HDPA (Greece) - 33/2023: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Greece |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoGR.jpg |DPA_Abbrevation=HDPA |DPA_With_Country=HDPA (Greece) |Case_Number_Name=33/2023 |ECLI= |Original_Source_Name_1=HDPA |Original_Source_Link_1=https://www.dpa.gr/sites/default/files/2023-11/33_2023%2520anonym.pdf |Original_Source_Language_1=Greek |Original_Source_Language__Code_1=EL |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Sour...")
 
 
(5 intermediate revisions by 3 users not shown)
Line 11: Line 11:


|Original_Source_Name_1=HDPA
|Original_Source_Name_1=HDPA
|Original_Source_Link_1=https://www.dpa.gr/sites/default/files/2023-11/33_2023%2520anonym.pdf
|Original_Source_Link_1=https://www.dpa.gr/sites/default/files/2023-11/33_2023%20anonym.pdf
|Original_Source_Language_1=Greek
|Original_Source_Language_1=Greek
|Original_Source_Language__Code_1=EL
|Original_Source_Language__Code_1=EL
Line 69: Line 69:
}}
}}


The Hellenic DPA imposed a fine and reprimanded the Municipality X for having unlawfully processed personal data, by uploading on diavgeia and on the Municipality's website acts/decisions including personal data of the data subject, and for having not complied with the request for erasure.
The Hellenic DPA fined a municipality for uploading personal data to a public portal and then failing to comply with the subsequent erasure request.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
On 25 October 2021, the Head of the technical department (“Z”) of Municipality X lodged a complaint before the Hellenic DPA ("HDPA") against the same Municipality.
A municipality uploaded on a public portal (“diavgeia”) a decision where the personal data of an employee including her full name, position, place of employment and involvement in a criminal complaint were mentioned. A separate decision regarding her participation in the municipality's financial council was also discovered by the data subject on the portal. The complainant requested the erasure of her personal data from the public portal by exercising her right to erasure under [[Article 17 GDPR|Article 17 GDPR.]]
Municipality X had uploaded on the Greek Transparency Portal (diavgeia.gov.gr, where all acts and decisions of Greek government/ municipalities/authorities etc. are uploaded in order to be fully available to the public, “diavgeia”) the decision of the Mayor, including personal data of Z, such as her full name, her position and place of employment, which mentioned that Z will abstain from any administrative act concerning the company of citizen Y, because the latter filed a criminal complaint against Y. Moreover, a decision of the financial committee of the Municipality X that a counsel will be appointed for the defense of Z in the context of the criminal procedure, was uploaded to diavgeia. On the website of the Municipality X was also uploaded an invitation to convene the financial committee of Municipality, which was also including personal data of Z.
 
Exercising her right to erasure, under Article 17, Z requested the erasure of the decision of the Mayor from diavgeia, and also complaint about the inclusion of her personal data in the abovementioned invitation and decision of the financial committee, but the DPO of Municipality X rejected it, on the grounds that Municipality X has the obligation to upload on diavgeia every act, decision or document relating to the performance of its duties, under the applicable legislation. The same line of reasoning was followed for the invitation uploaded on the website and the decision of the committee uploaded on diavgeia.
The DPO of the municipality rejected her request on the grounds that the municipality had the legal obligation to upload onto this portal every act, decision or document relating to the performance of its duties, under national law.
 
On 25 October 2021, the data subject lodged a complaint before the Hellenic DPA ("HDPA") against the municipality.


=== Holding ===
=== Holding ===
After considering all the facts of the case, the HDPA fined with €2000 and reprimanded the Municipality X for violating Articles 5(1)(a) and 6 (1)(c). Also, fined the Municipality X with €1000 for violating Article 5(1)(c) and with €2000 for violating Article 17 (1). The HDPA ordered the Municipality X to remove 2 decisions concerning the data subject from its website and from within a 20-day period. Last but not least, the HDPA advised the legislator, according to Article 57 (1) (c), to take measures in order to determine the criteria for the selection of the decisions which will be published through diavgeia.
After considering all the facts of the case, the Hellenic DPA fined the municipality a total of €5000. 
 
They fined the them €2,000 for breaches 6(1)(c) and Articles 5(1)(a) GDPR. The muncipality had processed data unlawfully. The HDPA considered the national law and concluded that the decisions fell outside its scope, therefore the municipality could not rely on Article 6(1)(c) GDPR as a legal basis. This made the processing also unlawful under Article 5(1)(a) GDPR.  
 
The HDPA fined the municipality €1,000 for violating Article 5(1)(c) GDPR as the municipality had not adhered to the principle of data minimisation by having no filter for the selection of decisions which had to be published on the online portal.
 
The HDPA fined the muncipality €2,000 for violating Article 17(1) GDPR. This was because the DPO refused to erase the data when requested to do so by the data subject. 
 
The HDPA also ordered the municipality to remove the two decisions concerning the data subject from its website within a 20-day period.  


== Comment ==
== Comment ==

Latest revision as of 14:07, 20 December 2023

HDPA - 33/2023
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 6(1)(c) GDPR
Article 17(1) GDPR
Article 57(1)(c) GDPR
Article 58(2) GDPR
Type: Complaint
Outcome: Upheld
Started: 25.10.2021
Decided: 11.04.2023
Published: 07.11.2023
Fine: 5000 EUR
Parties: n/a
National Case Number/Name: 33/2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: Iliana Papantoni

The Hellenic DPA fined a municipality for uploading personal data to a public portal and then failing to comply with the subsequent erasure request.

English Summary

Facts

A municipality uploaded on a public portal (“diavgeia”) a decision where the personal data of an employee including her full name, position, place of employment and involvement in a criminal complaint were mentioned. A separate decision regarding her participation in the municipality's financial council was also discovered by the data subject on the portal. The complainant requested the erasure of her personal data from the public portal by exercising her right to erasure under Article 17 GDPR.

The DPO of the municipality rejected her request on the grounds that the municipality had the legal obligation to upload onto this portal every act, decision or document relating to the performance of its duties, under national law.

On 25 October 2021, the data subject lodged a complaint before the Hellenic DPA ("HDPA") against the municipality.

Holding

After considering all the facts of the case, the Hellenic DPA fined the municipality a total of €5000.

They fined the them €2,000 for breaches 6(1)(c) and Articles 5(1)(a) GDPR. The muncipality had processed data unlawfully. The HDPA considered the national law and concluded that the decisions fell outside its scope, therefore the municipality could not rely on Article 6(1)(c) GDPR as a legal basis. This made the processing also unlawful under Article 5(1)(a) GDPR.

The HDPA fined the municipality €1,000 for violating Article 5(1)(c) GDPR as the municipality had not adhered to the principle of data minimisation by having no filter for the selection of decisions which had to be published on the online portal.

The HDPA fined the muncipality €2,000 for violating Article 17(1) GDPR. This was because the DPO refused to erase the data when requested to do so by the data subject.

The HDPA also ordered the municipality to remove the two decisions concerning the data subject from its website within a 20-day period.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.