UODO (Poland) - ZSPR.421.3.2018: Difference between revisions

From GDPRhub
(Created page with "{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;" ! colspan="2" |HDPA - 38/2019 |- | colspan="2" style="padding: 20px; background-color:#ffffff" |File...")
 
(All the decision)
Line 1: Line 1:
[[Category:Article 4(1) GDPR]]
[[Category:2019]]
{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"
{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"
! colspan="2" |HDPA - 38/2019
! colspan="2" |UODO ZSPR.421.3.2018
|-
|-
| colspan="2" style="padding: 20px; background-color:#ffffff" |[[File:logoGR.jpg|center|250px]]
| colspan="2" style="padding: 20px; background-color:#ffffff" |[[File:logoGR.jpg|center|250px]]
|-
|-
|Authority:||[[HDPA (Greece)]]
|Authority:||[[UODO (Poland)]]
[[Category:HDPA (Greece)]]
[[Category:HDPA (Greece)]]
|-
|-
|Jurisdiction:||[[Data Protection in Greece|Greece]]
|Jurisdiction:||[[Data Protection in Poland|Poland]]
[[Category: Greece]]
[[Category: Greece]]
|-
|-
|Relevant Law:||[[Article 4 GDPR#1|Article 4(1) GDPR]]
|Relevant Law:||[[Category:Article 5(2) GDPR]]
[[Category:Article 4(1) GDPR]]
 
[[Article 5 GDPR#2|Article 5(2) GDPR]]
[[Category:Article 5(2) GDPR]]
 
[[Article 6 GDPR]]
[[Category:Article 6 GDPR]]
[[Category:Article 6 GDPR]]
[[Article 14 GDPR]]
[[Category:Article 14 GDPR]]
[[Category:Article 14 GDPR]]
 
[[Article 14 GDPR]]
[[Article 32 GDPR]]
[[Category:Article 32 GDPR]]
[[Category:Article 32 GDPR]]
|-
|-
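Review bot: The category and logo lines left unchanged in this hunk no longer match the new infobox values. The Authority and Jurisdiction rows now read UODO (Poland) and Poland, but [[Category:HDPA (Greece)]], [[Category: Greece]] and [[File:logoGR.jpg|center|250px]] are carried over from the HDPA - 38/2019 text, so the page would still be filed under the Greek authority and show its logo. Update these three lines to their Polish counterparts in the same edit.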
Line 29: Line 22:
|Outcome:||Violation
|Outcome:||Violation
|-
|-
|Decided:||18.10.2019
|Decided:||15.03.2019
[[Category:2019]]
|-
|-
|Published:||n/a
|Published:||n/a
|-
|-
|Fine:||20,000 EUR
|Fine:||EUR 220'000.-
|-
|-
|Parties:||Wind Hellas and ΠΛΕΓΜΑ ΝΕΤ
|Parties:||Unknown
|-
|-
|National Case Number:||38/2019
|National Case Number:||ZSPR.421.3.2018
|-
|-
|European Case Law Identifier:||n/a
|European Case Law Identifier:||n/a
Line 44: Line 36:
|Appeal:||n/a
|Appeal:||n/a
|-
|-
|Original Language:||[[Category:Greek]]
|Original Language:||Polish
Greek
[[Category:Greek]]
|-
|-
|Original Source:||[https://www.dpa.gr/portal/page?_pageid=33%2C15453&_dad=portal&_schema=PORTAL&_piref33_15473_33_15453_15453.etos=2019&_piref33_15473_33_15453_15453.arithmosApofasis=&_piref33_15473_33_15453_15453.thematikiEnotita=-1&_piref33_15473_33_15453_15453.ananeosi=%CE%91%CE%BD%CE%B1%CE%BD%CE%AD%CF%89%CF%83%CE%B7 HDPA (GR)]
|Original Source:||[https://uodo.gov.pl/en/file/314 UODO (PL)]
|}
|}


The HDPA imposed a fine of EUR 20,000 and a reprimand to the telecommunication company Wind Hellas for violation of the GDPR and of the national law implementing the ePrivacy Directive and it issued a reprimand to the telephone services company ΠΛΕΓΜΑ ΝΕΤ for violation of the GDPR.
The President of the Personal Data Protection Office in Poland (UODO) imposed the first fine in the amount of over PLN 943 000 for the failure to fulfil the information obligation.


==English Summary==
==English Summary==
===Facts===
===Facts===
The HDPA examined six complaints against Wind Hellas (hereafter "Wind") and ΠΛΕΓΜΑ ΝΕΤ for unsolicited calls with human intervention for direct marketing purposes. Wind claimed, among others, that it should not be the only liable company but it should first be assessed, as a preliminary issue, which the role of the contracting companies operating as call centres is (either data controllers or data processors). It claimed that some of them are data processors, because Wind provides them with lists with telephone numbers and with explicit orders for specific advertising activities; some others are data controllers, since they process lists with numbers they compile themselves, without Wind being aware of them. Wind also claimed that the purpose of the calls is research and not advertising.   
The decision of the UODO’s President concerned the proceedings related to the activity of a company which processed the data subjects’ data obtained from publicly available sources, inter alia from the Central Electronic Register and Information on Economic Activity, and processed the data for commercial purposes. The authority verified incompliance with the information obligation in relation to natural persons conducting business activity – entrepreneurs who are currently conducting such activity or have suspended it, as well as entrepreneurs who conducted such activity in the past. The controller fulfilled the information obligation by providing the information required under Art. 14 (1) – (3) of the GDPR only in relation to the persons whose e-mail addresses it had at its disposal. In case of the remaining persons the controller failed to comply with the information obligation – as it explained in the course of the proceedings – due to high operational costs. Therefore, it presented the information clause only on its website. In total, the company has 7'594'636 records of data concerning natural persons, and the company fulfilled the information obligation in relation to only 682'439 persons in relation to whom it has email addresses within the database record. The company raised the ground that the communication by registered letter would cost its turnover for the year 2018, which would constitute a "disproportionate effort" and would critically disturb the functioning of the company.   


===Dispute===
===Dispute===
1) Does a telephone number constitute personal data?
1) What is the applicable provision?


2) Who is the data controller?  
2) Does the company fulfill its obligation of information towards all data subjects?  


3) Do the processing activities pursue (even partially) advertising purposes?
3) Is it sufficient to place a privacy notice on the company's website to fulfill the information obligation towards natural persons who were not informed by email?


4) Is the data subjects’ consent valid?
4) Is the information obligation impossible or disproportionate pursuant to Art. 14 par. 5 lit. b GDPR?


===Holding===
===Holding===


The HDPA found that:   
The President of UODO found that:   


1) The telephone number constitutes personal data according to [[Article 4 GDPR#1|Article 4(1) GDPR]] as the owner can be indirectly identified.
1) The applicable provision is the Art. 14 GDPR since the data controller collects the personal data from public sources.


2) In both cases above, Wind is the data controller as it exclusively determines the purpose of the processing while the contracting companies are data processors.
2) No, the company completed its obligation only in relation to 682'439 natural persons conducting business activity, whose personal data has been processed by the company's IT "N system", in relation to which the company had an electronic address.


3) The processing activities are intended to pursue (at least partially) advertising purposes.
3) No, the mere placement of the information on the company's website cannot be considered as sufficiently fulfilling the obligation mentioned in the Art. 14 GDPR.


4) The data subjects’ consent is not valid.  
4) No, in the assessment of the President of UODO, sending out information related to Art. 14 GDPR by regular mail to the address of a natural person conducting business activity or transmitting it via telephone contact, is not an “impossible” activity, and it doesn’t involve “a disproportionate effort” in the situation when the company '''is being in possession of address data of natural persons conducting one-man business activity''' (currently or in the past) and also, in addition to that, t'''he telephone numbers''' in reference to a fraction of these persons, in its IT system. However, it is necessary at this point to mention that as opposed to the above mentioned natural persons, '''the situation of shareholders''' or members of companies’ bodies and other legal persons, whose data are being processed by the Company, is different. In public registers (in particular in the National Court Register) '''the telephone/address data are not included''', and in this regard the Company would have to search for this data in other sources, which could mean “a disproportionate effort” for the Company.  


In addition to those issues, the HDPA admitted all the complaints and found that Wind Hellas had violated [[Article 14 GDPR|Article 14 GDPR]] and the national law on the protection of personal data and privacy in the telecommunication sector, while the processor ΠΛΕΓΜΑ ΝΕΤ had violated [[Article 32 GDPR|Article 32 GDPR]].
Finally, the fact that the company justified the non-fulfillment of the obligation resulting from Art. 14 GDPR with possible high costs, and even tried to shift the responsibility – in case of the fulfillment of this obligation - for possible decrease of its competitiveness on the market, the loss of financial liquidity and even the need to terminate its business activity, has to be recognized as an aggravating factor. It should be emphasized that although the company obtains personal data from public sources and such data are the subject of its long-term commercial activity, the data subjects lack the information regarding the processing of their personal data by the company. In the assessment of the President of UODO, the liability towards these data subjects lies with the company, in particular with regard to the fulfillment of the obligation referred to Art. 14 (1) to (3) of the GDPR. Failure to fulfill the above-mentioned obligation, due to financial expenses claimed by the company, indicates lowering of the value of the rights of the data subjects, whose personal data are being processed by the Company, in relation to the value of company's finances – which cannot be considered as a valid argument in the light of the requirements of the GDPR.


==Comment==
==Comment==
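Review bot: In holding 4 the bold markup is misplaced. The text reads "t'''he telephone numbers'''", which splits the word "the" and bolds only "he telephone numbers"; move the opening ''' so that it sits before or after the whole word. The new lead sentence also gives the fine as "over PLN 943 000" while the infobox row reads "EUR 220'000.-"; say which figure is the amount in the decision and mark the other as a conversion.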

Revision as of 08:08, 23 January 2020

UODO ZSPR.421.3.2018
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law:

Article 14 GDPR

Type: n/a
Outcome: Violation
Decided: 15.03.2019
Published: n/a
Fine: EUR 220'000.-
Parties: Unknown
National Case Number: ZSPR.421.3.2018
European Case Law Identifier: n/a
Appeal: n/a
Original Language: Polish
Original Source: UODO (PL)

The President of the Personal Data Protection Office in Poland (UODO) imposed the first fine in the amount of over PLN 943 000 for the failure to fulfil the information obligation.

English Summary

Facts

The decision of the UODO’s President concerned proceedings relating to the activity of a company that processed data subjects’ data obtained from publicly available sources, inter alia from the Central Electronic Register and Information on Economic Activity, and processed the data for commercial purposes. The authority verified non-compliance with the information obligation in relation to natural persons conducting business activity – entrepreneurs who are currently conducting such activity or have suspended it, as well as entrepreneurs who conducted such activity in the past. The controller fulfilled the information obligation by providing the information required under Art. 14 (1) – (3) of the GDPR only in relation to the persons whose e-mail addresses it had at its disposal. In the case of the remaining persons, the controller failed to comply with the information obligation – as it explained in the course of the proceedings – due to high operational costs. Therefore, it presented the information clause only on its website. In total, the company has 7'594'636 records of data concerning natural persons, and it fulfilled the information obligation in relation to only 682'439 persons, for whom it has email addresses within the database record. The company argued that communication by registered letter would cost its turnover for the year 2018, which would constitute a "disproportionate effort" and would critically disturb the functioning of the company.

Dispute

1) What is the applicable provision?

2) Does the company fulfill its obligation of information towards all data subjects?

3) Is it sufficient to place a privacy notice on the company's website to fulfill the information obligation towards natural persons who were not informed by email?

4) Is the information obligation impossible or disproportionate pursuant to Art. 14 par. 5 lit. b GDPR?

Holding

The President of UODO found that:

1) The applicable provision is Art. 14 GDPR, since the data controller collects the personal data from public sources.

2) No, the company fulfilled its obligation only in relation to 682'439 natural persons conducting business activity whose personal data has been processed by the company's IT "N system" and for whom the company had an electronic address.

3) No, the mere placement of the information on the company's website cannot be considered as sufficiently fulfilling the obligation set out in Art. 14 GDPR.

4) No, in the assessment of the President of UODO, sending out the information required by Art. 14 GDPR by regular mail to the address of a natural person conducting business activity, or transmitting it via telephone contact, is not an “impossible” activity, and it does not involve “a disproportionate effort” in a situation where the company is in possession, in its IT system, of address data of natural persons conducting one-man business activity (currently or in the past) and, in addition, the telephone numbers of a fraction of these persons. However, it is necessary to mention at this point that, as opposed to the above-mentioned natural persons, the situation of shareholders or members of companies’ bodies and other legal persons, whose data are being processed by the Company, is different. Public registers (in particular the National Court Register) do not include telephone/address data, and in this regard the Company would have to search for this data in other sources, which could mean “a disproportionate effort” for the Company.

Finally, the fact that the company justified the non-fulfillment of the obligation resulting from Art. 14 GDPR with possible high costs, and even tried to shift the responsibility – in case of the fulfillment of this obligation – for a possible decrease of its competitiveness on the market, the loss of financial liquidity and even the need to terminate its business activity, has to be recognized as an aggravating factor. It should be emphasized that although the company obtains personal data from public sources and such data are the subject of its long-term commercial activity, the data subjects lack information regarding the processing of their personal data by the company. In the assessment of the President of UODO, the liability towards these data subjects lies with the company, in particular with regard to the fulfillment of the obligation referred to in Art. 14 (1) to (3) of the GDPR. Failure to fulfill the above-mentioned obligation, due to financial expenses claimed by the company, indicates a lowering of the value of the rights of the data subjects, whose personal data are being processed by the Company, in relation to the value of the company's finances – which cannot be considered a valid argument in the light of the requirements of the GDPR.


English Machine Translation of the Decision

There is no available machine translated decision. Please refer to the Greek original decision for details.