HDPA (Greece) - 38/2019: Difference between revisions

From GDPRhub
No edit summary
 
(2 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"
{{DPAdecisionBOX
! colspan="2" |HDPA - 38/2019
|-
| colspan="2" style="padding: 20px; background-color:#ffffff" |[[File:logoGR.jpg|center|250px]]
|-
|Authority:||[[HDPA (Greece)]]
[[Category:HDPA (Greece)]]
|-
|Jurisdiction:||[[Data Protection in Greece|Greece]]
[[Category: Greece]]
|-
|Relevant Law:||[[Article 4 GDPR#1|Article 4(1) GDPR]]
[[Category:Article 4(1) GDPR]]


[[Article 5 GDPR#2|Article 5(2) GDPR]]
|Jurisdiction=Greece
[[Category:Article 5(2) GDPR]]
|DPA-BG-Color=background-color:#ffffff;
|DPAlogo=LogoGR.jpg
|DPA_Abbrevation=HDPA (Greece)
|DPA_With_Country=HDPA (Greece)


[[Article 6 GDPR]]
|Case_Number_Name=38/2019
[[Category:Article 6 GDPR]]
|ECLI=


[[Article 14 GDPR]]
|Original_Source_Name_1=HDPA
[[Category:Article 14 GDPR]]
|Original_Source_Link_1=https://www.dpa.gr/portal/page?_pageid=33%2C15453&_dad=portal&_schema=PORTAL&_piref33_15473_33_15453_15453.etos=2019&_piref33_15473_33_15453_15453.arithmosApofasis=&_piref33_15473_33_15453_15453.thematikiEnotita=-1&_piref33_15473_33_15453_15453.ananeosi=%CE%91%CE%BD%CE%B1%CE%BD%CE%AD%CF%89%CF%83%CE%B7
|Original_Source_Language_1=Greek
|Original_Source_Language__Code_1=EL
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=


[[Article 32 GDPR]]
|Type=Investigation
[[Category:Article 32 GDPR]]
|Outcome=Violation
|-
|Date_Started=
|Type:||n/a
|Date_Decided=18.10.2019
|-
|Date_Published=
|Outcome:||Violation
|Year=2019
|-
|Fine=20,000
|Decided:||18.10.2019
|Currency=EUR
[[Category:2019]]
 
|-
|GDPR_Article_1=Article 4(1) GDPR
|Published:||n/a
|GDPR_Article_Link_1=Article 4 GDPR#1
|-
|GDPR_Article_2=Article 5(2) GDPR
|Fine:||20,000 EUR
|GDPR_Article_Link_2=Article 5 GDPR#2
|-
|GDPR_Article_3=Article 6 GDPR
|Parties:||Wind Hellas and ΠΛΕΓΜΑ ΝΕΤ
|GDPR_Article_Link_3=Article 6 GDPR
|-
|GDPR_Article_4=Article 14 GDPR
|National Case Number:||38/2019
|GDPR_Article_Link_4=Article 14 GDPR
|-
|GDPR_Article_5=Article 32 GDPR
|European Case Law Identifier:||n/a
|GDPR_Article_Link_5=Article 32 GDPR
|-
|GDPR_Article_6=
|Appeal:||n/a
|GDPR_Article_Link_6=
|-
|GDPR_Article_7=
|Original Language:||[[Category:Greek]]
|GDPR_Article_Link_7=
Greek
 
|-
|EU_Law_Name_1=
|Original Source:||[https://www.dpa.gr/portal/page?_pageid=33%2C15453&_dad=portal&_schema=PORTAL&_piref33_15473_33_15453_15453.etos=2019&_piref33_15473_33_15453_15453.arithmosApofasis=&_piref33_15473_33_15453_15453.thematikiEnotita=-1&_piref33_15473_33_15453_15453.ananeosi=%CE%91%CE%BD%CE%B1%CE%BD%CE%AD%CF%89%CF%83%CE%B7 HDPA (GR)]
|EU_Law_Link_1=
|}
|EU_Law_Name_2=
|EU_Law_Link_2=
 
|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=
 
|Party_Name_1=Wind Hellas
|Party_Link_1=ΠΛΕΓΜΑ ΝΕΤ
|Party_Name_2=
|Party_Link_2=
|Party_Name_3=
|Party_Link_3=
 
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=
|Appeal_To_Link=
 
|Initial_Contributor=
|
}}


The HDPA imposed a fine of EUR 20,000 and a reprimand to the telecommunication company Wind Hellas for violation of the GDPR and of the national law implementing the ePrivacy Directive and it issued a reprimand to the telephone services company ΠΛΕΓΜΑ ΝΕΤ for violation of the GDPR.
The HDPA imposed a fine of EUR 20,000 and a reprimand to the telecommunication company Wind Hellas for violation of the GDPR and of the national law implementing the ePrivacy Directive and it issued a reprimand to the telephone services company ΠΛΕΓΜΑ ΝΕΤ for violation of the GDPR.
Line 59: Line 78:
1) Does a telephone number constitute personal data?
1) Does a telephone number constitute personal data?


2) Who is the controller?  
2) Who is the data controller?  


3) Do the processing activities pursue (even partially) advertising purposes?
3) Do the processing activities pursue (even partially) advertising purposes?
Line 69: Line 88:
The HDPA found that:   
The HDPA found that:   


1) The telephone number constitutes personal data according to Article 4 (1) GDPR as the owner can be indirectly identified.
1) The telephone number constitutes personal data according to [[Article 4 GDPR#1|Article 4(1) GDPR]] as the owner can be indirectly identified.


2) In both cases above, Wind is the data controller as it exclusively determines the purpose of the processing while the contracting companies are data processors.
2) In both cases above, Wind is the data controller as it exclusively determines the purpose of the processing while the contracting companies are data processors.
Line 77: Line 96:
4) The data subjects’ consent is not valid.  
4) The data subjects’ consent is not valid.  


In addition to those issues, the HDPA admitted all the complaints and found that Wind Hellas had violated Article 14 GDPR and the national law on the protection of personal data and privacy in the telecommunication sector, while the processor ΠΛΕΓΜΑ ΝΕΤ had violated Article 32 GDPR.
In addition to those issues, the HDPA admitted all the complaints and found that Wind Hellas had violated [[Article 14 GDPR|Article 14 GDPR]] and the national law on the protection of personal data and privacy in the telecommunication sector, while the processor ΠΛΕΓΜΑ ΝΕΤ had violated [[Article 32 GDPR|Article 32 GDPR]].


==Comment==
==Comment==
Line 84: Line 103:


==Further Resources==
==Further Resources==
''Share blogs or news articles here!''
''Share blogs or news articles here!''


==English Machine Translation of the Decision==
==English Machine Translation of the Decision==


The decision below is a machine translation of the original. Please refer to the Greek original for more details.
There is no available machine translated decision. Please refer to the Greek original decision for details.  


<pre>
<pre>
published decision AP. 39/2019


</pre>
</pre>

Latest revision as of 15:37, 6 December 2023

HDPA (Greece) - 38/2019
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 4(1) GDPR
Article 5(2) GDPR
Article 6 GDPR
Article 14 GDPR
Article 32 GDPR
Type: Investigation
Outcome: Violation
Started:
Decided: 18.10.2019
Published:
Fine: 20,000 EUR
Parties: [ΠΛΕΓΜΑ ΝΕΤ Wind Hellas]
National Case Number/Name: 38/2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: n/a

The HDPA imposed a fine of EUR 20,000 and a reprimand to the telecommunication company Wind Hellas for violation of the GDPR and of the national law implementing the ePrivacy Directive and it issued a reprimand to the telephone services company ΠΛΕΓΜΑ ΝΕΤ for violation of the GDPR.

English Summary

Facts

The HDPA examined six complaints against Wind Hellas (hereafter "Wind") and ΠΛΕΓΜΑ ΝΕΤ for unsolicited calls with human intervention for direct marketing purposes. Wind claimed, among others, that it should not be the only liable company but it should first be assessed, as a preliminary issue, which the role of the contracting companies operating as call centres is (either data controllers or data processors). It claimed that some of them are data processors, because Wind provides them with lists with telephone numbers and with explicit orders for specific advertising activities; some others are data controllers, since they process lists with numbers they compile themselves, without Wind being aware of them. Wind also claimed that the purpose of the calls is research and not advertising.

Dispute

1) Does a telephone number constitute personal data?

2) Who is the data controller?

3) Do the processing activities pursue (even partially) advertising purposes?

4) Is the data subjects’ consent valid?

Holding

The HDPA found that:

1) The telephone number constitutes personal data according to Article 4(1) GDPR as the owner can be indirectly identified.

2) In both cases above, Wind is the data controller as it exclusively determines the purpose of the processing while the contracting companies are data processors.

3) The processing activities are intended to pursue (at least partially) advertising purposes.

4) The data subjects’ consent is not valid.

In addition to those issues, the HDPA admitted all the complaints and found that Wind Hellas had violated Article 14 GDPR and the national law on the protection of personal data and privacy in the telecommunication sector, while the processor ΠΛΕΓΜΑ ΝΕΤ had violated Article 32 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

There is no available machine translated decision. Please refer to the Greek original decision for details.