HDPA (Greece) - 44/2019: Difference between revisions
m (Corrected the hyperlink.) |
m (Ar moved page HDPA - 44/2019 to HDPA (Greece) - 44/2019) |
||
(4 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
{ | {{DPAdecisionBOX | ||
|Jurisdiction=Greece | |||
|DPA-BG-Color=background-color:#ffffff; | |||
|DPAlogo=LogoGR.jpg | |||
|DPA_Abbrevation=HDPA (Greece) | |||
|DPA_With_Country=HDPA (Greece) | |||
|Case_Number_Name=44/2019 | |||
|ECLI= | |||
|Original_Source_Name_1=HDPA (Greece) | |||
|Original_Source_Link_1=https://www.dpa.gr/el HDPA | |||
|Original_Source_Language_1=Greek | |||
|Original_Source_Language__Code_1=EL | |||
|Type=Complaint | |||
|Outcome=Upheld | |||
|Date_Started= | |||
|Date_Decided=19.12.2019 | |||
|Date_Published= | |||
|Year=2019 | |||
|Fine=150,000 | |||
|Currency=EUR | |||
|GDPR_Article_1=Article 5(1) GDPR | |||
|GDPR_Article_Link_1=Article 5 GDPR#1 | |||
|GDPR_Article_2=Article 5(2) GDPR | |||
|GDPR_Article_Link_2=Article 5 GDPR#2 | |||
|GDPR_Article_3=Article 6(1) GDPR | |||
|GDPR_Article_Link_3=Article 6 GDPR#1 | |||
|GDPR_Article_4=Article 32 GDPR | |||
|GDPR_Article_Link_4=Article 32 GDPR | |||
|GDPR_Article_5=Article 33 GDPR | |||
|GDPR_Article_Link_5=Article 33 GDPR | |||
|GDPR_Article_6=Article 58(2)(d) GDPR | |||
|GDPR_Article_Link_6=Article 58 GDPR#2d | |||
|GDPR_Article_7=Article 58(2)(i) GDPR | |||
|GDPR_Article_Link_7=Article 58 GDPR#2i | |||
|GDPR_Article_8=Article 83(5)(a) GDPR | |||
|GDPR_Article_Link_8=Article 83 GDPR#5a | |||
|GDPR_Article_9= | |||
|GDPR_Article_Link_9= | |||
|GDPR_Article_10= | |||
|GDPR_Article_Link_10= | |||
|EU_Law_Name_1= | |||
|EU_Law_Link_1= | |||
|EU_Law_Name_2= | |||
|EU_Law_Link_2= | |||
|National_Law_Name_1= | |||
|National_Law_Link_1= | |||
| | |National_Law_Name_2= | ||
| | |National_Law_Link_2= | ||
| | |||
| | |Party_Name_1=AEGEAN BUNKERING SERVICES INC (ABS) | ||
| | |Party_Link_1=http://www.ampni.com/d/aegean-bunkering-services-inc-32399.htm?lang=en&path=-1856009678 | ||
|Party_Name_2=ERNST&YOUNG HELLAS CERTIFIED AUDITORS-ACCOUNTANTS (EY Greece) | |||
|Party_Link_2=https://www.ey.com/gr/en/home | |||
|Party_Name_3=Aegean Marine Petroleum Network Inc. (AMPNI) (Reorganised as Minerva Bunkering) | |||
|Party_Link_3=http://www.ampni.com/ | |||
|Party_Name_4= | |||
|Party_Link_4= | |||
|Party_Name_5= | |||
|Party_Link_5= | |||
|Appeal_To_Body= | |||
|Appeal_To_Case_Number_Name= | |||
|Appeal_To_Status= | |||
|Appeal_To_Link= | |||
|Initial_Contributor= | |||
| | |||
}} | |||
| | |||
The HDPA issued EUR 150,000 fine against Greek supplier of marine bunker fuels and lubricants for violations of the principles of lawfulness, fairness and transparency and the security of processing according to the GDPR, while carrying out data processing operations in computer infrastructures (server hardware and software). | The HDPA issued EUR 150,000 fine against Greek supplier of marine bunker fuels and lubricants for violations of the principles of lawfulness, fairness and transparency and the security of processing according to the GDPR, while carrying out data processing operations in computer infrastructures (server hardware and software). | ||
Line 89: | Line 102: | ||
<pre> | <pre> | ||
3/2/2021 | |||
Greek Republic | |||
DATA PROTECTION AUTHORITY | |||
PERSONAL CHARACTER | |||
Decision 44/2019 | |||
Athens, 19-12-2019 | |||
No. Prot .: f /EE/ 8907 / 19-12-2019 | |||
RESOLUTION NO. 44/2019 | |||
(Department) | |||
The Personal Data Protection Authority met in composition | |||
Department at its headquarters on Wednesday, July 24, 2019 at the invitation of the President | |||
in order to examine the case referred to in the background hereof. | |||
Present were George Batzalexis, Vice President, disabled | |||
President of the Authority, Konstantinos Menoudakos, the alternate members Panagiotis | |||
Rodogiannis, Grigorios Tsolias as rapporteur, and Evangelos Papakonstantinou, in | |||
replacement of the regular members Antoniou Symvoni, Charalambos Anthopoulos and | |||
Konstantinos Lambrinoudakis who, although legally summoned in writing, did not | |||
attended due to disability. The meeting was attended by, by order of the President, Mr. | |||
George Roussopoulos, Specialist Scientist-Auditor as Assistant Rapporteur and Irene | |||
Papageorgopoulou, employee of the Administrative Department of the Authority, as secretary, while | |||
The other assistant rapporteur, Evmorfia - Iosifina Tsakiridou, was not present due to disability. | |||
specialist scientist supervisor. | |||
The Authority took into account the following: | |||
AEGEAN BUNKERING SERVICES INC (hereinafter referred to as "ABS") submitted to | |||
Authority the notification of violation case number C /EI/ 5432 / 18-06-2018 | |||
personal data, according to art. 33 of Regulation (EU) 2016/679 (General | |||
Data Protection Regulation - hereinafter referred to as "GKPD") together with a supplement | |||
1-3 Kifissias Ave., 11523 Athens, Tel.: 210-6475600, Fax: 210-6475628, contact@dpa.gr,www.dpa.gr | |||
memorandum. At the same time, the same company submitted the reference number r / EIB / 5414 / 18-06- | |||
2018 report ( she described it as a complaint) regarding a violation | |||
personal data against Aegean Marine Petroleum Network Inc (hereinafter referred to as | |||
"AMPNI") and ERNST & YOUNG HELLAS CERTIFIED AUDITORS-ACCOUNTANTS | |||
(hereinafter referred to as "EY HELLAS"), which claims that persons associated with | |||
The above two companies entered the ABS (data room) area without permission and | |||
illegally copied the entire digital to portable storage media | |||
server content that contains electronic files as well | |||
e-mails and other communications of both employees | |||
of ABS with third parties as well as employees of third companies by "cloning" him | |||
original server (server) and thus creating a new file (clone | |||
server) by copying the original server. | |||
With the no. 2/2018 Provisional Order of its President (with reference no. | |||
CI EX I 5432-1 I 22-06-2018), the Authority banned, until a final decision is issued, on | |||
AMPNI and EV HELLAS as well as to any other company or natural person in which | |||
all or part of what was copied in the case may have been transmitted | |||
file (clone server), to process personal data in any way | |||
in particular the e-mails contained in the copied file (server) | |||
which were attached as a list at the end of that Provisional Order | |||
forming an integral part ofit. Note that with the same decision | |||
clarified that the above provision suspending the processing of personnel data | |||
character contained in the copied server (clone server) does not | |||
prevents the continuation of the operation of the original server (server) of the same | |||
company, provided of course the processing of the data | |||
of a personal nature takes place legally no. 5 and 6 par. 1 GKPD. | |||
The Authority with no. prot. G / EX I 5414-1 I 26-6-2018 her document called the companies | |||
AMRNI, ABS and EV HELLAS to provide information as well as to present | |||
specific documents as well as any information necessary for a final decision | |||
on the present case. On the above document: | |||
The company EV HELLAS with its from 28-6-2018 Memorandum to the Authority | |||
(prot. no. AIIMIX r / EI/ 5824 / 29-6-2018) stated that it has nothing to do with | |||
case in question, was not even aware of the accused as illegal | |||
processing of personal data. In addition, he requested the revocation of the temporary | |||
order to the extent that it concerns her as a non-involved party and requested that she be exempted from | |||
2 | |||
any investigation or audit carried out by the Authority in relation to this case. THE | |||
Authority requested further clarifications from the company in question with reference number | |||
CI EX I 5824-1 / 06-07-2018 her document, especially in relation to two persons who are alleged to | |||
said representatives of the company "Ernst & Young" and are involved in its copying | |||
server. EV HELLAS responded with its document number GI EIS / 6424 / 24-07-2018 | |||
denying any connection with such natural persons. | |||
ii. The company ABS with its Report dated 28-6-2018 (prot. No. | |||
r / EI/ 5825/29/06/2018) and her letter dated 03-7-2018 (prot. No. r / EIB I 5935 I 04-07- | |||
2018) submitted documents to the Authority, including Organization policies with | |||
the name "AEGEAN", which did not bear the date of drafting and application, no | |||
bore the signatures of persons responsible for drafting and approval, while with the same | |||
The company provided information in response to the Authority's questions. | |||
iii. The company AMPNI with the from 13-7-2018 Treatment Application (no. APDPH | |||
prot. r / EIB I 6211 / 13-7-2018) requested the cancellation and suspension of force, in whole or in part | |||
part of the Provisional Order no. 2/2018 of the President of the Authority for the reasons | |||
which are listed in detail there. With that request the company denied them all | |||
against her, allegations submitted by the complainant company ABS, pointed out | |||
ABS was a wholly - owned subsidiary and claimed, inter alia, that | |||
legally gained access to email accounts | |||
specific current or former employees of the AMPNI Group as well as other related | |||
data in the context of internal research in relation to its important economic issues | |||
including possible fraud against the company, that the | |||
access to them was necessary in order for the company to be able to | |||
comply with its reporting obligations and | |||
notifications to the US Securities and Exchange Commission (SEC) under them | |||
applicable laws and regulations, including U.S. law | |||
securities legislation and New York Stock Exchange regulations as well | |||
also in order to protect the Group from further loss and loss | |||
that the internal investigation carried out has been obstructed by persons for | |||
which are suspected of possessing important information in relation to the subjects | |||
of internal control, that the e-mails exported were professional (corporate) and | |||
therefore they are not personal data, that he made a copy | |||
security (back up) of all system data, ie data that | |||
involved third-party employees using the same server | |||
3 | |||
(server) because the installation and operation of deletion software was detected and therefore | |||
such processing was absolutely necessary to protect their integrity | |||
of the AMR.NI Group by those who tried to destroy them without | |||
authorization, that the information in question is derived from the requested information | |||
e-mail is required for external auditors | |||
PriwaterhouseCoopersS.A. ("PwC") in order to sign the company's annual report | |||
for the financial year 2017. | |||
Furthermore, the Authority received 11 complaints from individuals against it | |||
AMPNI and EY HELLAS and in connection with the above incident, and | |||
specifically the reference numbers r / EI:E / 5648 / 26-06-2018, r / EI:E / 5650 / 26-06-2018, | |||
r / EI:E / 5651 I 26-06-20 l 8, r / EI:E / 5653 / 26-06-2018, r / EI:E / 5679 / 26-06-2018, r / EI:E / 5680 I 26- | |||
06-2018, r / EI:E / 5681 / 26-06-2018, r / EI:E / 5682 I 26-06-2018, r / EI:E / 5683 I 26-06-2018, | |||
r / EI:E / 5684 / 26-06-2018 and r / EI:E / 5685 I 26-06-2018, complaints of A, B, r, b., E, :ET, Z, | |||
H, I, I and K respectively, who brought before the Authority for violation of | |||
their personal data stored on the original server | |||
and which was illegally copied in its entirety by the controlled company AMPNI with | |||
given that some of the complainants were employees of third parties, | |||
unrelated to AMPNI and its Group companies, as D and I worked in | |||
"AEGEAN OIL", K worked at "AEGEAN NET FUELS", Z worked at | |||
"AEGEAN PETROLEUM INTERNATIONAL", and B who worked at AEGEAN | |||
SHIPPING MANAGEMENT " | |||
The Authority after studying the above answers after the attached documents | |||
sent: | |||
i. in the company AMPNI the with no. prot. G /EX / 6211-1 / 14-8-2018 document with | |||
who called her to provide additional clarifications and informed her of | |||
complaints against it in order to state its views on them. | |||
ii. in the company ABS with no. prot. G /EX / 5935-1 / 16-8-2018 document with which he called her | |||
provide additional clarifications and documents. | |||
The company ABS with its from 11-9-2018 Supplementary Memorandum to | |||
Authority (prot. No. APDPH G /EIS / 7522 / 20-9-2018) provided additional clarifications | |||
and documents and in particular: that the security policies originally submitted | |||
written outside the EU in the US and applicable to AMPNI and its subsidiaries, that | |||
in the internal working regulations of the Greek subsidiaries of AMPNI no | |||
is there any reference to checking employees' corporate emails or | |||
4 | |||
way that the company can carry out internal audits with sole responsibility | |||
of AMPNI, that on the original server, the content of which | |||
illegally copied by AMPNI kept personal data of third parties | |||
of companies to the AMPNI Group as indicative of the companies "Aegean Net Fuels Ltd | |||
Fze "," Aegean OIL SA "," Aegean Lubes "and" Aegean Gas ", that all the above companies | |||
, together with ABS, AMPNI and its subsidiaries use informally and without any | |||
written a contract on the infrastructure and servers of the ABS company and provided relevant | |||
written documentation. | |||
The company AMPNI with its documents from 10-09-2018 ( . . . ) and 17-9-2018 ( . . . ) (no. | |||
prot. AIIAIIX r /EI/ 7306 / 10-09-2018 and r /EI/ 7434 / 17-9-2018 respectively) provided | |||
additional clarifications and in particular that: The server from which | |||
exported data (server) located in the computer room (computer room) in | |||
ground floor of the building on Akti Kondili, in which the companies of the AMPNI Group | |||
rent space for their facilities. In the computer room, as far as she knows | |||
controlled company, in addition to the server, there are also servers of other companies | |||
whose offices are housed in the same building, which are not related to the Group | |||
AMPNI. The AMPNI Group does not have access to these servers. Also the controlled | |||
company claimed that the server really belongs to the AMPNI group, it is owned | |||
to the complainant ABS, which however does not process personal data for | |||
on behalf of AMPNI, reiterated its claims that it was legal and necessary | |||
processing of data for the purposes of its internal investigation and on its occasion | |||
accidental detection with approved deletion software for protection | |||
the data of the AMPNI Group, which was not personal and, therefore, has not been received | |||
country violation, that any export of personal data from the EV | |||
LLP took place by taking appropriate measures to secure the data, that the | |||
export e-mails concerned a limited number of persons, that the team ofEY LLP did not | |||
gained physical access to the server, that from the local IT staff of the AMPNI Group | |||
five (5) accounts were created for EY LLP team members for these | |||
have access to AMPNI systems, that it has not previously informed the | |||
persons whose electronic accounts have been verified and accessed | |||
by copying the server in order to avoid the risk of deterrence or | |||
obstruction of the investigation no. 14 par. 5 ed. b 'GKPD, that legally and in application | |||
of article 6 par. 1 par. c and in the GCC the data processing took place through it | |||
5 | |||
copy of the server, and that the copied file is in the offices of EV at | |||
Manchester United Kingdom. | |||
The company AMRNI with its application from 10-10-2018 (APDPH no. Prot. | |||
r /Ell:/ 8044 I 11-10-2018) requested the urgent examination of her request for removal | |||
ofno. 2/18 Interim Order invoked by the Ministry | |||
U.S. Justice summons to jury in relation to formal | |||
criminal investigation for a possible criminal offense, in the context of which (summons) | |||
was invited to send to the US and to duly submit, by .. . , information which | |||
concern, inter alia, e-mails which | |||
included in what it refers to as a "back up", the | |||
processing which has been prohibited by the Authority until a final decision is taken | |||
of. In particular, with the above application, the company AMR NI repeats them | |||
claims she develops in her from 13-7-2018 Treatment Application claiming that | |||
business (corporate) email accounts have been legally exported and therefore should | |||
to revoke the no. 2/18 Interim Order to then transmit the data | |||
( e-mail) in the USA | |||
The Authority proceeded to call for a hearing of the companies ABS, AMPNI and EV | |||
HELLAS with the reference numbers C /EX / 8303 / 18-10-2018, C /EX / 8302 / 18-10-2018 and | |||
GI EX I 8301 / 18-10-2018 her documents, respectively, while with the No. 3 Provisional | |||
Order of the President of the Authority (under reference number C /EX / 8345 / 19. 10. 2018), rejected the | |||
application for treatment - revocation ofno. 2/2018 Interim Order receiving | |||
note that the condition for cross-border transfer of personal data to | |||
USA. recommends compliance with the general principles of processing, namely Articles 5 and 6 | |||
GPD, so that in case in which the data under cross-border transmission have | |||
illegally collected, to prohibit their cross-border transmission. | |||
During the meeting of the Department of the Authority on 07-11-2018 they were present on behalf of | |||
of AMPNI the lawyers Panagiotis Bernitsas with AMDSA . . . , Marina Androulakaki | |||
with AMDSA . . . and Areti - Tania Patsalia with AMDSA . . . . Also present was L, legal | |||
ABS representative stating that he is represented by lawyer Leonidas Kotsalis with | |||
AMI:A . . . . Lawyer Eleftheria Rizou was present on behalf of the complainants | |||
AMI:A . . . . At the meeting were submitted by AMPNI the prot. | |||
r / EII: / 8790 / 07-11-2018 and r / EII: / 8791 / 07-11-2018 documents from which it appears that the | |||
ABS Board of Directors, by decision ofTitv, decided that the legal | |||
a representative of company L is not entitled to appoint or dismiss | |||
6 | |||
dismissed the former lawyer L. Kotsalis and appointed him | |||
new lawyers of their company P. Bemitsa and I. Anagnostopoulos. Filed | |||
also by the lawyer P. Bemitsa objection against the representation of the company ABS | |||
by L. and the lawyer L. Kotsalis (reference number G /EIS / 8816 / 08-11-2018). The beginning | |||
postponed the discussion of the case in order to consider the issue of representation | |||
of ABS. Following the document number C / EII: I 9207 I 21-11-2018 of ABS from the | |||
which shows that the BoD of the company replaced . . . his representative with | |||
The Authority proceeded to new calls of the companies ABS, AMPNI and EV HELLAS with the | |||
No. reference C /EX / 9 445 / 27-11-2018, C /EX / 9 449 / 27-11-2018 and C /EX / 9 448 / 27-11-2018 | |||
her documents. Furthermore, the former legal representative of ABS N.L. filed the | |||
Protocol No. CI EIS / 9 771 / 04-12-2018 complaint, arguing that his own | |||
personal data were affected by the incident. | |||
During the meeting of the Department of the Authority on 05-12-2018, ext | |||
part of the companies AMPNI and ABS the lawyers Panagiotis Bemitsas with AMDSA | |||
. . . , Marina Androulakaki with AMDSA . . . and Areti - Tania Patsalia with AMDSA . . . , from | |||
part of the company ERNST & YANG (HELLAS) CERTIFIED ACCOUNTANTS SA the Ioli | |||
Katsirouba with AMDSP . . . and Alexandra Vraka with AMDSA . . . . The complainants | |||
L and F were represented by Leonidas Kotsalis with AMDSA . . . while on behalf of the others | |||
of the complainants, Eleftheria Rizou arrived with AMDSA . . .. It is noted that after | |||
meeting ABS and AMPNI submitted the reference number C I EIS / 9981 / 11-12- | |||
2018 request for exclusion of the rapporteur which was rejected with no. 42/2019 decision | |||
of the beginning. | |||
Representatives of companies and complainants were given a deadline and | |||
submitted memoranda. Particularly: | |||
i) EY HELLAS submitted the document number prot. r /EI/ 10252 I 19-12-2018, with | |||
which reiterates their claims that it has nothing to do with the case. | |||
ii) AMPNI and ABS filed the reference number C /EIS / 10259 I 19-12- | |||
2018 memorandum, which was supplemented with the reference number r /EI/ 10398 I 28-12-2018 | |||
document while with the reference number r / EI / 10316 I 24-12-2018 expressed objections to | |||
the extension of the deadline for submission of memoranda until 15-01-2019, for which | |||
decided by the department of the Authority and in general for the procedure followed. | |||
In particular, the company ABS during the hearing process, but also with the above | |||
In its memorandum, it withdrew the complaint against AMPNI and was represented by | |||
jointly with ABS. He then relied on the following allegations: by decision | |||
7 | |||
U.S. court automatically suspends any action globally | |||
AMPNI Bankruptcy and therefore the | |||
of the Authority proceedings against the company, that the complaint of ABS is inadmissible as well | |||
exercised by a legal and not a natural person in violation of article 77 par. 1 GCP, | |||
that the complaints of natural persons are inadmissible as it was not preceded | |||
exercise of the relevant rights to the controller, that the GCC does not | |||
applies in the case of AMPNI as it has no facility in Greece, that | |||
had the right to conduct an internal audit of professional e-mails that did not | |||
under the protection of personal data legislation, that the processing | |||
e-mails was necessary for the purposes of AMPNI's legitimate interests in | |||
No. 6 par. 1 ed. in the GCC, that it refers to the documents and data that it had | |||
ABS as a complainant against AMPNI before withdrawing it | |||
complaint, that the company e-mails are the property of AMPNI, that in the context | |||
of the internal investigation it was decided to copy the e-mails of specific persons | |||
but in the process of copying them the deletion software function emerged | |||
of the entire server and the company was forced to make a total copy of it | |||
creating a backup so that there was no previous time | |||
information of data subjects, that although the establishment of its operation | |||
delete software constitutes breach of personal data did not exist by | |||
of the company no obligation to notify the Authority because it did not concern | |||
personal data but corporate (business) e-mails and therefore could not | |||
create a reasonable expectation of privacy for employees, otherwise | |||
the necessary security measures have been taken, that even if corporate e-mails recommend | |||
personal data, it was not proved that in them there was personal data, that no | |||
attempted access to personal (private) electronic accounts | |||
of the said employees but were exported from the company server, that | |||
and in the Novartis case the Authority had ruled that there was a legitimate interest | |||
compliance with the request of the US public authorities and was granted | |||
the relevant data in the US, that every young person should be aware of | |||
evidence to be provided by the complainants that there was no obligation | |||
information of former and current employees of the AMPNI Group and finally that in case | |||
imposition of administrative sanctions by the Authority not to order the destruction of the material | |||
which has been copied as it contains critical documents and information in order to | |||
delivered to the US authorities. | |||
8 | |||
iii) The eleven original complainants jointly filed the prot. | |||
r / EI:E / 268 / 15-01-2019 memorandum, while A submitted the reference number r / EI:E / 272 / 15-01- | |||
2019 memorandum, in which it is claimed that: AMPNI never submitted to ABS | |||
request for access to personal data legally, but straightforward | |||
contact with Mr. N, . . . , with a proposal of synergy in illegal acts, offering him | |||
amnesty, that the existence of deletion software is not met | |||
in fact but there was a pretext to justify its copying | |||
of the server given that from emails between N and | |||
An employee of EV LLP appears to have requested a copy of his entirety | |||
server several days before deleting software is detected, | |||
that corporate data always contains personal data, that professional emails | |||
contain personal data in accordance with the case law of the WEU, that the | |||
ownership and possession of a server does not imply ownership of | |||
personal data contained on the server, that has not been done | |||
data separation and that execution contracts have never been signed | |||
processing no. 28 GKPD, that none of the principles of Article 5 has been complied with | |||
GPA so that the processing is unfair and that AMPNI's allegations of non-compliance | |||
informing the subjects was contradictory. | |||
Following the submission of the memoranda, AMPNI and ABS informed the Authority | |||
(G / EIS / 452 / 22-01-2019) that they are in the process ofrelocation and that the company | |||
"Warehouses of Aegean SA", with which they maintained common facilities, did not | |||
delivers the original hard drive of the running ABS server, | |||
despite the fact that he was not part of the Authority 's interim order, as | |||
confirmed the Authority with its document number C / EX / 452-1 / 29-01-2019. According | |||
with the companies AMPNI and ABS the processing of the backup (back up) that | |||
is located in Manchester, United Kingdom and contains professional e-mails, | |||
is the only way to ensure that key evidence | |||
will not be permanently destroyed and any decision of the Authority it will order for | |||
any reason the destruction of professional e-mails copied to | |||
backup would be disproportionate and would interfere irreparably with | |||
property rights and defense rights of the AMPNI Group. | |||
As informed by AMPNI and ABS (G / EIS / 757 / 30-01-2019) relevant request | |||
was discussed at the Magistrates' Court of Piraeus with a procedure of precautionary measures, initially with | |||
9 | |||
issuance of a temporary order (see G / EIS / 757 / 30-01-2019). Finally, as informed | |||
Beginning with the document number C / EI/ 2883 / 16-04-2019 of AMNPI and ABS in | |||
the aforementioned court issued its decision no. 14/2019, ordering the | |||
performance of mobile equipment in ABS. | |||
On this issue, the company AEGEAN WAREHOUSES submitted the no. | |||
prot. r / E / 2111 / 19-03-2019 request requesting to clarify whether the return | |||
of servers (servers) includes their content, ie data | |||
of personal character - stored e-mails, while the Authority with the prot. | |||
CI EX / 2111-1 / 23-04-2019 document informed that the questions submitted with | |||
the application are not related to Interim Orders No. 2/2018 and 3/2018, but | |||
concern issues of interpretation and execution of the . . . Decision of the Magistrates Court of Piraeus the | |||
which do not fall within the competence of the Authority. | |||
AMPNI and ABS have also submitted a number of related documents | |||
active litigation in a US bankruptcy court and in particular a) under | |||
no. prot. r / EIL / 740 / 30-01-2019 with | |||
«NOTICE OF DEADLINE REQUIRING SUBMISSION OF PROOFS OF CLAIM ON OR | |||
BEFORE 21-02-2019 »b) under reference number r /EI/ 1467 / 25-02-2019 entitled | |||
«NOTICE OF HEARING TO CONSIDER CONFIRMATION OF THE CHAPTER 11 | |||
PLAN FILED BY THE DEBTORS AND RELATED VOTING AND OBJECTION | |||
DEADLINES ", c) under reference number r / EIL / 2678 / 09-04-2019 entitled" NOTICE OF (A) | |||
ENTRY OF OR DER CONFIRMING THE JOINT PLAN OF REORGANIZATION OF | |||
AEGEAN MARINE PETROLEUM NETWORC INC. AND ITS DEBTORS AFFILIATES | |||
PURSUANT TO CHAPTER 11 OF THE BANKRUPTCY CODE AND (B) | |||
OCCURRENCE OF EFFECTIVE DATE ». | |||
Finally, AMPNI and ABS, since (with reference number C I EX I 2214 / 21-03-2019 | |||
Authority document) became aware of the complainants' allegations through the 15- | |||
01-2019 of their memorandums submitted the reference number r / EIL / 2616 / 05-04-2019 | |||
supplementary memorandum which in principle disputes its legality | |||
extension of the deadline given for the submission of a memorandum at the hearing. | |||
They then argue, refuting the complainants' plea that they did not | |||
have not committed any act of unlawful processing of personal data, that no | |||
there was no intention from the beginning to copy the server, nor that they invented as | |||
justifying the existence of the deletion software, that the purpose of the procedure that | |||
followed by the export of professional e-mails of a specified number of ex and | |||
10 | |||
current employees of the AMPNI group, that no access to staff was attempted | |||
(private) e-mail accounts, that some of the complainants only provide | |||
some e-mails which contain their personal data, that after her | |||
new information relating in particular to e-mail is provided | |||
and exchange of e-mails from the management of PAE AEK, which is not included in | |||
list of addresses attached to Interim Order 2/2018 of the Authority, | |||
that the complainants were well aware that their corporate accounts were e-mail | |||
title | |||
intended for professional use only, to the extent that the copy is ultimately | |||
contains personal data of individuals not affiliated with | |||
AMPNI group then the company would be willing to separate or delete the data | |||
concerning such individuals, that professional e-mails do not constitute | |||
personal data, that the copying of the original server (server) was legal | |||
due to force majeure due to the detection of the deletion software function as well | |||
and that personal correspondence should not have been exchanged through | |||
corporate e-mail accounts. | |||
The Authority, from the hearing, from the details of the case file, | |||
as well as from the memoranda submitted after the attached documents, after | |||
heard the rapporteur and the clarifications of the assistant rapporteur G. Roussopoulos, who | |||
withdrew after the debate and before the conference and the decision, and | |||
after a thorough discussion, taking into account in particular: | |||
1. The provisions of the Constitution, and in particular those of articles 2 par. 1, 5 par. 1, 5 A , 9, | |||
9A, 19 par. 3, 17, 22, 25 and 28. | |||
2. The provisions of the European Convention on Human Rights | |||
04.11.1950 ratified by n.d. 53 of 19.9.1974, as in force today and in particular | |||
those of Article 8. | |||
3. The operating provisions of the Treaty on European Union, and in particular those | |||
of Article 16. | |||
4. The provisions of the Charter of Fundamental Rights of the European Union (2012 / C | |||
326/02) and in particular those of Articles 7, 8 and 52. | |||
5. The provisions of the Council of Europe Convention for the Protection of | |||
versus automated processing of personnel data | |||
character of28.1.1981 ("Contract 108"), ratified by Law 2068/1992, as | |||
11 | |||
currently in force, in particular those of Articles 5 and 6. | |||
6. The provisions of the General Regulation of Data Protection (GKPD) no. | |||
679/2016. | |||
7. The provisions of Law 2472/1997 insofar as they do not contradict the GCP | |||
(see APDP 46/18 and 52/18) | |||
8. The provisions of Directive no. 115/2001 of the Data Protection Authority | |||
Personal Character on the subject of employee records | |||
9. The no. 3/2010 Opinion of the Article 29 Working Party on the principle | |||
of accountability (WP 173 / 13-7-2010) | |||
10. The no. 2/2017 Opinion of the Working Party of article 29, for the elaboration | |||
personal data at work (WP 249) | |||
11. The Working Document of the Working Group of29-5-2002 of article 29 for | |||
Workplace Electronic Surveillance (WP55) | |||
12. The no. 8/2001 Opinion of the Working Party on Article 29 for elaboration | |||
of personal data in the context of employment relationships (WP 48) | |||
13. The no. 06/2014 Opinion of the Article 29 Working Group on | |||
concept of the legal interests of the controller (WP 217), to the extent | |||
which is interpretatively useful in the context of the present. | |||
14. The Working Group Guidelines of Article 29 "Guidelines on | |||
transparency under Regulation 2016/679 », WP260 rev.01, to the extent that it is | |||
interpretively useful in the context of the present. | |||
15. The no. 2/2018 Guidelines of the European Council | |||
Data Protection " regarding the derogations provided for in Article | |||
49 of Regulation 201 6/679 ". | |||
16. The document of the Working Group of article 29 no. 18 / EN / WP 262 of 06-02- | |||
2018 entitled "Guidelines on Article 49 of Regulation 2016/679" | |||
17. The Article 29 Working Group Guidelines for | |||
Notification of personal data breach (" Guidelines on Personal data | |||
breach notification under Regulation 2016/679 WP 250 rev. 1) | |||
18. The Guidelines (under consultation) no. 3/2018 of the European | |||
Data Protection Council on the territorial scope of the GCC | |||
12 | |||
THOUGHT ACCORDING TO THE LAW | |||
1. With article 94 of the General Regulation of Data Protection (GKPD) no. | |||
679/2016 was repealed from 25.5.2018 Directive 95/46 / EC, when it was entered into | |||
application of the GCP according to art. 99 par. 2 of this. Law 2472/1997 is still in force in | |||
to the extent that its provisions do not conflict with the GCC (see APDP 46/18 and | |||
52/18). | |||
2. The processing of personal data should be intended to | |||
serves man. The right to protection of personal data | |||
is not an absolute right, it must be valued in relation to its function in | |||
society and be weighed against other fundamental rights in accordance with its principle | |||
proportionality (Ait.Sk. 4 GKPD). | |||
3. According to article 3 par. 1 GCP " this Regulation shall apply to | |||
processing of personal data in the context of a | |||
the establishment of a controller or processor in the Union, | |||
regardless of whether the processing takes place within the Union ". In | |||
No. 22 Recital of the GCC is defined for the concept of installation | |||
that it «[ . . . ] presupposes the substantial and actual exercise of activity through | |||
fixed settings. In this respect, the legal form of these arrangements, either | |||
whether it is a subsidiary or a subsidiary with legal personality, is not decisive | |||
of importance ". | |||
4. According to article 4 par. 1 GCP as " personal data " | |||
is defined as " any information relating to an identified or identifiable natural person | |||
("Data subject ''); the identifiable natural person is one whose | |||
identity can be verified, directly or indirectly, in particular by reference to an ID | |||
ID, such as name, ID number, location data, online | |||
ID ... ». Similar broad definition for the concept of data | |||
of a personal nature pre-existed in article 2 par. a oflaw 2472/1997, in application | |||
of Directive 95/46 / EC. | |||
In this context, the e-mail address of an individual | |||
is a personal data as it can act as | |||
element of indirect or direct identification of its holder, allowing communication with | |||
13 | |||
him. When the email address bears the name or associated | |||
identifier of the natural person - user (e.g. johnsmith@ikea.sk) | |||
then it is a matter of immediate identification and therefore constitutes personal data | |||
in contrast to the address of a legal entity ( e.g. ikeacontact@ikea.com), the | |||
which in principle does not constitute personal data 1 | |||
s. According to the case law of the Court of Justice of the European Union (ECJ), | |||
the fact that the processing of information concerns the content of a professional | |||
does not exert influence in that regard and does not invalidate their classification as | |||
personal data 2 , nor does it constitute an exception to the relevant protection 3 , | |||
even when the controller acts in the context of public policy | |||
tasks 4 , and the ' distinction of the data in question according to whether they fall under | |||
in the private sphere or in the public sphere is clearly a result of confusion between the two | |||
fall into the personal data and those that fall into the private | |||
life » s | |||
According to the case law of the European Court of Human Rights | |||
Human Rights (ECtHR) the protection of "privacy" established in Article 8 thereof | |||
European Convention on Human Rights (ECHR), which includes the | |||
protection of personal data, does not exclude professional life and | |||
is not limited to life within the place ofresidence (see APDPX 34/2018 and OE29 | |||
Working document for the monitoring of electronic communications in the workplace | |||
of 29-5-2002, WP55, p. 8). Moreover, according to the same case law, in | |||
protection of Article 8 of the ECHR subject to electronic letters (e-mails) 6 , | |||
1 ,,.. details, see the content of the response from 2 1-02-20 1 8 given by the European Commission to | |||
in the context of question no. E-007 147/17 h!lJ'!://www.europarl.europa.eu/doceo/document/E-8-201 7-0071 74- | |||
ASW EN.html? Redirect | |||
, See WEU C-345/201 7 decision Sergejs Buivids of 14-02-201 9 par. 46, WEU C-398/201 5 decision Salvatore | |||
Manni of 09-3-201 7 par. 34, WEU C-6 1 5/ 1 3 Client Earth decision of 1 6-7-2015, par. 30, 32, WEU C-92/09 | |||
& C-93/09 decision Volker und Markus Schecke GbR & Hartmut Eifert v Land Hessen of 09- 1 1-20 I 0 | |||
par. 59. | |||
, See European Union Agency for Fundamental Rights (FRA), Handbook on | |||
European legislation on personal data protection, 2014 edition p. 50 and 20 1 8 edition | |||
(English) pp. 86-87. | |||
, General Court EU T-496/1 3 McCullough judgment of 1 1 -6-20 1 5 on the inclusion of names | |||
of data subjects in the minutes of the meeting regardless of the fact that they exercise publicly | |||
power par. 66 or that they have already been made public see WEU C-127/1 3 Guido Strack decision of 02- 1 0-2014 | |||
especially par. I I I . | |||
, See and T-639/15 to Ta-666/1 5 and T-94/1 6 Maria Psarra et al. European Parliament 1tap 52, | |||
see and par. 50, 53 . | |||
• George Garamukanwa v. UK decision of 14-5-201 9 on admissibility, para. 25, Copland v. United | |||
Kingdom of 3-4-2007. | |||
Therefore, not accepting that the above information (especially e-mails) | |||
constitute personal data " would have the consequence that it is not required | |||
in respect of such information, compliance with the principles and guarantees laid down in | |||
in the field of personal data protection and, in particular, | |||
principles concerning data quality and the legality of processing | |||
their ... as well as respect for rights, access, correction and opposition | |||
of the person concerned ... , but also the control exercised by the control authority ... "(WEU C- | |||
434/16 decision Peter Nowak v Ireland Data Protection Commissioner of20-12-2017, par. | |||
49). | |||
6. The data subjects, whether they are employees or senior executives | |||
administration or are connected in any way with the controller have a | |||
a reasonable expectation of protection of their privacy in the workplace, which does not | |||
removed from the fact that they use equipment, communication devices or | |||
any other professional hardware or software facilities and infrastructure ( e.g. | |||
electronic communications network, Wi-Fi, corporate email addresses | |||
mail, servers, etc.) owned by the person in charge | |||
processing (see APDPX 34/2018, 61/2004, Working Group article 29 WP55, ibid. p. | |||
9). | |||
The fact that an email has been sent by a corporation | |||
mail address does not lead to the expulsion of the right to privacy | |||
(see ECtHR, First Chamber, George Garamukanwa v. UK decision of 14-5-2019 on | |||
admissible, para. 25), the right to protection of personal data | |||
the nature of the data subjects, in particular the employees (see | |||
No. 2072/2018 License s for cross-border transfer of personal data now and | |||
former employees of the applicant company), the right to privacy | |||
of communications and related location data (see OE29 Opinion 2/17, p. 22 et seq | |||
OE29, WP55, ibid., P. 22), nor of course can it be accepted that the data | |||
the personal nature of the data subjects generated by their use | |||
1 Copland v UK of 03-7-2007, Amman v. Switzerland of l 6-02-2000, Kopp v. Switzerland of 25-3- 1 998, | |||
Halford v. The United Kingdom of 25-6-1 997, Aalmoes and 1 1 2 others v the Netherlands | |||
admissibility of 25- 1 1 -2004. | |||
, See Press Release C / EX / 1728 / 0 1 .3.20 1 8 regarding the granting ofno. 2072/20 1 8 Transmission License | |||
AilAfIX. | |||
corporate media are the "property" or "property" of the person in charge | |||
because he is the owner of the above media or | |||
e-mail addresses, an approach adopted by | |||
part of the case law of the US courts, but not of the European Union. | |||
7. According to recital 39 of the ICCPR " any data processing | |||
should be lawful and fair. It should be clear about | |||
natural persons that personal data concerning them are collected, | |||
used, taken into account or otherwise processed, | |||
as well as to what extent the data is submitted or will be processed. The beginning | |||
it requires any information and communication regarding the processing of such | |||
personal data to be easily accessible and understandable and to | |||
uses clear and simple language. This principle concerns in particular the updating of | |||
data subjects regarding the identity of the controller and their | |||
processing purposes and further information to ensure fair and | |||
transparent treatment in relation to such natural persons and their right to | |||
receive confirmation and obtain communication of the relevant data | |||
subject to processing. It should be notified to | |||
natural persons the existence of risks, rules, guarantees and rights in relation to | |||
processing of personal data and how to exercise their rights in | |||
in relation to this processing. In particular, the specific purposes of their processing | |||
personal data should be clear, legal and defined | |||
at the time of collection of personal data. Staff data | |||
should be sufficient and relevant and limited to what is necessary for them | |||
purposes of their processing. This requires in particular to ensure that space | |||
storage of personal data should be kept to a minimum. The | |||
Personal data should only be processed if the | |||
purpose of processing can not be achieved by other means. To ensure that the | |||
personal data are not retained longer than necessary, o | |||
the controller should set deadlines for their deletion or for | |||
periodic review. Every reasonable measure should be taken in order to | |||
ensure that inaccurate personal data is corrected or | |||
deleted. | |||
8. According to recital 60 GIPD " The principles of fair and transparent | |||
require the data subject to be informed of its existence | |||
processing act and its purposes. The controller should provide | |||
to the data subject any further information necessary for the | |||
ensuring fair and transparent treatment taking into account specific circumstances and | |||
the context in which staff data is processed | |||
character ". | |||
9. According to the last paragraph ofrecital 39 of the ICCPR " The data | |||
should be processed in such a way as to ensure | |||
the appropriate protection and confidentiality of personal data, | |||
including to prevent any unauthorized access to this data | |||
personal equipment and equipment used for their processing or | |||
use of such personal data and such equipment . 11 | |||
10. According to article 4 par. 12 GKP as a violation of personnel data | |||
character means II breach of security leading to accidental or unlawful | |||
destruction, loss, alteration, unauthorized disclosure or access to data | |||
personal information transmitted, stored or otherwise submitted | |||
in process 11 • | |||
According to the Guidelines of06-02-2018 of his Working Group | |||
Article 29 of Directive 95/46 / EC (now the European Data Protection Council - | |||
EDPB) for the Notification of personal data breach (" Guidelines on | |||
Personal data breach notification under Regulation 201 6/679 WP 250 rev. 1) one of them | |||
types of personal data breach is one that is categorized based on | |||
principle of security of "confidentiality" when unauthorized access is established | |||
in personal data ("confidentiality breach"). | |||
Violation of personal data also takes place with | |||
illegal access to a server, and the taking of technical and organizational measures | |||
server security is initially necessary to prevent it | |||
associated risk due to the large volume of personal data contained in 9 | |||
• For more see Detailed Guide of the French Personal Data Protection Authority (CNIL) | |||
"Security of Personal Data" which refers so much to the need for prior security measures for | |||
17 | |||
in accordance with the European Network and Information Security Agency | |||
(ENISA) 10 . | |||
The collection and retention of personal data in the context | |||
operation of a server without prior download of such necessary | |||
technical and organizational security measures constitutes a breach of the principles set out in Article 5 | |||
par. 1 ed. a 'and f GKPD. | |||
11. According to article 5 par. 1 in the GCP (" Principles governing processing | |||
personal data ")" personal data shall be submitted to | |||
processing in a way that guarantees the appropriate security of personnel data | |||
including their protection against unauthorized or unlawful use | |||
treatment and accidental loss, destruction or deterioration, using appropriate | |||
technical or organizational measures ("integrity and confidentiality "), while in Article 32 | |||
par. 2 GKP is provided in the context of an assessment of an appropriate level of security h | |||
taking into account the risk arising in particular from unauthorized access to data, | |||
where an indicative list of security measures is given 1 1 | |||
The GCC requires the submission o f personal data that they have | |||
has already been processed in accordance with the principles of article 5 par. I a 'to e' ' against | |||
way that guarantees the appropriate security "(article 5 par. 1 par. f) so that in case | |||
in which the principles other than that of security are met, to become in | |||
processing is illegal. Respectively, if the intended processing from the beginning | |||
is going to take place in a way that does not guarantee adequate security, it is unnecessary | |||
the examination of the fulfillment of the principles provided by subsections a 'to e' of par. 1 | |||
of Article 5 of the ICCPR, as it will be unsafe and therefore illegal | |||
processing. | |||
In addition, the controller's obligation to "guarantee" safety | |||
processing by taking appropriate technical and organizational measures | |||
derives from the GCC-adopted risk-based approach ("risk | |||
based approach ") so that" the degree of risk of each treatment becomes the key | |||
servers in the context of GPA compliance and the risk of unauthorized access to personal | |||
data stored on servers, | |||
10 For more see "Reinforcing trust and security in the area of electronic communications and online services", | |||
December 20 1 8 , chapter 7 "Server and DataBase Security" p. 38 ff. | |||
11 For more see L. Mitrou in L. Kotsali -K. Menoudako, GKPD-Legal dimension and practical application, | |||
Chapter VI. Notification of data breaches, p. 2 1 8 ff. | |||
18 | |||
criterion for determining the extent of the relevant obligations " 12 (see also APDPH | |||
51/2015 request sk. 4). | |||
The European Court of Human Rights is in the same direction | |||
in case I. v. Finland 13 examining an action on the basis of whether o | |||
processor managed to "guarantee" the security of personnel data | |||
found a violation of Article 8 of the ECHR by non-implementation of measures | |||
security measures that led to unauthorized access to them. | |||
Under the GCC state " integrity and confidentiality " have been reduced to | |||
basic principles and conditions for the processing of personal data | |||
No. 5 par. 1 ed. in GPD 14 so that the mentioned " appropriate technical and organizational | |||
measures ", inter alia, to prevent, if implemented, any unauthorized | |||
access to or use of the data and equipment used for | |||
processing (see Application No. 39 of the GPA and the European Network Security Agency | |||
and Information-ENISA 1s ). Therefore two of the three main goals of security | |||
information systems (ie availability excluded) have been reduced to principles | |||
and conditions for legal processing of personal data. The measures | |||
they need to be more specific (see Article 32 of the GIP) and as required by its principle | |||
and is determined by the provisions of article 24 par. 2 GCP, must | |||
appropriate policies are applied, depending on the processing activities (see | |||
All.MIX 6 7/2018). The existence of appropriate policy documents, approved by | |||
administration of a body (responsible or executing the processing) applicable and | |||
implemented in practice (a contrario APDP 98/2013 par. 5), is a basic criterion | |||
to demonstrate compliance with the principle of integrity and confidentiality | |||
(see APDPX 98/2013 ait. sk. 3. especially for information systems), to the extent that | |||
lack of other evidence such as compliance with an approved code of conduct or | |||
approved certification mechanism. | |||
12 L. Mitrou, the GKPD, ibid., P. 96 and footnotes 270 and 27 1 with references to its corresponding positions | |||
CIPL and ENISA. | |||
" Decision of 1 7-7-2009, no. ref. 205 1 1/2003 par. 37 up to 46. | |||
" See L. Mitrou, op.cit. p. 2 1 9, which states that " Security is an unconditional condition for | |||
effective protection of personal data. However, it should be noted in advance that | |||
This is a necessary but insufficient condition for data protection, as the | |||
Protecting them from unauthorized access, disclosure and general use does not mean that | |||
are subject to legal processing "but also the GCC itself, new law-new obligations-new | |||
rights, Sakkoulas 20 17, p. 1 08 ff. | |||
" "Handbook on Security of Personal Data Processing", December 2017, especially p. 8 as well as Guidelines | |||
for SMEson the security of personal data processing ", December 2016, especially p. 12 | |||
19 | |||
12. According to Recital 78 GKPD " The protection of rights and | |||
the freedoms of individuals versus the processing of personnel data | |||
requires appropriate technical and organizational measures to | |||
ensure that the requirements of this Regulation are complied with. In order to be able to | |||
to demonstrate compliance with this Regulation, the controller should | |||
establish internal policies and implement measures that respond in particular | |||
principles of data protection already by design and by definition ". | |||
13. According to Recital 82 GKPD " In order to prove | |||
compliance with this Regulation, the controller or the executor | |||
processing should keep records of the processing activities that are under | |||
their responsibility ". | |||
14. According to Recital 83 GKPD " To maintain security and | |||
to avoid processing in breach of this Regulation, the responsible person | |||
The processor or processor should evaluate the risks involved | |||
develop and implement measures to mitigate these risks, such as | |||
example through encryption. These measures should ensure appropriate | |||
level of security, which includes confidentiality ... In the assessment | |||
data security risk should be considered | |||
resulting from the processing of personal data ... ". | |||
15. According to Recital 87 GKPD " It should be ascertained against | |||
whether all appropriate technological protection measures have been implemented and | |||
organizational measures to immediately detect any breach of personnel data | |||
character and immediate information of the supervisory authority and its subject | |||
data ", as detailed in the 06-02-2018 Guidelines | |||
of OE 29 for data breach notification (WP 250 rev. 1 ). | |||
16. Appropriate accountability measures for the observance of the principles of article 5 par. 1 GKPD | |||
may include (as recommended by the Working Party on Article 29 16 before | |||
implementation of the GPA) the following non-exhaustive list of measures: adoption | |||
16 Opinion no. 3/201 0 on the principle of accountability of 13-7-20 1 0 (WP 173) p. 13 ff. And p. 14 | |||
footnote 7 for international standards approved in Madrid by the competent authorities for their protection | |||
personal data. | |||
20 | |||
internal procedures before the creation of new processing operations, adoption | |||
written and binding data protection policies available to individuals at | |||
reporting data, mapping procedures, maintaining a directory | |||
all data processing operations, appointment of a data protection officer | |||
data and other persons responsible for data protection, provision | |||
appropriate education and training for officials in their protection | |||
establish procedures for managing access requests, correction | |||
and deletion, which must be transparent to the persons referred to | |||
data, establishment of an internal grievance mechanism, establishment | |||
internal procedures for the effective management and reporting of infringements | |||
security, conducting a privacy impact assessment in specialized | |||
cases, implementation and oversight of verification procedures to ensure that | |||
all measures not only exist on paper, but are applied and operate in | |||
act (internal or external audits, etc.). | |||
The Authority, in the context of the implementation of the GCP, has already referred to the obligations | |||
the controller regarding his / her safety and general responsibility for | |||
identifying appropriate technical and organizational measures, proposing | |||
"Appropriate" measures which may be substantiated in individual proceedings or in | |||
general security policies 1 1 , clarifying that " in any case, before | |||
determining the security measures to be adopted, the proper evaluation of them is paramount | |||
risks and their possible consequences 1sfor data subjects ... the | |||
Implemented measures must be periodically reviewed, at least, but also | |||
be proven validated by the administration of the person in charge or the executor | |||
processing 19 ". Likewise, appropriate technical and organizational measures for its safety | |||
processing of personal data under the FGM are proposed | |||
and by the European Network and Information Security Agency (ENl SA). 20 | |||
1 1 www.dgr Section Security and in particular "Security Policy, Security Plan and Plan | |||
Disaster Recovery "with reference to the minimum content of the security policy concerning | |||
a description of the basic protection and safety principles applied ( organizational security measures, | |||
technical security measures, physical security measures, definition ofroles, responsibilities, | |||
duties, etc.) | |||
" See and G. Roussopoulos, APDPH specialist scientist, "Processing security and notification | |||
Violations "in the ECDC Report" GPD: the new landscape and the obligations of public | |||
of Administration ", Athens, January 20 18, p. 20 ff. available at www.ekdd.gr/images/seminaria/GDPR.pdf | |||
19 www.dp...!!,gr section "Security". | |||
20 Cf. footnote 1 1 , Annex A p. 55 et seq. | |||
21 | |||
17. In order for personal data to be legally processed, | |||
ie processing in accordance with the requirements of the GGP, should be met | |||
cumulatively the conditions of application and observance of the principles of article 5 par. 1 GCP, | |||
as is clear from the recent ruling of the Court of Justice of the European Union | |||
(CJEU) of 16-01-2019 in Case C-496/2017 Deutsche Post AG v Hauptzollamt | |||
Cologne 21 . The existence of a legal foundation (art. 6 par. 1 GCC) does not exempt the | |||
controller from the obligation to comply with the principles (art. 5 par. 1 GKP) | |||
with regard to legitimacy, necessity and proportionality, the principle | |||
of minimization 22 . In case of violation of any of | |||
the principles set out in Article 5 ( I ) of the GIP, such processing shall be presented as non - | |||
legal (subject to the provisions of the GCC) and there is no need to consider the conditions | |||
implementation of the legal bases of Article 6 GIP 23 . Thus, the violation of the principles | |||
of Article 5 of the GIPP illegal collection and processing of personnel data | |||
character is not cured by the existence of a lawful purpose and legal basis ( cf. | |||
Alli:iTIX 38/2004). | |||
Moreover, the WEU with its decision of0l -10-2015 in the context of the case | |||
C-201/14 (Smaranda Bara) considered as a condition for the fair and lawful processing of | |||
personal data informing the data subject pre | |||
of their processing 24 | |||
21 « 57 . However, any processing of personal data must be consistent with, on the one hand, the | |||
principles to be observed with regard to data quality set out in Article 6 of the Directive | |||
8aizret1'1iis"1-Jal 1J,;JJ'tff!Ii'l1i7Rdtfi!§ b'l- 911Ml1 &'1f['i#MWf1!11k,lfo/{'(cf<fNEiBrJn£iPles of legal processing | |||
... C-465/00, C-138/01, C-139/01, C-131112 » . . | |||
22 On this see L. Mitrou, the general regulation of personal data protection (new law-new | |||
obligations-new rights), published by Sakkoula, 201 7 pp. 58 and 69-70. | |||
23 Cf. !:1:E 5 1 7/201 8 par. 12: «[ ... ] in order for the personal data to be legal | |||
processing, it is required in each case to meet the cumulative conditions of article 4 par. I of | |||
Law 2472/1997, which, among other things, stipulates that data must be collected and processed | |||
in a lawful and lawful manner, for clear and lawful purposes ... Provided that the conditions of | |||
article 4 par. 1 of law 2472/1997 (legal collection and processing of data for clear and legal | |||
purposes), it is further examined whether the conditions of the provision of article 5 par. 2 of n. | |||
2472/1997 [legal bases] ". Also, cf. CoE in Plenary Session 2285/200 1 par. 10: «[ ... ] Only if | |||
the above basic conditions are met, the provisions of articles 5 and 7 of the Law apply. | |||
2472/1997, which impose as a farther additional, in principle, a condition for legal processing | |||
personal data of a specific person, his consent ". | |||
24 " 3 I. The person in charge of data processing or his representative have an obligation to inform the | |||
content of which is set out in Articles IO and I I of Directive 95/46 and differs accordingly whether the | |||
data are collected by the data subject or not, subject to reservation | |||
of the exceptions provided for in Article 13 of that Directive [ ... ] 34. Consequently, the requirement of a legitimate | |||
data processing provided for in Article 6 of Directive 95/46 obliges the administrative authority to: | |||
inform the data subjects about the transfer of such data to another | |||
administrative authority for the purpose of processing them by the second as the recipient of such data ". | |||
22 | |||
18. Further, the controller, in the context of its compliance | |||
principle of fair or just processing of personal data, owes | |||
inform the data subject that his data is to be processed | |||
in a lawful and transparent manner (see WEU C-496/17 ibid., paragraph 59 and WEU C-201/14 | |||
of0l -10-2015 par. 31-35 and especially 34) and to be in a position at any time to | |||
prove its compliance with these principles (accountability principle according to art. 5 par. 2 | |||
in combination with articles 24 par. 1 and 32 GCP). | |||
Processing personal data in a transparent manner is recommended | |||
manifestation of the principle of fair treatment and linked to the principle of accountability, | |||
giving subjects the right to exercise control over their data | |||
making those responsible for processing accountable, according to the Working Group | |||
Article 29 2s | |||
Exceptionally and pursuant to article 14 par. 5 ed. 2nd GCP (" Information | |||
provided ifp ersonal data has not been collected by | |||
data subject "), paragraphs 1-4 of the same article do not apply and no | |||
the relevant information is provided by the controller if it is likely to | |||
greatly impair the achievement of the objectives of such processing. Condition | |||
implementation of this provision in accordance with the Working Party of Article 29 26 recommends | |||
the processing (collection) of such personal data has been carried out | |||
legally, ie in accordance with the principles of article 5 par. 1 GKPD. | |||
19. In addition, a new, central compliance model was adopted with the GCC | |||
size of which is the principle of accountability, within which the person in charge | |||
is obliged to plan, implement and generally take the necessary measures | |||
and policies to ensure that data processing complies with the relevant | |||
legislative provisions. In addition, the controller is responsible for further | |||
to prove on its own and at all times its compliance with | |||
principles of article 5 par. l GK.PD. It is no coincidence that the GCC incorporates accountability | |||
(Article 5 (2) GCC) in the regulation of the principles (Article 5 (1) GCC) governing | |||
processing, giving it the function of a mechanism for their observance, | |||
essentially reversing the "burden of proof' as to its legality | |||
25 Guidelines on transparency under Regulation | |||
201 6/679) of 1 1 -4-201 8 (WP 260 rev. I), pp. 4 and 5. | |||
2• Guidelines on transparency under Regulation | |||
201 6/679) of 1 1 -4-201 8 (WP 260 rev. I), p. 3 1 par. 65. | |||
23 | |||
(and in general the observance of the principles of article 5 par. l GCP), | |||
transferring it to the controller, 21 so that it can be reasonably argued that he | |||
bears the burden of invoking and proving the legality of the processing 2s . | |||
Thus, it is the responsibility of the controller on the one hand to receive from | |||
itself the necessary measures in order to comply with its requirements | |||
On the other hand, to prove at all times its above compliance, without | |||
in fact, the Authority should be required, in the context of the exercise of research-auditing | |||
powers, to submit individual - specific questions and requests to | |||
conformity assessment. | |||
It is pointed out that the Authority due to the fact that the first period is elapsed | |||
implementation of the GCP submits questions and requests in the context of the exercise of | |||
its relevant research - control powers, in order to facilitate it on their part | |||
accountants documentation of accountability. The controller must | |||
in the context of the Authority's audits - investigations to present on its own and without | |||
relevant questions and requests of the Authority the measures and policies adopted in | |||
within the internal organization of his compliance, as he is aware of them | |||
after designing and implementing the relevant internal organization. | |||
20. Access by the controller, within an internal company | |||
control, personal data stored on a hardware computer system and | |||
software (server - server) is the processing of personal data, | |||
as in the case of access to and control of a computer that uses | |||
the subject (APDPX 34/2018). | |||
The employer exercising his managerial right, under the self-evident condition | |||
the observance of the principles of article 5 par. 1 GKPD and on the basis provided before | |||
elaboration of specific procedures and guarantees within its organization | |||
internal compliance in accordance with the principle of accountability, is entitled to exercise | |||
control over the electronic media it provides to employees for | |||
their work, provided that the relevant processing, in accordance with the principle of proportionality, | |||
is absolutely necessary for the satisfaction of the legitimate interest it pursues and | |||
provided that this obviously takes precedence over his rights and interests | |||
27 On this see L. Mitrou, The principle of Accountability in Obligations of the controller [G. | |||
Giannopoulos, L. Mitrou, G. Tsolias], Collective Volume L. Kotsali - K. Menoudakou " 0 GKPD, Nomiki | |||
dimension and practical application ", published by Law Library, 20 18, p. 172 ff. | |||
" P. de Hert, V. Papakonstantinou, D. Wright and S. Gutwirth, The proposed Regulation and the construction of | |||
a principles-driven system for individual data protection, p. 1 4 1 . | |||
24 | |||
employee, without prejudice to his fundamental freedoms no. 6 par. 1 ed. f | |||
GKPD and after being informed even about the possibility ofrelated control (see | |||
AIIMIX 34/2018). | |||
21. Essential element of the legal operation of information systems and others | |||
infrastructure and communication systems in the processing of personnel data | |||
It is advisable to take appropriate security measures, in particular physical measures and | |||
logical separation of hardware, software and data 29 | |||
22. In order to examine the legality of the access of the person in charge | |||
processing no. 5 and 6 par. 1 GKPD in the personal data of | |||
entities maintained in its corporate systems in the context of internal control, | |||
previously examined no. 5 and 6 par. 1 GKP legality of the original | |||
collection, processing and storage of personal data | |||
character in systems. The illegal original collection, processing and preservation of | |||
personal data e.g. on her computer or server | |||
also makes any subsequent or further illegal (with | |||
that is, a different purpose to the original no. 6 par. 4 GK.PD) distinct and independent | |||
processing of the same personal data as in her case | |||
copy them and save them on another digital storage medium ( eg usb stick, | |||
server, pc, etc.), but even further in that of their transmission and use, even | |||
in the event that the conditions for the application of a legal one would be met | |||
based on article 6 par. 1 GK.PD, as e.g. that of subsection f, after non-compliance | |||
of the processing principles of article 5 par. 1 GK.PD is not cured by the existence | |||
legal purpose and legal basis (see recital no. 17 hereof and | |||
cf. AIIMIX 38/2004). | |||
23. Prerequisite for the transfer of personal data outside European | |||
Union, provided that its general principles, procedures, conditions and guarantees are met | |||
Chapter V of the GCC (Articles 44-50), constitutes the initial legal collection, processing and | |||
retention of the same personal data no. 5 and 6 par. 1 GK.PD 30 | |||
,. Cf. AIIilITX 1 86/2014 an. l:K. 2, " D. Security measures - Techniques of measure separation of applications ", APDPH | |||
5 1 /20 1 5 p. 1 1 and for the relevant concepts, cf. | |||
201 3 . | |||
,o Cf. no. 2/201 8 Guidelines o f the European Data Protection Council | |||
"With regard to the derogations provided for in Article 49 of Regulation 2016/679 ", p. 3, Group | |||
Article 29 of Directive 95/46 / EC with document no. 1 8 / EN / WP 262 of 06-02-201 8 entitled | |||
"Guidelines on Article 49 of Regulation 201 6/679", p. 3 . | |||
25 | |||
(see in this regard the No. 3/2018 Provisional Order of the President of the APDPH), so that if | |||
the original collection was illegal, to become illegal and the later one | |||
their cross-border transmission 31 • As the Authority did not consider, under the state of application of no. | |||
9 Law 2472/199 7 in the context of company licensing for cross-border transmission | |||
personal data of its former and current employees, in addition to | |||
previous legal collection and processing of personal data | |||
of these, the information of the data subjects is required before the transmission | |||
in order to exercise their access and objection rights if | |||
there are legal grounds 32 and the conditions of Chapter V are self-evident | |||
of the GCC (Articles 44-50). | |||
24. ABS, a subsidiary of AMPNl (parent company of the AMRNI Group), | |||
notified the Authority of a data breach incident no. 33 fKIL which | |||
consisted of unauthorized access and copying from its server | |||
ABS of this full content. As culprits of his illegal copying | |||
server (ABS) company indicated the parent company of the same Group, | |||
AMPNI and the company EY Hellas. In addition, ABS filed a complaint for | |||
violation of personal data legislation to the detriment of companies | |||
AMPNI and EV Hellas, while it requested the issuance of an act of suspension and prohibition | |||
processing the copied content of its server. | |||
The controlled company AMPNI briefly claimed that it legally acquired | |||
access to the ABS server because the latter was a subsidiary | |||
and held 100% of its share capital, that the contents of the e-mails were | |||
corporate and therefore on the one hand belong to its property - property, on the other hand, do not belong | |||
in the protection of personal data legislation, that access has taken place | |||
in the context of internal corporate control and therefore the provision provided by | |||
article 6 par. 1 par. the legal basis of the overriding legal interest given to it | |||
provided the right of access and control as well as that the final copy of the whole | |||
ABS server content became necessary, despite the fact that | |||
The original design of the audit concerned targeted access to small e-mails | |||
" Cf. the position of the European Data Protection Supervisor (EDPS) according to which in case | |||
in which the data under cross-border transmission has been collected illegally, it is prohibited to | |||
cross-border their transmission ( see !JnP.s://edp s .europa .eu/data-protection/data-protection/referencelibrfilY. | |||
I international-transfers en) | |||
,2 Cf. Press Release C / EX / 1 728 / 0 1 .3.20 1 8 regarding the granting of no. 2072/20 1 8 Transmission License | |||
AIIMIX. | |||
26 | |||
number of specific employees and executives of the AMPNI Group, because randomly | |||
detected on the day of the audit, the operation of illegal deletion software already | |||
deleted files on the server and thus a complete copy was obtained | |||
security (back up). | |||
The ABS company, before the withdrawal of the complaint against it | |||
AMPNI, briefly argued that from the outset the targeting of the controlled AMPNI was | |||
copy of the entire server (server) that included personal data | |||
employees and executives of third companies as it emerged from relevant letters sent to her | |||
were sent by AMPNI and not the targeted copying of specific e-mails | |||
natural persons, that the audited company AMPNI illegally copied it | |||
total content of the server due to the refusal of. . . ( . . . ) N to | |||
accepts the request for copying because it relied on a relevant legal opinion from | |||
which resulted in the illegality of such processing and that the illegality of the request | |||
Copy of the server (server) results from the by the controlled company | |||
AMPNI sending a letter declaring the exemption in advance | |||
("Amnesty") ofN from any kind ofliability in case oflegal action | |||
proceedings against him due to copying. | |||
25. In the present case, it emerged at the discretion of the Authority that ABS, | |||
subsidiary of the parent company AMR NI of the same Group, was the owner | |||
servers that were installed in the office premises | |||
where the Group's companies were housed on Akti Kondili 10 in Piraeus after | |||
lease from the company "AEGEAN WAREHOUSES SA". | |||
On the above-mentioned servers (servers) owned by the company ABS had | |||
DANAOS software was installed and operated under a contract of use and | |||
on the basis of a license obtained by the company "AEGEAN SHIPPING MANAGEMENT" | |||
("ASM"), which, however, did not belong to the AMPNI Group. It should be noted that on | |||
30-10-2018 and after the control process had already started by the Authority within it | |||
in the present case, ABS entered into separate service contracts and | |||
software maintenance with the company that provided the DANAOS software with respect to | |||
companies of the AMR NI Group. | |||
In the same computer infrastructure (hardware and software) except DANAOS (where | |||
e-mails were saved), including virtual file servers | |||
servers) AMPFSl (where fileshare and usershare files were stored) and AMPFS2 (where | |||
27 | |||
attachments of e-mails stored in DANAOS), as shown in | |||
in particular from the statements of12-7-2018 and 17-12-2018 . . . ofEY LLP | |||
from 18-12-2018 statement of. . . of ABS 0, which was presented and invoked by | |||
AMPNI. | |||
The above hardware and software computing infrastructure (DANAOS, AMPFSI and | |||
AMPFS2) was used to make electronic communications | |||
e-mails from both employees and executives in the Group companies | |||
AMPNI, as well as by employees and executives in third companies, outside the AMPNI Group | |||
as in "Aegean Shipping Enterprises", "Aegean Agency" and "Aegean Oil" | |||
(according to the statement of 0, op. cit.), but also in "Aegean Net Fuels Ltd Fze", Aegean | |||
Lubes "and" Aegean Gas " 33 | |||
It is important that the ABS company, before its recall | |||
had responded to relevant written questions from the Authority that companies outside | |||
of the AMPNI Group used informally and without any written contract the | |||
infrastructure and servers of the company ABS (prot. no. APDPX G /EIS / 7522 / 20-09-2018), | |||
referring in fact to the letter of 03/7/2018 of the P AMPNI N Group, the | |||
who stated that ABS has not entered into hosting and supply contracts | |||
services with other companies. | |||
It should be noted that N, employee on behalf of the AMPNI Group as . . . ( . . . ), | |||
was hired by the company AEGEAN MANAGEMENT SERVICES"-" AMS", ie | |||
from another company of the AMPNI Group (see Supplementary Memorandum AMPNI-ABS of | |||
19-12-2018 pp. 9 and 10, AIIMIX r /EU: / 10259 / 19-12-2018). | |||
Finally, the memoranda of AMPNI show that both companies are owned | |||
in its Group, as well as third companies, outside the Group, used it | |||
computer infrastructure (hardware and software) for the processing of electronics | |||
correspondence of employees and executives, even accepting that it proceeded to | |||
copying information of 34 third parties related to companies outside | |||
Group and used the same computer infrastructure: " There was never any | |||
33 According to the employees' complaints as well as the printouts of the e-mail addresses | |||
mails submitted through ABS pleadings prior to the hearing before the Authority, in particular the | |||
No. ATILiTIX r / EU: / 5432 / 18-6-20 1 8 supplementary memorandum. | |||
" As noted above and will be developed below, AMPNI claims that this is | |||
corporate-professional e-mails owned by it which do not constitute personal data. | |||
The reference by AMRNI to personal data in its memoranda is recommended | |||
auxiliary, in the same claim, not accepting that they constitute personal data. | |||
28 | |||
intends to copy information other than the collection of specific data that | |||
concerned the 18 users and related files related to the internal investigation | |||
described above. Any further copying of information that has taken place | |||
separately from the specific data collection related to the research carried out with | |||
sole purpose of protecting against malicious permanent destruction of critical evidence | |||
data related to internal research and its important business records | |||
AMPNI Group "(see AMPNI Treatment Application no. Prot. | |||
pp. 16-17). Similarly, AMPNI stated that "[ ... ] personal data of physicists | |||
persons not affiliated in any way, now or in the past, with the Group | |||
AMP NI under any relationship of employment, provision of services or otherwise or which is otherwise | |||
pending criminal and I or civil investigations, then AMPNI would be willing to | |||
delete the data concerning such natural persons and provide | |||
evidence of this "(see Supplementary Memorandum AMPNI-ABS of 19-12- | |||
2018 p. 23, Allt.IIX f' / EII: / 10259 / 19-12-2018 as well as Supplementary Memorandum | |||
AMPNI-ABS of05-4-2019 pp. 8 and 12 AIMIIX f' / EII: / 2616 I 05-4-2019). | |||
above copy of the entire contents of the computing infrastructure h | |||
controlled company AMPNI created a new archiving system, a copy of which | |||
which he forwarded to Manchester in the United Kingdom. | |||
Finally, AMRNI stated that in the same common area (" computer room-computer | |||
room ») were installed and more servers were running and | |||
other companies whose offices are housed in the same building and which do not | |||
related to the AMRNI Group (APDPH CI EIS / 7306 / 10-9-2018 p. 2 paragraph 3). | |||
It follows from all of the above that both the parent company AMRNI and | |||
subsidiaries of its Group, as well as third companies, outside the AMRNI Group, made | |||
use and had physical access to the same area where they were located and | |||
operated more servers (servers) of companies of both the AMPNI Group and | |||
and third party companies and other legal entities outside the AMPNI Group but also | |||
physical and logical access to the same computing infrastructure (hardware and software | |||
DANAOS, AMPFS 1, AMPFS2) for the processing of e-mail | |||
employees and their executives by processing the systems | |||
electronic communications archiving. The above accesses and edits | |||
personal data took place without any action being taken | |||
physical and logical separation, and the person appointed as Head . . . ( . . . ) of the AMPNI Group | |||
was hired by a Group company in order to provide services for both | |||
29 | |||
With the | |||
companies of the AMRNI Group, as well as for third companies outside the AMRNI Group, while the | |||
licensing and service agreement with the software company DANAOS | |||
was concluded by a third company outside the AMPNI Group to finally establish that | |||
any kind of processing of personal data took place informally, without | |||
the existence of any agreement between the companies inside and outside the AMRNI Group that | |||
shared the same hardware and software infrastructure, without downloading any essentials | |||
technical or organizational measure of internal compliance with the provisions of the FGM, | |||
without relevant demarcations, resulting, as the documents show, to be set | |||
finally issue a county specific server (server) and be brought before | |||
civil courts to be resolved through the interlocutory proceedings | |||
(AIIMIX I r /E IL / 733 / 30-01-2019). | |||
26. The Authority in the exercise of its audit powers, both before | |||
hearing (see APDPH no. prot. G /EX / 5414-1 / 26-6-2018 and APDPX no. prot. | |||
G I EX I 6211-1 / 14-8-2018), as well as during the hearing requested from the audited company | |||
AMPNI, among other things, to document its compliance as it had | |||
obligation from no. 5 par. 2 GKP principle of accountability to its provisions | |||
GPD and in particular in relation to obtaining the required " technical and organizational | |||
measures taken for the security of personal data and | |||
used infrastructure that supports processing by notifying us of any | |||
relevant policy document or rules of procedure, whether it concerns the company itself or | |||
applied at Group level . For example, list the measures it takes with regard to | |||
in the physical access to the site of the MAIL SERVER in question, in the logical access to | |||
application of MAIL SER VER, the policy of proper use of corporate emails by | |||
its control policy (eg access and management rights | |||
the said subsidiary and I or the complaining parent company, if the above | |||
have been included in a text governing staff relations (eg Regulation | |||
Work), as well as whether and how staff are informed in advance about | |||
the above and in particular for any control of corporate emails, the relevant conditions, the | |||
procedural guarantees for carrying out an audit, etc. "(see APDPH no. prot. G /EX / 5414-1 / 26-6- | |||
2018 p. 2). The legality of copying the contents of the server | |||
(server), in accordance with data breach notifications and complaints, | |||
was requested in particular by the Authority among others, both at the hearing and before | |||
of this (see APDPH no. prot. G /EX / 6211-1 / 14-8-2018 p. 2) to clarify " if and with | |||
30 | |||
how the group staff and users in general were informed in advance | |||
of email accounts for your company 's right to proceed | |||
control of e-mails, the relevant conditions, the procedural guarantees of conducting an audit | |||
etc .. as well as if, when and how the staff was informed about this | |||
control . . . » . | |||
27. The audited company AMR NI before the hearing and instead ofresponding t o no. | |||
prot. APDPH CI EX I 5414-1 / 26-6-2018 document of the Authority submitted the from 13-8-2018 | |||
Application for Treatment for the revocation ofno. 2/2018 of his Interim Order | |||
Chairman of the Authority without finally responding to any of the details | |||
stated requests of the Authority, without substantiating no. 5 par. 2 GKPD the legal | |||
operation of the infrastructure used (hardware and software - servers) that | |||
supports the processing of personal data ( especially e-mails), | |||
without providing any written documentation of internal compliance | |||
to the FSAP, in particular to the requirements of secure data processing | |||
without stating the necessary technical and organizational measures | |||
received and without providing any personnel data management policy | |||
character, no safety policy, no employee regulations and no one | |||
proof of informing the subjects about the processing of their data and | |||
the exercise of their related rights but also for the possibility of doing so | |||
control in their e-mails. | |||
The then complainant ABS, in response to the same document of the Authority | |||
presented with the no. prot. AIIIIX r / EI:E / 5935 / 04-07-2018 memorandum of documents | |||
security policy, but which lacked chronology, signature, approval as well | |||
and proof of their application, in addition they were not said to concern an unclear one | |||
designated legal entity under the name "AEGEAN". | |||
The audited company AMPNI then provided clarifications on the | |||
questions asked by the Authority with no. prot. AIIMIX r /ES / 6211-1 / 14-8-2018 | |||
document, but again without documenting no. 5 par. 2 GKPD the legal | |||
operation of the infrastructure used (hardware and software - servers) and | |||
without providing any written documentation of internal compliance | |||
to the GCC. | |||
The then complainant ABS, in response to the same document of the Authority with the | |||
No. prot. AIIAfIX r / EI:E / 7522 / 20-9-2018 document stated that the submitted by | |||
The same Policies are drafted outside the European Union and specifically in the USA | |||
as well as that they are applied by the parent company AMPNI, without presenting | |||
relevant evidence. In addition, she claimed that the person presented in her memorandum | |||
" AEGEAN Rules of Procedure " has been drafted exclusively for the subsidiaries | |||
AMRNI companies and that no reference is made to their control | |||
corporate e-mails of employees or how the company can proceed | |||
above act for which the parent company is solely responsible and not the | |||
same. Finally, in the same memorandum, ABS stated that both AMPNI Group companies and | |||
and third companies outside the AMR NI Group use all informal and without any | |||
written contract the infrastructure and servers of the company ABS. | |||
28. During the meeting of05-12-2019 before the Authority, the company ABS, then | |||
replacement of her legal representative and her attorney, | |||
withdrew its complaint, which has no legal consequences for | |||
continue the examination of the case before the Authority as it is not about one | |||
private civil law dispute the subject matter of which is disposed of in accordance with | |||
will of the parties. In addition, the Authority carries out ex officio audits on the basis of | |||
information received regarding the breach of personal data | |||
of subjects. | |||
The company AMPNI both during the hearing before the Authority against | |||
the meeting of05-12-2019, and later with the no. prot. AilMIX | |||
r / EI/ 10259 / 19-12-2019 supplementary memorandum (jointly with ABS) submitted | |||
clarifications as well as a series of allegations and objections, but again without | |||
document no. 5 par. 2 GPO the legal operation of the used | |||
infrastructure (hardware and software - servers) and without providing any kind | |||
written documentation of its internal compliance with the FGM. On page 14 of | |||
above memorandum AMPNI states that " The AMPNI Group has policies | |||
IT security (see attachments as Annex D) ". This document is entitled | |||
Information Systems Security Policy | |||
Aegean Marine Petroleum Network Inc., bears the date of its signing | |||
latest version on ... by ... Director ( ... ) II and compiled by ... ( ... ) N | |||
in compliance not with the provisions of no. 679/2016 of the General Regulation | |||
Data Protection or Directive 95/46 / EC but in compliance with the provisions | |||
32 | |||
of the US legislation "Sarbanes Oxley Act 2002" ("SOX") and in particular the section (hereinafter | |||
"Article") 404, as indicated on each page of that policy. | |||
In particular, this US law was passed to address | |||
corporate financial scandals and concerns corporate governance and | |||
disclosure of financial transactions under which the provisions | |||
law companies (whose securities are traded on US stock exchanges) | |||
are obliged to integrate and implement internal control procedures as well | |||
and to prepare annual financial reports to the Commission | |||
US Securities and Exchange Commission ("Security Exchanges Commission -" SEC ") 35 , which include | |||
Internal Controls Report for financial transactions | |||
and the reliability of financial statements ("financial statements"). That said | |||
report shall be made in accordance with the provisions of Article 404 SOX Act. Specifically, with | |||
Article 404 SOX Act 36 introduces the obligation and responsibility of the company management to | |||
set up, install and operate an internal control system | |||
procedures related to the preparation of the company's financial statements | |||
submitted to the US Securities and Exchange Commission ("SEC") and includes a | |||
an internal audit report evaluating the effectiveness and | |||
reliability of the internal control system during the previous annual management | |||
use 37 . | |||
From the above in conjunction with the content of this security policy | |||
information systems under Article 404 SOX Act USA it appears that it does not | |||
take into account the risks involved in data protection | |||
personal data of the subjects through the use of the computer infrastructure | |||
(DANAOS hardware and software, AMPFSl , AMPFS2) but aims to ensure | |||
of the necessary corporate information to achieve the objectives described | |||
above in relation to the US Securities and Exchange Commission (SEC). | |||
,, cf. the website of the U.S. Securities and Exchange Commission in relation to Article 404 SOX in | |||
gov/info/smallbus/404/gyide/intro.shtml and Sarbanes-oxleY.-1 0 I .com | |||
,. ,°' details see "Sarbanes-Oxley Section 404: A Guide for Management by Internal Controls Practitioners", | |||
The Institute of Internal Auditors. | |||
3 7 SOX Act companies are required to submit to the Hellenic Capital Market Commission | |||
US (SEC) form 1 0-K which includes an internal audit report stating its responsibility | |||
management structure and internal control procedures regarding financial figures and | |||
the adequacy of internal controls. A statement is also submitted by the party | |||
external auditors of corrections on accounts, recording of off-balance sheet transactions, | |||
changes in share ownership by members of management as well as information about its existence | |||
code of ethics. | |||
Decision 44/2019 | |||
From reading the US Article 404 SOX Act policy relied on by | |||
AMPNI, moreover, the absence of any reference to | |||
protection of personal data pursuant to the GIP or the Directive | |||
95/46 I EC as well as any reference and measure of its internal organization | |||
compliance with the principles of Article 5 GIP and the legal bases of Article 6 | |||
GPD, indicatively does not lack any provision in relation to: a) their rights | |||
subjects (Articles 12-22 GCC), (b) the application of appropriate techniques; and | |||
organizational measures in order to ensure and be able to demonstrate that the | |||
processing is carried out in accordance with the GCP (article 24 par. 1 in combination with | |||
Articles 25 and 30 of the ICCPR) and ( c) the application of appropriate technical and organizational measures | |||
processing safety measures (Article 32 GIP). In addition, it is absent | |||
any provision regarding the permissibility or not of the use of corporate infrastructure | |||
electronic communication by AMPNI employees and executives in relation to | |||
surveillance, access and control of electronic communications | |||
AMPNI employees and executives and, if so, the terms, procedures and | |||
guarantees to carry out relevant checks and investigations on personal data | |||
their. | |||
Finally, the US Article 404 SOX Act policy that provides and | |||
cites AMPNI does not address the risks arising from | |||
processing of personal data (see application no. 75 GKPD). | |||
Finally, the controlled company AMPNI submitted together with ABS the no. prot. | |||
AIIMIX r /En: / 2616 / 05-4-2019 supplementary memorandum to counter the | |||
memoranda of the complainants and L, former legal representative of ABS, without | |||
but again to document no. 5 par. 2 GKP its legal operation | |||
used infrastructure (hardware and software - servers) and without | |||
provide any written documentation of its internal compliance with | |||
the GCC. | |||
29. Moreover, the controlled company AMPNI, despite its requests and questions | |||
At first, both before the hearing and during the hearing, he did not answer | |||
did not document as it should due no. 5 par. 1 GPD the legality of the processing | |||
personal data in the context of the operation of the used | |||
infrastructure (hardware and software - "original servers"). | |||
In particular, it follows from all the above that the controlled company AMPNI | |||
as controller did not take any internal compliance measures no. 5 | |||
par. 1 and 6 par. 1 GKPD in relation to the legal operation of the used | |||
infrastructure (hardware and software - "original servers" DANAOS, AMPFSl , | |||
AMPFS2) which supports the processing of personal data (in particular | |||
e-mails) included in an archiving system, nor provided by anyone | |||
such written documentation of such internal compliance required by the GCC | |||
according to no. 5 par. 2 GKPD, in particular to the requirements of secure data processing | |||
of a personal nature, nor did it take the necessary technical and organizational measures no. 5 | |||
par. 1 ed. fin combination with no. 24 par. 1, 2 and 31 par. 1, 2 GKPD to guarantee the | |||
appropriate security of personal data, including | |||
protecting them from unauthorized or illegal processing and accidental loss, | |||
destruction or deterioration (" integrity and confidentiality " ), nor did it appear to have been designed, | |||
prepared and implemented in compliance with the provisions of article 5 par. I GCP the | |||
any accountability measure referred to in recitals no. 11 | |||
and 16 hereof, including personnel data management policies | |||
nature and security policies in accordance with the requirements of the GCP, nor received | |||
measures of physical and / or rational segregation, nor produced a staff regulation or | |||
another internal document containing provisions on data protection | |||
nor provided any proof of their information | |||
subjects for the processing of their personal data during | |||
operation of the computer infrastructure used (hardware and software; | |||
"Original servers" (DANAOS, AMPFSl , AMPFS2), the exercise ofrelated | |||
their rights but also for the possibility of checking their e-mails. | |||
On the contrary, the controlled company AMRNI focused its arguments | |||
verbally at later or further stages in the processing of the same data, | |||
that is, at the stage of access to the e-mail control servers (stage 2), in | |||
subsequent copying (stage 3) and transmission to Manchester, United Kingdom (d) | |||
stage) of the contents of the original servers ("copy server" ), | |||
claiming that the conditions of article 6 par. 1 par. in the GCC for | |||
processing of personal data, again without substantiating | |||
No. 5 par. 2 GKPD the no. 5 par. 1 GCP legality of data processing | |||
personal character sufficient for the verbal invocation of article 6 par. 1 ed. f | |||
GPD on overriding legal interest. However, it was also extended to | |||
3 5 | |||
Recital no. 17 o f the present, the processing o f personnel data | |||
in violation of the principles of article 5 par. 1 GKPD is not treated by | |||
existence oflegal purpose and legal basis no. 6 par. 1 GKPD. | |||
In this case, the controlled company AMPNI had the obligation, | |||
after proving that he owed no. 5 par. 2 GKP the taking and implementation of measures | |||
compliance with the provisions of Articles 5 (1) and 6 (1) of the GIP | |||
legality of the processing of personal data that took place | |||
in the computer infrastructure used (hardware and software "prototypes | |||
DANAOS, AMPFSl , AMPFS2), to then prove no. 5 par. 2 | |||
GKPD, also the legality no. 5 par. 1 and 6 par. 1 GKPD, of the later ones | |||
(for the initial purposes) or further (for different purposes according to no. 6 par. 4 | |||
GPD) independent and distinct processing operations, namely: b) access and | |||
checking the e-mails held on the servers, c) creating one | |||
new archiving system after copying the original system | |||
archiving and d) the transmission of the copy archiving system | |||
(server - back up according to AMPNI) in Manchester, United Kingdom (see | |||
with no. prot. All.MIX r /EU: / 7306 / 10-9-2018 O"l::A.. 6 K(ll AIIAfIX r /EI/ 7434 I 17-9-2018 O"l::A.. | |||
6 AMPNI documents). | |||
In view of the above, given that the original collection, preservation and in general | |||
processing of personal data contained in the systems | |||
archiving of computer infrastructure (hardware and software "originals | |||
DANAOS, AMPFS 1, AMPFS2) has already been deemed illegal and infringing | |||
the provisions of article 5 par. 1 GCP and especially those of articles 5 par. 1 ed. a 'and f | |||
and par. 2 in conjunction with articles 24 par. 1 and 2 and 32 par. | |||
that subsequent or further processing of the same personnel data | |||
character and in particular the access and control of e-mails, the copying of their content | |||
"Original servers" and the creation of a new system | |||
archiving, sending the new archiving-copy system to | |||
Manchester United are also illegal and violate the whole | |||
of the principles of article 5 par. 1 and 2 but also article 6 par. 1 GCC, as integral | |||
linked to and originating from the original illegal processing of the data | |||
personal character of the "original server" archiving system. | |||
30. As a result of the above deficiencies, the Authority further notes, in accordance with | |||
facts accepted in no. 25 recital, that the same | |||
36 | |||
computer infrastructure (DANAOS server hardware and software, AMPFSI , AMPFS2) | |||
used for the subsequent or further processing of personnel data | |||
character (e-mails) of subjects who worked and were associated with both his companies | |||
AMPNI Group, as well as with third companies, outside the AMPNI Group, without having received the | |||
necessary measures of physical and logical separation resulting in its administrator | |||
system- computer infrastructure to access and process for | |||
AMPNI company account of personal data (e-mails) of subjects | |||
of data not related to the same 38 • Hence the lack of | |||
appropriate technical and organizational measures, in particular those requiring the natural | |||
and logical separation, the threatened risk of confidentiality occurred and | |||
integrity of personal data through access, copying and | |||
their transfer to Manchester, United Kingdom. | |||
It follows from the above that the subsequent or further processing, by | |||
access, copying and transmission to Manchester, | |||
personal data of individuals related to the Group | |||
AMPNI was illegal because it concerned personal data that | |||
from the beginning they had not been legally processed, while in terms of personnel data | |||
nature of natural persons related to third companies outside the AMR NI Group, | |||
in addition to the lack of physical and logical separation measures. | |||
31. In view of the above, the Authority considers that the audited company AMR NI as responsible | |||
processing: | |||
on the one hand, did not apply all the principles of article 5 par. I GCP and 6 par. 1 | |||
GGP on the legality of the processing of personal data | |||
(especially e-mails) that took place in the computer infrastructure used (hardware and | |||
(original server software (DANAOS, AMPFSI , AMPFS2)), but also in | |||
any subsequent or further processing of the same personnel data | |||
character, nor proved by no. 5 par. 2 GPD the observance of these. | |||
on the other hand, violated the provisions of articles 5 par. l ed. a 'and f and par. 2 in | |||
in conjunction with Articles 24 (1) and (2) and 32 (1) and (2) of the GIPA on its principle | |||
secure processing (in particular of the "confidentiality") of personnel data | |||
" Cf. the printouts of the e-mails submitted through her memos | |||
ABS before the hearing before the Authority, in particular no. AITt.IIX r / Ell: / 5432 / 1 8-6-201 8 | |||
supplementary memorandum with a list o f email addresses. | |||
37 | |||
character that took place in the computing infrastructure used (hardware and | |||
original server software (DANAOS, AMPFS l , AMPFS2) from non-download | |||
appropriate technical and organizational measures, but also in the context of any subsequent | |||
or further processing of the same personal data, as necessary | |||
the examination of the observance of the principles of processing of subsections b ', c', d 'and e' of par. 1 of | |||
article 5 as well as article 6 par. 1 GKPD, according to what was accepted in no. | |||
Recital 11 hereof. | |||
32. The objections and allegations of the audited company AMPNI: | |||
i. As to the objection that the GCC does not apply in accordance with article 3 par. 1 | |||
as " [ ... ] AMRNI is a company based in the Republic of the Marshall Islands | |||
(Marshall Islands), is listed on the NY Stock Exchange and is its head | |||
AMRNI Group. AMRNI does not have an installation in Greece but maintains only one | |||
mailing address in Piraeus. ABS is a 1 00% subsidiary of AMP NL Therefore, | |||
AMP NI does not have the same facility in Greece [ ... ] the purpose of export I copying | |||
data .... had nothing to do with the activities of the companies of the AMP NI Group | |||
in GREECE. That is, there is no relationship between the purpose for which they were exported | |||
data and the activities of Greek companies .. »( see Supplementary | |||
Memorandum AMRNI and ABS APDPH no. prot. r /EI/ 10259 / 19-12-2018 p. 5-8). | |||
From article 3 par. 1 GCP, recital 22 GCC and sub | |||
consultation Guidelines 3/2018 of the European Protection Council | |||
Given the territorial scope of the GGP, it follows that the GGP applies | |||
in the processing of personal data in the context of its activities | |||
installation of the controller, which presupposes the substantial and | |||
actual exercise of an activity, which should not be construed narrowly and | |||
typologically as with criterion e.g. the place ofregistration of the company in the relevant registers | |||
registration (see WEU C-210/2016 Facebook (fan page) decision of05-6-2018 Application Sk. | |||
in particular 56 and 53-55, 57, C-230/14 Weltimmo v NAIH decision of0l/10/2015 Ait. Sk. Especially | |||
29 as well as 31). | |||
In this case, the controlled company AMPNI only argues | |||
on the subsequent or further processing of access-control of e-mails and | |||
copying the contents of servers without interfering | |||
claims on the legality of the original collection, preservation and processing of | |||
personal data included in its archiving systems | |||
38 | |||
computer infrastructure (DANAOS "original server" hardware and software, | |||
AMPFS I , AMPFS2). | |||
This computing infrastructure (hardware and software "prototypes | |||
DANA OS, AMPFS I , AMPFS2) at the critical time was | |||
established in Greece and specifically in Piraeus on the Kondili Coast no. I 0, | |||
owned by ABS, a subsidiary of AMPNI and according to a statement | |||
of AMPNI itself (see no. prot. APDPH G /EIS / 7306 / 10-9-2018 document ofp. | |||
2): " The Server belongs to the AMPNI Group and in particular, was purchased together with the required | |||
equipment, earlier in 2018, by ABS, member of the AMRNI Group and 1 00% subsidiary | |||
of the Company ". | |||
In addition, it turned out that the use of servers that were installed on | |||
Greece and the processing of personal data through them received | |||
country following decisions by AMPNI, which determined the purpose and manner | |||
processing no. 4 par. 7 GKPD both for itself and for its subsidiaries | |||
companies in the exercise of its activities. Further, according to a statement | |||
of AMPNI itself ( see document no. | |||
2): " The Server belongs to ABS, a member of the AMPNI Group. That is, in terms of ownership, | |||
has been purchased from ABS. ABS, however, does not process personal data for | |||
account of the Company ". | |||
In addition to the above and in the alternative, the claim should be rejected; | |||
AMPNI 's objection that it has no real but postal facility only in | |||
Greece and that it is based in the Republic of the Marshall Islands (Marshall Islands) given | |||
that she declares the address of Akti Kondili 10, in Piraeus as the address | |||
installation and actual operation first, before the Authority with the | |||
submitted Application for Treatment (see prot. no. APDPH I GI EIS / 6211 / 13-7-2018 p. 1) and | |||
second, before the US Securities and Exchange Commission (SEC), as it turns out | |||
from Annexes A and B attached to the aforementioned Application | |||
Treatment, as well as from the annual report of 16/5/2017 39 which he refers to | |||
C I EIS / 7306 / 10-9-2018 her document to the Authority and from which the statement results | |||
of the following items: AEGEAN MARINE PETROLEUM NETWORK INC., 10, Akti | |||
,. Cf. her togeanmarine.gcs-web.com/static-files/ebca7627-4368-4e6c-9a75-45862ad60cac | |||
39 | |||
Kondili (Address of Principal Executive Office), Piraeus 185 45, Greece (the underlining | |||
and bold from the Annexes), | |||
For these reasons, the Authority rejects its objection - allegation | |||
controlled company AMPNI. | |||
ii. As to the objection according to which the US Bankruptcy Court | |||
of the Southern District of New York issued an order with global force no. 362 | |||
(a) The US Bankruptcy Code under the AMPNI Bankruptcy Application, which provides: | |||
according to her allegations, on the one hand, its continuation before the Authority is prohibited | |||
proceedings, on the other hand, the exercise of control over a bankruptcy asset | |||
property, which according to the audited company AMRNI includes' [ ... ] certain, if | |||
not all, from the data under discussion are assets of the bankruptcy | |||
property » | |||
In this case, by no provision of national or European | |||
legislation, but not by any international or other bilateral - transnational convention | |||
it appears that the cited US Bankruptcy Court order produces | |||
legal results in Greece, nor does the audited company AMPNI claim such | |||
nor does it produce a Greek court decision recognizing | |||
enforceability of such a foreign court order. | |||
In addition, the audited company AMRNI misinterpreted the national and | |||
European legislation on the protection of personal data | |||
as a given in order to submit the relevant objection - claim that the data | |||
personal information processed by the controller recommend | |||
His "property" and therefore part of his "property", as will be demonstrated below. | |||
For these reasons, the Authority rejects its objection - allegation | |||
controlled company AMPNI. | |||
iii. As to the allegation-objection that the complaint against the controlled company | |||
ABS was submitted without right and therefore inadmissible by legal and not natural | |||
person no. 77 par. 1 GKPD, ie the subsidiary ABS resulting in h | |||
issued under no. 2/2018 Temporary Order of the President of the Authority to suffer | |||
invalidity and that ABS withdrew its complaint against the auditee | |||
of AMPNI company, is additionally pointed out under no. 28 recital | |||
of the present that the audit was carried out ex officio according to no. 57 par. 1 ed. a 'and h' | |||
40 | |||
GPD based on the information received by the Authority primarily from 18-6-2018 | |||
Notification of Data Violation Case submitted by ABS | |||
(AIILllIX / r /EU: / 5432 / 18-6-2018). In any case, even if unacceptable | |||
the complaint was submitted by the company ABS, the Authority is entitled no. 57 par. 1 ed. a' | |||
and the GKPD in combination with no. 19 par. 1 case law 2472/199 7 to carry out | |||
ex officio checks and investigations with only the information received for real | |||
cases of breach of existing data protection legislation | |||
personal. In addition, the Authority is entitled no. 19 par. 1 per. Iy 'v. | |||
2472/199 7, but is not obliged to file requests or complaints that are judged | |||
manifestly, vaguely, unfoundedly or submitted abusively or anonymously. Therefore, from | |||
the above provisions, which apply as they do not conflict with | |||
GPA (see APDP 46/18 and 52/18) it appears that the Authority had the right to | |||
carry out an audit with only the factual information independently | |||
the validity or not of the complaint. | |||
In addition, the President of the Authority despite the submission on behalf of the company ABS | |||
application for a temporary order, issued ex officio the no. 2/2018 | |||
Interim Order, taking note of the facts relied on | |||
as it appears from the body of the Provisional Order itself to which it does not refer | |||
that it accepts that request. Therefore the no. 2/2018 Interim Order of | |||
President of the Authority does not suffer invalidity. | |||
Finally, the ABS company withdrew its complaint against it | |||
controlled company ABS, but also the complaint of inadmissible complaint by a lawyer | |||
person do not find support in any provision of law given that it is not about | |||
a private civil law dispute the subject matter of which is disposed of in accordance with | |||
the will of the parties, and in addition, as stated above, the Authority investigates ex officio | |||
any information on breaches of personnel data protection legislation | |||
character (ad hoc AIIt.IIX 136/2015 mt. enc. 6 par. a '). | |||
For these reasons, the Authority rejects its objections - allegations | |||
controlled company AMPNI. | |||
iv. As to the objection-allegation of inadmissibility of the individual complaints | |||
natural persons because they have not previously contacted the controller | |||
in order to exercise their rights under Articles 15-22 GCP, before | |||
It should be noted that, on the one hand, the provisions of Article 77 | |||
41 | |||
par. 1 GPD it appears that every data subject has the right to submit | |||
direct complaint to the Authority if it considers that the processing of personnel data | |||
violates the GPA. In this case, the natural | |||
persons denounced the violation of the GCP against them and not the non | |||
satisfactory response of the audited company AMPNI in the exercise of | |||
their rights under Articles 15-22 GCP. | |||
In addition, as stated above, the Authority is engaged on its own initiative and investigates | |||
any fact of violation of the current legislation for the protection of | |||
personal data, whether or not the complainants bear the | |||
burden of proving their allegations as well as whether or not they prove their validity | |||
of their allegations. | |||
In this case, the complainants complained about | |||
alleged illegal copying of their personal data | |||
were included in the computer infrastructure archiving systems (hardware and | |||
"original server software" (DANAOS, AMPFSl , AMPFS2). The beginning | |||
in order to verify the legality of such copying, it proceeded ex officio to | |||
investigating the legality of the original collection, preservation and processing of | |||
personal data included in the "original servers". | |||
As already stated, the obligation to prove no. 5 par. 2 GPD of legality | |||
of each treatment no. 5 par. I and 6 par. I GKPD is the responsibility of the person in charge | |||
processing and not the data subject. | |||
For these reasons, the Authority rejects its objection - allegation | |||
controlled company AMPNI. | |||
v. Regarding the objection-claim that the corporate e-mails exchanged by | |||
Corporate e-mail accounts are not data | |||
personal property and that they constitute an "asset" belonging to | |||
"Ownership" of the company, the Authority has already rejected the relevant claim on the basis of | |||
recitals 4, 5 and 6 hereof in order to reach a conclusion | |||
that the audited company processed personal data | |||
were included in a computer infrastructure archiving system (hardware and | |||
"original server software" (DANAOS, AMPFSI , AMPFS2) without complying with | |||
the principles of article 5 par. I and 6 par. I GKPD as well as in violation of its principle | |||
safe processing no. 5 par. I ed. a 'and f GKPD. | |||
42 | |||
Moreover, in this case, the fact that the email addresses | |||
(e-mails) had as their first component, identifiers of the usemame, ie | |||
of the form ovoga./i,nmvugo@-mtP-ia.gr is enough for their characterization as data | |||
without the need to check the content of e-mails | |||
in order to determine whether it is professional or private correspondence | |||
or if they come from a corporate or private e-mail account, | |||
in accordance with what has been accepted in recitals 4, 5 and 6 hereof. | |||
Therefore, the claim of the controlled company AMPNI according to which the | |||
Complainants must provide "personal" e-mails that | |||
sent from non-corporate (private) email accounts | |||
and include content copied personal data | |||
by AMPNI in order to prove the validity of their complaint, on the one hand no | |||
based on the above, on the other hand, the Authority considered that | |||
the principles of article 5 par. I GCP and 6 par. 1 GCP regarding its legality | |||
processing of personal data, ie the set of e-mails that | |||
took place in the computer infrastructure used (hardware and software | |||
"Original servers" DANAOS, AMPFSl , AMPFS2), but also any | |||
subsequent or further processing of the same personal data, | |||
so that there is no need to respond to the individual complaints of individuals, as it will | |||
discussed below. | |||
Finally, as already accepted with no. 6 recital of this o | |||
claim of the audited company AMRNI according to which the data | |||
personal belonging to the "property" or "property" of it comes in full | |||
contrary to national and European law and that the controller does not | |||
is the "owner" of the personal data it processes. | |||
If the controller was the "owner" of the personnel data | |||
character to be processed would not be introduced as a rule by article 6 par. 1 GCP h | |||
ban on the processing of personal data so that it is required to | |||
one of the legal bases provided there in order to legalize the | |||
processing, nor would the data subject be granted a set of rights on it | |||
control of personal data (art. 12-22 GKPD), in particular | |||
objection, restriction, deletion or portability rights. | |||
For these reasons, the Authority rejects its objection - allegation | |||
controlled company AMPNI. | |||
43 | |||
vi. Regarding the objection - claim of the controlled company AMRNI that any download | |||
taken into account by the Authority new evidence presented by the complainants | |||
after the end of the hearing violates her right to be heard, she must in principle | |||
It should be noted that the audited company, on the one hand, received knowledge and copies of the documents | |||
submitted by the complainants after the hearing as well | |||
deadline of 15 days in order to submit its views on them (APDP no. | |||
prot. G /EX / 2214 / 21-3-2019), on the other hand, she also presented new evidence after | |||
the end of the hearing, but also placed on the allegations and the evidence | |||
material provided by the complainants after the hearing (see Supplementary | |||
Memorandum AMPNI & ABS with no. prot. AIMTIX r /EI/ 2616 I 05-4-2019). | |||
In addition, it is not provided for in any provision of the CPC or other legislation | |||
Prohibition of presenting new evidence after the end of the hearing | |||
audited or that all the evidence on which the Authority will judge | |||
must have been gathered before the hearing at a hearing given that the | |||
The purpose of the hearing is to provide explanations and information for clarification | |||
issues that may even have first arisen during it | |||
as is the case with other constitutional hearings | |||
established independent administrative authorities such as e.g. its Security Authority | |||
Privacy of Communications (ADAE). | |||
vii. As to the allegation - objection of the audited company about illegal | |||
extension of the granted deadline for submission of a memorandum after the hearing will | |||
It should be noted that the extension was legal since the controlled company AMPNI | |||
together with ABS submitted a request for the exclusion of the rapporteur of the case after | |||
commencement and during the submission deadline resulting in | |||
the deadline for issuing a decision on the request for exemption is automatically suspended | |||
and until a new deadline is provided. In no case could the | |||
initial deadline for submitting a memorandum after the hearing, if not previously | |||
the Department of the Authority decides on the request for exemption. On the contrary, on her part | |||
controlled company AMPNI together with ABS, submission of memorandum by hearing | |||
pending the request for exclusion of the rapporteur which they themselves had submitted and without | |||
await the issuance of the decision on the exemption request comes in full | |||
contrary to the request for exemption itself as on the one hand the companies requested the | |||
44 | |||
with the exception of the rapporteur, while on the other hand they submitted a memorandum to the Department of Authority | |||
in which the rapporteur participated. | |||
For these reasons, the Authority rejects its objection - allegation | |||
controlled company AMPNI. | |||
viii. The audited company AMRNI makes the following allegations: that legally | |||
entered the computer infrastructure used (hardware and software "prototypes | |||
DANAOS, AMPFSl , AMPFS2) in order to | |||
e-mail of specific individuals, former and current employees | |||
and AMPNI Group executives, that these inspections were legal, that accidental | |||
software for deleting already deleted files was discovered to make it | |||
it is necessary to copy the entire computing infrastructure used, | |||
including personal data (e-mails) of individuals | |||
related to third party companies outside the AMR NI Groups, that there was no obligation | |||
notification of an incident of personal data breach to the Authority by | |||
detection of "malware" deletion, that as an employer he had under Article 6 | |||
par. 1 ed. GPP over legal interest in checking and copying e-mails | |||
in the context of the audit carried out, that he was not obliged to inform the | |||
data subjects, either before copying or after copying e-mails | |||
their. | |||
A prerequisite for answering the above allegations is, as stated above | |||
in accordance with recitals no. 17, 18, 22, 29 and 30 of the present but also | |||
from no. 3/2018 Provisional Order of the President of the Authority, the proof of it | |||
legality of the initial processing (collection and preservation) of the data | |||
of a personal nature taking place in the computing infrastructure used | |||
(hardware and software of"original servers" DANAOS, AMPFSl , AMPFS2). | |||
Given that the Authority considered it illegal and in particular a violation of the principle | |||
of safe processing the original collection, preservation and generally processing of | |||
personal data included in its archiving systems | |||
computer infrastructure (DANAOS "original server" hardware and software, | |||
AMPFSl , AMPFS2), it is provided that subsequent or further processing of the same | |||
personal data, namely the access and control of e-mails, h | |||
copy the contents of the "original servers" to a "server copy" | |||
with which a new archiving system was created (back up according to AMR NI) and | |||
45 | |||
the sending of the new archiving-copy system to his Manchester | |||
United Kingdom are also illegal and violate all of its principles | |||
Article 5 par. 1 and 2 but also Article 6 par. 1 GCC, as inextricably linked | |||
and derived from the initial illegal processing of personnel data | |||
the nature of the "original server" archiving system so that it is redundant | |||
the examination of both the complaints of the natural persons and the one to be rebutted | |||
examination of the claims of the controlled company AMPNI that focus | |||
exclusively in the subsequent or further processing of personnel data | |||
character. That is, even if their complaints had not been submitted | |||
natural persons ( concerning subsequent or further processing), would be | |||
copying the "original server" is illegal due to not filling them in from the beginning | |||
conditions for the legal processing of personal data contents. | |||
Thus, the invocation of the legal basis by the controlled company AMPNI | |||
of article 6 par. 1 par. in the GCC for control, access, copying and | |||
sending the content of the "original servers" (servers), but also invoking | |||
of the need to copy due to "malware" detection can not | |||
retroactively legitimize the earlier processing of | |||
personal data in violation of articles 5 par. 1 and 6 par. 1 GCP | |||
in accordance with what was accepted in recitals no. 17 and 22 of this. | |||
For these reasons, the Authority rejects its objection - allegation | |||
controlled company AMPNI. | |||
33. On the contrary, the information in the file and the hearing did not show that | |||
company " ERNST & YANG (BELLAS) CERTIFIED AUDITORS A CCOUNTANTS SA »Participated | |||
or assisted in the breach by the controller | |||
provisions of Articles 5 (1) and 6 (1) of the GIP, in particular at the access stage, | |||
control, copying and transmission in Manchester, United Kingdom | |||
personal data. | |||
34. According to the GKPD (Ait. Sk. 148) in order to strengthen their enforcement | |||
rules of this Regulation, sanctions, including administrative | |||
fines should be imposed for any infringement of this Regulation, | |||
in addition to or instead of the appropriate measures imposed by the supervisory authority | |||
in accordance with this Regulation. In cases of minor breach or if | |||
46 | |||
the fine that may be imposed would be a disproportionate charge in kind | |||
person, a reprimand could be imposed instead of a fine. | |||
The Authority after establishing the violation of the provisions of the GCP during | |||
above, taking into account, in addition to the above, in particular the Guidelines | |||
guidelines for the application and setting of administrative fines for its purposes | |||
Regulation 2016/679 issued on 03-10-2017 by the Working Group of the article | |||
29 (WP 253) and having duly taken into account the provisions of Article 83 of the ICCPR in measure | |||
applicable in this case and in particular those provided for | |||
from paragraph 2 of the same article criteria relate to the specific case that | |||
examined by the Authority: | |||
(a) the nature, gravity and duration of the infringement, taking into account | |||
the nature, extent or purpose of the treatment concerned, and the number of | |||
subj ects of the data affected by the infringement and the degree of damage suffered | |||
namely: | |||
i. the fact that the company violated the principles from article 5 par. 1 GKPD as well as | |||
the obligation (principle) of accountability no. 5 par. 2 GKPD, ie violated | |||
fundamental principles of the GBER for the protection of personnel data | |||
character. | |||
ii. the fact that the condition of safe processing no. 5 par. 1 ed. f | |||
GPA is now reduced to a basic principle of data processing | |||
personal nature so that, even if the other processing principles are followed | |||
to make the processing totally illegal in the event that o | |||
processor does not guarantee adequate security. | |||
iii. the fact that it also becomes of fundamental importance the principle of accountability | |||
under the new compliance model introduced with the FGM, where | |||
burden of compliance and the relevant responsibility lies with the controller, o | |||
which has been provided by the GCP with the necessary compliance tools. | |||
iv. the fact that according to no. 3/2010 Opinion of its Working Group | |||
Article 29 on the principle of accountability (WP l 73 / 13-7-2010) the establishment | |||
internal accountability measures for compliance with processing principles (par. 39-51 | |||
and in particular par. 41 and 44) provides great opportunities for effective implementation | |||
reducing the chances of the controller violating the | |||
legislation and therefore the assessment of sanctions takes into account the | |||
compliance with the principle of accountability (par. 38), while in case | |||
breach of it requires substantial sanctions, such as in | |||
case in which a controller does not comply with the statements made | |||
contained in its binding internal policies, which are taken | |||
in addition to the actual breach of the essential principles | |||
data protection (par. 64). | |||
47 | |||
v. the fact that the controller did not take any internal action | |||
compliance with the accountability principle to be applied and | |||
implementation of the principles of personal data processing by | |||
No. 5 par. 1 GKPD, not even the ones provided as "basic" according to the Opinion | |||
3/2010 of OE 29 (par. 44, ibid.) | |||
vi. the fact that the violation of the above principles took place in the context | |||
processing of personal data in a computer infrastructure (hardware | |||
and software) which is used to service a large number | |||
electronic communications of data subjects | |||
vii. the fact that the violation of the above principles took place during the processing | |||
personal data of labor subjects | |||
characterized by a power imbalance between employer and | |||
employees. The importance attached by the GCC to processing | |||
of personal data in employment relationships is demonstrated by | |||
fact that Article 88 thereof gives the national legislature the opportunity | |||
establishing specific rules to ensure their protection | |||
rights and freedoms of workers, including appropriate | |||
and special measures to safeguard human dignity, the law | |||
interests and fundamental rights of the person to whom | |||
the data are reported, with particular emphasis on the transparency of the processing, the | |||
intra-group data transmission and on-site monitoring systems | |||
work. Therefore, the observance of the principles provided by article 5 par. 1 | |||
ed. a 'and par. 2 GKPD acquires in this case a special and important importance for | |||
respect for the right to protection of personal data | |||
character of employees. | |||
viii. the fact that the principle of safe processing was substantially violated | |||
personal data no. 5 par. 1 ed. in the GCC through | |||
and ultimately achieve access, copy, transmission and in general | |||
processing of personal data of data subjects | |||
were affiliated with third parties, except the AMRNI Group | |||
ix. the fact that the violation of the above principles is subject to the provisions | |||
of article 83 par. 5 ed. a 'GKPD in cases of administrative enforcement | |||
fines ofup to EUR 20,000,000 or, in the case of businesses, up to 4% of | |||
total global annual turnover of the previous financial year | |||
year, depending on which is higher, ie in the higher provided | |||
category of the classification system of administrative fines, the imposition of | |||
reserved, in accordance with the principle of proportionality, | |||
in the case of the most serious violations of the GCC. Therefore, already from | |||
the provisions of the GCP show that the violation of the principles provided | |||
from article 5 par. 1 and par. 2 GKPD is treated as of greater importance | |||
in relation to the violations provided by article 83 par. 4 GKPD. | |||
48 | |||
x. the fact of causing damage to the right to data protection | |||
personal data of the subjects from the violation of the above | |||
authorities and, in particular , the processing of | |||
personal data, secondly, the continuing in breach of it | |||
GPD processing of personal data in several stages | |||
(initial preservation and processing, access and control, copying, transmission) | |||
and third, the complete deprivation of rights and the exercise of control over them | |||
personal data of the data subjects (cf. Ait.Sk. | |||
75 GKPD and OE 29 on administrative fines, ibid., P. 11 ). | |||
xi. The fact that, from the information presented to the Authority, no evidence emerged against | |||
at this stage the occurrence of material damage to the data subjects, nor | |||
relied on relevant material damage | |||
xii. the fact that the violation of the principles of article 5 par. 1 and par. 2 GKPD no | |||
concerned, on the basis of the information provided to the Authority, data | |||
personal provisions of Articles 9 and 10 of the GIP. | |||
xiii. The fact that the violation of the principles of article 5 par. 1 and par. 2 concerned | |||
any subject whose personal data occurred | |||
processing in the context of its electronic communications service | |||
from computer infrastructure (hardware and software) so that it is not one | |||
individual or occasional infringement but for an infringement that has a systemic | |||
(structural) character. | |||
b) the deceit or negligence which caused the infringement | |||
From the hearing before the Authority and the memoranda of the person in charge | |||
shows that the company was completely unaware of the compliance obligations | |||
in accordance with the requirements of the GCP, and in addition showed no willingness to comply, as | |||
will be demonstrated below. Therefore, the violations found were | |||
resulting from a lack of complete knowledge and application of the provisions of the GCC in | |||
framework of the organization of internal compliance despite the fact that the responsible | |||
could and should, in particular due to accountability, to | |||
comply with the provisions of the GCP, thus violating the duty of care which | |||
required by law. | |||
(c) any action taken by the controller to | |||
mitigate the damage suffered by data subjects, | |||
The controller did not take any action to restore or | |||
mitigation of the damage suffered by the data subjects, nor did it | |||
informing them, even after the illegal processing of the data by him | |||
their personal nature. It should be noted at this point that the person in charge | |||
processing for non-prior updating of data subjects | |||
invoked the exception of article 14 par. 5 ed. b 'GKPD so as not to damage the | |||
achieving the objectives of the processing, namely the internal control relied on. | |||
Regardless of the validity or otherwise of that claim, even after | |||
completion of the alleged internal control, never the controller | |||
informed data subjects of subsequent or further processing, | |||
namely the copying and transmission of their data to Manchester, United Kingdom | |||
Vassilios, especially natural persons affiliated with third parties outside the Group | |||
AMPNI, so that to date they have not been informed about it. It is recalled that according | |||
with what has been accepted hereby, the violation of the principles of article 5 par. 1 GCP | |||
occurred at the expense of any subject whose data were found to be illegal | |||
processing and not only of the complaining natural persons. | |||
( d) the degree of responsibility of the controller, taking into account the techniques; and | |||
organizational measures implemented pursuant to Articles 25 and 32, | |||
The controller did not take into account technical and organizational measures, nor did he take any action | |||
to the necessary evaluations in order to draw appropriate conclusions (see no. 28 | |||
request sk. of the present). | |||
(e) any relevant previous infringements by the controller; | |||
It appears from a relevant audit that no administrative sanction has been imposed to date by | |||
the begining | |||
(t) the extent of cooperation with the Authority to remedy the infringement | |||
and limiting its potential adverse effects, | |||
The Authority recognizes as a mitigating circumstance on the part of the person in charge | |||
processing admission of illegal copying and sending to his Manchester | |||
United Kingdom "[ . . . ] any e-mails of individuals who have not and I or have not | |||
any employment or service relationship or any other relationship with companies | |||
of the AMRNI group, which AMRNI would be available to separate and provide | |||
evidence of this "(Supplementary Memorandum AMPNI-ABS ofOS-4-2019 | |||
pp. 8 and 12 AilMIX r /EI/ 2616 I 05-4-2019 last page, point 4) as well as the expression | |||
of his intention, according to the above, to proceed with separation or deletion (see | |||
Supplementary Memorandum AMPNI-ABS of 19-12-2018 p. 23), although it did not express | |||
the same intention for the personal data of the other subjects | |||
data. | |||
g) the categories of personal data affected by the infringement , namely | |||
Whereas this is not personal data referred to in Articles 9 and 10 of the GIP, | |||
in accordance with the information provided to the Authority. | |||
{h) the manner in which the supervisory authority was informed of the infringement, in particular | |||
if and to what extent the controller or processor notified | |||
the infringement, | |||
In this case, the Authority was informed of the final findings | |||
breaches primarily through the Data Breach Notification submitted by | |||
ABS company as a result of which it carries out an ex-officio inspection. The person in charge | |||
did not inform the Authority, nor did it notify itself of the Infringement | |||
Data | |||
i) any other aggravating or mitigating factor arising out of | |||
circumstances of the particular case, such as the financial benefits that | |||
or damage avoided, directly or indirectly, by the infringement | |||
The Authority, in addition to the above, acknowledges as an additional mitigating factor that from | |||
the data presented to it to date and on the basis of which it found | |||
breach of the GPA, the controller did not reap any financial benefit, either | |||
caused material damage to data subjects. | |||
The Authority recognizes as aggravating the fact that the person in charge | |||
has so far shown no intention of complying with | |||
requirements of the GCP, nor has it informed the Authority of its inclusion in a program | |||
internal compliance in order to make any data processing legal | |||
of personal character no. 5 par. 1 and 6 par. 1 GKPD carried out in | |||
computer infrastructure ("original server" hardware and software). | |||
The person in charge of processing a series of documents to the Authority, especially after | |||
listening, focused all his efforts on highlighting the importance that | |||
had for him the use of the content of the copied servers ("back up" | |||
servers according to him) for the purposes of internal control of the AMPNI Group and | |||
consequently for the submission of relevant data to the Hellenic Capital Market Commission | |||
of the US and the competent US judicial authorities, even asking not to | |||
imposed by the Authority the sanction of the destruction of the content of the copied | |||
at the time the Authority banned processing and | |||
use the content of the copied servers, but not at that time | |||
period of "original servers". | |||
THE BEGINNING | |||
Having taken into account the above | |||
Because he decided the no. 58 par. 2 GKP exercising its corrective powers | |||
in this case by imposing corrective measures | |||
Because pursuant to the provision of article 58 par. 2 ed. d GKPD the Authority decided | |||
to give an order to the company "AEGEAN MARINE PETROLEUM NETWOR K INC | |||
(AMPNI) "as the controller to comply with the provisions of the GCP | |||
the processing of personal data contained in both | |||
in the computer infrastructure used (hardware and software "originals | |||
DANAOS, AMPFS 1, AMPFS2), as well as in the new archiving system | |||
a copy of the original servers sent to his Manchester | |||
United Kingdom. | |||
Because in particular the company should take all necessary internal measures | |||
compliance and accountability to the principles of Article 5 par. 1 and par. 2 in combination | |||
with article 6 par. 1 GKPD. | |||
Because the above order must be executed within three (3) months from | |||
receipt of this, informing the Authority. | |||
Because the above corrective measure alone is not enough to restore it | |||
compliance with the infringed provisions of the GCC in accordance with what has been accepted by | |||
the no. 31 recital herein and in addition, at the time when | |||
in fact the company despite the substantial admission on its part of at least part of it | |||
violation of the GCC showed complete disregard for compliance with its provisions | |||
Articles 5 and 6 par. 1 GCP. | |||
Because the Authority considers that in this case based on the circumstances | |||
should be found pursuant to the provision of article 58 par. 2 ed. 0 TKIL'.l va | |||
in addition, effective, proportionate and dissuasive administrative money is imposed | |||
fine no. 83 GPA, both for the restoration of compliance and for | |||
punishment for this illegal behavior 40 | |||
Because the Authority found to have infringed the provisions of Articles 5 and 6 of the GIP | |||
is subject to the provisions of article 83 par. 5 ed. a 'GPD in the cases | |||
imposition of administrative fines up to EUR 20,000,000 or, in the case of undertakings, up to | |||
4% of the total global annual turnover of the previous financial year | |||
year, depending on which is higher. | |||
Because the Authority took into account, on the one hand, that AMR NI has submitted an application | |||
bankruptcy in the US, on the other hand, that according to the report submitted by the company in the year | |||
2017 to the US Securities and Exchange Commission (SEC) its total revenue | |||
("Total revenue") for the year 2016 was 4,076,219,000.00 US dollars. (see p. 157 in | |||
attached no. prot. r / EIE / 7306 / 10-09-2018 document 41 ). | |||
Because with the issuance of this it ceases no. 19 par. 7 a law 24 72/199 7 the validity of | |||
Interim Orders of the President of the Authority No. 2/2018 and 3/2018 and are valid | |||
now accepted in the operative part of this | |||
FOR THOSE R EASONS | |||
THE BEGINNING | |||
A. Gives orders to the company «« AEGEAN MARINE PETROLEUM NETWORK INC | |||
(AMPNI) »» as within three (3) months ofreceipt of this, informing | |||
the begining | |||
40 Cf. OE 29, Guidelines and the implementation and setting of administrative fines for them | |||
purposes of Regulation 201 6/679 WP253, p. 6 | |||
" Also available at geanmarine.gcs-web.com/static-files/ebca7627-4368-4e6c-9a75-45862ad60cac | |||
52 | |||
i. make the processing operations in accordance with the provisions of the GCC | |||
personal data contained in both used | |||
computer infrastructure (DANAOS "original server" hardware and software, | |||
AMPFS I , AMPFS2), as well as in the new copy archiving system | |||
original server shipped to Manchester, United Kingdom, | |||
ii. take all necessary internal compliance and accountability measures | |||
principles of article 5 par. I and par. 2 in combination with article 6 par. I GCP. | |||
B. Imposes on the company «« AEGEAN MARINE PETROLEUM NETWOR K INC | |||
(AMPNI) "the effective, proportionate and dissuasive administrative fine | |||
appropriate to the particular case according to its specific circumstances, | |||
amounting to one hundred and fifty thousand (150,000.00) euros. | |||
The Vice President The Secretary | |||
George Batzalexis Irini Papageorgopoulou | |||
</pre> | </pre> |
Latest revision as of 15:39, 6 December 2023
HDPA (Greece) - 44/2019 | |
---|---|
Authority: | HDPA (Greece) |
Jurisdiction: | Greece |
Relevant Law: | Article 5(1) GDPR Article 5(2) GDPR Article 6(1) GDPR Article 32 GDPR Article 33 GDPR Article 58(2)(d) GDPR Article 58(2)(i) GDPR Article 83(5)(a) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 19.12.2019 |
Published: | |
Fine: | 150,000 EUR |
Parties: | AEGEAN BUNKERING SERVICES INC (ABS) ERNST&YOUNG HELLAS CERTIFIED AUDITORS-ACCOUNTANTS (EY Greece) Aegean Marine Petroleum Network Inc. (AMPNI) (Reorganised as Minerva Bunkering) |
National Case Number/Name: | 44/2019 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Greek |
Original Source: | HDPA HDPA (Greece) (in EL) |
Initial Contributor: | n/a |
The HDPA issued EUR 150,000 fine against Greek supplier of marine bunker fuels and lubricants for violations of the principles of lawfulness, fairness and transparency and the security of processing according to the GDPR, while carrying out data processing operations in computer infrastructures (server hardware and software).
English Summary
Facts
ABS filed a complaint against companies AMPNI and EY Greece for alleged violations of Article 33 GDPR. According to the complainant people related to the defendants entered without authorisation ABS's data room and illegally copied to mobile data carriers the entire digital content of the server which contains digital documents, e-mails and other electronic communications of ABS's employees with third parties as well as of third parties' employees. Then, these people created a clone server. Further, 11 other complaints filed before the HDPA by data subjects in relation to this incident.
Dispute
The DPA had to assess whether there was violation by both defendants regarding the notification obligation for personal data breaches to the supervisory authority.
Holding
The HDPA ordered AMPNI as the data controller in this case to bring the processing operations at stake into compliance with the GDPR within three months from the receipt of this decision as foreseen under Article 58(2)(d) GDPR. The company must take all necessary measures for internal compliance and accountability according to Article 5(1) GDPR, Article 5(2) GDPR and Article 6(1) GDPR. Since the company had totally ignored the its compliance with the mentioned provisions, the HDPA issued a fine EUR 150,000 according to Article 58(2)(i) GDPR and Article 83(5)(a) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
There is no available machine translated decision. Please refer to the Greek original decision for details.
3/2/2021 Greek Republic DATA PROTECTION AUTHORITY PERSONAL CHARACTER Decision 44/2019 Athens, 19-12-2019 No. Prot .: f /EE/ 8907 / 19-12-2019 RESOLUTION NO. 44/2019 (Department) The Personal Data Protection Authority met in composition Department at its headquarters on Wednesday, July 24, 2019 at the invitation of the President in order to examine the case referred to in the background hereof. Present were George Batzalexis, Vice President, disabled President of the Authority, Konstantinos Menoudakos, the alternate members Panagiotis Rodogiannis, Grigorios Tsolias as rapporteur, and Evangelos Papakonstantinou, in replacement of the regular members Antoniou Symvoni, Charalambos Anthopoulos and Konstantinos Lambrinoudakis who, although legally summoned in writing, did not attended due to disability. The meeting was attended by, by order of the President, Mr. George Roussopoulos, Specialist Scientist-Auditor as Assistant Rapporteur and Irene Papageorgopoulou, employee of the Administrative Department of the Authority, as secretary, while The other assistant rapporteur, Evmorfia - Iosifina Tsakiridou, was not present due to disability. specialist scientist supervisor. The Authority took into account the following: AEGEAN BUNKERING SERVICES INC (hereinafter referred to as "ABS") submitted to Authority the notification of violation case number C /EI/ 5432 / 18-06-2018 personal data, according to art. 33 of Regulation (EU) 2016/679 (General Data Protection Regulation - hereinafter referred to as "GKPD") together with a supplement 1-3 Kifissias Ave., 11523 Athens, Tel.: 210-6475600, Fax: 210-6475628, contact@dpa.gr,www.dpa.gr memorandum. At the same time, the same company submitted the reference number r / EIB / 5414 / 18-06- 2018 report ( she described it as a complaint) regarding a violation personal data against Aegean Marine Petroleum Network Inc (hereinafter referred to as "AMPNI") and ERNST & YOUNG HELLAS CERTIFIED AUDITORS-ACCOUNTANTS (hereinafter referred to as "EY HELLAS"), which claims that persons associated with The above two companies entered the ABS (data room) area without permission and illegally copied the entire digital to portable storage media server content that contains electronic files as well e-mails and other communications of both employees of ABS with third parties as well as employees of third companies by "cloning" him original server (server) and thus creating a new file (clone server) by copying the original server. With the no. 2/2018 Provisional Order of its President (with reference no. CI EX I 5432-1 I 22-06-2018), the Authority banned, until a final decision is issued, on AMPNI and EV HELLAS as well as to any other company or natural person in which all or part of what was copied in the case may have been transmitted file (clone server), to process personal data in any way in particular the e-mails contained in the copied file (server) which were attached as a list at the end of that Provisional Order forming an integral part ofit. Note that with the same decision clarified that the above provision suspending the processing of personnel data character contained in the copied server (clone server) does not prevents the continuation of the operation of the original server (server) of the same company, provided of course the processing of the data of a personal nature takes place legally no. 5 and 6 par. 1 GKPD. The Authority with no. prot. G / EX I 5414-1 I 26-6-2018 her document called the companies AMRNI, ABS and EV HELLAS to provide information as well as to present specific documents as well as any information necessary for a final decision on the present case. On the above document: The company EV HELLAS with its from 28-6-2018 Memorandum to the Authority (prot. no. AIIMIX r / EI/ 5824 / 29-6-2018) stated that it has nothing to do with case in question, was not even aware of the accused as illegal processing of personal data. In addition, he requested the revocation of the temporary order to the extent that it concerns her as a non-involved party and requested that she be exempted from 2 any investigation or audit carried out by the Authority in relation to this case. THE Authority requested further clarifications from the company in question with reference number CI EX I 5824-1 / 06-07-2018 her document, especially in relation to two persons who are alleged to said representatives of the company "Ernst & Young" and are involved in its copying server. EV HELLAS responded with its document number GI EIS / 6424 / 24-07-2018 denying any connection with such natural persons. ii. The company ABS with its Report dated 28-6-2018 (prot. No. r / EI/ 5825/29/06/2018) and her letter dated 03-7-2018 (prot. No. r / EIB I 5935 I 04-07- 2018) submitted documents to the Authority, including Organization policies with the name "AEGEAN", which did not bear the date of drafting and application, no bore the signatures of persons responsible for drafting and approval, while with the same The company provided information in response to the Authority's questions. iii. The company AMPNI with the from 13-7-2018 Treatment Application (no. APDPH prot. r / EIB I 6211 / 13-7-2018) requested the cancellation and suspension of force, in whole or in part part of the Provisional Order no. 2/2018 of the President of the Authority for the reasons which are listed in detail there. With that request the company denied them all against her, allegations submitted by the complainant company ABS, pointed out ABS was a wholly - owned subsidiary and claimed, inter alia, that legally gained access to email accounts specific current or former employees of the AMPNI Group as well as other related data in the context of internal research in relation to its important economic issues including possible fraud against the company, that the access to them was necessary in order for the company to be able to comply with its reporting obligations and notifications to the US Securities and Exchange Commission (SEC) under them applicable laws and regulations, including U.S. law securities legislation and New York Stock Exchange regulations as well also in order to protect the Group from further loss and loss that the internal investigation carried out has been obstructed by persons for which are suspected of possessing important information in relation to the subjects of internal control, that the e-mails exported were professional (corporate) and therefore they are not personal data, that he made a copy security (back up) of all system data, ie data that involved third-party employees using the same server 3 (server) because the installation and operation of deletion software was detected and therefore such processing was absolutely necessary to protect their integrity of the AMR.NI Group by those who tried to destroy them without authorization, that the information in question is derived from the requested information e-mail is required for external auditors PriwaterhouseCoopersS.A. ("PwC") in order to sign the company's annual report for the financial year 2017. Furthermore, the Authority received 11 complaints from individuals against it AMPNI and EY HELLAS and in connection with the above incident, and specifically the reference numbers r / EI:E / 5648 / 26-06-2018, r / EI:E / 5650 / 26-06-2018, r / EI:E / 5651 I 26-06-20 l 8, r / EI:E / 5653 / 26-06-2018, r / EI:E / 5679 / 26-06-2018, r / EI:E / 5680 I 26- 06-2018, r / EI:E / 5681 / 26-06-2018, r / EI:E / 5682 I 26-06-2018, r / EI:E / 5683 I 26-06-2018, r / EI:E / 5684 / 26-06-2018 and r / EI:E / 5685 I 26-06-2018, complaints of A, B, r, b., E, :ET, Z, H, I, I and K respectively, who brought before the Authority for violation of their personal data stored on the original server and which was illegally copied in its entirety by the controlled company AMPNI with given that some of the complainants were employees of third parties, unrelated to AMPNI and its Group companies, as D and I worked in "AEGEAN OIL", K worked at "AEGEAN NET FUELS", Z worked at "AEGEAN PETROLEUM INTERNATIONAL", and B who worked at AEGEAN SHIPPING MANAGEMENT " The Authority after studying the above answers after the attached documents sent: i. in the company AMPNI the with no. prot. G /EX / 6211-1 / 14-8-2018 document with who called her to provide additional clarifications and informed her of complaints against it in order to state its views on them. ii. in the company ABS with no. prot. G /EX / 5935-1 / 16-8-2018 document with which he called her provide additional clarifications and documents. The company ABS with its from 11-9-2018 Supplementary Memorandum to Authority (prot. No. APDPH G /EIS / 7522 / 20-9-2018) provided additional clarifications and documents and in particular: that the security policies originally submitted written outside the EU in the US and applicable to AMPNI and its subsidiaries, that in the internal working regulations of the Greek subsidiaries of AMPNI no is there any reference to checking employees' corporate emails or 4 way that the company can carry out internal audits with sole responsibility of AMPNI, that on the original server, the content of which illegally copied by AMPNI kept personal data of third parties of companies to the AMPNI Group as indicative of the companies "Aegean Net Fuels Ltd Fze "," Aegean OIL SA "," Aegean Lubes "and" Aegean Gas ", that all the above companies , together with ABS, AMPNI and its subsidiaries use informally and without any written a contract on the infrastructure and servers of the ABS company and provided relevant written documentation. The company AMPNI with its documents from 10-09-2018 ( . . . ) and 17-9-2018 ( . . . ) (no. prot. AIIAIIX r /EI/ 7306 / 10-09-2018 and r /EI/ 7434 / 17-9-2018 respectively) provided additional clarifications and in particular that: The server from which exported data (server) located in the computer room (computer room) in ground floor of the building on Akti Kondili, in which the companies of the AMPNI Group rent space for their facilities. In the computer room, as far as she knows controlled company, in addition to the server, there are also servers of other companies whose offices are housed in the same building, which are not related to the Group AMPNI. The AMPNI Group does not have access to these servers. Also the controlled company claimed that the server really belongs to the AMPNI group, it is owned to the complainant ABS, which however does not process personal data for on behalf of AMPNI, reiterated its claims that it was legal and necessary processing of data for the purposes of its internal investigation and on its occasion accidental detection with approved deletion software for protection the data of the AMPNI Group, which was not personal and, therefore, has not been received country violation, that any export of personal data from the EV LLP took place by taking appropriate measures to secure the data, that the export e-mails concerned a limited number of persons, that the team ofEY LLP did not gained physical access to the server, that from the local IT staff of the AMPNI Group five (5) accounts were created for EY LLP team members for these have access to AMPNI systems, that it has not previously informed the persons whose electronic accounts have been verified and accessed by copying the server in order to avoid the risk of deterrence or obstruction of the investigation no. 14 par. 5 ed. b 'GKPD, that legally and in application of article 6 par. 1 par. c and in the GCC the data processing took place through it 5 copy of the server, and that the copied file is in the offices of EV at Manchester United Kingdom. The company AMRNI with its application from 10-10-2018 (APDPH no. Prot. r /Ell:/ 8044 I 11-10-2018) requested the urgent examination of her request for removal ofno. 2/18 Interim Order invoked by the Ministry U.S. Justice summons to jury in relation to formal criminal investigation for a possible criminal offense, in the context of which (summons) was invited to send to the US and to duly submit, by .. . , information which concern, inter alia, e-mails which included in what it refers to as a "back up", the processing which has been prohibited by the Authority until a final decision is taken of. In particular, with the above application, the company AMR NI repeats them claims she develops in her from 13-7-2018 Treatment Application claiming that business (corporate) email accounts have been legally exported and therefore should to revoke the no. 2/18 Interim Order to then transmit the data ( e-mail) in the USA The Authority proceeded to call for a hearing of the companies ABS, AMPNI and EV HELLAS with the reference numbers C /EX / 8303 / 18-10-2018, C /EX / 8302 / 18-10-2018 and GI EX I 8301 / 18-10-2018 her documents, respectively, while with the No. 3 Provisional Order of the President of the Authority (under reference number C /EX / 8345 / 19. 10. 2018), rejected the application for treatment - revocation ofno. 2/2018 Interim Order receiving note that the condition for cross-border transfer of personal data to USA. recommends compliance with the general principles of processing, namely Articles 5 and 6 GPD, so that in case in which the data under cross-border transmission have illegally collected, to prohibit their cross-border transmission. During the meeting of the Department of the Authority on 07-11-2018 they were present on behalf of of AMPNI the lawyers Panagiotis Bernitsas with AMDSA . . . , Marina Androulakaki with AMDSA . . . and Areti - Tania Patsalia with AMDSA . . . . Also present was L, legal ABS representative stating that he is represented by lawyer Leonidas Kotsalis with AMI:A . . . . Lawyer Eleftheria Rizou was present on behalf of the complainants AMI:A . . . . At the meeting were submitted by AMPNI the prot. r / EII: / 8790 / 07-11-2018 and r / EII: / 8791 / 07-11-2018 documents from which it appears that the ABS Board of Directors, by decision ofTitv, decided that the legal a representative of company L is not entitled to appoint or dismiss 6 dismissed the former lawyer L. Kotsalis and appointed him new lawyers of their company P. Bemitsa and I. Anagnostopoulos. Filed also by the lawyer P. Bemitsa objection against the representation of the company ABS by L. and the lawyer L. Kotsalis (reference number G /EIS / 8816 / 08-11-2018). The beginning postponed the discussion of the case in order to consider the issue of representation of ABS. Following the document number C / EII: I 9207 I 21-11-2018 of ABS from the which shows that the BoD of the company replaced . . . his representative with The Authority proceeded to new calls of the companies ABS, AMPNI and EV HELLAS with the No. reference C /EX / 9 445 / 27-11-2018, C /EX / 9 449 / 27-11-2018 and C /EX / 9 448 / 27-11-2018 her documents. Furthermore, the former legal representative of ABS N.L. filed the Protocol No. CI EIS / 9 771 / 04-12-2018 complaint, arguing that his own personal data were affected by the incident. During the meeting of the Department of the Authority on 05-12-2018, ext part of the companies AMPNI and ABS the lawyers Panagiotis Bemitsas with AMDSA . . . , Marina Androulakaki with AMDSA . . . and Areti - Tania Patsalia with AMDSA . . . , from part of the company ERNST & YANG (HELLAS) CERTIFIED ACCOUNTANTS SA the Ioli Katsirouba with AMDSP . . . and Alexandra Vraka with AMDSA . . . . The complainants L and F were represented by Leonidas Kotsalis with AMDSA . . . while on behalf of the others of the complainants, Eleftheria Rizou arrived with AMDSA . . .. It is noted that after meeting ABS and AMPNI submitted the reference number C I EIS / 9981 / 11-12- 2018 request for exclusion of the rapporteur which was rejected with no. 42/2019 decision of the beginning. Representatives of companies and complainants were given a deadline and submitted memoranda. Particularly: i) EY HELLAS submitted the document number prot. r /EI/ 10252 I 19-12-2018, with which reiterates their claims that it has nothing to do with the case. ii) AMPNI and ABS filed the reference number C /EIS / 10259 I 19-12- 2018 memorandum, which was supplemented with the reference number r /EI/ 10398 I 28-12-2018 document while with the reference number r / EI / 10316 I 24-12-2018 expressed objections to the extension of the deadline for submission of memoranda until 15-01-2019, for which decided by the department of the Authority and in general for the procedure followed. In particular, the company ABS during the hearing process, but also with the above In its memorandum, it withdrew the complaint against AMPNI and was represented by jointly with ABS. He then relied on the following allegations: by decision 7 U.S. court automatically suspends any action globally AMPNI Bankruptcy and therefore the of the Authority proceedings against the company, that the complaint of ABS is inadmissible as well exercised by a legal and not a natural person in violation of article 77 par. 1 GCP, that the complaints of natural persons are inadmissible as it was not preceded exercise of the relevant rights to the controller, that the GCC does not applies in the case of AMPNI as it has no facility in Greece, that had the right to conduct an internal audit of professional e-mails that did not under the protection of personal data legislation, that the processing e-mails was necessary for the purposes of AMPNI's legitimate interests in No. 6 par. 1 ed. in the GCC, that it refers to the documents and data that it had ABS as a complainant against AMPNI before withdrawing it complaint, that the company e-mails are the property of AMPNI, that in the context of the internal investigation it was decided to copy the e-mails of specific persons but in the process of copying them the deletion software function emerged of the entire server and the company was forced to make a total copy of it creating a backup so that there was no previous time information of data subjects, that although the establishment of its operation delete software constitutes breach of personal data did not exist by of the company no obligation to notify the Authority because it did not concern personal data but corporate (business) e-mails and therefore could not create a reasonable expectation of privacy for employees, otherwise the necessary security measures have been taken, that even if corporate e-mails recommend personal data, it was not proved that in them there was personal data, that no attempted access to personal (private) electronic accounts of the said employees but were exported from the company server, that and in the Novartis case the Authority had ruled that there was a legitimate interest compliance with the request of the US public authorities and was granted the relevant data in the US, that every young person should be aware of evidence to be provided by the complainants that there was no obligation information of former and current employees of the AMPNI Group and finally that in case imposition of administrative sanctions by the Authority not to order the destruction of the material which has been copied as it contains critical documents and information in order to delivered to the US authorities. 8 iii) The eleven original complainants jointly filed the prot. r / EI:E / 268 / 15-01-2019 memorandum, while A submitted the reference number r / EI:E / 272 / 15-01- 2019 memorandum, in which it is claimed that: AMPNI never submitted to ABS request for access to personal data legally, but straightforward contact with Mr. N, . . . , with a proposal of synergy in illegal acts, offering him amnesty, that the existence of deletion software is not met in fact but there was a pretext to justify its copying of the server given that from emails between N and An employee of EV LLP appears to have requested a copy of his entirety server several days before deleting software is detected, that corporate data always contains personal data, that professional emails contain personal data in accordance with the case law of the WEU, that the ownership and possession of a server does not imply ownership of personal data contained on the server, that has not been done data separation and that execution contracts have never been signed processing no. 28 GKPD, that none of the principles of Article 5 has been complied with GPA so that the processing is unfair and that AMPNI's allegations of non-compliance informing the subjects was contradictory. Following the submission of the memoranda, AMPNI and ABS informed the Authority (G / EIS / 452 / 22-01-2019) that they are in the process ofrelocation and that the company "Warehouses of Aegean SA", with which they maintained common facilities, did not delivers the original hard drive of the running ABS server, despite the fact that he was not part of the Authority 's interim order, as confirmed the Authority with its document number C / EX / 452-1 / 29-01-2019. According with the companies AMPNI and ABS the processing of the backup (back up) that is located in Manchester, United Kingdom and contains professional e-mails, is the only way to ensure that key evidence will not be permanently destroyed and any decision of the Authority it will order for any reason the destruction of professional e-mails copied to backup would be disproportionate and would interfere irreparably with property rights and defense rights of the AMPNI Group. As informed by AMPNI and ABS (G / EIS / 757 / 30-01-2019) relevant request was discussed at the Magistrates' Court of Piraeus with a procedure of precautionary measures, initially with 9 issuance of a temporary order (see G / EIS / 757 / 30-01-2019). Finally, as informed Beginning with the document number C / EI/ 2883 / 16-04-2019 of AMNPI and ABS in the aforementioned court issued its decision no. 14/2019, ordering the performance of mobile equipment in ABS. On this issue, the company AEGEAN WAREHOUSES submitted the no. prot. r / E / 2111 / 19-03-2019 request requesting to clarify whether the return of servers (servers) includes their content, ie data of personal character - stored e-mails, while the Authority with the prot. CI EX / 2111-1 / 23-04-2019 document informed that the questions submitted with the application are not related to Interim Orders No. 2/2018 and 3/2018, but concern issues of interpretation and execution of the . . . Decision of the Magistrates Court of Piraeus the which do not fall within the competence of the Authority. AMPNI and ABS have also submitted a number of related documents active litigation in a US bankruptcy court and in particular a) under no. prot. r / EIL / 740 / 30-01-2019 with «NOTICE OF DEADLINE REQUIRING SUBMISSION OF PROOFS OF CLAIM ON OR BEFORE 21-02-2019 »b) under reference number r /EI/ 1467 / 25-02-2019 entitled «NOTICE OF HEARING TO CONSIDER CONFIRMATION OF THE CHAPTER 11 PLAN FILED BY THE DEBTORS AND RELATED VOTING AND OBJECTION DEADLINES ", c) under reference number r / EIL / 2678 / 09-04-2019 entitled" NOTICE OF (A) ENTRY OF OR DER CONFIRMING THE JOINT PLAN OF REORGANIZATION OF AEGEAN MARINE PETROLEUM NETWORC INC. AND ITS DEBTORS AFFILIATES PURSUANT TO CHAPTER 11 OF THE BANKRUPTCY CODE AND (B) OCCURRENCE OF EFFECTIVE DATE ». Finally, AMPNI and ABS, since (with reference number C I EX I 2214 / 21-03-2019 Authority document) became aware of the complainants' allegations through the 15- 01-2019 of their memorandums submitted the reference number r / EIL / 2616 / 05-04-2019 supplementary memorandum which in principle disputes its legality extension of the deadline given for the submission of a memorandum at the hearing. They then argue, refuting the complainants' plea that they did not have not committed any act of unlawful processing of personal data, that no there was no intention from the beginning to copy the server, nor that they invented as justifying the existence of the deletion software, that the purpose of the procedure that followed by the export of professional e-mails of a specified number of ex and 10 current employees of the AMPNI group, that no access to staff was attempted (private) e-mail accounts, that some of the complainants only provide some e-mails which contain their personal data, that after her new information relating in particular to e-mail is provided and exchange of e-mails from the management of PAE AEK, which is not included in list of addresses attached to Interim Order 2/2018 of the Authority, that the complainants were well aware that their corporate accounts were e-mail title intended for professional use only, to the extent that the copy is ultimately contains personal data of individuals not affiliated with AMPNI group then the company would be willing to separate or delete the data concerning such individuals, that professional e-mails do not constitute personal data, that the copying of the original server (server) was legal due to force majeure due to the detection of the deletion software function as well and that personal correspondence should not have been exchanged through corporate e-mail accounts. The Authority, from the hearing, from the details of the case file, as well as from the memoranda submitted after the attached documents, after heard the rapporteur and the clarifications of the assistant rapporteur G. Roussopoulos, who withdrew after the debate and before the conference and the decision, and after a thorough discussion, taking into account in particular: 1. The provisions of the Constitution, and in particular those of articles 2 par. 1, 5 par. 1, 5 A , 9, 9A, 19 par. 3, 17, 22, 25 and 28. 2. The provisions of the European Convention on Human Rights 04.11.1950 ratified by n.d. 53 of 19.9.1974, as in force today and in particular those of Article 8. 3. The operating provisions of the Treaty on European Union, and in particular those of Article 16. 4. The provisions of the Charter of Fundamental Rights of the European Union (2012 / C 326/02) and in particular those of Articles 7, 8 and 52. 5. The provisions of the Council of Europe Convention for the Protection of versus automated processing of personnel data character of28.1.1981 ("Contract 108"), ratified by Law 2068/1992, as 11 currently in force, in particular those of Articles 5 and 6. 6. The provisions of the General Regulation of Data Protection (GKPD) no. 679/2016. 7. The provisions of Law 2472/1997 insofar as they do not contradict the GCP (see APDP 46/18 and 52/18) 8. The provisions of Directive no. 115/2001 of the Data Protection Authority Personal Character on the subject of employee records 9. The no. 3/2010 Opinion of the Article 29 Working Party on the principle of accountability (WP 173 / 13-7-2010) 10. The no. 2/2017 Opinion of the Working Party of article 29, for the elaboration personal data at work (WP 249) 11. The Working Document of the Working Group of29-5-2002 of article 29 for Workplace Electronic Surveillance (WP55) 12. The no. 8/2001 Opinion of the Working Party on Article 29 for elaboration of personal data in the context of employment relationships (WP 48) 13. The no. 06/2014 Opinion of the Article 29 Working Group on concept of the legal interests of the controller (WP 217), to the extent which is interpretatively useful in the context of the present. 14. The Working Group Guidelines of Article 29 "Guidelines on transparency under Regulation 2016/679 », WP260 rev.01, to the extent that it is interpretively useful in the context of the present. 15. The no. 2/2018 Guidelines of the European Council Data Protection " regarding the derogations provided for in Article 49 of Regulation 201 6/679 ". 16. The document of the Working Group of article 29 no. 18 / EN / WP 262 of 06-02- 2018 entitled "Guidelines on Article 49 of Regulation 2016/679" 17. The Article 29 Working Group Guidelines for Notification of personal data breach (" Guidelines on Personal data breach notification under Regulation 2016/679 WP 250 rev. 1) 18. The Guidelines (under consultation) no. 3/2018 of the European Data Protection Council on the territorial scope of the GCC 12 THOUGHT ACCORDING TO THE LAW 1. With article 94 of the General Regulation of Data Protection (GKPD) no. 679/2016 was repealed from 25.5.2018 Directive 95/46 / EC, when it was entered into application of the GCP according to art. 99 par. 2 of this. Law 2472/1997 is still in force in to the extent that its provisions do not conflict with the GCC (see APDP 46/18 and 52/18). 2. The processing of personal data should be intended to serves man. The right to protection of personal data is not an absolute right, it must be valued in relation to its function in society and be weighed against other fundamental rights in accordance with its principle proportionality (Ait.Sk. 4 GKPD). 3. According to article 3 par. 1 GCP " this Regulation shall apply to processing of personal data in the context of a the establishment of a controller or processor in the Union, regardless of whether the processing takes place within the Union ". In No. 22 Recital of the GCC is defined for the concept of installation that it «[ . . . ] presupposes the substantial and actual exercise of activity through fixed settings. In this respect, the legal form of these arrangements, either whether it is a subsidiary or a subsidiary with legal personality, is not decisive of importance ". 4. According to article 4 par. 1 GCP as " personal data " is defined as " any information relating to an identified or identifiable natural person ("Data subject ''); the identifiable natural person is one whose identity can be verified, directly or indirectly, in particular by reference to an ID ID, such as name, ID number, location data, online ID ... ». Similar broad definition for the concept of data of a personal nature pre-existed in article 2 par. a oflaw 2472/1997, in application of Directive 95/46 / EC. In this context, the e-mail address of an individual is a personal data as it can act as element of indirect or direct identification of its holder, allowing communication with 13 him. When the email address bears the name or associated identifier of the natural person - user (e.g. johnsmith@ikea.sk) then it is a matter of immediate identification and therefore constitutes personal data in contrast to the address of a legal entity ( e.g. ikeacontact@ikea.com), the which in principle does not constitute personal data 1 s. According to the case law of the Court of Justice of the European Union (ECJ), the fact that the processing of information concerns the content of a professional does not exert influence in that regard and does not invalidate their classification as personal data 2 , nor does it constitute an exception to the relevant protection 3 , even when the controller acts in the context of public policy tasks 4 , and the ' distinction of the data in question according to whether they fall under in the private sphere or in the public sphere is clearly a result of confusion between the two fall into the personal data and those that fall into the private life » s According to the case law of the European Court of Human Rights Human Rights (ECtHR) the protection of "privacy" established in Article 8 thereof European Convention on Human Rights (ECHR), which includes the protection of personal data, does not exclude professional life and is not limited to life within the place ofresidence (see APDPX 34/2018 and OE29 Working document for the monitoring of electronic communications in the workplace of 29-5-2002, WP55, p. 8). Moreover, according to the same case law, in protection of Article 8 of the ECHR subject to electronic letters (e-mails) 6 , 1 ,,.. details, see the content of the response from 2 1-02-20 1 8 given by the European Commission to in the context of question no. E-007 147/17 h!lJ'!://www.europarl.europa.eu/doceo/document/E-8-201 7-0071 74- ASW EN.html? Redirect , See WEU C-345/201 7 decision Sergejs Buivids of 14-02-201 9 par. 46, WEU C-398/201 5 decision Salvatore Manni of 09-3-201 7 par. 34, WEU C-6 1 5/ 1 3 Client Earth decision of 1 6-7-2015, par. 30, 32, WEU C-92/09 & C-93/09 decision Volker und Markus Schecke GbR & Hartmut Eifert v Land Hessen of 09- 1 1-20 I 0 par. 59. , See European Union Agency for Fundamental Rights (FRA), Handbook on European legislation on personal data protection, 2014 edition p. 50 and 20 1 8 edition (English) pp. 86-87. , General Court EU T-496/1 3 McCullough judgment of 1 1 -6-20 1 5 on the inclusion of names of data subjects in the minutes of the meeting regardless of the fact that they exercise publicly power par. 66 or that they have already been made public see WEU C-127/1 3 Guido Strack decision of 02- 1 0-2014 especially par. I I I . , See and T-639/15 to Ta-666/1 5 and T-94/1 6 Maria Psarra et al. European Parliament 1tap 52, see and par. 50, 53 . • George Garamukanwa v. UK decision of 14-5-201 9 on admissibility, para. 25, Copland v. United Kingdom of 3-4-2007. Therefore, not accepting that the above information (especially e-mails) constitute personal data " would have the consequence that it is not required in respect of such information, compliance with the principles and guarantees laid down in in the field of personal data protection and, in particular, principles concerning data quality and the legality of processing their ... as well as respect for rights, access, correction and opposition of the person concerned ... , but also the control exercised by the control authority ... "(WEU C- 434/16 decision Peter Nowak v Ireland Data Protection Commissioner of20-12-2017, par. 49). 6. The data subjects, whether they are employees or senior executives administration or are connected in any way with the controller have a a reasonable expectation of protection of their privacy in the workplace, which does not removed from the fact that they use equipment, communication devices or any other professional hardware or software facilities and infrastructure ( e.g. electronic communications network, Wi-Fi, corporate email addresses mail, servers, etc.) owned by the person in charge processing (see APDPX 34/2018, 61/2004, Working Group article 29 WP55, ibid. p. 9). The fact that an email has been sent by a corporation mail address does not lead to the expulsion of the right to privacy (see ECtHR, First Chamber, George Garamukanwa v. UK decision of 14-5-2019 on admissible, para. 25), the right to protection of personal data the nature of the data subjects, in particular the employees (see No. 2072/2018 License s for cross-border transfer of personal data now and former employees of the applicant company), the right to privacy of communications and related location data (see OE29 Opinion 2/17, p. 22 et seq OE29, WP55, ibid., P. 22), nor of course can it be accepted that the data the personal nature of the data subjects generated by their use 1 Copland v UK of 03-7-2007, Amman v. Switzerland of l 6-02-2000, Kopp v. Switzerland of 25-3- 1 998, Halford v. The United Kingdom of 25-6-1 997, Aalmoes and 1 1 2 others v the Netherlands admissibility of 25- 1 1 -2004. , See Press Release C / EX / 1728 / 0 1 .3.20 1 8 regarding the granting ofno. 2072/20 1 8 Transmission License AilAfIX. corporate media are the "property" or "property" of the person in charge because he is the owner of the above media or e-mail addresses, an approach adopted by part of the case law of the US courts, but not of the European Union. 7. According to recital 39 of the ICCPR " any data processing should be lawful and fair. It should be clear about natural persons that personal data concerning them are collected, used, taken into account or otherwise processed, as well as to what extent the data is submitted or will be processed. The beginning it requires any information and communication regarding the processing of such personal data to be easily accessible and understandable and to uses clear and simple language. This principle concerns in particular the updating of data subjects regarding the identity of the controller and their processing purposes and further information to ensure fair and transparent treatment in relation to such natural persons and their right to receive confirmation and obtain communication of the relevant data subject to processing. It should be notified to natural persons the existence of risks, rules, guarantees and rights in relation to processing of personal data and how to exercise their rights in in relation to this processing. In particular, the specific purposes of their processing personal data should be clear, legal and defined at the time of collection of personal data. Staff data should be sufficient and relevant and limited to what is necessary for them purposes of their processing. This requires in particular to ensure that space storage of personal data should be kept to a minimum. The Personal data should only be processed if the purpose of processing can not be achieved by other means. To ensure that the personal data are not retained longer than necessary, o the controller should set deadlines for their deletion or for periodic review. Every reasonable measure should be taken in order to ensure that inaccurate personal data is corrected or deleted. 8. According to recital 60 GIPD " The principles of fair and transparent require the data subject to be informed of its existence processing act and its purposes. The controller should provide to the data subject any further information necessary for the ensuring fair and transparent treatment taking into account specific circumstances and the context in which staff data is processed character ". 9. According to the last paragraph ofrecital 39 of the ICCPR " The data should be processed in such a way as to ensure the appropriate protection and confidentiality of personal data, including to prevent any unauthorized access to this data personal equipment and equipment used for their processing or use of such personal data and such equipment . 11 10. According to article 4 par. 12 GKP as a violation of personnel data character means II breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to data personal information transmitted, stored or otherwise submitted in process 11 • According to the Guidelines of06-02-2018 of his Working Group Article 29 of Directive 95/46 / EC (now the European Data Protection Council - EDPB) for the Notification of personal data breach (" Guidelines on Personal data breach notification under Regulation 201 6/679 WP 250 rev. 1) one of them types of personal data breach is one that is categorized based on principle of security of "confidentiality" when unauthorized access is established in personal data ("confidentiality breach"). Violation of personal data also takes place with illegal access to a server, and the taking of technical and organizational measures server security is initially necessary to prevent it associated risk due to the large volume of personal data contained in 9 • For more see Detailed Guide of the French Personal Data Protection Authority (CNIL) "Security of Personal Data" which refers so much to the need for prior security measures for 17 in accordance with the European Network and Information Security Agency (ENISA) 10 . The collection and retention of personal data in the context operation of a server without prior download of such necessary technical and organizational security measures constitutes a breach of the principles set out in Article 5 par. 1 ed. a 'and f GKPD. 11. According to article 5 par. 1 in the GCP (" Principles governing processing personal data ")" personal data shall be submitted to processing in a way that guarantees the appropriate security of personnel data including their protection against unauthorized or unlawful use treatment and accidental loss, destruction or deterioration, using appropriate technical or organizational measures ("integrity and confidentiality "), while in Article 32 par. 2 GKP is provided in the context of an assessment of an appropriate level of security h taking into account the risk arising in particular from unauthorized access to data, where an indicative list of security measures is given 1 1 The GCC requires the submission o f personal data that they have has already been processed in accordance with the principles of article 5 par. I a 'to e' ' against way that guarantees the appropriate security "(article 5 par. 1 par. f) so that in case in which the principles other than that of security are met, to become in processing is illegal. Respectively, if the intended processing from the beginning is going to take place in a way that does not guarantee adequate security, it is unnecessary the examination of the fulfillment of the principles provided by subsections a 'to e' of par. 1 of Article 5 of the ICCPR, as it will be unsafe and therefore illegal processing. In addition, the controller's obligation to "guarantee" safety processing by taking appropriate technical and organizational measures derives from the GCC-adopted risk-based approach ("risk based approach ") so that" the degree of risk of each treatment becomes the key servers in the context of GPA compliance and the risk of unauthorized access to personal data stored on servers, 10 For more see "Reinforcing trust and security in the area of electronic communications and online services", December 20 1 8 , chapter 7 "Server and DataBase Security" p. 38 ff. 11 For more see L. Mitrou in L. Kotsali -K. Menoudako, GKPD-Legal dimension and practical application, Chapter VI. Notification of data breaches, p. 2 1 8 ff. 18 criterion for determining the extent of the relevant obligations " 12 (see also APDPH 51/2015 request sk. 4). The European Court of Human Rights is in the same direction in case I. v. Finland 13 examining an action on the basis of whether o processor managed to "guarantee" the security of personnel data found a violation of Article 8 of the ECHR by non-implementation of measures security measures that led to unauthorized access to them. Under the GCC state " integrity and confidentiality " have been reduced to basic principles and conditions for the processing of personal data No. 5 par. 1 ed. in GPD 14 so that the mentioned " appropriate technical and organizational measures ", inter alia, to prevent, if implemented, any unauthorized access to or use of the data and equipment used for processing (see Application No. 39 of the GPA and the European Network Security Agency and Information-ENISA 1s ). Therefore two of the three main goals of security information systems (ie availability excluded) have been reduced to principles and conditions for legal processing of personal data. The measures they need to be more specific (see Article 32 of the GIP) and as required by its principle and is determined by the provisions of article 24 par. 2 GCP, must appropriate policies are applied, depending on the processing activities (see All.MIX 6 7/2018). The existence of appropriate policy documents, approved by administration of a body (responsible or executing the processing) applicable and implemented in practice (a contrario APDP 98/2013 par. 5), is a basic criterion to demonstrate compliance with the principle of integrity and confidentiality (see APDPX 98/2013 ait. sk. 3. especially for information systems), to the extent that lack of other evidence such as compliance with an approved code of conduct or approved certification mechanism. 12 L. Mitrou, the GKPD, ibid., P. 96 and footnotes 270 and 27 1 with references to its corresponding positions CIPL and ENISA. " Decision of 1 7-7-2009, no. ref. 205 1 1/2003 par. 37 up to 46. " See L. Mitrou, op.cit. p. 2 1 9, which states that " Security is an unconditional condition for effective protection of personal data. However, it should be noted in advance that This is a necessary but insufficient condition for data protection, as the Protecting them from unauthorized access, disclosure and general use does not mean that are subject to legal processing "but also the GCC itself, new law-new obligations-new rights, Sakkoulas 20 17, p. 1 08 ff. " "Handbook on Security of Personal Data Processing", December 2017, especially p. 8 as well as Guidelines for SMEson the security of personal data processing ", December 2016, especially p. 12 19 12. According to Recital 78 GKPD " The protection of rights and the freedoms of individuals versus the processing of personnel data requires appropriate technical and organizational measures to ensure that the requirements of this Regulation are complied with. In order to be able to to demonstrate compliance with this Regulation, the controller should establish internal policies and implement measures that respond in particular principles of data protection already by design and by definition ". 13. According to Recital 82 GKPD " In order to prove compliance with this Regulation, the controller or the executor processing should keep records of the processing activities that are under their responsibility ". 14. According to Recital 83 GKPD " To maintain security and to avoid processing in breach of this Regulation, the responsible person The processor or processor should evaluate the risks involved develop and implement measures to mitigate these risks, such as example through encryption. These measures should ensure appropriate level of security, which includes confidentiality ... In the assessment data security risk should be considered resulting from the processing of personal data ... ". 15. According to Recital 87 GKPD " It should be ascertained against whether all appropriate technological protection measures have been implemented and organizational measures to immediately detect any breach of personnel data character and immediate information of the supervisory authority and its subject data ", as detailed in the 06-02-2018 Guidelines of OE 29 for data breach notification (WP 250 rev. 1 ). 16. Appropriate accountability measures for the observance of the principles of article 5 par. 1 GKPD may include (as recommended by the Working Party on Article 29 16 before implementation of the GPA) the following non-exhaustive list of measures: adoption 16 Opinion no. 3/201 0 on the principle of accountability of 13-7-20 1 0 (WP 173) p. 13 ff. And p. 14 footnote 7 for international standards approved in Madrid by the competent authorities for their protection personal data. 20 internal procedures before the creation of new processing operations, adoption written and binding data protection policies available to individuals at reporting data, mapping procedures, maintaining a directory all data processing operations, appointment of a data protection officer data and other persons responsible for data protection, provision appropriate education and training for officials in their protection establish procedures for managing access requests, correction and deletion, which must be transparent to the persons referred to data, establishment of an internal grievance mechanism, establishment internal procedures for the effective management and reporting of infringements security, conducting a privacy impact assessment in specialized cases, implementation and oversight of verification procedures to ensure that all measures not only exist on paper, but are applied and operate in act (internal or external audits, etc.). The Authority, in the context of the implementation of the GCP, has already referred to the obligations the controller regarding his / her safety and general responsibility for identifying appropriate technical and organizational measures, proposing "Appropriate" measures which may be substantiated in individual proceedings or in general security policies 1 1 , clarifying that " in any case, before determining the security measures to be adopted, the proper evaluation of them is paramount risks and their possible consequences 1sfor data subjects ... the Implemented measures must be periodically reviewed, at least, but also be proven validated by the administration of the person in charge or the executor processing 19 ". Likewise, appropriate technical and organizational measures for its safety processing of personal data under the FGM are proposed and by the European Network and Information Security Agency (ENl SA). 20 1 1 www.dgr Section Security and in particular "Security Policy, Security Plan and Plan Disaster Recovery "with reference to the minimum content of the security policy concerning a description of the basic protection and safety principles applied ( organizational security measures, technical security measures, physical security measures, definition ofroles, responsibilities, duties, etc.) " See and G. Roussopoulos, APDPH specialist scientist, "Processing security and notification Violations "in the ECDC Report" GPD: the new landscape and the obligations of public of Administration ", Athens, January 20 18, p. 20 ff. available at www.ekdd.gr/images/seminaria/GDPR.pdf 19 www.dp...!!,gr section "Security". 20 Cf. footnote 1 1 , Annex A p. 55 et seq. 21 17. In order for personal data to be legally processed, ie processing in accordance with the requirements of the GGP, should be met cumulatively the conditions of application and observance of the principles of article 5 par. 1 GCP, as is clear from the recent ruling of the Court of Justice of the European Union (CJEU) of 16-01-2019 in Case C-496/2017 Deutsche Post AG v Hauptzollamt Cologne 21 . The existence of a legal foundation (art. 6 par. 1 GCC) does not exempt the controller from the obligation to comply with the principles (art. 5 par. 1 GKP) with regard to legitimacy, necessity and proportionality, the principle of minimization 22 . In case of violation of any of the principles set out in Article 5 ( I ) of the GIP, such processing shall be presented as non - legal (subject to the provisions of the GCC) and there is no need to consider the conditions implementation of the legal bases of Article 6 GIP 23 . Thus, the violation of the principles of Article 5 of the GIPP illegal collection and processing of personnel data character is not cured by the existence of a lawful purpose and legal basis ( cf. Alli:iTIX 38/2004). Moreover, the WEU with its decision of0l -10-2015 in the context of the case C-201/14 (Smaranda Bara) considered as a condition for the fair and lawful processing of personal data informing the data subject pre of their processing 24 21 « 57 . However, any processing of personal data must be consistent with, on the one hand, the principles to be observed with regard to data quality set out in Article 6 of the Directive 8aizret1'1iis"1-Jal 1J,;JJ'tff!Ii'l1i7Rdtfi!§ b'l- 911Ml1 &'1f['i#MWf1!11k,lfo/{'(cf<fNEiBrJn£iPles of legal processing ... C-465/00, C-138/01, C-139/01, C-131112 » . . 22 On this see L. Mitrou, the general regulation of personal data protection (new law-new obligations-new rights), published by Sakkoula, 201 7 pp. 58 and 69-70. 23 Cf. !:1:E 5 1 7/201 8 par. 12: «[ ... ] in order for the personal data to be legal processing, it is required in each case to meet the cumulative conditions of article 4 par. I of Law 2472/1997, which, among other things, stipulates that data must be collected and processed in a lawful and lawful manner, for clear and lawful purposes ... Provided that the conditions of article 4 par. 1 of law 2472/1997 (legal collection and processing of data for clear and legal purposes), it is further examined whether the conditions of the provision of article 5 par. 2 of n. 2472/1997 [legal bases] ". Also, cf. CoE in Plenary Session 2285/200 1 par. 10: «[ ... ] Only if the above basic conditions are met, the provisions of articles 5 and 7 of the Law apply. 2472/1997, which impose as a farther additional, in principle, a condition for legal processing personal data of a specific person, his consent ". 24 " 3 I. The person in charge of data processing or his representative have an obligation to inform the content of which is set out in Articles IO and I I of Directive 95/46 and differs accordingly whether the data are collected by the data subject or not, subject to reservation of the exceptions provided for in Article 13 of that Directive [ ... ] 34. Consequently, the requirement of a legitimate data processing provided for in Article 6 of Directive 95/46 obliges the administrative authority to: inform the data subjects about the transfer of such data to another administrative authority for the purpose of processing them by the second as the recipient of such data ". 22 18. Further, the controller, in the context of its compliance principle of fair or just processing of personal data, owes inform the data subject that his data is to be processed in a lawful and transparent manner (see WEU C-496/17 ibid., paragraph 59 and WEU C-201/14 of0l -10-2015 par. 31-35 and especially 34) and to be in a position at any time to prove its compliance with these principles (accountability principle according to art. 5 par. 2 in combination with articles 24 par. 1 and 32 GCP). Processing personal data in a transparent manner is recommended manifestation of the principle of fair treatment and linked to the principle of accountability, giving subjects the right to exercise control over their data making those responsible for processing accountable, according to the Working Group Article 29 2s Exceptionally and pursuant to article 14 par. 5 ed. 2nd GCP (" Information provided ifp ersonal data has not been collected by data subject "), paragraphs 1-4 of the same article do not apply and no the relevant information is provided by the controller if it is likely to greatly impair the achievement of the objectives of such processing. Condition implementation of this provision in accordance with the Working Party of Article 29 26 recommends the processing (collection) of such personal data has been carried out legally, ie in accordance with the principles of article 5 par. 1 GKPD. 19. In addition, a new, central compliance model was adopted with the GCC size of which is the principle of accountability, within which the person in charge is obliged to plan, implement and generally take the necessary measures and policies to ensure that data processing complies with the relevant legislative provisions. In addition, the controller is responsible for further to prove on its own and at all times its compliance with principles of article 5 par. l GK.PD. It is no coincidence that the GCC incorporates accountability (Article 5 (2) GCC) in the regulation of the principles (Article 5 (1) GCC) governing processing, giving it the function of a mechanism for their observance, essentially reversing the "burden of proof' as to its legality 25 Guidelines on transparency under Regulation 201 6/679) of 1 1 -4-201 8 (WP 260 rev. I), pp. 4 and 5. 2• Guidelines on transparency under Regulation 201 6/679) of 1 1 -4-201 8 (WP 260 rev. I), p. 3 1 par. 65. 23 (and in general the observance of the principles of article 5 par. l GCP), transferring it to the controller, 21 so that it can be reasonably argued that he bears the burden of invoking and proving the legality of the processing 2s . Thus, it is the responsibility of the controller on the one hand to receive from itself the necessary measures in order to comply with its requirements On the other hand, to prove at all times its above compliance, without in fact, the Authority should be required, in the context of the exercise of research-auditing powers, to submit individual - specific questions and requests to conformity assessment. It is pointed out that the Authority due to the fact that the first period is elapsed implementation of the GCP submits questions and requests in the context of the exercise of its relevant research - control powers, in order to facilitate it on their part accountants documentation of accountability. The controller must in the context of the Authority's audits - investigations to present on its own and without relevant questions and requests of the Authority the measures and policies adopted in within the internal organization of his compliance, as he is aware of them after designing and implementing the relevant internal organization. 20. Access by the controller, within an internal company control, personal data stored on a hardware computer system and software (server - server) is the processing of personal data, as in the case of access to and control of a computer that uses the subject (APDPX 34/2018). The employer exercising his managerial right, under the self-evident condition the observance of the principles of article 5 par. 1 GKPD and on the basis provided before elaboration of specific procedures and guarantees within its organization internal compliance in accordance with the principle of accountability, is entitled to exercise control over the electronic media it provides to employees for their work, provided that the relevant processing, in accordance with the principle of proportionality, is absolutely necessary for the satisfaction of the legitimate interest it pursues and provided that this obviously takes precedence over his rights and interests 27 On this see L. Mitrou, The principle of Accountability in Obligations of the controller [G. Giannopoulos, L. Mitrou, G. Tsolias], Collective Volume L. Kotsali - K. Menoudakou " 0 GKPD, Nomiki dimension and practical application ", published by Law Library, 20 18, p. 172 ff. " P. de Hert, V. Papakonstantinou, D. Wright and S. Gutwirth, The proposed Regulation and the construction of a principles-driven system for individual data protection, p. 1 4 1 . 24 employee, without prejudice to his fundamental freedoms no. 6 par. 1 ed. f GKPD and after being informed even about the possibility ofrelated control (see AIIMIX 34/2018). 21. Essential element of the legal operation of information systems and others infrastructure and communication systems in the processing of personnel data It is advisable to take appropriate security measures, in particular physical measures and logical separation of hardware, software and data 29 22. In order to examine the legality of the access of the person in charge processing no. 5 and 6 par. 1 GKPD in the personal data of entities maintained in its corporate systems in the context of internal control, previously examined no. 5 and 6 par. 1 GKP legality of the original collection, processing and storage of personal data character in systems. The illegal original collection, processing and preservation of personal data e.g. on her computer or server also makes any subsequent or further illegal (with that is, a different purpose to the original no. 6 par. 4 GK.PD) distinct and independent processing of the same personal data as in her case copy them and save them on another digital storage medium ( eg usb stick, server, pc, etc.), but even further in that of their transmission and use, even in the event that the conditions for the application of a legal one would be met based on article 6 par. 1 GK.PD, as e.g. that of subsection f, after non-compliance of the processing principles of article 5 par. 1 GK.PD is not cured by the existence legal purpose and legal basis (see recital no. 17 hereof and cf. AIIMIX 38/2004). 23. Prerequisite for the transfer of personal data outside European Union, provided that its general principles, procedures, conditions and guarantees are met Chapter V of the GCC (Articles 44-50), constitutes the initial legal collection, processing and retention of the same personal data no. 5 and 6 par. 1 GK.PD 30 ,. Cf. AIIilITX 1 86/2014 an. l:K. 2, " D. Security measures - Techniques of measure separation of applications ", APDPH 5 1 /20 1 5 p. 1 1 and for the relevant concepts, cf. 201 3 . ,o Cf. no. 2/201 8 Guidelines o f the European Data Protection Council "With regard to the derogations provided for in Article 49 of Regulation 2016/679 ", p. 3, Group Article 29 of Directive 95/46 / EC with document no. 1 8 / EN / WP 262 of 06-02-201 8 entitled "Guidelines on Article 49 of Regulation 201 6/679", p. 3 . 25 (see in this regard the No. 3/2018 Provisional Order of the President of the APDPH), so that if the original collection was illegal, to become illegal and the later one their cross-border transmission 31 • As the Authority did not consider, under the state of application of no. 9 Law 2472/199 7 in the context of company licensing for cross-border transmission personal data of its former and current employees, in addition to previous legal collection and processing of personal data of these, the information of the data subjects is required before the transmission in order to exercise their access and objection rights if there are legal grounds 32 and the conditions of Chapter V are self-evident of the GCC (Articles 44-50). 24. ABS, a subsidiary of AMPNl (parent company of the AMRNI Group), notified the Authority of a data breach incident no. 33 fKIL which consisted of unauthorized access and copying from its server ABS of this full content. As culprits of his illegal copying server (ABS) company indicated the parent company of the same Group, AMPNI and the company EY Hellas. In addition, ABS filed a complaint for violation of personal data legislation to the detriment of companies AMPNI and EV Hellas, while it requested the issuance of an act of suspension and prohibition processing the copied content of its server. The controlled company AMPNI briefly claimed that it legally acquired access to the ABS server because the latter was a subsidiary and held 100% of its share capital, that the contents of the e-mails were corporate and therefore on the one hand belong to its property - property, on the other hand, do not belong in the protection of personal data legislation, that access has taken place in the context of internal corporate control and therefore the provision provided by article 6 par. 1 par. the legal basis of the overriding legal interest given to it provided the right of access and control as well as that the final copy of the whole ABS server content became necessary, despite the fact that The original design of the audit concerned targeted access to small e-mails " Cf. the position of the European Data Protection Supervisor (EDPS) according to which in case in which the data under cross-border transmission has been collected illegally, it is prohibited to cross-border their transmission ( see !JnP.s://edp s .europa .eu/data-protection/data-protection/referencelibrfilY. I international-transfers en) ,2 Cf. Press Release C / EX / 1 728 / 0 1 .3.20 1 8 regarding the granting of no. 2072/20 1 8 Transmission License AIIMIX. 26 number of specific employees and executives of the AMPNI Group, because randomly detected on the day of the audit, the operation of illegal deletion software already deleted files on the server and thus a complete copy was obtained security (back up). The ABS company, before the withdrawal of the complaint against it AMPNI, briefly argued that from the outset the targeting of the controlled AMPNI was copy of the entire server (server) that included personal data employees and executives of third companies as it emerged from relevant letters sent to her were sent by AMPNI and not the targeted copying of specific e-mails natural persons, that the audited company AMPNI illegally copied it total content of the server due to the refusal of. . . ( . . . ) N to accepts the request for copying because it relied on a relevant legal opinion from which resulted in the illegality of such processing and that the illegality of the request Copy of the server (server) results from the by the controlled company AMPNI sending a letter declaring the exemption in advance ("Amnesty") ofN from any kind ofliability in case oflegal action proceedings against him due to copying. 25. In the present case, it emerged at the discretion of the Authority that ABS, subsidiary of the parent company AMR NI of the same Group, was the owner servers that were installed in the office premises where the Group's companies were housed on Akti Kondili 10 in Piraeus after lease from the company "AEGEAN WAREHOUSES SA". On the above-mentioned servers (servers) owned by the company ABS had DANAOS software was installed and operated under a contract of use and on the basis of a license obtained by the company "AEGEAN SHIPPING MANAGEMENT" ("ASM"), which, however, did not belong to the AMPNI Group. It should be noted that on 30-10-2018 and after the control process had already started by the Authority within it in the present case, ABS entered into separate service contracts and software maintenance with the company that provided the DANAOS software with respect to companies of the AMR NI Group. In the same computer infrastructure (hardware and software) except DANAOS (where e-mails were saved), including virtual file servers servers) AMPFSl (where fileshare and usershare files were stored) and AMPFS2 (where 27 attachments of e-mails stored in DANAOS), as shown in in particular from the statements of12-7-2018 and 17-12-2018 . . . ofEY LLP from 18-12-2018 statement of. . . of ABS 0, which was presented and invoked by AMPNI. The above hardware and software computing infrastructure (DANAOS, AMPFSI and AMPFS2) was used to make electronic communications e-mails from both employees and executives in the Group companies AMPNI, as well as by employees and executives in third companies, outside the AMPNI Group as in "Aegean Shipping Enterprises", "Aegean Agency" and "Aegean Oil" (according to the statement of 0, op. cit.), but also in "Aegean Net Fuels Ltd Fze", Aegean Lubes "and" Aegean Gas " 33 It is important that the ABS company, before its recall had responded to relevant written questions from the Authority that companies outside of the AMPNI Group used informally and without any written contract the infrastructure and servers of the company ABS (prot. no. APDPX G /EIS / 7522 / 20-09-2018), referring in fact to the letter of 03/7/2018 of the P AMPNI N Group, the who stated that ABS has not entered into hosting and supply contracts services with other companies. It should be noted that N, employee on behalf of the AMPNI Group as . . . ( . . . ), was hired by the company AEGEAN MANAGEMENT SERVICES"-" AMS", ie from another company of the AMPNI Group (see Supplementary Memorandum AMPNI-ABS of 19-12-2018 pp. 9 and 10, AIIMIX r /EU: / 10259 / 19-12-2018). Finally, the memoranda of AMPNI show that both companies are owned in its Group, as well as third companies, outside the Group, used it computer infrastructure (hardware and software) for the processing of electronics correspondence of employees and executives, even accepting that it proceeded to copying information of 34 third parties related to companies outside Group and used the same computer infrastructure: " There was never any 33 According to the employees' complaints as well as the printouts of the e-mail addresses mails submitted through ABS pleadings prior to the hearing before the Authority, in particular the No. ATILiTIX r / EU: / 5432 / 18-6-20 1 8 supplementary memorandum. " As noted above and will be developed below, AMPNI claims that this is corporate-professional e-mails owned by it which do not constitute personal data. The reference by AMRNI to personal data in its memoranda is recommended auxiliary, in the same claim, not accepting that they constitute personal data. 28 intends to copy information other than the collection of specific data that concerned the 18 users and related files related to the internal investigation described above. Any further copying of information that has taken place separately from the specific data collection related to the research carried out with sole purpose of protecting against malicious permanent destruction of critical evidence data related to internal research and its important business records AMPNI Group "(see AMPNI Treatment Application no. Prot. pp. 16-17). Similarly, AMPNI stated that "[ ... ] personal data of physicists persons not affiliated in any way, now or in the past, with the Group AMP NI under any relationship of employment, provision of services or otherwise or which is otherwise pending criminal and I or civil investigations, then AMPNI would be willing to delete the data concerning such natural persons and provide evidence of this "(see Supplementary Memorandum AMPNI-ABS of 19-12- 2018 p. 23, Allt.IIX f' / EII: / 10259 / 19-12-2018 as well as Supplementary Memorandum AMPNI-ABS of05-4-2019 pp. 8 and 12 AIMIIX f' / EII: / 2616 I 05-4-2019). above copy of the entire contents of the computing infrastructure h controlled company AMPNI created a new archiving system, a copy of which which he forwarded to Manchester in the United Kingdom. Finally, AMRNI stated that in the same common area (" computer room-computer room ») were installed and more servers were running and other companies whose offices are housed in the same building and which do not related to the AMRNI Group (APDPH CI EIS / 7306 / 10-9-2018 p. 2 paragraph 3). It follows from all of the above that both the parent company AMRNI and subsidiaries of its Group, as well as third companies, outside the AMRNI Group, made use and had physical access to the same area where they were located and operated more servers (servers) of companies of both the AMPNI Group and and third party companies and other legal entities outside the AMPNI Group but also physical and logical access to the same computing infrastructure (hardware and software DANAOS, AMPFS 1, AMPFS2) for the processing of e-mail employees and their executives by processing the systems electronic communications archiving. The above accesses and edits personal data took place without any action being taken physical and logical separation, and the person appointed as Head . . . ( . . . ) of the AMPNI Group was hired by a Group company in order to provide services for both 29 With the companies of the AMRNI Group, as well as for third companies outside the AMRNI Group, while the licensing and service agreement with the software company DANAOS was concluded by a third company outside the AMPNI Group to finally establish that any kind of processing of personal data took place informally, without the existence of any agreement between the companies inside and outside the AMRNI Group that shared the same hardware and software infrastructure, without downloading any essentials technical or organizational measure of internal compliance with the provisions of the FGM, without relevant demarcations, resulting, as the documents show, to be set finally issue a county specific server (server) and be brought before civil courts to be resolved through the interlocutory proceedings (AIIMIX I r /E IL / 733 / 30-01-2019). 26. The Authority in the exercise of its audit powers, both before hearing (see APDPH no. prot. G /EX / 5414-1 / 26-6-2018 and APDPX no. prot. G I EX I 6211-1 / 14-8-2018), as well as during the hearing requested from the audited company AMPNI, among other things, to document its compliance as it had obligation from no. 5 par. 2 GKP principle of accountability to its provisions GPD and in particular in relation to obtaining the required " technical and organizational measures taken for the security of personal data and used infrastructure that supports processing by notifying us of any relevant policy document or rules of procedure, whether it concerns the company itself or applied at Group level . For example, list the measures it takes with regard to in the physical access to the site of the MAIL SERVER in question, in the logical access to application of MAIL SER VER, the policy of proper use of corporate emails by its control policy (eg access and management rights the said subsidiary and I or the complaining parent company, if the above have been included in a text governing staff relations (eg Regulation Work), as well as whether and how staff are informed in advance about the above and in particular for any control of corporate emails, the relevant conditions, the procedural guarantees for carrying out an audit, etc. "(see APDPH no. prot. G /EX / 5414-1 / 26-6- 2018 p. 2). The legality of copying the contents of the server (server), in accordance with data breach notifications and complaints, was requested in particular by the Authority among others, both at the hearing and before of this (see APDPH no. prot. G /EX / 6211-1 / 14-8-2018 p. 2) to clarify " if and with 30 how the group staff and users in general were informed in advance of email accounts for your company 's right to proceed control of e-mails, the relevant conditions, the procedural guarantees of conducting an audit etc .. as well as if, when and how the staff was informed about this control . . . » . 27. The audited company AMR NI before the hearing and instead ofresponding t o no. prot. APDPH CI EX I 5414-1 / 26-6-2018 document of the Authority submitted the from 13-8-2018 Application for Treatment for the revocation ofno. 2/2018 of his Interim Order Chairman of the Authority without finally responding to any of the details stated requests of the Authority, without substantiating no. 5 par. 2 GKPD the legal operation of the infrastructure used (hardware and software - servers) that supports the processing of personal data ( especially e-mails), without providing any written documentation of internal compliance to the FSAP, in particular to the requirements of secure data processing without stating the necessary technical and organizational measures received and without providing any personnel data management policy character, no safety policy, no employee regulations and no one proof of informing the subjects about the processing of their data and the exercise of their related rights but also for the possibility of doing so control in their e-mails. The then complainant ABS, in response to the same document of the Authority presented with the no. prot. AIIIIX r / EI:E / 5935 / 04-07-2018 memorandum of documents security policy, but which lacked chronology, signature, approval as well and proof of their application, in addition they were not said to concern an unclear one designated legal entity under the name "AEGEAN". The audited company AMPNI then provided clarifications on the questions asked by the Authority with no. prot. AIIMIX r /ES / 6211-1 / 14-8-2018 document, but again without documenting no. 5 par. 2 GKPD the legal operation of the infrastructure used (hardware and software - servers) and without providing any written documentation of internal compliance to the GCC. The then complainant ABS, in response to the same document of the Authority with the No. prot. AIIAfIX r / EI:E / 7522 / 20-9-2018 document stated that the submitted by The same Policies are drafted outside the European Union and specifically in the USA as well as that they are applied by the parent company AMPNI, without presenting relevant evidence. In addition, she claimed that the person presented in her memorandum " AEGEAN Rules of Procedure " has been drafted exclusively for the subsidiaries AMRNI companies and that no reference is made to their control corporate e-mails of employees or how the company can proceed above act for which the parent company is solely responsible and not the same. Finally, in the same memorandum, ABS stated that both AMPNI Group companies and and third companies outside the AMR NI Group use all informal and without any written contract the infrastructure and servers of the company ABS. 28. During the meeting of05-12-2019 before the Authority, the company ABS, then replacement of her legal representative and her attorney, withdrew its complaint, which has no legal consequences for continue the examination of the case before the Authority as it is not about one private civil law dispute the subject matter of which is disposed of in accordance with will of the parties. In addition, the Authority carries out ex officio audits on the basis of information received regarding the breach of personal data of subjects. The company AMPNI both during the hearing before the Authority against the meeting of05-12-2019, and later with the no. prot. AilMIX r / EI/ 10259 / 19-12-2019 supplementary memorandum (jointly with ABS) submitted clarifications as well as a series of allegations and objections, but again without document no. 5 par. 2 GPO the legal operation of the used infrastructure (hardware and software - servers) and without providing any kind written documentation of its internal compliance with the FGM. On page 14 of above memorandum AMPNI states that " The AMPNI Group has policies IT security (see attachments as Annex D) ". This document is entitled Information Systems Security Policy Aegean Marine Petroleum Network Inc., bears the date of its signing latest version on ... by ... Director ( ... ) II and compiled by ... ( ... ) N in compliance not with the provisions of no. 679/2016 of the General Regulation Data Protection or Directive 95/46 / EC but in compliance with the provisions 32 of the US legislation "Sarbanes Oxley Act 2002" ("SOX") and in particular the section (hereinafter "Article") 404, as indicated on each page of that policy. In particular, this US law was passed to address corporate financial scandals and concerns corporate governance and disclosure of financial transactions under which the provisions law companies (whose securities are traded on US stock exchanges) are obliged to integrate and implement internal control procedures as well and to prepare annual financial reports to the Commission US Securities and Exchange Commission ("Security Exchanges Commission -" SEC ") 35 , which include Internal Controls Report for financial transactions and the reliability of financial statements ("financial statements"). That said report shall be made in accordance with the provisions of Article 404 SOX Act. Specifically, with Article 404 SOX Act 36 introduces the obligation and responsibility of the company management to set up, install and operate an internal control system procedures related to the preparation of the company's financial statements submitted to the US Securities and Exchange Commission ("SEC") and includes a an internal audit report evaluating the effectiveness and reliability of the internal control system during the previous annual management use 37 . From the above in conjunction with the content of this security policy information systems under Article 404 SOX Act USA it appears that it does not take into account the risks involved in data protection personal data of the subjects through the use of the computer infrastructure (DANAOS hardware and software, AMPFSl , AMPFS2) but aims to ensure of the necessary corporate information to achieve the objectives described above in relation to the US Securities and Exchange Commission (SEC). ,, cf. the website of the U.S. Securities and Exchange Commission in relation to Article 404 SOX in gov/info/smallbus/404/gyide/intro.shtml and Sarbanes-oxleY.-1 0 I .com ,. ,°' details see "Sarbanes-Oxley Section 404: A Guide for Management by Internal Controls Practitioners", The Institute of Internal Auditors. 3 7 SOX Act companies are required to submit to the Hellenic Capital Market Commission US (SEC) form 1 0-K which includes an internal audit report stating its responsibility management structure and internal control procedures regarding financial figures and the adequacy of internal controls. A statement is also submitted by the party external auditors of corrections on accounts, recording of off-balance sheet transactions, changes in share ownership by members of management as well as information about its existence code of ethics. Decision 44/2019 From reading the US Article 404 SOX Act policy relied on by AMPNI, moreover, the absence of any reference to protection of personal data pursuant to the GIP or the Directive 95/46 I EC as well as any reference and measure of its internal organization compliance with the principles of Article 5 GIP and the legal bases of Article 6 GPD, indicatively does not lack any provision in relation to: a) their rights subjects (Articles 12-22 GCC), (b) the application of appropriate techniques; and organizational measures in order to ensure and be able to demonstrate that the processing is carried out in accordance with the GCP (article 24 par. 1 in combination with Articles 25 and 30 of the ICCPR) and ( c) the application of appropriate technical and organizational measures processing safety measures (Article 32 GIP). In addition, it is absent any provision regarding the permissibility or not of the use of corporate infrastructure electronic communication by AMPNI employees and executives in relation to surveillance, access and control of electronic communications AMPNI employees and executives and, if so, the terms, procedures and guarantees to carry out relevant checks and investigations on personal data their. Finally, the US Article 404 SOX Act policy that provides and cites AMPNI does not address the risks arising from processing of personal data (see application no. 75 GKPD). Finally, the controlled company AMPNI submitted together with ABS the no. prot. AIIMIX r /En: / 2616 / 05-4-2019 supplementary memorandum to counter the memoranda of the complainants and L, former legal representative of ABS, without but again to document no. 5 par. 2 GKP its legal operation used infrastructure (hardware and software - servers) and without provide any written documentation of its internal compliance with the GCC. 29. Moreover, the controlled company AMPNI, despite its requests and questions At first, both before the hearing and during the hearing, he did not answer did not document as it should due no. 5 par. 1 GPD the legality of the processing personal data in the context of the operation of the used infrastructure (hardware and software - "original servers"). In particular, it follows from all the above that the controlled company AMPNI as controller did not take any internal compliance measures no. 5 par. 1 and 6 par. 1 GKPD in relation to the legal operation of the used infrastructure (hardware and software - "original servers" DANAOS, AMPFSl , AMPFS2) which supports the processing of personal data (in particular e-mails) included in an archiving system, nor provided by anyone such written documentation of such internal compliance required by the GCC according to no. 5 par. 2 GKPD, in particular to the requirements of secure data processing of a personal nature, nor did it take the necessary technical and organizational measures no. 5 par. 1 ed. fin combination with no. 24 par. 1, 2 and 31 par. 1, 2 GKPD to guarantee the appropriate security of personal data, including protecting them from unauthorized or illegal processing and accidental loss, destruction or deterioration (" integrity and confidentiality " ), nor did it appear to have been designed, prepared and implemented in compliance with the provisions of article 5 par. I GCP the any accountability measure referred to in recitals no. 11 and 16 hereof, including personnel data management policies nature and security policies in accordance with the requirements of the GCP, nor received measures of physical and / or rational segregation, nor produced a staff regulation or another internal document containing provisions on data protection nor provided any proof of their information subjects for the processing of their personal data during operation of the computer infrastructure used (hardware and software; "Original servers" (DANAOS, AMPFSl , AMPFS2), the exercise ofrelated their rights but also for the possibility of checking their e-mails. On the contrary, the controlled company AMRNI focused its arguments verbally at later or further stages in the processing of the same data, that is, at the stage of access to the e-mail control servers (stage 2), in subsequent copying (stage 3) and transmission to Manchester, United Kingdom (d) stage) of the contents of the original servers ("copy server" ), claiming that the conditions of article 6 par. 1 par. in the GCC for processing of personal data, again without substantiating No. 5 par. 2 GKPD the no. 5 par. 1 GCP legality of data processing personal character sufficient for the verbal invocation of article 6 par. 1 ed. f GPD on overriding legal interest. However, it was also extended to 3 5 Recital no. 17 o f the present, the processing o f personnel data in violation of the principles of article 5 par. 1 GKPD is not treated by existence oflegal purpose and legal basis no. 6 par. 1 GKPD. In this case, the controlled company AMPNI had the obligation, after proving that he owed no. 5 par. 2 GKP the taking and implementation of measures compliance with the provisions of Articles 5 (1) and 6 (1) of the GIP legality of the processing of personal data that took place in the computer infrastructure used (hardware and software "prototypes DANAOS, AMPFSl , AMPFS2), to then prove no. 5 par. 2 GKPD, also the legality no. 5 par. 1 and 6 par. 1 GKPD, of the later ones (for the initial purposes) or further (for different purposes according to no. 6 par. 4 GPD) independent and distinct processing operations, namely: b) access and checking the e-mails held on the servers, c) creating one new archiving system after copying the original system archiving and d) the transmission of the copy archiving system (server - back up according to AMPNI) in Manchester, United Kingdom (see with no. prot. All.MIX r /EU: / 7306 / 10-9-2018 O"l::A.. 6 K(ll AIIAfIX r /EI/ 7434 I 17-9-2018 O"l::A.. 6 AMPNI documents). In view of the above, given that the original collection, preservation and in general processing of personal data contained in the systems archiving of computer infrastructure (hardware and software "originals DANAOS, AMPFS 1, AMPFS2) has already been deemed illegal and infringing the provisions of article 5 par. 1 GCP and especially those of articles 5 par. 1 ed. a 'and f and par. 2 in conjunction with articles 24 par. 1 and 2 and 32 par. that subsequent or further processing of the same personnel data character and in particular the access and control of e-mails, the copying of their content "Original servers" and the creation of a new system archiving, sending the new archiving-copy system to Manchester United are also illegal and violate the whole of the principles of article 5 par. 1 and 2 but also article 6 par. 1 GCC, as integral linked to and originating from the original illegal processing of the data personal character of the "original server" archiving system. 30. As a result of the above deficiencies, the Authority further notes, in accordance with facts accepted in no. 25 recital, that the same 36 computer infrastructure (DANAOS server hardware and software, AMPFSI , AMPFS2) used for the subsequent or further processing of personnel data character (e-mails) of subjects who worked and were associated with both his companies AMPNI Group, as well as with third companies, outside the AMPNI Group, without having received the necessary measures of physical and logical separation resulting in its administrator system- computer infrastructure to access and process for AMPNI company account of personal data (e-mails) of subjects of data not related to the same 38 • Hence the lack of appropriate technical and organizational measures, in particular those requiring the natural and logical separation, the threatened risk of confidentiality occurred and integrity of personal data through access, copying and their transfer to Manchester, United Kingdom. It follows from the above that the subsequent or further processing, by access, copying and transmission to Manchester, personal data of individuals related to the Group AMPNI was illegal because it concerned personal data that from the beginning they had not been legally processed, while in terms of personnel data nature of natural persons related to third companies outside the AMR NI Group, in addition to the lack of physical and logical separation measures. 31. In view of the above, the Authority considers that the audited company AMR NI as responsible processing: on the one hand, did not apply all the principles of article 5 par. I GCP and 6 par. 1 GGP on the legality of the processing of personal data (especially e-mails) that took place in the computer infrastructure used (hardware and (original server software (DANAOS, AMPFSI , AMPFS2)), but also in any subsequent or further processing of the same personnel data character, nor proved by no. 5 par. 2 GPD the observance of these. on the other hand, violated the provisions of articles 5 par. l ed. a 'and f and par. 2 in in conjunction with Articles 24 (1) and (2) and 32 (1) and (2) of the GIPA on its principle secure processing (in particular of the "confidentiality") of personnel data " Cf. the printouts of the e-mails submitted through her memos ABS before the hearing before the Authority, in particular no. AITt.IIX r / Ell: / 5432 / 1 8-6-201 8 supplementary memorandum with a list o f email addresses. 37 character that took place in the computing infrastructure used (hardware and original server software (DANAOS, AMPFS l , AMPFS2) from non-download appropriate technical and organizational measures, but also in the context of any subsequent or further processing of the same personal data, as necessary the examination of the observance of the principles of processing of subsections b ', c', d 'and e' of par. 1 of article 5 as well as article 6 par. 1 GKPD, according to what was accepted in no. Recital 11 hereof. 32. The objections and allegations of the audited company AMPNI: i. As to the objection that the GCC does not apply in accordance with article 3 par. 1 as " [ ... ] AMRNI is a company based in the Republic of the Marshall Islands (Marshall Islands), is listed on the NY Stock Exchange and is its head AMRNI Group. AMRNI does not have an installation in Greece but maintains only one mailing address in Piraeus. ABS is a 1 00% subsidiary of AMP NL Therefore, AMP NI does not have the same facility in Greece [ ... ] the purpose of export I copying data .... had nothing to do with the activities of the companies of the AMP NI Group in GREECE. That is, there is no relationship between the purpose for which they were exported data and the activities of Greek companies .. »( see Supplementary Memorandum AMRNI and ABS APDPH no. prot. r /EI/ 10259 / 19-12-2018 p. 5-8). From article 3 par. 1 GCP, recital 22 GCC and sub consultation Guidelines 3/2018 of the European Protection Council Given the territorial scope of the GGP, it follows that the GGP applies in the processing of personal data in the context of its activities installation of the controller, which presupposes the substantial and actual exercise of an activity, which should not be construed narrowly and typologically as with criterion e.g. the place ofregistration of the company in the relevant registers registration (see WEU C-210/2016 Facebook (fan page) decision of05-6-2018 Application Sk. in particular 56 and 53-55, 57, C-230/14 Weltimmo v NAIH decision of0l/10/2015 Ait. Sk. Especially 29 as well as 31). In this case, the controlled company AMPNI only argues on the subsequent or further processing of access-control of e-mails and copying the contents of servers without interfering claims on the legality of the original collection, preservation and processing of personal data included in its archiving systems 38 computer infrastructure (DANAOS "original server" hardware and software, AMPFS I , AMPFS2). This computing infrastructure (hardware and software "prototypes DANA OS, AMPFS I , AMPFS2) at the critical time was established in Greece and specifically in Piraeus on the Kondili Coast no. I 0, owned by ABS, a subsidiary of AMPNI and according to a statement of AMPNI itself (see no. prot. APDPH G /EIS / 7306 / 10-9-2018 document ofp. 2): " The Server belongs to the AMPNI Group and in particular, was purchased together with the required equipment, earlier in 2018, by ABS, member of the AMRNI Group and 1 00% subsidiary of the Company ". In addition, it turned out that the use of servers that were installed on Greece and the processing of personal data through them received country following decisions by AMPNI, which determined the purpose and manner processing no. 4 par. 7 GKPD both for itself and for its subsidiaries companies in the exercise of its activities. Further, according to a statement of AMPNI itself ( see document no. 2): " The Server belongs to ABS, a member of the AMPNI Group. That is, in terms of ownership, has been purchased from ABS. ABS, however, does not process personal data for account of the Company ". In addition to the above and in the alternative, the claim should be rejected; AMPNI 's objection that it has no real but postal facility only in Greece and that it is based in the Republic of the Marshall Islands (Marshall Islands) given that she declares the address of Akti Kondili 10, in Piraeus as the address installation and actual operation first, before the Authority with the submitted Application for Treatment (see prot. no. APDPH I GI EIS / 6211 / 13-7-2018 p. 1) and second, before the US Securities and Exchange Commission (SEC), as it turns out from Annexes A and B attached to the aforementioned Application Treatment, as well as from the annual report of 16/5/2017 39 which he refers to C I EIS / 7306 / 10-9-2018 her document to the Authority and from which the statement results of the following items: AEGEAN MARINE PETROLEUM NETWORK INC., 10, Akti ,. Cf. her togeanmarine.gcs-web.com/static-files/ebca7627-4368-4e6c-9a75-45862ad60cac 39 Kondili (Address of Principal Executive Office), Piraeus 185 45, Greece (the underlining and bold from the Annexes), For these reasons, the Authority rejects its objection - allegation controlled company AMPNI. ii. As to the objection according to which the US Bankruptcy Court of the Southern District of New York issued an order with global force no. 362 (a) The US Bankruptcy Code under the AMPNI Bankruptcy Application, which provides: according to her allegations, on the one hand, its continuation before the Authority is prohibited proceedings, on the other hand, the exercise of control over a bankruptcy asset property, which according to the audited company AMRNI includes' [ ... ] certain, if not all, from the data under discussion are assets of the bankruptcy property » In this case, by no provision of national or European legislation, but not by any international or other bilateral - transnational convention it appears that the cited US Bankruptcy Court order produces legal results in Greece, nor does the audited company AMPNI claim such nor does it produce a Greek court decision recognizing enforceability of such a foreign court order. In addition, the audited company AMRNI misinterpreted the national and European legislation on the protection of personal data as a given in order to submit the relevant objection - claim that the data personal information processed by the controller recommend His "property" and therefore part of his "property", as will be demonstrated below. For these reasons, the Authority rejects its objection - allegation controlled company AMPNI. iii. As to the allegation-objection that the complaint against the controlled company ABS was submitted without right and therefore inadmissible by legal and not natural person no. 77 par. 1 GKPD, ie the subsidiary ABS resulting in h issued under no. 2/2018 Temporary Order of the President of the Authority to suffer invalidity and that ABS withdrew its complaint against the auditee of AMPNI company, is additionally pointed out under no. 28 recital of the present that the audit was carried out ex officio according to no. 57 par. 1 ed. a 'and h' 40 GPD based on the information received by the Authority primarily from 18-6-2018 Notification of Data Violation Case submitted by ABS (AIILllIX / r /EU: / 5432 / 18-6-2018). In any case, even if unacceptable the complaint was submitted by the company ABS, the Authority is entitled no. 57 par. 1 ed. a' and the GKPD in combination with no. 19 par. 1 case law 2472/199 7 to carry out ex officio checks and investigations with only the information received for real cases of breach of existing data protection legislation personal. In addition, the Authority is entitled no. 19 par. 1 per. Iy 'v. 2472/199 7, but is not obliged to file requests or complaints that are judged manifestly, vaguely, unfoundedly or submitted abusively or anonymously. Therefore, from the above provisions, which apply as they do not conflict with GPA (see APDP 46/18 and 52/18) it appears that the Authority had the right to carry out an audit with only the factual information independently the validity or not of the complaint. In addition, the President of the Authority despite the submission on behalf of the company ABS application for a temporary order, issued ex officio the no. 2/2018 Interim Order, taking note of the facts relied on as it appears from the body of the Provisional Order itself to which it does not refer that it accepts that request. Therefore the no. 2/2018 Interim Order of President of the Authority does not suffer invalidity. Finally, the ABS company withdrew its complaint against it controlled company ABS, but also the complaint of inadmissible complaint by a lawyer person do not find support in any provision of law given that it is not about a private civil law dispute the subject matter of which is disposed of in accordance with the will of the parties, and in addition, as stated above, the Authority investigates ex officio any information on breaches of personnel data protection legislation character (ad hoc AIIt.IIX 136/2015 mt. enc. 6 par. a '). For these reasons, the Authority rejects its objections - allegations controlled company AMPNI. iv. As to the objection-allegation of inadmissibility of the individual complaints natural persons because they have not previously contacted the controller in order to exercise their rights under Articles 15-22 GCP, before It should be noted that, on the one hand, the provisions of Article 77 41 par. 1 GPD it appears that every data subject has the right to submit direct complaint to the Authority if it considers that the processing of personnel data violates the GPA. In this case, the natural persons denounced the violation of the GCP against them and not the non satisfactory response of the audited company AMPNI in the exercise of their rights under Articles 15-22 GCP. In addition, as stated above, the Authority is engaged on its own initiative and investigates any fact of violation of the current legislation for the protection of personal data, whether or not the complainants bear the burden of proving their allegations as well as whether or not they prove their validity of their allegations. In this case, the complainants complained about alleged illegal copying of their personal data were included in the computer infrastructure archiving systems (hardware and "original server software" (DANAOS, AMPFSl , AMPFS2). The beginning in order to verify the legality of such copying, it proceeded ex officio to investigating the legality of the original collection, preservation and processing of personal data included in the "original servers". As already stated, the obligation to prove no. 5 par. 2 GPD of legality of each treatment no. 5 par. I and 6 par. I GKPD is the responsibility of the person in charge processing and not the data subject. For these reasons, the Authority rejects its objection - allegation controlled company AMPNI. v. Regarding the objection-claim that the corporate e-mails exchanged by Corporate e-mail accounts are not data personal property and that they constitute an "asset" belonging to "Ownership" of the company, the Authority has already rejected the relevant claim on the basis of recitals 4, 5 and 6 hereof in order to reach a conclusion that the audited company processed personal data were included in a computer infrastructure archiving system (hardware and "original server software" (DANAOS, AMPFSI , AMPFS2) without complying with the principles of article 5 par. I and 6 par. I GKPD as well as in violation of its principle safe processing no. 5 par. I ed. a 'and f GKPD. 42 Moreover, in this case, the fact that the email addresses (e-mails) had as their first component, identifiers of the usemame, ie of the form ovoga./i,nmvugo@-mtP-ia.gr is enough for their characterization as data without the need to check the content of e-mails in order to determine whether it is professional or private correspondence or if they come from a corporate or private e-mail account, in accordance with what has been accepted in recitals 4, 5 and 6 hereof. Therefore, the claim of the controlled company AMPNI according to which the Complainants must provide "personal" e-mails that sent from non-corporate (private) email accounts and include content copied personal data by AMPNI in order to prove the validity of their complaint, on the one hand no based on the above, on the other hand, the Authority considered that the principles of article 5 par. I GCP and 6 par. 1 GCP regarding its legality processing of personal data, ie the set of e-mails that took place in the computer infrastructure used (hardware and software "Original servers" DANAOS, AMPFSl , AMPFS2), but also any subsequent or further processing of the same personal data, so that there is no need to respond to the individual complaints of individuals, as it will discussed below. Finally, as already accepted with no. 6 recital of this o claim of the audited company AMRNI according to which the data personal belonging to the "property" or "property" of it comes in full contrary to national and European law and that the controller does not is the "owner" of the personal data it processes. If the controller was the "owner" of the personnel data character to be processed would not be introduced as a rule by article 6 par. 1 GCP h ban on the processing of personal data so that it is required to one of the legal bases provided there in order to legalize the processing, nor would the data subject be granted a set of rights on it control of personal data (art. 12-22 GKPD), in particular objection, restriction, deletion or portability rights. For these reasons, the Authority rejects its objection - allegation controlled company AMPNI. 43 vi. Regarding the objection - claim of the controlled company AMRNI that any download taken into account by the Authority new evidence presented by the complainants after the end of the hearing violates her right to be heard, she must in principle It should be noted that the audited company, on the one hand, received knowledge and copies of the documents submitted by the complainants after the hearing as well deadline of 15 days in order to submit its views on them (APDP no. prot. G /EX / 2214 / 21-3-2019), on the other hand, she also presented new evidence after the end of the hearing, but also placed on the allegations and the evidence material provided by the complainants after the hearing (see Supplementary Memorandum AMPNI & ABS with no. prot. AIMTIX r /EI/ 2616 I 05-4-2019). In addition, it is not provided for in any provision of the CPC or other legislation Prohibition of presenting new evidence after the end of the hearing audited or that all the evidence on which the Authority will judge must have been gathered before the hearing at a hearing given that the The purpose of the hearing is to provide explanations and information for clarification issues that may even have first arisen during it as is the case with other constitutional hearings established independent administrative authorities such as e.g. its Security Authority Privacy of Communications (ADAE). vii. As to the allegation - objection of the audited company about illegal extension of the granted deadline for submission of a memorandum after the hearing will It should be noted that the extension was legal since the controlled company AMPNI together with ABS submitted a request for the exclusion of the rapporteur of the case after commencement and during the submission deadline resulting in the deadline for issuing a decision on the request for exemption is automatically suspended and until a new deadline is provided. In no case could the initial deadline for submitting a memorandum after the hearing, if not previously the Department of the Authority decides on the request for exemption. On the contrary, on her part controlled company AMPNI together with ABS, submission of memorandum by hearing pending the request for exclusion of the rapporteur which they themselves had submitted and without await the issuance of the decision on the exemption request comes in full contrary to the request for exemption itself as on the one hand the companies requested the 44 with the exception of the rapporteur, while on the other hand they submitted a memorandum to the Department of Authority in which the rapporteur participated. For these reasons, the Authority rejects its objection - allegation controlled company AMPNI. viii. The audited company AMRNI makes the following allegations: that legally entered the computer infrastructure used (hardware and software "prototypes DANAOS, AMPFSl , AMPFS2) in order to e-mail of specific individuals, former and current employees and AMPNI Group executives, that these inspections were legal, that accidental software for deleting already deleted files was discovered to make it it is necessary to copy the entire computing infrastructure used, including personal data (e-mails) of individuals related to third party companies outside the AMR NI Groups, that there was no obligation notification of an incident of personal data breach to the Authority by detection of "malware" deletion, that as an employer he had under Article 6 par. 1 ed. GPP over legal interest in checking and copying e-mails in the context of the audit carried out, that he was not obliged to inform the data subjects, either before copying or after copying e-mails their. A prerequisite for answering the above allegations is, as stated above in accordance with recitals no. 17, 18, 22, 29 and 30 of the present but also from no. 3/2018 Provisional Order of the President of the Authority, the proof of it legality of the initial processing (collection and preservation) of the data of a personal nature taking place in the computing infrastructure used (hardware and software of"original servers" DANAOS, AMPFSl , AMPFS2). Given that the Authority considered it illegal and in particular a violation of the principle of safe processing the original collection, preservation and generally processing of personal data included in its archiving systems computer infrastructure (DANAOS "original server" hardware and software, AMPFSl , AMPFS2), it is provided that subsequent or further processing of the same personal data, namely the access and control of e-mails, h copy the contents of the "original servers" to a "server copy" with which a new archiving system was created (back up according to AMR NI) and 45 the sending of the new archiving-copy system to his Manchester United Kingdom are also illegal and violate all of its principles Article 5 par. 1 and 2 but also Article 6 par. 1 GCC, as inextricably linked and derived from the initial illegal processing of personnel data the nature of the "original server" archiving system so that it is redundant the examination of both the complaints of the natural persons and the one to be rebutted examination of the claims of the controlled company AMPNI that focus exclusively in the subsequent or further processing of personnel data character. That is, even if their complaints had not been submitted natural persons ( concerning subsequent or further processing), would be copying the "original server" is illegal due to not filling them in from the beginning conditions for the legal processing of personal data contents. Thus, the invocation of the legal basis by the controlled company AMPNI of article 6 par. 1 par. in the GCC for control, access, copying and sending the content of the "original servers" (servers), but also invoking of the need to copy due to "malware" detection can not retroactively legitimize the earlier processing of personal data in violation of articles 5 par. 1 and 6 par. 1 GCP in accordance with what was accepted in recitals no. 17 and 22 of this. For these reasons, the Authority rejects its objection - allegation controlled company AMPNI. 33. On the contrary, the information in the file and the hearing did not show that company " ERNST & YANG (BELLAS) CERTIFIED AUDITORS A CCOUNTANTS SA »Participated or assisted in the breach by the controller provisions of Articles 5 (1) and 6 (1) of the GIP, in particular at the access stage, control, copying and transmission in Manchester, United Kingdom personal data. 34. According to the GKPD (Ait. Sk. 148) in order to strengthen their enforcement rules of this Regulation, sanctions, including administrative fines should be imposed for any infringement of this Regulation, in addition to or instead of the appropriate measures imposed by the supervisory authority in accordance with this Regulation. In cases of minor breach or if 46 the fine that may be imposed would be a disproportionate charge in kind person, a reprimand could be imposed instead of a fine. The Authority after establishing the violation of the provisions of the GCP during above, taking into account, in addition to the above, in particular the Guidelines guidelines for the application and setting of administrative fines for its purposes Regulation 2016/679 issued on 03-10-2017 by the Working Group of the article 29 (WP 253) and having duly taken into account the provisions of Article 83 of the ICCPR in measure applicable in this case and in particular those provided for from paragraph 2 of the same article criteria relate to the specific case that examined by the Authority: (a) the nature, gravity and duration of the infringement, taking into account the nature, extent or purpose of the treatment concerned, and the number of subj ects of the data affected by the infringement and the degree of damage suffered namely: i. the fact that the company violated the principles from article 5 par. 1 GKPD as well as the obligation (principle) of accountability no. 5 par. 2 GKPD, ie violated fundamental principles of the GBER for the protection of personnel data character. ii. the fact that the condition of safe processing no. 5 par. 1 ed. f GPA is now reduced to a basic principle of data processing personal nature so that, even if the other processing principles are followed to make the processing totally illegal in the event that o processor does not guarantee adequate security. iii. the fact that it also becomes of fundamental importance the principle of accountability under the new compliance model introduced with the FGM, where burden of compliance and the relevant responsibility lies with the controller, o which has been provided by the GCP with the necessary compliance tools. iv. the fact that according to no. 3/2010 Opinion of its Working Group Article 29 on the principle of accountability (WP l 73 / 13-7-2010) the establishment internal accountability measures for compliance with processing principles (par. 39-51 and in particular par. 41 and 44) provides great opportunities for effective implementation reducing the chances of the controller violating the legislation and therefore the assessment of sanctions takes into account the compliance with the principle of accountability (par. 38), while in case breach of it requires substantial sanctions, such as in case in which a controller does not comply with the statements made contained in its binding internal policies, which are taken in addition to the actual breach of the essential principles data protection (par. 64). 47 v. the fact that the controller did not take any internal action compliance with the accountability principle to be applied and implementation of the principles of personal data processing by No. 5 par. 1 GKPD, not even the ones provided as "basic" according to the Opinion 3/2010 of OE 29 (par. 44, ibid.) vi. the fact that the violation of the above principles took place in the context processing of personal data in a computer infrastructure (hardware and software) which is used to service a large number electronic communications of data subjects vii. the fact that the violation of the above principles took place during the processing personal data of labor subjects characterized by a power imbalance between employer and employees. The importance attached by the GCC to processing of personal data in employment relationships is demonstrated by fact that Article 88 thereof gives the national legislature the opportunity establishing specific rules to ensure their protection rights and freedoms of workers, including appropriate and special measures to safeguard human dignity, the law interests and fundamental rights of the person to whom the data are reported, with particular emphasis on the transparency of the processing, the intra-group data transmission and on-site monitoring systems work. Therefore, the observance of the principles provided by article 5 par. 1 ed. a 'and par. 2 GKPD acquires in this case a special and important importance for respect for the right to protection of personal data character of employees. viii. the fact that the principle of safe processing was substantially violated personal data no. 5 par. 1 ed. in the GCC through and ultimately achieve access, copy, transmission and in general processing of personal data of data subjects were affiliated with third parties, except the AMRNI Group ix. the fact that the violation of the above principles is subject to the provisions of article 83 par. 5 ed. a 'GKPD in cases of administrative enforcement fines ofup to EUR 20,000,000 or, in the case of businesses, up to 4% of total global annual turnover of the previous financial year year, depending on which is higher, ie in the higher provided category of the classification system of administrative fines, the imposition of reserved, in accordance with the principle of proportionality, in the case of the most serious violations of the GCC. Therefore, already from the provisions of the GCP show that the violation of the principles provided from article 5 par. 1 and par. 2 GKPD is treated as of greater importance in relation to the violations provided by article 83 par. 4 GKPD. 48 x. the fact of causing damage to the right to data protection personal data of the subjects from the violation of the above authorities and, in particular , the processing of personal data, secondly, the continuing in breach of it GPD processing of personal data in several stages (initial preservation and processing, access and control, copying, transmission) and third, the complete deprivation of rights and the exercise of control over them personal data of the data subjects (cf. Ait.Sk. 75 GKPD and OE 29 on administrative fines, ibid., P. 11 ). xi. The fact that, from the information presented to the Authority, no evidence emerged against at this stage the occurrence of material damage to the data subjects, nor relied on relevant material damage xii. the fact that the violation of the principles of article 5 par. 1 and par. 2 GKPD no concerned, on the basis of the information provided to the Authority, data personal provisions of Articles 9 and 10 of the GIP. xiii. The fact that the violation of the principles of article 5 par. 1 and par. 2 concerned any subject whose personal data occurred processing in the context of its electronic communications service from computer infrastructure (hardware and software) so that it is not one individual or occasional infringement but for an infringement that has a systemic (structural) character. b) the deceit or negligence which caused the infringement From the hearing before the Authority and the memoranda of the person in charge shows that the company was completely unaware of the compliance obligations in accordance with the requirements of the GCP, and in addition showed no willingness to comply, as will be demonstrated below. Therefore, the violations found were resulting from a lack of complete knowledge and application of the provisions of the GCC in framework of the organization of internal compliance despite the fact that the responsible could and should, in particular due to accountability, to comply with the provisions of the GCP, thus violating the duty of care which required by law. (c) any action taken by the controller to mitigate the damage suffered by data subjects, The controller did not take any action to restore or mitigation of the damage suffered by the data subjects, nor did it informing them, even after the illegal processing of the data by him their personal nature. It should be noted at this point that the person in charge processing for non-prior updating of data subjects invoked the exception of article 14 par. 5 ed. b 'GKPD so as not to damage the achieving the objectives of the processing, namely the internal control relied on. Regardless of the validity or otherwise of that claim, even after completion of the alleged internal control, never the controller informed data subjects of subsequent or further processing, namely the copying and transmission of their data to Manchester, United Kingdom Vassilios, especially natural persons affiliated with third parties outside the Group AMPNI, so that to date they have not been informed about it. It is recalled that according with what has been accepted hereby, the violation of the principles of article 5 par. 1 GCP occurred at the expense of any subject whose data were found to be illegal processing and not only of the complaining natural persons. ( d) the degree of responsibility of the controller, taking into account the techniques; and organizational measures implemented pursuant to Articles 25 and 32, The controller did not take into account technical and organizational measures, nor did he take any action to the necessary evaluations in order to draw appropriate conclusions (see no. 28 request sk. of the present). (e) any relevant previous infringements by the controller; It appears from a relevant audit that no administrative sanction has been imposed to date by the begining (t) the extent of cooperation with the Authority to remedy the infringement and limiting its potential adverse effects, The Authority recognizes as a mitigating circumstance on the part of the person in charge processing admission of illegal copying and sending to his Manchester United Kingdom "[ . . . ] any e-mails of individuals who have not and I or have not any employment or service relationship or any other relationship with companies of the AMRNI group, which AMRNI would be available to separate and provide evidence of this "(Supplementary Memorandum AMPNI-ABS ofOS-4-2019 pp. 8 and 12 AilMIX r /EI/ 2616 I 05-4-2019 last page, point 4) as well as the expression of his intention, according to the above, to proceed with separation or deletion (see Supplementary Memorandum AMPNI-ABS of 19-12-2018 p. 23), although it did not express the same intention for the personal data of the other subjects data. g) the categories of personal data affected by the infringement , namely Whereas this is not personal data referred to in Articles 9 and 10 of the GIP, in accordance with the information provided to the Authority. {h) the manner in which the supervisory authority was informed of the infringement, in particular if and to what extent the controller or processor notified the infringement, In this case, the Authority was informed of the final findings breaches primarily through the Data Breach Notification submitted by ABS company as a result of which it carries out an ex-officio inspection. The person in charge did not inform the Authority, nor did it notify itself of the Infringement Data i) any other aggravating or mitigating factor arising out of circumstances of the particular case, such as the financial benefits that or damage avoided, directly or indirectly, by the infringement The Authority, in addition to the above, acknowledges as an additional mitigating factor that from the data presented to it to date and on the basis of which it found breach of the GPA, the controller did not reap any financial benefit, either caused material damage to data subjects. The Authority recognizes as aggravating the fact that the person in charge has so far shown no intention of complying with requirements of the GCP, nor has it informed the Authority of its inclusion in a program internal compliance in order to make any data processing legal of personal character no. 5 par. 1 and 6 par. 1 GKPD carried out in computer infrastructure ("original server" hardware and software). The person in charge of processing a series of documents to the Authority, especially after listening, focused all his efforts on highlighting the importance that had for him the use of the content of the copied servers ("back up" servers according to him) for the purposes of internal control of the AMPNI Group and consequently for the submission of relevant data to the Hellenic Capital Market Commission of the US and the competent US judicial authorities, even asking not to imposed by the Authority the sanction of the destruction of the content of the copied at the time the Authority banned processing and use the content of the copied servers, but not at that time period of "original servers". THE BEGINNING Having taken into account the above Because he decided the no. 58 par. 2 GKP exercising its corrective powers in this case by imposing corrective measures Because pursuant to the provision of article 58 par. 2 ed. d GKPD the Authority decided to give an order to the company "AEGEAN MARINE PETROLEUM NETWOR K INC (AMPNI) "as the controller to comply with the provisions of the GCP the processing of personal data contained in both in the computer infrastructure used (hardware and software "originals DANAOS, AMPFS 1, AMPFS2), as well as in the new archiving system a copy of the original servers sent to his Manchester United Kingdom. Because in particular the company should take all necessary internal measures compliance and accountability to the principles of Article 5 par. 1 and par. 2 in combination with article 6 par. 1 GKPD. Because the above order must be executed within three (3) months from receipt of this, informing the Authority. Because the above corrective measure alone is not enough to restore it compliance with the infringed provisions of the GCC in accordance with what has been accepted by the no. 31 recital herein and in addition, at the time when in fact the company despite the substantial admission on its part of at least part of it violation of the GCC showed complete disregard for compliance with its provisions Articles 5 and 6 par. 1 GCP. Because the Authority considers that in this case based on the circumstances should be found pursuant to the provision of article 58 par. 2 ed. 0 TKIL'.l va in addition, effective, proportionate and dissuasive administrative money is imposed fine no. 83 GPA, both for the restoration of compliance and for punishment for this illegal behavior 40 Because the Authority found to have infringed the provisions of Articles 5 and 6 of the GIP is subject to the provisions of article 83 par. 5 ed. a 'GPD in the cases imposition of administrative fines up to EUR 20,000,000 or, in the case of undertakings, up to 4% of the total global annual turnover of the previous financial year year, depending on which is higher. Because the Authority took into account, on the one hand, that AMR NI has submitted an application bankruptcy in the US, on the other hand, that according to the report submitted by the company in the year 2017 to the US Securities and Exchange Commission (SEC) its total revenue ("Total revenue") for the year 2016 was 4,076,219,000.00 US dollars. (see p. 157 in attached no. prot. r / EIE / 7306 / 10-09-2018 document 41 ). Because with the issuance of this it ceases no. 19 par. 7 a law 24 72/199 7 the validity of Interim Orders of the President of the Authority No. 2/2018 and 3/2018 and are valid now accepted in the operative part of this FOR THOSE R EASONS THE BEGINNING A. Gives orders to the company «« AEGEAN MARINE PETROLEUM NETWORK INC (AMPNI) »» as within three (3) months ofreceipt of this, informing the begining 40 Cf. OE 29, Guidelines and the implementation and setting of administrative fines for them purposes of Regulation 201 6/679 WP253, p. 6 " Also available at geanmarine.gcs-web.com/static-files/ebca7627-4368-4e6c-9a75-45862ad60cac 52 i. make the processing operations in accordance with the provisions of the GCC personal data contained in both used computer infrastructure (DANAOS "original server" hardware and software, AMPFS I , AMPFS2), as well as in the new copy archiving system original server shipped to Manchester, United Kingdom, ii. take all necessary internal compliance and accountability measures principles of article 5 par. I and par. 2 in combination with article 6 par. I GCP. B. Imposes on the company «« AEGEAN MARINE PETROLEUM NETWOR K INC (AMPNI) "the effective, proportionate and dissuasive administrative fine appropriate to the particular case according to its specific circumstances, amounting to one hundred and fifty thousand (150,000.00) euros. The Vice President The Secretary George Batzalexis Irini Papageorgopoulou