HDPA (Greece) - 48/2021
HDPA (Greece) - 2322/14-10-2021 | |
---|---|
Authority: | HDPA (Greece) |
Jurisdiction: | Greece |
Relevant Law: | Article 4(11) GDPR Article 4(12) GDPR Article 5(2) GDPR Article 6(1)(f) GDPR Article 6(1)(a) GDPR Article 6(4) GDPR Article 7 GDPR Article 21 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 14.10.2021 |
Published: | 14.10.2021 |
Fine: | 20000 EUR |
Parties: | n/a |
National Case Number/Name: | 2322/14-10-2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Greek |
Original Source: | Greek DPA's website (in EL) |
Initial Contributor: | Elisavet Dravalou |
The Greek DPA imposed a fine of €20,000 on a company selling phones because the latter had processed its customers' personal data to promote other products and services without obtaining their prior consent, and had not respected customers' opt-out requests.
English Summary
Facts
Three customers filed a complaint with the Greek DPA against a company (the Company) for processing their personal data for a purpose other than the one for which their data was collected in the first place. The personal data was initially collected during the purchases of goods. The customers claimed that the Company contacted them in order to promote other products and services without respecting their opt-out requests. The Company claimed that it had contacted the data subjects for a customer satisfaction survey after having obtained their consent.
Holding
The Greek DPA held that the processing of the customers' data to promote other services and goods constituted use of personal data for a purpose other than that for which the personal data was originally collected. Although the Company had argued that they had obtained the customers' oral consent to such processing during the sale of the goods, the Greek DPA found that the Company was unable to prove it. Therefore, the Greek DPA considered that the criteria of Article 6(4) GDPR and Article 5 GDPR should have been respected. The Greek DPA found however that the customers had not been properly informed during the data collection stage about the identity of the controller, and about the fact that their personal data would be used for an additional different purpose.
The Greek DPA also found that the objections of the customers to the further processing of their personal data for marketing purposes had not been respected, in violation of Article 21 GDPR. In relation to the application of the right to object (Article 21 GDPR), the Greek DPA found in particular that the Company did not respect the customers' opt-out requests and did not provide appropriate documents or instructions to prove that they would have been able to respond to such requests.
The Greek DPA therefore imposed a fine of €20,000 for the violations found, taking into consideration the duration and the intensity of the violations.
Comment
What is interesting in this case is that the controller claimed that they processed personal data for marketing purposes (promotion of products) based on data subjects' oral consent obtained during the purchase of products. The DPA couldn't find evidence to suggest that consent was given. Therefore, in the absence of evidence, it cannot be accepted that consent was used as the legal basis of this processing. The DPA stated that it could accept legitimate interest as a legal basis, given the soft opt-in exception. However, given that the processing was carried out for a purpose different from the one for which the personal data was collected in the first place, the Greek DPA held that Articles 6(4) and 5 of the GDPR must be respected. In this specific case, at least appropriate information should have been provided to data subjects at the data collection stage so that they know that their personal data will be used for an additional purpose, while at the same time providing them with the opportunity to express their objections.
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Category: Decision
Date: 14/10/2021
Transaction number: 48
Thematic unit: 09. Promotion of products and services
Applicable provisions:
Article 4.11: Consent (definition)
Article 4.12: Violation of personal data (definition)
Article 5.2: Principle of accountability
Article 6.1.a: Legal basis of consent
Article 6.1.f: Legal basis of overriding legal interest
Article 6.4: Compatibility of processing for another purpose
Article 7: Conditions for consent
Article 21: Right of objection
Article 11.2: Register - Article 11
Summary
A company that conducts long distance telephone sales, used to promote its products and services the customer data, which it collected during the purchase of products. This processing is the use of personal data for a purpose other than that for which the data were originally collected, therefore the criteria of Article 6 par. In this case, it was found that the data subject was not properly informed during the data collection stage, so that he knows that his data will be used for an additional different purpose, that customer objections were not respected and it was not clear to the data subjects the identity of the controller. Also, in relation to the satisfaction of the right of objection, the controller did not provide appropriate documents or instructions to prove that he was able to respond to such requests. The Authority imposed a fine of 20,000 euros for the violations found.
PDF Decision: 48_2021anonym.pdf (299.82 KB)