following numerous complaints regarding unsolicited spam calls originating from companies acting as call centres (hereinafter “processors”) on behalf of ELPEDISON A.E. (hereinafter "controller"), aimed at promoting the controller's products and services. In Greece, individuals have the option to register under Article 11 of Greek Law 3471/2006 (hereinafter "register-list") to opt out of unsolicited communications. During the investigation, the HDPA rejected complaints that did not meet validity criteria (e.g., complainants who were not registered on the register-list or had failed to raise objections under Article 21 GDPR). The remaining 40 potentially valid complaints, two of which were still under investigation, were divided into four categories. Category A: six complaints where the controller acknowledged a violation might have occurred. Category B: three complaints where the controller disputed the occurrence of a violation. Category C: twenty-nine complaints where the controller claimed to have fulfilled its obligation but the processor failed. Therefore, in addition to the controller, the investigation was extended to include five processors: BEFON (3 complaints), Call Experts (11 complaints), Teleraise (1 complaint), Zitatel (8 complaints), and Plegma Net (7 complaints). Category D: two complaints that were still under investigation at the time.
In many cases the controller had failed to provide a correct, up-to-date register-list on time. It pointed to the complexity of the process, which involves receiving the register-list from various providers, combining the lists and sending the result to the processors. The processor pointed out that delays in the register-list update were due to the 11 million phone numbers that required reformatting before they could be imported and the long time required to upload them into the relevant systems. Both the controller and its processors blamed human and systemic errors, claiming they were isolated incidents and not intentional.
Holding
The Hellenic DPA noted that under Article 11, Paragraph 1 of Greek Law 3471/2006, automated unsolicited electronic communications for direct marketing or advertising purposes are only permissible if the recipient has given explicit prior consent, and that Paragraph 2 specifies that unsolicited communications involving human intervention for such purposes are prohibited if the recipient is listed on the opt-out register-list of the provider. Advertisers conducting telephone promotions with human intervention are required to obtain an updated register-list from all providers to exclude those who have opted out. Additionally, according to Article 4(1) GDPR and Opinion 4/2007 of the Article 29 Working Party of the EU, a person's telephone number constitutes personal data, as it can be an indirect identifier of the data subject. The Hellenic DPA also noted that under Article 32 GDPR, both the controller and the processor have an obligation to implement appropriate technical and organisational measures to ensure an appropriate level of security of processing.
The Hellenic DPA found that the controller had breached Article 11 of Greek Law 3471/2006 in six cases, alongside violations of Article 32 GDPR, in the absence of sufficient security measures to oversee the data processed by processors. Call Experts was found in violation of Article 32 GDPR in ten cases due to inadequate security measures. Similarly, Plegma Net was found to be in violation of Article 32 GDPR in ten cases. Meanwhile, Zitatel was found to be in violation of Article 5(1) GDPR and Article 32 GDPR in two cases. With regard to Teleraise and Befon, the DPA considered the measures implemented by both processors to mitigate the risk of recurrence to be satisfactory.
For these reasons, the Hellenic DPA: A) imposed a fine of €127,709 on Elpedison (the “controller”) for violation of Article 32 GDPR and instructed the controller to develop, within six months, a procedure for monitoring call centre companies. This procedure should involve conducting comprehensive or random checks on a significant volume of outgoing calls from each collaborating company at least once a year. B) imposed a fine of €10,000 on Call Experts (the “processor”) for violation of Article 32 GDPR and imposed a prohibition on keeping an internal register-list of objections. C) imposed fines totalling €11,000 on ΣΤ & Σια Ε.Ε. (Zitatel) (the “processor”): a fine of €6,000 for violation of Article 32 GDPR and a fine of €5,000 for violation of Article 5(1)(a) GDPR. It additionally ordered the erasure of personal data obtained by Zitatel as controller from the website https://fthinorevma.gr for the purpose of promoting products and services of Elpedison. D) imposed a fine of €20,000 on Call Experts (the “processor”) for violation of Article 32 GDPR and imposed a prohibition on keeping an internal register-list of objections.
Comment
Please find relevant provisions of laws and texts cited in this case below:
Greek Law 3471/2006 - Article 11
- "The use of automatic calling systems, in particular using fax machines or electronic mail, and more generally the making of unsolicited communications by any means of electronic communication, [with or] without human intervention, for the purposes of direct marketing of products or services and for any kind of advertising purposes, shall be permitted only if the subscriber has expressly consented in advance."
- "Unsolicited communications with human intervention (calls) may not be made for the above purposes if the subscriber has declared to the provider of the publicly available service that he/she does not wish to receive such calls in general." The provider is obliged to record these declarations free of charge in a special subscriber list, which is available to any interested party.
Comment from the initial contributor: The call centres that randomly dial numbers previously believed they were not handling personal data, as they randomly dial numbers. However, the Hellenic DPA has clarified this matter in Greece, stating that a phone number constitutes personal data, even if the controller or processor claims that no additional data is involved.
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Athens, 02-28-2024 Prot. No.: 669 DECISION 9/2024 The Personal Data Protection Authority met, at the invitation of its President, in an extraordinary meeting via video conference on 07-28-2023. Konstantinos Menudakos, President of the Authority and regular members Spyros Vlachopoulos, Konstantinos Lambrinoudakis, Charalambos Anthopoulos, Christos Kalloniatis, as rapporteur, and Grigorios Tsolias were present. The regular member of the Authority Aikaterini Iliadou and her deputy Nikolaos Faldamis did not attend, even though they were legally summoned in writing, due to disability. At the meeting, without the right to vote, George Roussopoulos, computer scientist specialist, as assistant rapporteur, and Georgia Palaiologou, an employee of the Department of Administrative Affairs, as secretary, attended the meeting, by order of the President. The Authority took into account the following: The Authority has received numerous complaints from telephone subscribers which are related to receiving telephone calls for the purposes of promoting products and services of the company ELPEDISON ELECTRICITY GENERATION SOLE PERSON ANONYMOUS COMPANY (hereinafter Elpedison). In these cases, the Authority forwarded each complaint to Elpedison, usually within a short period of time, so that the company could investigate the complaints and present its views. Then, the Authority examined Elpedison's views so that the details of each case were complete, proceeding to send further documents for clarification, when this was deemed necessary. In the cases where the complaint was not confirmed (e.g. when the complainant was not registered in the Register of article 11 par. 2 of Law 3471/2006 - hereinafter also the Register - or had not filed an objection based on article 21 of the GDPR) the Authority dismissed the complaint, responding to the complainant. 
For those cases where, after the above-described examination of the case, it is probable that the complaint is confirmed or appears to be true, even if this is not accepted by the company, the Authority grouped the relevant cases so that they can be examined together. In this particular case, forty (40) complaint cases are being considered which are contained in the Appendix hereto. After completing the complaint files and taking into account Elpedison's views on each of the complaints, they were categorized as follows: Category A (6 complaints): Cases where Elpedison appears to accept that there has been a breach, which concerns , primarily, its activity as a data controller. Category B (3 complaints): Cases in which the respective complainant provides sufficient data and evidence to document the making of promotional calls on behalf of Elpedison, but during the investigation of the respective complaint case and completion of its file, the Elpedison provided data, from the companies cooperating with it, based on which it does not accept, substantiated, the making of the calls to the specific complainants. Category C (29 complaints): Cases in which, from the initial investigation of the complaints and the opinions of Elpedison, it appears that while Elpedison has – correctly – sent the data of the telephone number of the complainant to the companies cooperating with it, which carry out telephone calls for its promotional purposes, so that this number is not called, these companies, for various reasons, failed to block the call to the complainant. Therefore, in these cases, responsibility appears to arise, in addition to Elpedison, and the respective company making telephone calls (hereinafter also call center). These complaints concern the following companies: a) BEFON TELECOMMUNICATIONS Sole Proprietorship Ltd. (hereinafter referred to as Befon): three (3) complaints (with items G.A.1 to G.A.3 in the Appendix). b) CALL EXPERTS TELEPHONE CENTER SERVICES I.K.E. 
hereinafter Call Experts: eleven (11) complaints (with items G.B.1 to G.B.11 in the Appendix) c) Teleraise İKE (hereinafter also Teleraise): one (1) complaint (with item G.C.1 in the Appendix) d) ST & Co. E.E. (hereinafter also Zitatel): eight (8) complaints (with items G.D.1 to G.D.7 and G.E.71 in the Appendix) e) PLEGMA NET M.E.P.E. (henceforth GRID): seven (7) complaints (with G.E.1 to G.E.7 details in the Appendix) Category D (2 complaints): Complaint cases that were under investigation, at the time the companies were called to hearing at the Authority. The issues raised for examination in the above complaints are summarized as follows: 1. Category A cases In 4 of the 6 cases of complaint (cases under items A.{1,3,4,6} in the Appendix) from the data of each file that Elpedison delayed by a few days at some stage of the process of updating and sending the Register to the cooperating companies, as a result of which the called subscriber's number was not sent to the call center companies in time and a call was made to him. This process, which has been described in detail in Elpedison's memoranda and procedures, includes: a) receiving a register from the providers, once a month, b) merging the Register of the different providers and c) sending the consolidated Register to the cooperating companies , which must then use it for the calls they make. The delay is established in particular in each specific case as follows: A.1: Elpedison was a few days late in sending the Record (six -6- days according to its initial response), in the month of June 2020. The file was sent on 14/6/2020 while the call was made on 11/6/2020. A.3: The call was made on 17/9/2020 while the complainant had joined the Register in the month of August 2020. Elpedison collected the Registers and sent them to the call centers on 15/9/2020 (Tuesday). The processor (call center) informed their system (dialer) with a delay of one business day, which can however be considered reasonable. 
A.4: The call was made on 4/11/2020. The complainant's number was not included in the file Elpedison received from his provider in October 2020, but was in the November file. Elpedison received this file on 9/11/2020. A.6: The subscriber was registered on 08/02/2022, while she received the call on 15/3/2022. The number was received by Elpedison with the March Registry from the complainant's provider, but as another provider had delayed sending its Registry, Elpedison was late in sending the Registry files to the call centers (sent on 16 /3/2022), an action he proceeded with without finally including the Registry of the late provider. A.2: It appears from the case file that during the examination of the first 2 calls to which the complaint relates, the called number was not included in the Register. Elpedison stated in writing that it included the phone number in the internal objection register (which it practically maintains for the implementation of Article 21 of the GDPR), but followed up with a new call on 20/10/2020. The company reports that due to an obvious and unacceptable error by an employee, the implementation of the inclusion of the number in the internal register of objections had not been completed. A.5: The complainant was a subscriber of the provider InterTelecom. Elpedison accepts that it did not receive the registry from this company. After the complaint, he included this company among those to whom he sends requests to receive the Register. 2. Category B cases The three cases in this category show different incidents. In case B.1 Elpedison admits that a call was made (out of two -2- listed in the complaint) to one number of the complainant, but denies any call to the other number. To this end, it provides a relevant certificate from the company that provides the software to the processor (call center). 
As for the one call that was made, Elpedison maintains that it lasted one second and that it was made at the subscriber's objection request, in order to enter the number in the internal registry. It is pointed out that the call, according to the complainant, was covert. In a second, supplemental complaint, there are two (2) more recent calls, which the complainant adequately documents by providing copies of cell phone device screens. Elpedison, however, with a newer document, while accepting that the number belongs to her partner, denies that calls were made, presenting a certificate from the processor, from which it appears that the number has been excluded from the calls. With a subsequent, third document, the Authority asked for an explanation of the difference between the data provided by the complainant and those listed by the executor. The company provided more complete information, from which it appears that the call has not been made and states that the subscriber must now provide information about (incoming) calls. With his fourth document, the subscriber reports another call (missed this time). The company, in response, with its fourth document, denies that this call was made, presenting a list of outgoing calls of the executor. With his fifth document, the complainant mentions a call again, this time including the name of an employee of the call center company with whom he spoke. On the other hand, the call center company, which owns the number, produced a document from its carrier with a copy of outgoing calls for two months, to prove that it did not make the call, as it does not include the number of the complainant. In case B.2 the number of the complainant was registered in the Registry. The company denies the call, providing a printout from the company's call center system showing that no call was made. 
The complainant responded by providing a screenshot from his device showing the first call and two more (the first on 7/5/2021, the next on 7/26/2021 and 9/6/2021). The company reiterates that the associate sent her call logs (which she provided to the Authority), which did not result in a call. In case B.3 the complainant mentions two calls made on 2/22/2022 and 2/25/2022 respectively. After filing the complaint, it states another call on 4/7/2022. For the calls he provides screenshots from his device. It also appears that the telephone number of the complainant had been entered in the Register. According to Elpedison, a check carried out by the call center company revealed that no calls were made from its phone numbers to the complainant's phone number, attaching a list of outgoing calls as proof. From this list it appears that a call was made by the complainant to the call center company, which he also mentions and which appears to have been made 4 minutes after the call that the complainant says he received. The company speculates that the appearance of its numbers in the screenshots is due to a possible diversion of the complainant's calls. 3. Category C C.A BEFON cases In the three complaint cases (two in 2019 and one in 2022) Elpedison accepts Befon errors (human and systemic) for the first two calls. In the third complaint, the complainant, who was registered with the Registry, states that he entered his number into an online form in order to receive a call from Elpedison. After receiving two related calls, he asked not to be called again. The cooperating company admits that while it received this request, it did not register it correctly, due to a technical failure, and proceeded with subsequent calls. Befon says it has already taken steps to resolve such functional failures by installing special software. 
G.B Call Experts
In most of the complaints concerning the company in question (7 out of 11), the calls referred to in the cases seem to be due to a delay by this company to integrate the file with the Registry (or the special objections) into its systems, after being forwarded by Elpedison. According to Call Experts, this is due on the one hand to the large volume of files (more than 11,000,000 telephone numbers), which require separate formatting before entering them into its system, and on the other hand to the long time required to load them into the relevant system, which must be performed on non-working days and hours. The delay period is as follows in each case:
- G.B.4: one (1) full working day (no intervening weekend)
- G.B.5: one (1) full working day (no intervening weekend)
- G.B.6: eleven (11) days
- G.B.8: six (6) days (a weekend intervenes)
- G.B.9: three (3) days (a weekend intervenes)
- G.B.10: four (4) days (a weekend intervenes)
- G.B.11: five (5) days (a weekend intervenes)
In the other cases, specific issues are mentioned as follows:
G.B.1 and G.B.2: Call Experts reports that due to a technical issue, some calls are not "cut off" in advance, but after 2-3 seconds. It also claims that in the first instance there was no conversation (which the complainant disputes).
G.B.3: Elpedison alleges that there was a breach due to "unreasonable human error" on the part of the processor (Call Experts) as the March 2021 Vodafone Record was loaded into the dialer system, instead of the April 2021 Record.
G.B.7: The complaint concerns a call on 4/1/2022. Elpedison reports a processor error. Specifically, on the first working day of the year (3/1/2022), Call Experts renewed and upgraded user licenses (however, it is not stated which user licenses and which systems are affected). There were bugs with this update, which were fixed on 8-9/1/2022, which were not business days (weekend).
G.C TELERAISE
G.C.1: Elpedison accepts an illegal call.
A system error is reported at the processing company Teleraise, due to an upgrade, which has since been fixed. G.D. Zitatel In most of the eight (8) complaint cases (G.D.1-7 and G.E.7) Elpedison states that the processing company Zitatel states that an error has been made (either systemic of a technical nature –G. D.1, G.D.2, G.D.3 – or human when a manual call is made –G.D.4, G.E.7-). In the other cases it states the following: G.D.5-G.D.6: In these cases Zitatel seems to be involved not only in terms of making each call, but also in terms of the initial collection and processing of the telephone number of called subscriber. In the first case, it is stated that the call was made after registering the complainant's phone number on the "www.fthinoreyma.gr" website. Zitatel considers that there is consent (even if this action was not done by the complainant as the data subject but by a third party, e.g. malicious). The complainant maintains that he did not register his details on such a website. With its document, the Authority pointed out that the consent procedure, which the company invokes, does not seem to be in accordance with the Directive 2/2011 and the consent conditions of the GDPR. It was also pointed out that, on this website, M.I.K.E. is listed as the controller. with the brand name "NUZIT" and the d.t. "Nooseit" and not Zitatel. With her next document, Elpedison mentions that for this specific action she is not the data controller herself, but the company that cooperates with her, but stating that she will investigate the issue, although she maintains that she cannot control the specific website. In the second case, Elpedison reports the blindness of an employee of the cooperating company. Zitatel states that the complainant was called as part of an existing customer relationship, but this is not confirmed by Elpedison. 
According to Zitatel, after a further request by the complainant not to call back, a call did indeed follow, which was due to an employee error as the complainant's number was listed as a redial. After the answer to the Authority, another call followed, this time with concealment. Elpedison again reports editor error (Zitatel). He adds that he carried out an on-site inspection and sent recommendations by email, among which the recommendation that the cooperating company should apply the Register to all the phones declared on "fthinorevma.gr" is highlighted. G.D.7: The company had not cooperated with Elpedison, providing the necessary clarifications, until the hearing call. G.E. NETWORK In three (G.E.4, G.E.5, G.E.6) out of the seven total cases, the NETWORK reports that the call was made solely due to a system error during the update of the "local dialer" system which is used among other things, for the exclusion of the Registry numbers from the calls it makes. Specifically, at least on the dates 07-02-2022, 08-02-2022 (first two complaints) and 16-02-2022 PLEGMA reports that it faced a technical problem in the connection with its provider due to a technical failure, as a result of which they cannot to make the calls from the "cloud dialer" system located at the MED NAUTILUS company. PLEGMA reports that it has "turned" its sales employees to the "local dialer" system that exists in its facilities (as provided by the Business Continuity Plan based on ISO 27001). PLEGMA estimates that there was not enough time for the "local dialer" system to be fully updated with the numbers to be discarded as the process of updating the local system requires some time to be fully completed. The following are mentioned in the other cases: G.E.1, G.E.3: The call center called because it characterized the action as a "callback". Three (3) calls were made in the first case, while in the second the call was made manually. 
No documentation is provided as to the purpose of the callback (eg whether it occurred after subscriber action). G.E.2: PLEGMA reports that no call was found to the complainant's number on the specific day. But he mentions (voluntarily) that calls were made after 22-04-2022 by the "CAMP1" campaign in which a customer is called after consultation - consent to be called back in order to settle pending matters. In this case, the Register is not checked, and this is because the Customer himself has requested and/or consented to be called at a later time. G.E.7: According to Elpedison's response with original number G/EIS/3090/07-05-2020, the complainant exercised the right to object on 01-24-2020 while he was not registered in the Register of his provider. The complainant came back stating that he received a total of five (5) calls (the first on 02-13-2020, while he also mentions four more after a month from the date of the objection). Elpedison does not acknowledge that either of these calls were made. A newer document from Elpedison (G/EIS/7350/26-10-2020) provides a response from PLEGMA which shows that two calls were made on 13-02-2020 and 31-03-2020 due to an error, despite the fact that the number it had been included in the internal file of objections so that it would not be called. With this document Elpedison states that finally the number of the complainant was added to the internal register of objections after the receipt of the Authority's document (sent in April 2020) and not on 24-01-2020 as it had originally reported in error. Category D cases In these two cases Elpedison's views had not been filed by the day of the hearing with the Authority. The first concerns a complaint in which Call Experts may be involved as the processor, while the second concerns Zitatel. As regards its general activity, Elpedison had indicated before the hearing (see its document with prot. no. 
C/EIS/6019/13-04-2022) that it makes telephone calls through its external partners in order to inform consumers about its products and services. In compliance with the current legislative framework and the decisions of the Authority, it has formulated specific procedures for making these outgoing calls, which are described in detail in the memorandum with protocol number C/EIS/8221/17-10-2018 that it has submitted to the Authority. The call center companies cooperating with it hold the position of processors, have been selected on the basis of strict criteria, have committed within the framework of the cooperation agreements to apply the provisions of both the GDPR and Law 3471/2006, and are regularly checked for compliance with the conditions of the relevant legislation. In February 2022 it completed the regular inspection of its partners and is in the process of evaluating the results in order to decide on the instructions to be given to them on issues that require improvement. It also points out that it has communicated to its partners specific instructions regarding the processing of personal data, including the procedure for making outgoing calls (see "Personal data management instructions for Elpedison partners"). All partners train their employees at regular intervals, so that any violations of Elpedison's procedures are minimal.

Elpedison specifically points out the difficulties created by the application of Law 3471/2006, which it states the Authority has also recognized in its various decisions. It specifically mentions that the Registry numbered (at the last inspection) more than 11,000,000 telephone numbers, a figure it considers unrealistic and which raises questions regarding the receipt of objection requests from providers.
However, the very size of these files (Registries) creates most of the problems during their cleaning and formatting (especially for the processors), while, in addition, the time required to update the information systems is significant. Problems also arise from time to time due to delays in the collection of the Registers, because they are not sent on time by the providers. In March 2022, for example, one of the three main telephone providers had not sent the Register until the 17th day of the month. It maintains that, of course, the above difficulties increase the possibility of an error through no fault of Elpedison and its partners.

Following the above, the Authority proceeded with a call for a hearing before the plenary on 19/7/2022 of the following: Elpedison, for all the complaints and for the general practice it follows for phone calls for promotional purposes; and the companies Call Experts, Zitatel and PLEGMA, for the complaints of categories C and D that concern them and for the general practice they follow in the context of their cooperation with Elpedison. For Zitatel in particular, it pointed out that its role would be examined with regard to the data collected through the fthinorevma.gr website. During the meeting of 7/19/2022, all four of the above companies were present and submitted a request to postpone the discussion of the case, which was accepted. The Authority proceeded with new calls to the companies for 13/9/2022 (prot. no. C/EXE/{2197-2200}/06-09-2022).

The following representatives of the four companies attended this meeting by video conference: On behalf of Elpedison, Marios Andrikopoulos, Director of the Legal Department, with AM DSA ..., and from the Legal Department Despina Kollia with AM DSA ... and Eleni Miga with AM DSA .... On behalf of PLEGMA, A, ... and the company's attorney-at-law Alexandros Koliothomas with AMDSA ..., while B, the company's Data Protection Officer, was also present.
On behalf of Zitatel, the representative of C. On behalf of CALL EXPERTS, D, legal representative of the company, E, shareholder, and the attorney of the company, Alexandros Koliothomas with AMDSA....

The representatives of the companies presented their views orally, were given a deadline and filed briefs, with the exception of Zitatel, which did not file a brief, referring (as it stated in a telephone communication) to Elpedison's views.

In particular, Elpedison submitted its memorandum No. Β/ΕΙΣ/10818/07-10-2022, in which it briefly states the following:

The cases of complaint to the Authority concern individual cases of error and not a systemic failure on the part of the company or a deliberate act. They are isolated events, as evidenced by their small number, which were unnecessarily corrected. It is obvious that in the daily operation of the businesses of both Elpedison and its partners, human and technical errors sometimes occur, which the company evaluates and uses as a springboard for taking the necessary improvement measures and ensuring faithful and strict adherence to the terms and conditions of applicable law.

Elpedison provides its views on the specific complaint cases by adding or clarifying the following information in relation to what it had reported to the Authority during the stage of completing the file of each case:

A.1: The short delay in notifying the register to its partners was due solely to an obvious human error of the employee who had undertaken the specific procedure, as can be seen from the data provided by the company.

A.2: From the internal communication provided, it appears that the inclusion of the telephone number in the company's "do not call list" was mistakenly perceived as having been implemented, with a relevant reference being mistakenly included in the company's initial letter.
A.3: The cooperating call center (Call Experts) was late in sending the investigation data, which has been evaluated as misconduct on its part and has been duly taken into account by Elpedison. The company has also provided explicit instructions not to make anonymous calls and to properly inform the called persons. A letter from Call Experts is also provided as proof.

A.4: This is a case that demonstrates the difficulties of applying the current legislation on calls for the purposes of promoting products and services. Given the periodicity with which files are received on a case-by-case basis, an asymmetry is created between the numbers declared at the beginning of each period and the rest, since for the former the 30-day period has almost automatically passed as soon as the company receives each list, for which a reasonable processing time is also required. In this case, therefore, a question of proportionality and legitimate leniency arises if the right to terminate is still exercised. Objective difficulties from the application of the applicable procedures, as derived from the relevant provisions, cannot be overcome even with extreme diligence measures.

A.5: The involvement of a regional telecommunications company in the number of subscribers should be taken into account and evaluated. The relevant register of licensed telephone providers numbers several hundred companies. Coverage of over 99.95% of all subscribers makes Elpedison's policy fully compliant with the requirements of current legislation.

A.6: In this particular case, the company is not liable, given that, for reasons of consistency and efficiency, a single register should be sent. This was not possible due to a delay by one of the main telecommunication providers.

B.1: Given the facts of the case, Elpedison considers that this specific complaint should be dismissed because there was no wrongdoing on its part or on the part of its partner.
B.2: Elpedison asked the partner call center (Zitatel) to send its telecommunication provider's analysis of outgoing calls in order to provide additional data; however, no such analysis was sent. Consequently, it considers that it bears no responsibility regarding this particular call.

B.3: The partner of Elpedison (GRID) reported that no calls were made to the complainant's telephone number and, in support of its claims, an analysis of outgoing calls was provided by its provider. Therefore, the company considers that no liability arises either for itself or for its partner.

D.1: Elpedison forwards the 12/9/2022 response of the cooperating call center (Call Experts), which shows a delay on its part in sending the data. Elpedison considers the failure of this partner/processor to provide the requested information in a timely manner to be misconduct, which it has evaluated in the context of their cooperation. Furthermore, it considers that, based on what Call Experts presents, no responsibility of Elpedison can be identified, and that in this case the given instructions were not followed by that company.

D.2: Elpedison's partner (Zitatel) did not provide data. The misconduct of this partner has been assessed by Elpedison.

In addition to the examination of individual complaints, Elpedison states that it systematically follows specific procedures for recording and monitoring the complaints and requests of data subjects, with the aim of continuously improving the procedures as well as the monitoring of its partners. A result of this approach is the small number of complaints, and also their fragmentary nature, as none of them demonstrates systematic wrongdoing or systemic failure on its part. Individual omissions do not negate an overall picture of compliance.
Elpedison also states that it systematically carries out inspections of the cooperating call centers through an external consultant, with a frequency of approximately one audit per year, with the aim of checking the implementation of the procedures notified to them and the fulfillment of their obligations. The last check was carried out in 02/2022 with on-site sample checks in all call centers except one (TELERAISE), where it was carried out via a remote questionnaire. The audit did not reveal any critical findings; however, a deadline was set until the end of 09/2022 for compliance. Within the first half of 2023, it is estimated that a new audit will be launched regarding the corrections made by the partners based on the findings.

In relation to the calls that the partner companies claim were not made, Elpedison states that it has not been aware of the use of mechanisms other than due process. As part of the audit by its consultant, the applications and systems used for calls were recorded, among other things, and the measures taken for their correct use (following the fields of the ISO 27001 standard) were noted. It was not possible to check whether other parallel means or systems were used for making calls, since this requires a technically complex procedure, but in any case there were no indications pointing to the need for further specialized control.

The detailed audit reports were forwarded to the Authority. From a review of them, on the matters that are the subject of the complaints, the above references in Elpedison's memorandum were confirmed. It is especially pointed out that the audit concerned organizational and technical measures, while it does not seem to have included a (sample or full) audit in relation to the calls that have been made.
Elpedison also states that, in compliance with applicable legislation since May 2018, it has established and is implementing a specific policy for the protection of personal data and the proper implementation of the GDPR. In this context, its partners, who hold the position of processors, have been selected on the basis of strict criteria, have committed in the framework of the cooperation agreements between them to apply the provisions of both the GDPR and Law 3471/2006, and are regularly checked by Elpedison regarding their compliance, while written and verbal recommendations are addressed to them as the case may be. At the same time, in the contracts it concludes with its partners, the company includes special conditions regarding the making of outgoing calls, in addition to the relevant instructions it notifies them about.

In relation to the fthinorevma.gr website, Elpedison states that it has come to an agreement with its partner ST KE SIA EE that the website in question will be set up as a website that exclusively advertises its products. This was reflected in the relevant agreement of the year 2022. Therefore, after this contract, the said partner is a processor, and Elpedison considers that it took due care and acted promptly by taking appropriate compliance measures, regardless of its non-immediate prior responsibility.

Call Experts submitted its memorandum No. Prot.
G/EIS/10817/07-10-2022, in which it briefly states the following:

Call Experts strictly complies with the current legislation, and in this case with the proper observance of the telephone numbers registered in the Register, and constantly makes every effort to comply with its obligations. It has taken organizational measures to ensure the guarantees required for its compliance with the conditions of legality when carrying out promotional and other actions, not only having appropriate and documented procedures in accordance with international standards (ISO), but also having given written and detailed instructions to its staff for the strict observance of the process of keeping the Register.

The company cooperates with Elpedison as a "Processor" on the basis of a contract, which is attached, for the purpose of expanding Elpedison's customer base by promoting and selling through the sales channels of the products in the sales area, for the purpose of concluding supply contracts with selected customers. For this purpose, Call Experts makes calls on a "cold list" and/or "hot list" basis (as such lists are commonly known in the art).

A "cold list" means a list consisting exclusively of telephone numbers which is automatically generated based on the so-called "random numbering spectrum". A "hot list" means the list or database, usually of the controller's existing clientele, which contains, in addition to the telephone number of the customer-subscriber, other details of the latter, such as name, postal address and e-mail address. This list is forwarded by the data controller to the call center in order for the latter to make phone calls to these customers-subscribers in the name and on behalf of the data controller, to promote the latter's products/services in accordance with its explicit orders and instructions.
The company describes in detail the process it follows for calls based on a "cold list". According to this process, the final list (electronic file) of phone numbers to be called is created after first excluding, by an automated process, the phone numbers to which, according to the current legislation, promotional calls cannot be made. The excluded numbers come from:

I) The electronic file with the telephone numbers registered in the Registry. This file is received by the company electronically (usually in the first 10 days of each month for the previous month) from all the main telecommunications providers and also from Elpedison on a monthly basis.

II) The electronic file with the telephone numbers registered in the Objection Register maintained by Call Experts.

After the above procedure excludes these telephone numbers, the electronic file with the remaining telephone numbers of the selected numbering range is entered into the dialer, which then starts calling these numbers. The dialer forwards the calls made in this way to the Call Experts sales staff. The employee first informs the called person of his name, of the company from which he is calling (Call Experts) and also that he is calling on behalf of Elpedison. Caller numbers are not masked. Personal data is collected if the called person expresses an interest in the offer and the negotiation process for concluding a contract is about to begin.

Call Experts also declares that it is checked by Elpedison for the correct implementation of the opt-out register and of the other rights of the data subjects.

In relation to the individual complaint cases, Call Experts states the following:

G.B.1: It accepts that it made calls on the approximate dates and times indicated in the complaint (21-01-2021 and 03-02-2021), maintaining, however, that they were unanswered and terminated within 2 seconds, without accepting that there was communication between the complainant and an employee.
The company states that the complainant's number was included in the January 2021 Register but not in the February 2021 Register, and that, as it "loads" into its information systems the Register sent by Elpedison on a monthly basis, which amounts to approximately 14 million telephone numbers, it happens (very rarely), when a user of the company puts a lot of stress on the information system (e.g. pulls a very heavy report or loads a new list), that the system is slow to "react", but again this is a matter of seconds. It claims that for this reason the complainant's telephone number was called by the company's dialer, which terminated the above telephone calls within 2 seconds (because it "recognized" (sic) that the telephone number is registered in the Register). The company attributes the calls to a minor technical delay.

G.B.2: Although the complainant's number was included in the Registry file received from Elpedison on 03-02-2021, the "loading" of that particular Registry into its information systems was completed shortly after Call Experts called the complainant on 05-05-2021 (a call about which the complainant did not complain to the Authority). The call in question was not answered and was routed to the company's information system for automatic redial, which occurred on 02-23-2021. The company reports that the call lasted just 2.8 seconds and was terminated (without an answer) almost immediately by the dialer, which "recognized" with this infinitesimal delay that the complainant's phone number is now registered in the Registry.

G.B.3: The dialer system should not have called the complainant's phone number on 28/04/2021, because the electronic file with the Registry for the month of March 2021 had already been received from Elpedison on 08/04/2021. Its further investigation revealed that the company's IT manager uploaded the February 2021 file by mistake and without purpose.
G.B.4: It accepts that it made a call on 06-09-2021 to the complainant's number, which was included in the Register. The call is due solely to the time of receipt of the specific Register and the time required for it to be "loaded" into its information systems. In particular, it received the Register for the month of April 2021 (note: obviously May, as the subscriber was registered in the Register on 07-05-2021) only on 07-06-2021, and the "loading" of the specific Register into its information systems was completed shortly after the disputed call was made, i.e. on 06-09-2021 after the end of that day's shift. No further calls were made to the telephone number.

G.B.5 – G.B.6: It accepts that it made calls on 07-09-2021 and 07-16-2021 to the numbers of the complainants, which were included in the Registry. The calls are due solely to the time of receipt of the specific Register (07-07-2021) and the time required for it to be "loaded" into its information systems, taking into account the summer holidays and the absence of a specific high-ranking executive. After the complainants exercised their right to object during the disputed telephone calls, Call Experts immediately took the required remedial actions to avoid any further harassment of them for advertising, promotional or other purposes, and has also included their telephone numbers in the register of objections maintained by it. No further calls have been made.

G.B.7: It accepts that it made a call on 04-01-2022 to the complainant's number, which was included in the Registry. On the first working day of the year (03-01-2022) the company renewed and upgraded some licenses (note: these are not explicitly specified). With this particular "update" there were some bugs (note: these are also not specified), which were fixed on 08-01-2022 and 09-01-2022, which were not working days (weekend).
The company states that "Apparently in the context of the specific technical problem we faced, this call was also made, which is in no way due to fraud, bad intent or conscious non-compliance with the legal obligations of our Company", and that it has also entered the telephone number in the register of objections maintained by it, and no further calls have been made.

G.B.8: It accepts that it made a call on 17-01-2022 to the complainant's number, which was included in the Registry. The call is due solely to the time it took to receive the specific Register from its provider and the time it took to "load" it into its information systems. In particular, it states that it received the Register on 11-01-2021 and that its "loading" into its information systems was completed after the disputed call was made, and no subsequent calls were made to the telephone number.

G.B.9 – G.B.10: It accepts that it made calls on 14-02-2022 and 15-02-2022 to the numbers of the complainants, which were included in the Registry. The calls are due solely to the time it took to receive the particular Register and the time it took to "load" it into its information systems. In particular, it states that it received the Register on 10-02-2022 and that its "loading" into its information systems was completed after the disputed calls were made, and no further calls were made to the telephone numbers.

G.B.11: It accepts that it made a call on 22-03-2022 to the complainant's number, which was included in the Registry. The call is due solely to the time it took to receive the specific Register from its provider and the time it took to "load" it into its information systems. In particular, it states that it received the Registry on 16-03-2022 and that its "loading" into its information systems was completed after the disputed call was made, and no subsequent calls were made to the telephone number.
D.1: It accepts that it made a call on 08-03-2022 to the complainant's number, which was included in the Registry that it received on 10-01-2022 and 10-02-2022. In particular, it states that the call lasted only 2.8 seconds and was terminated (without being answered) almost immediately by the dialer, which "recognized" with this infinitesimal delay that the complainant's telephone number is registered in the Register. It also reports that the 2-3 second delay for the dialer to end a call to a phone number registered in the Registry has recurred, but is something the company is trying to remedy.

In conclusion, Call Experts maintains that the complaints at issue fall into two main categories:

(a) Cases in which it takes an average of approximately four business days from the date of receipt to "load" the Registry into the dialer each month. Here it should be taken into account that the very voluminous Registry file requires, each time, prior time-consuming processing in terms of formatting, and that the processing of this file as well as its "loading" takes place during non-working hours.

(b) Cases in which calls are made to telephone numbers that are registered in the Register, but these calls are automatically terminated by the dialer with an infinitesimal delay of approximately 2-3 seconds, without of course being answered. This is due to the fact that at that moment the company's information system may be strained (e.g. because someone downloads a large file), resulting in this small delay in the termination of the call.

Call Experts considers these cases to be isolated incidents without malice.
This is because the telephone calls in question were made over a period of two years (six calls in the year 2021 and six calls in the year 2022), while the systematic and purposeful making of telephone calls to telephone numbers included in the Register in order to obtain a substantial financial benefit from the company would arise, as you, only from a systematic and short-term violation of the Registry. Nor could any substantial financial benefit for the company arise from any reduction. On the contrary, calls such as the ones in question, given the sensitivity of consumers (who know that their telephone number is included in the Article 11 Register), are only at the expense of the company. In all cases, the company immediately proceeded with the required actions to avoid any further harassment of the complainants for the purpose of advertising or promotional actions, having entered their telephone numbers in the register of objections kept by the company (Call Experts), and no calls have been made by it since.

Finally, the company states that it has never previously concerned the Authority, given the known pathologies of the Registry, while it constantly makes every possible effort to comply with its obligations. It has taken organizational measures to ensure the guarantees required for its compliance with the conditions of legality when carrying out promotional and other actions, having not only appropriate and documented procedures in accordance with international standards (ISO), but also having given written and detailed instructions to its staff for the strict observance of the procedure for complying with the Register of Article 11 of Law 3471/2006.

PLEGMA submitted its memorandum No. G/EIS/10810/07-10-2022, which is identical to that of Call Experts up to the point where reference is made to the individual complaint cases that were mentioned in the Authority's document with prot. no. C/EXE/1772/11-07-2022 and that concern it.
In relation to these cases, PLEGMA states the following:

G.E.1: It accepts that calls were made on 06-22-2020 and 07-03-2020, during the hours mentioned in the complaint and while the complainant's number was included in the Registry. From its research, it emerged that the number had been called by PLEGMA before its inclusion in the Registry and was characterized as a "recall". PLEGMA reports that the two calls on the above days were made manually by an employee of the company who is strongly "suspected" of having kept the complainant's phone number on hold and called him, mistakenly believing that the phone number was still not registered in the Registry. The company reports that it immediately proceeded with the required remedial actions to avoid any further harassment of the complainant for promotional purposes and has also included his telephone number in the register of objections that it maintains, and no other calls have been made.

G.E.2: It states that the complainant was called on 04-03-2020, before the inclusion of his number in the Registry on 04-09-2020. While it does not accept that a call was made on the date mentioned in the complaint, it states (voluntarily) that this number had been included in a special call-back campaign to settle pending cases, for which the Registry is not checked. The company reports that it immediately proceeded with the required remedial actions to avoid any further harassment of the complainant for promotional purposes and has also included his telephone number in the register of objections that it maintains, and no other calls have been made.

G.E.3: It states that it did call the complainant's number on 26-10-2020, but that this number was not included in the Register that PLEGMA received from Cosmote on 05-10-2020. During the call, the number was marked with "STATUS IMMEDIATE REFUSAL" and was added to PLEGMA's objection register.
PLEGMA points out that the complainant's telephone number appears for the first time as included in the Register received from the company COSMOTE on 09-11-2020. However, it should be pointed out that, based on the opinions of Elpedison (prot. no. G/EIS/8627/16-12-2020), the complainant's number was sent to PLEGMA on 05-10-2020, while the complainant herself, in a later document, had ruled out the possibility that she had been called in the past by PLEGMA and that the new call arose out of her own callback request, as Elpedison had argued in its opinions based on what it says it was told by PLEGMA.

G.E.4 – G.E.5: It accepts calls to the numbers of the complainants on 02-07-2022 and 02-08-2022, which it attributes exclusively to a system error. The company reports that it encountered a technical problem in the interface with its provider due to a technical failure, as a result of which calls could not be made from the cloud dialer located at the company MED NAUTILUS. Thus, in order for the activity to continue on that particular day, and after having previously started to update the "local dialer" with the renewed registers, they turned the salespeople to the "local dialer" that exists on the company's premises (as provided for in the company's Business Continuity Plan based on ISO 27001). However, this update requires time in order to be fully completed. Given that they had already started the phone calls from the "local dialer", as a considerable amount of time had already passed since calls via the "cloud dialer" had stopped, it seems that the time was not sufficient for the "local dialer" to be fully updated, resulting in the numbers being called.

G.E.6: It accepts a call to the complainant's number on 16-02-2022, which is due to a systemic error in the interface with its provider due to a technical failure, as in the two previous cases.
The company reports that in the above cases of technical failure of the "cloud dialer" it proceeded immediately with the required remedial actions, namely systematically updating both the "cloud dialer" and the "local dialer" at the same time with the Register, as updated each time, and with the register of objections that it maintains. It is pointed out that, although it was requested during the hearing, PLEGMA did not provide further documentation for the above incidents, such as technical reports from its provider or MED NAUTILUS, internal technical reports, or internal documentation of the incident and countermeasures.

G.E.7: It accepts only one call, on 24-01-2020, which lasted 5 seconds and was marked with the "status" "IMMEDIATE REJECTION". The company states that it immediately added the telephone number to the register of objections that it maintains and that no further calls have been made by it to the number in question. It should be noted, however, that this statement contradicts the information that PLEGMA provided to Elpedison (see document no. G/EIS/7350/26-10-2020), from which it appears that two calls were made on 13-02-2020 and 31-03-2020.

In conclusion, PLEGMA reports that the contested calls are minimal and cover a period of three years, that they concern individual incidents, that no financial benefit could arise for the company, that they do not exceed the "psychological limit" of 10 set by the Authority, and that ultimately they can only be at its expense, as they damage and expose it.
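The two failure modes described in the memoranda above (a Register still being "loaded" while calls go out, and a failover to a dialer holding an older Register) can both be closed by checking before the call is placed and refusing to dial when the active Register is too old. The sketch below is an added example, not code from the decision or from any of the companies; the class and function names, the sample numbers and dates, and the use of the 30-day window as a staleness threshold are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Iterable, Optional, Set

# Assumed policy knob: the active Register must contain declarations made
# up to 30 days before the call (the window cited under Law 3471/2006).
GRACE = timedelta(days=30)


def normalize(number: str) -> str:
    """Reduce a number to national digits so '+30 210...' and '210...' match."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if digits.startswith("0030"):
        return digits[4:]
    if len(digits) == 12 and digits.startswith("30"):
        return digits[2:]
    return digits


@dataclass(frozen=True)
class Snapshot:
    numbers: frozenset
    covers_until: date  # last declaration date contained in the provider files


@dataclass
class DialerNode:
    """One dialer (e.g. 'cloud' or 'local') with its own copy of the lists."""
    name: str
    active: Optional[Snapshot] = None
    objections: Set[str] = field(default_factory=set)
    _staging: Set[str] = field(default_factory=set)

    def stage(self, chunk: Iterable[str]) -> None:
        """Load part of a Register file; the active snapshot is untouched."""
        self._staging.update(normalize(n) for n in chunk)

    def commit(self, covers_until: date) -> None:
        """Swap in the fully staged Register in a single step."""
        self.active = Snapshot(frozenset(self._staging), covers_until)
        self._staging = set()

    def add_objection(self, number: str) -> None:
        """Internal objections take effect immediately, without a reload."""
        self.objections.add(normalize(number))

    def decide(self, number: str, today: date) -> str:
        """Return DIAL, BLOCK_LISTED or BLOCK_STALE before any call is placed."""
        n = normalize(number)
        if n in self.objections:
            return "BLOCK_LISTED"
        if self.active is not None and n in self.active.numbers:
            return "BLOCK_LISTED"
        # Fail closed: with no Register, or one that is too old, dial nobody.
        if self.active is None or self.active.covers_until < today - GRACE:
            return "BLOCK_STALE"
        return "DIAL"


def failover_scenario() -> dict:
    """Constructed data: the cloud dialer is current, the local one is not."""
    today = date(2022, 2, 7)
    listed, unlisted = "+30 210 000 0001", "2100000002"  # constructed numbers

    cloud = DialerNode("cloud")
    cloud.stage([listed])
    cloud.commit(date(2022, 1, 31))

    local = DialerNode("local")
    local.stage(["2100000009"])
    local.commit(date(2021, 11, 30))  # older Register left on the standby node

    out = {
        "cloud_listed": cloud.decide(listed, today),
        "cloud_unlisted": cloud.decide(unlisted, today),
    }
    # Failover: agents are moved to the local dialer while the new Register
    # is only partly staged and not yet committed.
    local.stage([listed])
    out["local_mid_load_listed"] = local.decide(listed, today)
    out["local_mid_load_unlisted"] = local.decide(unlisted, today)

    local.stage(["2100000009"])
    local.commit(date(2022, 1, 31))
    out["local_committed_listed"] = local.decide(listed, today)
    out["local_committed_unlisted"] = local.decide(unlisted, today)

    local.add_objection(unlisted)
    out["local_after_objection"] = local.decide(unlisted, today)
    return out


if __name__ == "__main__":
    for step, verdict in failover_scenario().items():
        print(f"{step:28s} {verdict}")
```

With this gate, the standby dialer places no calls at all until its Register is committed, and a listed number is rejected before dialing rather than dropped seconds after the phone rings.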
Finally, the company states that it has never concerned the Authority (note: it should be noted, however, that with decision 38/2019 the Authority imposed the penalty of a reprimand on PLEGMA for violating Article 32 of the GDPR when processing the data of a natural person subscriber, who received a call while he had entered his number in the Registry), and that, given the known pathologies of the Registry, it constantly makes every effort to comply with its obligations. It has taken organizational measures to ensure the guarantees required for its compliance with the conditions of legality when carrying out promotional and other actions, having not only appropriate and documented procedures in accordance with international standards (ISO), but also having given written and detailed instructions to its staff for the strict observance of the process of keeping the Register of article 11 of Law 3471/2006.

The Authority, after examining all the elements of the file and after hearing the rapporteur and the assistant rapporteur, after a thorough discussion,

CONSIDERED IN ACCORDANCE WITH THE LAW

1. The issue of telephone calls for the purposes of direct promotion of products or services and for any kind of advertising purposes is regulated in article 11 of Law 3471/2006, which introduces regulations regarding unsolicited communications (see par. 1 and 2). Specifically, in article 11 par.
1 of Law 3471/2006 it is defined that: "The use of automatic dialing systems, in particular using facsimile (fax) or e-mail devices, and more generally the making of unsolicited communications by any means of electronic communication, without human intervention, for the purposes of direct commercial promotion of products or services and for any kind of advertising purposes, is allowed only if the subscriber expressly consents in advance", while paragraph 2 of the same article states that: "It is not allowed to make unsolicited communications with human intervention (calls) for the above purposes, as long as the subscriber has declared to the provider of the service available to the public, that he generally does not wish to receive such calls. The organization is obliged to register these declarations free of charge in a special list of subscribers, which is available to anyone interested". Consequently, telephone calls with human intervention for the above purposes are permitted, unless the called party has declared that he does not wish to receive them ("opt-out" system). Advertisers, as long as they carry out telephone promotions with human intervention, must receive from all providers updated copies of the registers of article 11 of Law 3471/2006 and ensure that they have available the subscribers' statements made up to thirty days before the making of the telephone call (see also Decisions no. 62-67/2016 of the Authority).

2. Furthermore, the telephone number of a natural person is personal data, since it can function as an element of indirect identification of its owner (cf. article 4 par. 1 of Regulation (EU) 2016/679, hereinafter GDPR), allowing communication with him. According to Opinion 4/2007 of the working group of Article 29 of the E.U.
on the concept of personal data, especially in the operation of electronic services, indirect identification elements can in some cases sufficiently distinguish a person from others within a certain set, even if his name has not been verified.

3. Making telephone calls for the purpose of promoting products and services is regulated in principle by article 11 of Law 3471/2006. However, it should be pointed out that article 3, paragraph 2 of this law clarifies that "Law 2472/1997, as applicable, and the executive laws of article 19 of the Constitution, as applicable, apply to every issue related to the provision of electronic communications services, which is not specifically regulated by this law". Now, after the implementation of the GDPR, any reference to Law 2472/1997, which was issued in compliance with Directive 95/46/EC, is understood as a reference to the GDPR (see also article 94 par. 1 GDPR). Therefore, for every issue related to the provision of electronic communications services to subscribers or users who are natural persons and which is not specifically regulated in Law 3471/2006, the GDPR applies (see also article 95 GDPR as well as recital 173, as well as Opinion 5/2019 of the EDPS on the interaction between the Directive on the protection of privacy in the field of electronic communications and the GDPR, in particular with regard to the competence, tasks and powers of data protection authorities).

4. In article 4 par. 7 of the GDPR, a data controller is defined as "...the natural or legal person, public authority, agency or other entity that, alone or jointly with others, determines the purposes and manner of the processing of personal data…". The processor is defined in the next paragraph of the same article as "the natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller".

5.
In article 28 of the GDPR, which regulates the matters concerning the processor, and in particular in paragraph 1, it is provided that when the processing is to be carried out on behalf of a controller, the controller uses only processors who provide sufficient assurances for the implementation of appropriate technical and organizational measures, in such a way that the processing meets the requirements of the regulation and ensures the protection of the rights of the data subject. Paragraph 3 of the same article defines that the processing by the processor is governed by a contract or other legal act subject to the law of the Union or the Member State, which binds the processor in relation to the controller and defines the object and the duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects and the obligations and rights of the controller. The contract or other legal act in question provides in particular, among other things, that the processor processes the personal data only on the basis of recorded instructions of the controller and takes all the necessary measures pursuant to article 32 of the GDPR.

6. In article 29 of the GDPR it is defined that "The processor and any person acting under the supervision of the controller or the processor, who has access to personal data, processes said data only on the instructions of the controller, unless required to do so by Union or Member State law." This provision introduces an obligation for the data processor to process data only on the instructions of the data controller, unless the law stipulates another obligation. Therefore, violation of this provision by processors constitutes a violation of the GDPR on their part.

7.
Article 32 of the GDPR stipulates, inter alia, that both the controller and the processor implement appropriate technical and organizational measures in order to ensure an appropriate level of security against risks, taking into account the latest developments, implementation costs and the nature, scope, context and purposes of the processing, as well as the risks of varying probability of occurrence and severity to the rights and freedoms of natural persons. The controller and the processor shall take measures to ensure that any natural person acting under the supervision of the controller or the processor who has access to personal data processes it only on the instructions of the controller. It follows from these provisions that the responsibility for the observance of appropriate security measures rests with both the controller and the processor and therefore responsibility for a breach of security measures should be apportioned and attributed appropriately.

8. In the GDPR Guidelines 07/2020 on the concepts of controller and processor in the GDPR it is stated (paragraph 127) that the level of instructions given by the controller to the processor as to the measures to be taken depends on the specific conditions. In some cases, the controller may provide a clear and detailed description of the security measures to be implemented. In other cases, the controller may describe the minimum security objectives to be achieved, while asking the processor to propose the implementation of specific security measures. In any case, the controller must provide the processor with a description of the processing activities and security objectives (based on the controller's risk assessment), as well as the approval of the measures proposed by the processor.

9.
Paragraph 10 of article 28 states that "Without prejudice to articles 82, 83 and 84, if the processor determines the purposes and means of the processing in violation of this regulation, the processor is considered a controller for the specific processing." Therefore, in cases where a processor, even in the wider context of his cooperation with a data controller, carries out processing activities for which he has no recorded instructions (either specific or general) from the data controller, he must be considered the controller, as he determines the purpose and means of said activities.

10. From the information in the file, it appears that Elpedison, through a contract, assigns cooperating call center companies to make promotional calls to promote its own products and services. With the contracts, printed instructions and other orders it provides to the companies in question, Elpedison sets a series of specifications, which determine the framework of activity of each of its partners with the aim of meeting the requirements of the GDPR and Law 3471/2006. Elpedison fully defines the goal of the processing, thus its purpose, while also defining the basic characteristics of the means of processing. As explicitly stated in Elpedison's instructions to partner companies (see page 8 of the instructions form), "The contact list with the details of persons called by Elpedison's partners is either sent by Elpedison to the partner or is generated based on a random number spectrum." Therefore, Elpedison is the controller for both cold-listed and targeted (hot-listed) calls. In particular, the following activities of processing personal data and making telephone calls for the purpose of commercial promotion to subscribers, which largely include natural persons, arise and are examined:

i. Calls from Elpedison's partner companies in a random numbering range, as selected by Elpedison's criteria ("cold list").
For these calls, the legal basis of the processing, taking into account article 11 par. 1 and 2 of Law 3471/2006, may be article 6 par. 1 f of the GDPR ("the processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, unless these interests are overridden by the interest or the fundamental rights and freedoms of the data subject that require the protection of personal data, in particular if the data subject is a child") to the extent that it is ensured that numbers that have been included in the Registry will not be called and that the principles of article 5 of the GDPR and the other conditions set by the Regulation are satisfied, such as in relation to the principle of transparency (see in particular article 14 of the GDPR) and the rights of the called data subjects.

ii. Targeted calls to numbers which have been pre-selected with various criteria, such as due to the consumer's wish, due to a "to call back" note, etc. Individual cases of this category of calls are the following actions:

a. Calls based on lists provided by Elpedison ("hot list"), e.g. lists of customers to approach.

b. Calls that arise at the request of the called subscriber, e.g. when he requests a callback.

c. Calls to numbers following the collection of data directly from the subscribers to be called, for example through the "fthinorevma.gr" website.

For these calls, the legal basis of the processing, taking into account article 11 par. 1 and 2 of Law 3471/2006, can be as follows. For the first case, either the aforementioned article 6 par. 1 f of the GDPR, e.g. for calls to existing customers of the controller, as long as they have not expressed an objection (either generally through the Registry or specifically), or Article 6 para. 1 a' of the GDPR (consent). Calls based on consent can be made even to subscribers who are registered in the Register of article 11 par. 2 of Law 3471/2006.
For the second case, the legal basis that can be more easily applied in the case of the request of the called subscriber is his consent, while especially in cases where the called subscriber is registered in the Register, consent is the only legal basis on which he can be called, even in the event of a redial. For the third case, the first stage of the processing activity includes data collection directly from the subject (the subscriber to be called) by his own actions, therefore, a more appropriate legal basis may again be consent without the legal basis of the processing that is necessary to take measures at the request of the data subject before entering into a contract (no. 6 para. 1 b΄ GDPR). It goes without saying that in all cases the other conditions provided for in the GDPR must be met, both in relation to the basic principles of Article 5 (in particular the satisfaction of the principle of transparency and the requirements of Article 14 of the GDPR) and in relation to the legal consent requirements, as defined in articles 4 para. 11 and 7 of the GDPR.

It is pointed out in particular that in cases of consent the controller should be able to prove that the data subject consented to the processing act. In particular, the data controller must obtain consent in such a way that it is possible to verify with certainty that the specific data subject has taken a positive declaration action. Therefore, a note in an information system entered by an employee of the controller or processor cannot be considered valid consent, as it does not provide sufficient evidence that the particular natural person subscriber requested the call. Also, the non-response of a subscriber to a call to him, when the initial call has not been made with the legal basis of consent, cannot be considered valid consent. Finally, for the application of the legal basis of article 6 par.
1 b', the controller should be sure that the request comes from the actual subscriber and not a third party, therefore, he must implement measures to be sure that the specific subscriber (natural person) requested the call during the pre-contractual stage. These measures must be equivalent to the case of proof of consent.

iii. The activity related to the gathering of the Register through the telephone service providers, its consolidation and its eventual sending to the final recipients (e.g. processors), for use when making the calls. This activity was found to be carried out by Elpedison. It is also reported that some of the partner companies also collect the Registry. This activity is necessary based on article 11 of Law 3471/2006 (and therefore has a legal basis in article 6 par. 1 c of the GDPR, which concerns the processing necessary to comply with a legal obligation of the controller) and falls as an obligation on the controller and not on the processors, who can proceed with such activities for the specific purpose only after an explicit order from the controller.

iv. The activity related to the maintenance of a special register of objections by natural person subscribers, i.e. the register of subscribers who, exercising the right to object in accordance with article 21 of the GDPR, oppose the processing for direct marketing purposes, with a statement which, based on article 21 para. 3 of the GDPR, must result in the cessation of the processing of the data of said natural person subscribers for promotional purposes by the data controller. Regarding this activity, it was established that such an objection register is kept both by Elpedison and by companies collaborating with Elpedison, such as the companies Call Experts and PLEGMA, for the calls they make for promotional purposes of Elpedison and possibly third parties.
This activity is necessary for the satisfaction of the aforementioned article 21 of the GDPR (and therefore has a legal basis in the aforementioned article 6 par. 1 c of the GDPR) and falls as an obligation on the data controller (Elpedison) but not on the processors. The controller is, based on Article 12 of the GDPR, responsible for satisfying the rights of the data subjects. The processors may proceed with such activities for the specific purpose only after an express order from the controller.

With regard to the register of objections, it is found that Elpedison has included a specific term in the text of instructions by which it binds the Call Center companies cooperating with it. In it (see section 8.1 p. 10) it explicitly specifies that "Especially with regard to the subject's objection/objection/unwillingness to be called back at the time of the call regarding calls similar to the one made to the subject, the partner's staff must record this wish together with the person's identification and contact information and inform Elpedison by a specified process (e.g. via email, via CRM) about this person's request." Therefore, the keeping of a special register of objections internally by each Call Center company, when it is not the data controller, does not meet the requirements of Article 21 of the GDPR. This is because a called natural person who has expressed opposition to receiving calls promoting Elpedison may be called again by another Call Center company to promote Elpedison.

Finally, in case a Call Center company keeps such an internal register of objections for calls that it makes for several of its customers, or for calls that it makes for one of its customers without the customer's express order, then it is the controller and it is responsible for illegal processing of personal data.
It is pointed out that the processing of data of a subscriber (natural person) which is carried out after the stage of accepting an offer, which is of course included in the contracts between Elpedison and the call center companies, is not the subject of examination of this case.

11. The controller and the processor undertake the implementation of appropriate measures in order to ensure an appropriate level of security against risks. Responsibility for not implementing appropriate measures in violation of Articles 28, 29 and 32 of the GDPR should be appropriately shared between the processor and the controller. Therefore, in cases where an error occurs during the application of security measures by the processor, who has specialized the general measures set by the controller, the processor bears a greater responsibility for the implementation of these security measures. However, if it turns out that the processor violates the obligations imposed on him by the contract, and processes data beyond or in violation of the instructions of the controller, then there is a violation of Article 29 of the GDPR by the processor.

12. In relation to the technical and organizational measures which must be taken by the controller and the processor in order to ensure the appropriate level of security against risks, it is pointed out that these measures cannot always prevent every possible incident of breach of personal data security. However, after any failure of these measures, an assessment and evaluation of their effectiveness must follow, as a necessary element of maintaining the security of the processing. Therefore, the primary step is to record the incident, so that it is documented and the controller's compliance with the principles of Article 5 of the GDPR can be proven, as is also required based on the principle of accountability.
Such failures must be recorded, while to the extent that they concern an incident of breach of security (requirements of confidentiality, integrity or availability), the provisions of article 33 of the GDPR for the notification of the incident to the supervisory authority are also applied. Indeed, if such an incident is noticed by the processor, it is his responsibility to immediately inform the controller of the incident, without even carrying out a risk assessment of the incident.

13. Elpedison's responsibility as controller in relation to processors is, in the first instance, to provide appropriate tools, directions and instructions so that only lawful calls and only lawful personal data processing activities are carried out. In the examined cases, it was found that as part of its obligations, Elpedison collects the Registers from the providers at regular intervals, consolidates them and sends them to the processing partner call center companies. At the same time, it keeps a special register of those who have objected to receiving telephone calls (based on Article 21 of the GDPR), which it also sends to the cooperating companies. It is found that the activity in question is well planned, but it remains to be checked how it has been implemented in each of the cases of the examined complaints. This is because, in a second stage, Elpedison's responsibility also concerns the adequacy of the control and supervision of the processors, as well as the actions taken by the company itself as soon as it becomes aware of the complaints, in order to check the effectiveness of the procedures and the manner of operation of the cooperating companies and their application of the instructions it provides them, to identify points in which these procedures can be improved or cases in which the cooperating companies violate their obligations, and, in the event that any violation is found, to take the necessary measures to avoid similar incidents in the future.

14.
In relation to the individual complaints, the following is established: In cases A.1, A.3, A.4 and A.6, small delays in receiving and sending the Registers by Elpedison are found, which are marginal (i.e. a few days after the period of one month), while in one case (A.6) the delay is more justified due to the non-response of a provider to the company's request to receive the Register. Complaint A.2 refers to an obvious and unacceptable error by an employee, which was actually documented through the company's internal communications. Therefore, it is accepted that this is a case of an isolated error. For complaint A.5, it appears that Elpedison did not initially receive the Register of a provider with a particularly small number of subscribers, but as soon as it was informed of the complaint, it proceeded with appropriate corrective actions. Consequently, in the six (6) cases above, there is a violation of the provision of article 11 of Law 3471/2006 and the calling of numbers of subscribers who had been included in the register of article 11 par. 2 of their provider. It is accepted, however, that no systematic wrongdoing or systemic failure on the part of Elpedison has been established and that the complaints in question relate to isolated incidents.

15. For the cases of category B, the Authority considers that from the existing data no violation by the companies in question can be established, although the complainants provide sufficient data to prove that they have received phone calls. However, the evidence provided by the call center companies and Elpedison is sufficient, at this stage, to prove that they did not make these calls, especially as detailed lists of outgoing calls are provided by their provider. It cannot be ruled out that one of the Call Center companies made the call in another way (e.g. via VoIP technology or other similar technique) but, with the current evidence, it is not possible to investigate further.
Furthermore, the specific cases are a small number of isolated phenomena, which do not appear to be repeated, nor have other similar incidents been reported to the Authority in relation to the companies in question. The Authority will monitor in the future for the appearance of similar complaints in order to judge whether it is required to carry out a specialized control action.

For the cases of category C complaints:

16. Regarding the companies Teleraise (case Γ.Γ.1) and Befon (three cases Γ.Α.1-3), it is established that due to individual errors the companies made calls to subscribers who had been added to the register, although they had received the appropriate instructions from the controller. As can be seen from the examined data, the companies themselves accept their errors, which are few and concern a period of more than two years, while they have taken measures to limit them.

17. Regarding Call Experts IKE: A key finding of the Authority is the delay in integrating the Register into its systems. It is pointed out that it cannot be accepted that this process requires a particularly long time. It is a repetitive process which concerns only telephone numbers, although in a fairly large number, that is, a single data item with a very specific format, which can easily be checked. It must be accepted that some additional time is required to check the Registry entries received from the providers and to homogenize the files, as the format in which the Registry files are received from each provider differs, but the Authority estimates that such processes are now easily automated, as after more than ten years of experience operating the Registry, problems of homogenization and formats must be recognized and resolved immediately, basically automatically and with minimal human intervention. Delays beyond one working day are not reasonable, while when a weekend intervenes, the company has the opportunity to complete these processes even more easily.
This action should be the first priority of the company, as it is related to the satisfaction of citizens' rights and is a legal obligation of the controller, which has been assigned through the contracts to the Call Center companies. Therefore, it can be considered that the phone calls in cases G.B.4 and G.B.5 (which occurred one working day after the Registry file was received) do not result in a violation by Call Experts, while in the five (5) cases G.B.6 (11 days delay in applying the Registry), G.B.8 (6 days), G.B.9 (3 days including a weekend), G.B.10 (4 days including a weekend) and G.B.11 (5 days including a weekend) there is a violation of article 32 of the GDPR.

Furthermore, to avoid errors, the automatic dialer must be set to reject calls before they even begin. It is not acceptable to perform such a check after the call routing has started, as there is the possibility of calling a subscriber who has objected. Therefore, in automatic calls, the numbers should be discarded before being loaded into the dialer (cases G.B.1 and D.1). In the case of manual calls, which would only exceptionally be permitted, appropriate measures should be in place to check before the call is made that the number is not in the Register or objection register, or that specific consent exists (case G.B.2). Consequently, from the specific three (3) cases of complaint, a systemic problem arises in the applications of the Call Experts company and a violation of article 32 of the GDPR by the processor.

For the other two complaint cases (G.B.3, G.B.7) Call Experts reports that a human error (in the first of these) and a technical error (in the second) has occurred. But it does not provide any relevant recorded evidence of the error, not even internal communications, which could be considered the minimum indication of the error. In fact, even in the case of license upgrades, it is not mentioned which licenses these were and how they affected the processing.
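The pre-load check described above, as an added Python sketch that is not part of the decision or of any company's system: provider files in differing layouts are normalized into one Register set, the dial list is filtered before it reaches the dialer, and the same comparison is run over an outgoing-call log. The function names, the file layouts, the sample numbers and the rule that provable consent overrides only the Register (never the objection register) are assumptions of this example.

```python
import re

def normalize(raw):
    """Return the 10-digit national form of a Greek number, or None.

    Assumption: numbers are written nationally (10 digits, first digit 2 or 6)
    or with a +30 / 0030 prefix, with arbitrary separators.
    """
    digits = re.sub(r"\D", "", raw)
    if digits.startswith("00"):
        digits = digits[2:]
    if len(digits) == 12 and digits.startswith("30"):
        digits = digits[2:]
    return digits if len(digits) == 10 and digits[0] in "26" else None

def load_register(text):
    """Parse one provider file whatever its layout; return (numbers, unparsed)."""
    numbers, unparsed = set(), []
    for line in text.splitlines():
        hits = [n for n in map(normalize, re.split(r"[;,\t|]", line)) if n]
        if hits:
            numbers.update(hits)
        elif len(re.sub(r"\D", "", line)) >= 7:
            # Looks like a number we could not read: surface it for review
            # instead of silently dropping an opt-out.
            unparsed.append(line)
    return numbers, unparsed

def build_register(provider_files):
    """Merge all provider files into one suppression set."""
    register, unparsed = set(), []
    for text in provider_files:
        numbers, bad = load_register(text)
        register |= numbers
        unparsed += bad
    return register, unparsed

def filter_before_load(candidates, register, objections, consented=frozenset()):
    """Split a dial list into (loadable, blocked) before the dialer sees it."""
    loadable, blocked = [], []
    for raw in candidates:
        number = normalize(raw)
        if number is None:
            blocked.append((raw, "unparseable"))   # fail closed
        elif number in objections:
            blocked.append((number, "objection"))
        elif number in register and number not in consented:
            blocked.append((number, "register"))
        else:
            loadable.append(number)
    return loadable, blocked

def audit_call_log(call_log, register, objections, consented=frozenset()):
    """Return (timestamp, number, reason) for calls that should not have gone out."""
    findings = []
    for row in call_log:
        _, blocked = filter_before_load([row["to"]], register, objections, consented)
        findings += [(row["at"], number, reason) for number, reason in blocked]
    return findings

# Constructed sample data: three provider files in three different layouts.
PROVIDER_A = "msisdn;registered\n6912345678;2019-11-02\n2101234567;2019-12-14\n"
PROVIDER_B = "+30 694 000 0001\n0030-210-7654321\n69400000\n"  # last line truncated
PROVIDER_C = "A-17,(+30) 2310 555 010,active\n"
OBJECTIONS = {"6970000002"}   # controller's objection register (constructed)
CONSENTED = {"2101234567"}    # numbers with provable consent (constructed)
DIAL_LIST = ["6912345678", "+30 210 1234567", "697 000 0002", "6980000003", "12345"]
CALL_LOG = [
    {"at": "2020-02-13T10:02", "to": "00306940000001"},
    {"at": "2020-02-13T10:05", "to": "6980000003"},
]

if __name__ == "__main__":
    register, unparsed = build_register([PROVIDER_A, PROVIDER_B, PROVIDER_C])
    print("register entries:", len(register), "needs review:", unparsed)
    print(filter_before_load(DIAL_LIST, register, OBJECTIONS, CONSENTED))
    print(audit_call_log(CALL_LOG, register, OBJECTIONS, CONSENTED))
```

Lines that look like a number but cannot be parsed are returned for review rather than discarded, so a malformed provider record does not silently turn into a callable subscriber.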
Furthermore, it is established that in no case has such an error been notified to the Authority, nor had the process of informing the data controller about the error been initiated internally by the processor, as the processor is obliged to do based on article 33 par. 2 of the GDPR. Therefore, the claims of Call Experts regarding the justification of the errors are rejected as unfounded and unproven, and therefore violations of Article 32 of the GDPR arise.

18. As regards Zitatel, which, it should be noted, did not file a statement of opinions, despite the presence of its representatives during the hearing, based on what has been communicated to the Authority by Elpedison, the following is established: In the six (6) complaint cases G.D.1, G.D.2, G.D.3, G.D.4, G.D.6 and G.E.7, errors are reported for which no documentation is provided. Therefore, with the reasoning developed above, the company's relevant claims are rejected as unfounded and unproven. It is noted that in order to avoid mistakes, the control of calls must also include "manual" calls, which may be allowed either to numbers that are not included in the Register, or after consent that meets the characteristics of the GDPR. Therefore, in the above cases, a violation of Article 32 of the GDPR is established. In the case of complaint D.2, as mentioned by Elpedison, there is misconduct by Zitatel, due to failure to provide information to the data controller. Therefore, as the process of investigating a complaint is a necessary stage for the evaluation of the security measures taken, there is also a violation of Article 32 of the GDPR for which Zitatel is responsible.

19.
With regard to the operation of the fthinorevma.gr website, the collection of personal data through it, and the subsequent making of telephone calls with "consent", it appears that with regard to the two complaints under investigation (G.D.5-G.D.6), Zitatel was the data controller, as it was an action that was implemented to promote Elpedison products and services, but beyond Elpedison's instructions. The specific activity was also carried out in violation of the principle of transparency and the principle of legality of article 5 par. 1 a' of the GDPR, as in the information existing on the website at the time of the complaints, a different company appeared as the controller and there was no information about the recipients (e.g. Zitatel). In addition, the collection of telephone numbers through their declaration in a form on a website does not meet the conditions of valid consent. This is because the data controller is not able to prove that the specific data subject who is a subscriber or even a user of the telephone number consented to the processing act, i.e. that it was he and not a third party who registered his telephone number on the website. The Authority recalls that it has issued Directive 2/2010 on electronic consent in the context of Article 11 of Law 3471/2006, which provides guidance on the minimum measures to prove consent regarding the collection of telephone numbers and other electronic communication data. Therefore, statements and other personal data received by Zitatel through the website in question have not been collected legally and must also be deleted.

20. It is also pointed out that even after the new agreement between Elpedison and Zitatel, based on which the operation of the fthinorevma.gr website will be done on behalf of Elpedison, it is not clear that the risk of a subscriber's data (e.g. phone number) being entered in the online form by third parties has been addressed.
Therefore, the legality of the applications and other personal data obtained through the said website must be evaluated, even after the agreement with Elpedison, and in case the above risk has not been addressed, this data must also be deleted.

21. Regarding PLEGMA: As mentioned above, in the cases of "recall" or a call after the callee's wish, the legal basis of the processing of personal data for the implementation of the call appears to be consent. Therefore, the evidence for this should provide certainty that the specific natural person/subscriber performed the action considered as consent within the meaning of Article 4 point 11 of the GDPR. To this end, a simple note in the company's systems is not sufficient, while in any case the Register must be checked before making any callback for which there is no consent. Therefore, in the four (4) complaint cases G.E.1, G.E.2, G.E.3 and G.E.7 it is found that PLEGMA, due to not taking sufficient measures to avoid illegal calls, violated Article 32 of the GDPR. In complaint cases G.E.4-6, PLEGMA exclusively reports a systemic error due to a technical problem in its interface with its provider and Med Nautilus. Although requested by the Authority, no relevant recorded evidence of the error was provided, nor was it mentioned that a data breach incident management procedure was initiated with the timely notification of the data controller, as required by Article 33 para. 2 of the GDPR. In any case, such an incident could be dealt with directly by using the "local dialer" infrastructure but, based on PLEGMA's reports, the specific infrastructure worked, at least for some hours and even on different days, without the renewed Registers, in violation of the obligations of the processor deriving from article 32 of the GDPR.

22. It is also noted that both Call Experts and PLEGMA state that they maintain an internal objection register, based on which they do not redial subscribers who object during the call.
It is pointed out that, as analyzed above, "Call Center" companies are not authorized to keep their own record of objections and this processing is outside the scope of the contract with the data controller, in violation of Article 29 of the GDPR. On the contrary, as soon as a called subscriber informs them that they wish to exercise the right to object, and if they record this statement, they must immediately transfer the information in question to the data controller, so that it can be included in the file of objections that the controller keeps, as provided for in the contract with Elpedison. In the event that the above two Call Center companies still keep such a register, they should immediately forward it to the data controller (and, if it concerns several controllers, to the relevant controller) and delete it. The Authority considers, however, that the activity in question was carried out without malice and was, albeit incompletely, in the interest of the called subscribers; therefore no other corrective measure is required beyond those mentioned above.

23. For all of the complaints in category C, it is crucial to examine the role of Elpedison as the controller. As mentioned, the Authority accepts that Elpedison has appropriate policies and procedures for making telephone calls to promote its products and services, which it has communicated to the companies cooperating with it. At the same time, as can be seen from its memorandum, it has initiated actions to check the organizational and technical measures followed by some of these companies, as shown by the detailed control reports sent to the Authority. It is found, however, that the procedure for checking the complaints that the Authority forwards to Elpedison is flawed and does not include a thorough check of the causes that led to an illegal call.
Elpedison, like any controller, must not be satisfied with the assurances it receives from the respective processor, but must identify the source of any error as soon as it is detected and take appropriate corrective measures. In this way, calls that are made "manually" and with human error, without checking the Register, would have been avoided. The keeping of an internal objection register in each company would also have been identified. Finally, a company's delay in integrating the Register would surely have been identified, a fact that should have led to relevant measures being taken immediately. It is also pointed out that, especially when the number of promotional calls is high, as reported by all companies, Elpedison as the controller must also take preventive measures to check the measures and procedures applied by the processors, such as by carrying out checks on cooperating companies. These checks should not be limited to organizational and technical issues but, where the number of calls is high, in the order of thousands per day, should include a check of the calls that have been carried out over a sufficient period of time. Indeed, given that Elpedison already has the Register per month and that the processors are required to keep outgoing call logs, such an audit, which consists of an automated comparison of records with numbers (of the Register and the outgoing call logs), is, given the current level of technology, simple to implement and to repeat periodically on a sufficient sample of calls, over a period of no longer than one year. Accordingly, it is found that Elpedison has not taken appropriate measures, based on Article 32 of the GDPR, to control the processors.

24. According to the previous considerations, the following are established for Elpedison: i.
In six (6) cases, as reflected in paragraph 14 hereof, there is a violation of the provision of article 11 of Law 3471/2006, through the calling of numbers of subscribers who had been included in the Register of article 11 paragraph 2 of their provider. Regarding these, the Authority considers that the sanction of the warning is appropriate, based on article 21 par. 1 subsection a of Law 2472/1997, in combination with Article 84 of Law 4624/2019.
ii. Regarding the measures taken by Elpedison to control the processors (paragraph 23), a violation of Article 32 of the GDPR is found and the Authority considers that it must impose an administrative fine based on Article 58, paragraph 2, subparagraph i of the GDPR.
iii. At the same time, based on article 58 par. 2 subsection d of the GDPR, the Authority considers that it must order Elpedison, within a period of six months from the notification of the decision, to design an audit procedure for the Call Center companies, which should include, at least once a year, a complete or sample check of a large number of outgoing calls of each Call Center in relation to the calls made, in order to establish their legitimacy. Elpedison should inform the Authority about the implementation of this procedure.

25. For Teleraise and Befon, at this stage, the Authority considers that no corrective measure is required, in view of the findings of paragraph 16.

26. For Call Experts, a violation of Article 32 of the GDPR occurs in ten (10) complaint cases, as mentioned in paragraph 17, due to insufficient security measures being taken during the execution of the processing. Therefore, the sanction of the administrative fine based on article 58 paragraph 2 subsection i of the GDPR is appropriate.

27. For Zitatel there is a violation of Article 32 of the GDPR in seven (7) complaint cases, due to insufficient security measures during the execution of the processing, as mentioned in paragraph 18.
Therefore, the sanction of the administrative fine based on article 58 paragraph 2 subsection i of the GDPR is appropriate.

28. Furthermore, for Zitatel it appears that in two complaint cases (one of which also involved an error during the call) the complainants were called after registering their telephone number on the website "www.fthinoreyma.gr", as described in paragraph 19. In both of these cases, there is a violation of article 5 par. 1 a' of the GDPR and the sanction of the administrative fine based on article 58 par. 2 subsection i of the GDPR is appropriate. Also, in relation to the website in question, an order must be given to Zitatel, based on article 58 par. 2 paragraph f of the GDPR, for statements and other personal data received by Zitatel through the website in question to be deleted.

29. For the PLEGMA company, there is a violation of Article 32 of the GDPR in seven (7) complaint cases, as mentioned in paragraph 21, due to insufficient security measures being taken during the execution of the processing. Therefore, the sanction of the administrative fine based on article 58 paragraph 2 subsection i of the GDPR is appropriate.

30. For the companies PLEGMA and Call Experts, in relation to keeping an internal register of objections, as described in paragraph 22, an appropriate administrative measure is to prohibit the processing and to require the actions described in paragraph 22, based on article 58 par. 2 f of the GDPR.

31. For the measurement of the fines, based on article 83 of the GDPR, the Authority takes into account the guidelines 4/2022 of the EDPB for the calculation of administrative fines and the following:
i. The last available turnover of the companies, namely:
Elpedison: €3,192,742,000 (year 2022)
Call Experts: €961,496.96 (07/01/2021-06/30/2022)
Zitatel: Not publicly available.
GRID: €4,081,489.09 (year 2021)
ii.
That the seriousness of the violations found is judged in all cases to be minor, taking into account the number of violations and of telephone calls found to have been made in violation of the legislation, the time period, and the small number of violations in relation to the total number of calls made, but also that it has been established by the Authority's controls that a small percentage of those who receive illegal calls make a complaint (see decisions 60-63/2018 of the Authority); and that the violations are included in those of article 83 par. 4 of the GDPR, except for the violation of Zitatel in relation to the website fthinorevma.gr, which is included in those of article 83 par. 5 of the GDPR.
iii. The Authority takes into account the following as mitigating factors:
a. Elpedison has proven that it is gradually improving the measures implemented for its compliance with the GDPR and Law 3471/2006, taking measures such as carrying out checks on cooperating companies.
b. The difficulty of implementing the provision of the Register (for all companies).
c. Especially in the case of Zitatel and the fthinorevma.gr website, the changes in its operation, with the determination of the data controller and the provision of more complete information.
iv. The Authority takes into account the following as aggravating factors:
a. The three call center companies (Call Experts, PLEGMA, Zitatel) have as their main activity the making of telephone calls; therefore they must know and fully respect the relevant institutional framework.
b. In the case of PLEGMA, there has been a previous reprimand with decision 38/2019 which is completely relevant, while the first complaints against PLEGMA concern calls made in 2020, shortly after the issuance of this decision.

32.
Based on the above, the Authority unanimously judges that, in view of the violations found and taking into account the above elements, the conditions are met for imposing the corrective measures referred to in the operative part hereof, including administrative fines, which are judged to be effective, proportionate and dissuasive.

FOR THESE REASONS, the Authority:

a. imposes, on ELPEDISON ELECTRIC ENERGY PRODUCTION SOLE PERSON ANONYMOUS COMPANY:
i. based on article 58 par. 2 sec. i' of the GDPR, the effective, proportionate and dissuasive administrative fine that is appropriate in this particular case according to its special circumstances, in the amount of one hundred and twenty-seven thousand seven hundred and nine euros (127,709), for the above found violation of article 32 of the GDPR, as analyzed in paragraph 24 point ii of the present.
ii. on the basis of article 58, paragraph 2, paragraph d of the GDPR, instructs it, within a period of six months from the notification of the decision, to design a control procedure for Call Center companies, which includes, at least once a year, a full or sample check of a large number of outgoing calls of each cooperating company, and to inform the Authority after the implementation of this procedure, as analyzed in paragraph 24 point iii of the present.
iii. based on article 21 paragraph 1 subsection a' of Law 2472/1997, in conjunction with Article 84 of Law 4624/2019, the sanction of the warning in relation to the six (6) complaints analyzed in paragraph 24 point i of the present.

b. imposes, on CALL EXPERTS TELEPHONE CENTER SERVICES I.K.E.:
i. based on article 58 par. 2 sec. i' of the GDPR, the effective, proportionate and dissuasive administrative fine that is appropriate in this particular case according to its special circumstances, in the amount of ten thousand euros (10,000), for the above found violation of article 32 of the GDPR, as analyzed in paragraph 26 of the present.
ii. based on article 58 par. 2 sec.
in the GDPR prohibition of keeping an internal register of objections, as analyzed in paragraph 27 of the present.

c. imposes, on ST & Co. E.E.:
i. based on article 58 par. 2 sec. i' of the GDPR, the effective, proportionate and dissuasive administrative fine that is appropriate in this particular case according to its special circumstances, in the amount of six thousand euros (6,000), for the above found violation of article 32 of the GDPR, as analyzed in paragraph 27 of the present.
ii. based on article 58 par. 2 sec. i' of the GDPR, the effective, proportionate and dissuasive administrative fine that is appropriate in this particular case according to its special circumstances, in the amount of five thousand euros (5,000), for the above found violation of article 5 par. 1 a' of the GDPR, as analyzed in paragraph 27 hereof.
iii. based on article 58 par. 2 paragraph f of the GDPR, orders that statements and other personal data received through the fthinorevma.gr website with Zitatel as data controller and kept for the purpose of promoting products and services be deleted and that the Authority then be informed, as analyzed in paragraph 28 hereof.

d. imposes, on PLEGMA NET M.E.P.E.:
i. based on article 58 par. 2 sec. i' of the GDPR, the effective, proportionate and dissuasive administrative fine that is appropriate in this particular case according to its special circumstances, in the amount of twenty thousand euros (20,000), for the above found violation of article 32 of the GDPR, as analyzed in paragraph 29 of the present.
ii. based on article 58 par. 2 sec. in the GDPR prohibition of keeping an internal register of objections, as analyzed in paragraph 30 hereof.
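
The audit described in paragraph 23 and ordered in paragraph 24 point iii, an automated comparison of the monthly Register with a processor's outgoing call log, could be implemented along the following lines. This is an added example, not part of the decision: the CSV layout, the `consent_ref` field, the finding labels and all telephone numbers are constructed assumptions.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample data (not from the decision): monthly opt-out Register
# snapshots keyed by "YYYY-MM", and one processor's outgoing call log.
REGISTER = {
    "2022-03": {"+30 210 5550101", "6905550102"},
    "2022-04": {"00306905550102", "2105550103"},
}
CALL_LOG = """timestamp,number,consent_ref
2022-03-14T10:02:00,210 555 0101,
2022-03-14T10:05:00,+306905550102,CB-0042
2022-04-02T17:40:00,2105550103,
2022-04-03T09:15:00,6905550199,
2022-05-09T11:30:00,2105550103,
"""

def normalize(number: str) -> str:
    """Reduce a Greek number to its 10-digit national form for comparison."""
    digits = re.sub(r"\D", "", number)
    if digits.startswith("0030"):
        digits = digits[4:]
    elif digits.startswith("30") and len(digits) == 12:
        digits = digits[2:]
    return digits

def audit(call_log_csv: str, register: dict) -> list:
    """Return (timestamp, number, finding) for every call needing review."""
    snapshots = {m: {normalize(n) for n in nums} for m, nums in register.items()}
    findings = []
    for row in csv.DictReader(io.StringIO(call_log_csv)):
        month = datetime.fromisoformat(row["timestamp"]).strftime("%Y-%m")
        number = normalize(row["number"])
        if month not in snapshots:
            # Dialer ran without a renewed Register: lawfulness cannot be shown.
            findings.append((row["timestamp"], number, "NO_REGISTER_FOR_PERIOD"))
        elif number in snapshots[month] and not row["consent_ref"].strip():
            # consent_ref (hypothetical field) points to consent evidence that
            # must be verified separately; a bare note is not sufficient.
            findings.append((row["timestamp"], number, "LISTED_NO_CONSENT"))
    return findings

if __name__ == "__main__":
    for finding in audit(CALL_LOG, REGISTER):
        print(*finding, sep="  ")
```

Calls placed in a month with no Register snapshot are reported separately from calls to listed numbers, since the first points to a process failure at the processor rather than to an individual dialing error.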