HDPA (Greece) - 42/2021: Difference between revisions
No edit summary |
(Summary changes for newsletter.) |
||
(2 intermediate revisions by one other user not shown) | |||
Line 21: | Line 21: | ||
|Type=Complaint | |Type=Complaint | ||
|Outcome=Upheld | |Outcome=Upheld | ||
|Date_Decided=21. | |Date_Decided=21.09.2021 | ||
|Date_Published=21.09.2021 | |Date_Published=21.09.2021 | ||
|Year=2021 | |Year=2021 | ||
Line 56: | Line 56: | ||
}} | }} | ||
The Greek DPA held that sending bulk | The Greek DPA held that sending bulk emails with all recipients' email addresses entered in the "To" field is not compliant with Article 32 of the GDPR. It recommended the use of BCC as an alternative. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The data subject complained to the HDPA about having received a press release via email by a | The data subject complained to the Greek DPA (the HDPA) about having received a press release via email by a member of the Hellenic Parliament (the latter being considered the data controller in the context of this decision), without the data subject's consent. Furthermore, the data subject's email address was visible to other recipients (the "To" field was used instead of BCC). | ||
=== Holding === | === Holding === | ||
The HDPA issued a warning towards the data controller, recommending the use of the BCC field in order for mass email communication to remain compliant with Article 32 | The HDPA issued a warning towards the data controller, recommending the use of the BCC field in order for mass email communication to remain compliant with [[Article 32 GDPR]]. No other measures were deemed necessary, because of the data controller's stance that the inclusion of the subject's email was made by mistake (more particularly, the controller had wrongly thought the data subject was a journalist, and that the data processing would thus be in accordance to [[Article 6 GDPR|Article 6(1)(f) GDPR]]), and because the controller took corrective measures by removing the data subject's personal details from the mailing list. | ||
== Comment == | == Comment == |
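Review bot: In the revised Holding paragraph, "in accordance to [[Article 6 GDPR|Article 6(1)(f) GDPR]]" should read "in accordance with", and "issued a warning towards the data controller" reads better as "issued a warning to the data controller". The second sentence of that paragraph also packs both reasons for imposing no further measures (the controller's claim of a mistake, and the removal from the mailing list) into one sentence with a nested parenthetical; splitting it into one sentence per reason would make the holding easier to follow.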
Latest revision as of 08:42, 29 September 2021
HDPA (Greece) - 42/2021 | |
---|---|
Authority: | HDPA (Greece) |
Jurisdiction: | Greece |
Relevant Law: | Article 5(1)(d) GDPR Article 5(1)(f) GDPR Article 32 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 21.09.2021 |
Published: | 21.09.2021 |
Fine: | None |
Parties: | Party A (anonymized) Party B, Member of the Hellenic Parliament (anonymized) |
National Case Number/Name: | 42/2021 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Greek Greek |
Original Source: | HDPA (in EL) HDPA (in EL) |
Initial Contributor: | Adrian |
The Greek DPA held that sending bulk emails with all recipients' email addresses entered in the "To" field is not compliant with Article 32 of the GDPR. It recommended the use of BCC as an alternative.
English Summary
Facts
The data subject complained to the Greek DPA (the HDPA) about having received a press release by email from a member of the Hellenic Parliament (treated as the data controller in this decision) without the data subject's consent. Furthermore, the data subject's email address was visible to the other recipients, because the "To" field was used instead of BCC.
Holding
The HDPA issued a warning to the data controller, recommending the use of the BCC field so that mass email communication remains compliant with Article 32 GDPR. No other measures were deemed necessary, for two reasons. First, the data controller maintained that the data subject's email address had been included by mistake: the controller had wrongly thought the data subject was a journalist, and that the data processing would thus be in accordance with Article 6(1)(f) GDPR. Second, the controller took corrective measures by removing the data subject's personal details from the mailing list.
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Category: Decision
Date: 21/09/2021
Transaction number: 42
Thematic unit: 09. Promotion of products and services
Applicable provisions: Article 5.1.d: Principle of accuracy; Article 5.1.f: Principle of integrity and confidentiality; Article 32: Processing security
Summary: The Authority reprimanded a controller who sent e-mails to a large number of recipients, placing the recipients' details in the "To" field. When an e-mail address is addressed to a large number of recipients who are natural persons, the controller must take appropriate measures to ensure that the recipients' addresses are not disclosed to a large number of persons. Therefore, in these cases it is better to use the "hidden notification" option or to send individual messages, when possible.
PDF Decision: 42_2021anonym.pdf (243.23 KB)