HDPA (Greece) - 36/2023: Difference between revisions
No edit summary |
No edit summary |
||
Line 11: | Line 11: | ||
|Original_Source_Name_1=HDPA | |Original_Source_Name_1=HDPA | ||
|Original_Source_Link_1=https://www.dpa.gr/sites/default/files/2023-12/36_2023% | |Original_Source_Link_1=https://www.dpa.gr/sites/default/files/2023-12/36_2023%20anonym.pdf | ||
|Original_Source_Language_1=Greek | |Original_Source_Language_1=Greek | ||
|Original_Source_Language__Code_1=EL | |Original_Source_Language__Code_1=EL |
Revision as of 12:38, 9 January 2024
HDPA - 36/2023 | |
---|---|
Authority: | HDPA (Greece) |
Jurisdiction: | Greece |
Relevant Law: | Article 5(1)(a) GDPR Article 12(3) GDPR Article 15(1) GDPR Article 15(3) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 17.05.2022 |
Decided: | 23.11.2023 |
Published: | 27.12.2023 |
Fine: | 10000 EUR |
Parties: | Alpha Bank |
National Case Number/Name: | 36/2023 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Greek |
Original Source: | HDPA (in EL) |
Initial Contributor: | Inder-kahlon |
The Hellenic DPA imposed an administrative fine of €10,000 on Bank for failing to comply with DSAR, violating GDPR Article 12(3) and Article 15. The delay following the Data Retention Period led to deletion of requested data, violating Article 5(1) GDPR.
English Summary
Facts
A company, which was client of the data controller (Alpha Bank A.E.), suffered from electronic fraud. The data subject serving as the legal representative of the victim company, exercised their right of access under Article 15 GDPR requesting access to log files in relation to the incident and video recording of the data subject's visit to the bank.
The bank failed to provide the requested copies of the data in a timely manner, and while the bank acknowledged the delay in their response to the data subject stating the request is being processed, the bank failed to provide the reasons for the delay. Additionally, the bank didn't notify the data subject about the extension to the one-month period set in Article 12(3) GDPR.
On 17 May 2022, the data subject lodged a complaint before The Hellenic Data Protection Authority (HDPA) against the data controller. Later, while the bank provided the log files, but failed to provide the video recordings, stating that video recordings were no longer available due to the expiration of the retention period of 45 Days.
Holding
The Hellenic Data Protection Authority (HDPA) found that the controller had violated the data subject's right of access under Article 15 (1) GDPR and Article 15(3) GDPR. Furthermore, HDPA found that the data controller failed to fulfil its obligations under Article 5(1) and 12(3) of the GDPR.
a) The HDPA found that the controller did not act in a timely manner and also did not provided a reason for the delay and did not informed the data subject of an extension to the response time limit, thus violating its obligation under Article 12(3) GDPR.
b) The HDPA determined that, despite receiving the Data Subject Access Request (DSAR) within the 45-day data retention period while the material was still available, the controller proceeded with the destruction of the video footage in accordance with its data retention policy without providing a copy of the requested video recording to the data subject. Consequently, the controller breached the provisions of Article 15(1) GDPR, and Article 15(3) GDPR.
c) The HDPA stated that upon receiving a request for access to personal data, the data controller is obligated to promptly undertake necessary measures to avert the risk of planned deletion of such data. The examined the legality of the bank's erasure of visual material and decided that the company violated the Article 5(1) by deleting the requested data unlawfully.
As a result, The Hellenic DPA have imposed an administrative fine of €10,000 on Alpha Bank (the data controller).
Comment
Share your comments here!
Further Resources
Important to Note: Directive 1/2011, Article 16, paragraph 2 of the Hellenic Data Protection Authority, which impose a 45-day limit on video surveillance, with the possibility of extension under conditional circumstances such as instances of fraud or transactional disputes.
Directive 1/2011: Article 16 par. 2:
Banks and financial institutions may retain the data for a period not exceeding forty-five (45) days. If during that period of time incidents of organised financial fraud or disputed financial transactions are recorded, the relevant parts of the video surveillance system data may be kept in a separate file with appropriate security measures.
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
The Authority examined a complaint against Alpha Bank A.E. for not satisfying the right of access of its customer, who exercised the right of access to the recorded material from the video surveillance system (CCTV) of the store. It emerged that the Bank failed to deal with the complainant's request in a timely manner, resulting in the material being scheduled to be deleted when the retention period expired. The Authority found a violation of Articles 12 para. 3 and 15 para. 1 and 3 GDPR from the non-fulfillment of the right of access and a violation of the principle of legality of processing (Article 5 para. 1 a) GDPR) from the deletion of the data without legal basis and a fine of €10,000 was imposed on the Bank.