HDPA (Greece) - 7/2021: Difference between revisions
(I made some grammatical and syntax changes to ensure clarity ; I added the missing hyperlinks to the articles of the GDPR (make sure to say "Article 6(4) GDPR" and not "Article 6(4) of the GDPR ;-)) ; I erased the numbering in line with our Style Guidelines (NB. normally, numbering/bullet point should only be used for example to list names of parties or specific conditions ; here however, the points made by the HDPA were on different topics, such as the qualification of parties or lawfulness)) |
No edit summary |
||
| Line 60: | Line 60: | ||
}} | }} | ||
The Greek DPA decided that the Athens Bar Association (ABA) was allowed to share the personal data of its members with the candidates | The Greek DPA decided that the Athens Bar Association (ABA) was allowed to share the personal data of its members with the candidates for the elections of the ABA, as long as the further processing of these data remains compliant with the GDPR. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The Athens Bar Association (ABA), in the context of the upcoming elections of its representatives, asked the Hellenic Data Protection Authority (HDPA) whether they were allowed under the GDPR to provide the candidates | The Athens Bar Association (ABA), in the context of the upcoming elections of its representatives, asked the Hellenic Data Protection Authority (HDPA) whether they were allowed under the GDPR to provide the candidates with the names and contact details of the members of ABA. The main purpose was to allow those candidates to reach out to members of the ABA to share projects and ideas as part of the upcoming electoral campaign. | ||
=== Holding === | === Holding === | ||
After reviewing the facts of the case, the HDPA first stated that each candidate | After reviewing the facts of the case, the HDPA first stated that each candidate for the elections should be considered as a 'third party' in the sense of [[Article 4 GDPR|Article 4(10) GDPR]] in relation to the disclosure of the personal data by the ABA, and also as a separate controller in the sense of [[Article 4 GDPR|Article 4(7) GDPR]] when further processing the personal data of the members of the ABA. | ||
Regarding the lawfulness of the processing, the HDPA considered that the processing of personal data by the ABA for its own internal organisation is allowed under [[Article 6 GDPR|Article 6(1)(e) GDPR]], in the sense that such processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. As a consequence, the HDPA decided that the ABA may generally process the personal data of its members when necessary for its organization, without having to obtain the prior consent of the individuals concerned. | Regarding the lawfulness of the processing, the HDPA considered that the processing of personal data by the ABA for its own internal organisation is allowed under [[Article 6 GDPR|Article 6(1)(e) GDPR]], in the sense that such processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. As a consequence, the HDPA decided that the ABA may generally process the personal data of its members when necessary for its organization, without having to obtain the prior consent of the individuals concerned. | ||
Regarding the sharing of members' personal data with candidates | Regarding the sharing of members' personal data with candidates for the elections, the HDPA further considered that, even though the data subjects (i.e. ABA's members) did not specifically consent to this type of processing, it would still be permitted under the [[Article 6 GDPR|Article 6(4) GDPR]], since such processing is compatible with the purpose for which the personal data were initially collected at the time each member registered with the ABA. | ||
In order for the sharing of the members' personal data with the elections' candidates to remain lawful, the HDPA specified that | In order for the sharing of the members' personal data with the elections' candidates to remain lawful, however, the HDPA specified that each candidate must grant to these members the right to object to the processing of their personal data at any time, in accordance with the [[Article 21 GDPR]]. | ||
Furthermore, in their capacity as controllers, each candidate must ensure to comply with their other obligations under the GDPR, including by indicating the exact period of time after which those personal data will be deleted, and by ensuring that those data are only processed in a manner which is compatible with the purpose for which they were initially collected. | Furthermore, in their capacity as controllers, each candidate must ensure to comply with their other obligations under the GDPR when processing such data, including by indicating the exact period of time after which those personal data will be deleted, and by ensuring that those data are only processed in a manner which is compatible with the purpose for which they were initially collected. | ||
== Comment == | == Comment == | ||
Latest revision as of 13:48, 15 November 2021
| HDPA (Greece) - 7/2021 | |
|---|---|
 | |
| Authority: | HDPA (Greece) |
| Jurisdiction: | Greece |
| Relevant Law: | Article 4(7) GDPR Article 4(10) GDPR Article 6(1)(e) GDPR Article 6(4) GDPR Article 21 GDPR Article 103 etc from National Law 4194/13(Lawyers' Code) Article 11§3,4 from National Law 3471/06 |
| Type: | Advisory Opinion |
| Outcome: | n/a |
| Started: | |
| Decided: | 14.10.2021 |
| Published: | 01.11.2021 |
| Fine: | None |
| Parties: | n/a |
| National Case Number/Name: | 7/2021 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Greek |
| Original Source: | Greek DPA (in EL) |
| Initial Contributor: | Eleni.papadopoulou |
The Greek DPA decided that the Athens Bar Association (ABA) was allowed to share the personal data of its members with the candidates for the elections of the ABA, as long as the further processing of these data remains compliant with the GDPR.
English Summary
Facts
The Athens Bar Association (ABA), in the context of the upcoming elections of its representatives, asked the Hellenic Data Protection Authority (HDPA) whether they were allowed under the GDPR to provide the candidates with the names and contact details of the members of ABA. The main purpose was to allow those candidates to reach out to members of the ABA to share projects and ideas as part of the upcoming electoral campaign.
Holding
After reviewing the facts of the case, the HDPA first stated that each candidate for the elections should be considered as a 'third party' in the sense of Article 4(10) GDPR in relation to the disclosure of the personal data by the ABA, and also as a separate controller in the sense of Article 4(7) GDPR when further processing the personal data of the members of the ABA.
Regarding the lawfulness of the processing, the HDPA considered that the processing of personal data by the ABA for its own internal organisation is allowed under Article 6(1)(e) GDPR, in the sense that such processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. As a consequence, the HDPA decided that the ABA may generally process the personal data of its members when necessary for its organization, without having to obtain the prior consent of the individuals concerned.
Regarding the sharing of members' personal data with candidates for the elections, the HDPA further considered that, even though the data subjects (i.e. ABA's members) did not specifically consent to this type of processing, it would still be permitted under the Article 6(4) GDPR, since such processing is compatible with the purpose for which the personal data were initially collected at the time each member registered with the ABA.
In order for the sharing of the members' personal data with the elections' candidates to remain lawful, however, the HDPA specified that each candidate must grant to these members the right to object to the processing of their personal data at any time, in accordance with the Article 21 GDPR.
Furthermore, in their capacity as controllers, each candidate must ensure to comply with their other obligations under the GDPR when processing such data, including by indicating the exact period of time after which those personal data will be deleted, and by ensuring that those data are only processed in a manner which is compatible with the purpose for which they were initially collected.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Category
Opinion
Date
01/11/2021
Transaction number
7
Thematic unit
16. Other
Applicable provisions
Article 4.10: Third (definition)
Article 6.1.e: Legal basis for fulfillment of public duty
Article 21: Right of objection
Article 11.3: Use of previous contact details for electronic communication
Article 11.4: Conditions for sending an e-mail
Summary
Following a question from the Athens Bar Association to the Authority as to whether it is in accordance with the legislation on personal data protection, the Authority provided the candidates with the contact details of the Lawyers - members of the DSA, the Authority considered that a) the candidate for the DSA is a third party, as he is a separate controller (he completely determines the means, even if the purpose is of the association), b) the membership of the DSA is not a given of special categories (related to professional status by law), c) the legality of the transfer may be based on Article 6.1.e of the GCC - public interest in the operation of the DSA and in the conduct of recruitment in such a way as to ensure the visibility of all candidates, d) the subjects have not been informed at the collection stage, but there may be an application of Article 6.4 GCP, as the purpose is relevant to the original, e) the DSA for the transmission must take measures (such as setting conditions for the use of data corresponding to those of promotional messages in articles 11 par. 3 and 4 of Law 3471/2006), which should be precisely determined by him, and in ) each candidate, as the controller, must satisfy any submitted right of objection of the members-subjects of the data.
PDF Decision
gnomodotisi 7_2021anonym.pdf278.93 KB
Category
Opinion
Date
01/11/2021
Transaction number
7
Thematic unit
16. Other
Applicable provisions
Article 4.10: Third (definition)
Article 6.1.e: Legal basis for fulfillment of public duty
Article 21: Right of objection
Article 11.3: Use of previous contact details for electronic communication
Article 11.4: Conditions for sending an e-mail
Summary
Following a question from the Athens Bar Association to the Authority as to whether it is in accordance with the legislation on personal data protection, the Authority provided the candidates with the contact details of the Lawyers - members of the DSA, the Authority considered that a) the candidate for the DSA is a third party, as he is a separate controller (he completely determines the means, even if the purpose is of the association), b) the membership of the DSA is not a given of special categories (related to professional status by law), c) the legality of the transfer may be based on Article 6.1.e of the GCC - public interest in the operation of the DSA and in the conduct of recruitment in such a way as to ensure the visibility of all candidates, d) the subjects have not been informed at the collection stage, but there may be an application of Article 6.4 GCP, as the purpose is relevant to the original, e) the DSA for the transmission must take measures (such as setting conditions for the use of data corresponding to those of promotional messages in articles 11 par. 3 and 4 of Law 3471/2006), which should be precisely determined by him, and in ) each candidate, as the controller, must satisfy any submitted right of objection of the members-subjects of the data.
PDF Decision
gnomodotisi 7_2021anonym.pdf278.93 KB
