HDPA (Greece) - 2/2023: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Greece |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoGR.jpg |DPA_Abbrevation=HDPA |DPA_With_Country=HDPA (Greece) |Case_Number_Name=2/2...")
 
(Summary, Facts, Holding)
Line 69: Line 69:
}}
}}


The HDPA imposed a fine of EUR 50.000 to Intellexa S.A. for not providing specific data to the HDPA for investigation purposes and for installing a monitoring software without informing the data subjects.
The Greek DPA (HDPA) imposed a fine of €50,000 to Intellexa S.A for failing to cooperate with an investigation into their alleged installation of monitoring software on data subject's devices without their knowledge.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
A, submitted to the HDPA the complaint, by which he notified the Commission of the complaint he had  filed before the Prosecutor of the Supreme Court concerning the alleged attempted interception of his mobile phone terminal phone with the 'Predator' surveillance software and the relevant report of the European Parliament's Special Service, requesting that the HDPA to detect the illegal action. Following investigations by the HDPA and numerous press publications, which linked Intellexa S.A. with the above mentioned monitoring software, the HDPA carried out on 15-09-2022 an on-site administrative audit at the headquarters of Intellexa S.A., and find out that its purpose is, inter alia, to provide services related to the design and development of applications, networks and systems, software and technological solutions in general, as well as services.
An individual, "A", provided to the HDPA a copy of a petition they filed with the Prosecutor of the Supreme Court concerning the alleged attempted interception of their mobile phone with the 'Predator' surveillance software. Furthermore, numerous press reports were published linking Intellexa S.A. (Intellexa), a software company which provides technology and intelligence to law enforcement agencies, to the aforementioned software, and to the installation of monitoring software on users' mobile telephone devices without their knowledge.
The HDPA sent Intellexa S.A. a document containing the questions of the inspection. Despite multiple telephone assurances from the company's lawyers to auditors of the audit team that the information would be sent, the company did not submit to the HDPA the information document. The HDPA noted that Intellexa S.A. has unduly delayed to respond to its requests and has failed to provide information which in its possession and requested by the HDPA. The HDPA also took into account that the nature and gravity of the infringement is  particularly serious. The infringement found is included in those of the article 83(1)(a) par. 4 of the GDPR (infringements with a maximum amount of EUR 10 000 000); and concerned the investigated personal data processing activities of the company, from the year 2019 to 2022, which are related to the production, support and operation of software/software solutions for processing of all types of personal data, not excluding specific categories of personal data.
 
In the light of the above and without prejudice to the exercise of its powers under the GDPR on the basis of the results of the audit carried out, the Authority considers that unanimously that, in view of the infringement found and taking into account the above elements, the conditions for imposing a fine on the HDPA are fulfilled.
Following these developments, the HDPA conducted an "''own-volition''" invesitgation, undertaking an on-site audit of Intellexa premises on 3 October 2022. Prior to the audit, the HDPA sent Intellexa a document containing the details of the investigation and requesting further information. Despite multiple telephone assurances from the company's lawyers to auditors that their request would be met, the company did not submit any information. During the audit, the company's three-story building was found to be completely empty and without any functional network infrastructure or information system. Through a discussion with the representatives of the company, the audit team requested specific information on the data processed, the auditees took notes and assured them that they would provide this promptly.  
 
On 4 October 2022, Intellexa submitted a request to the HDPA to be provided with the audit questions in writing, claiming that it was impossible to draft effective and accurate responses to notes taken during the audit, due to the complexity and highly technical nature of the isssue. On 6 October 2022, the HDPA sent the company a written request containing 24 questions, asking for as much information as possible, and specific documentation, as soon as possible. On 21 October 2022, the HDPA received an email from Intellexa claiming their employees have been subject to "harrasment" by journalists following the audit, and informing the authority that they intend to submit responses the following week. The HDPA responded to this email on 24 October 2022, stating that they expect full and substantiatied replies to their questions as soon as possible.
 
Intellexa S.A did not reply to the HDPA's enquiries, they were subsequently invited to attend a hearing on 29 November 2022 to verify their compliance with the requirements of Article 31 GDPR. On 18 November 2022, the company sent a response to the auditor's questions. It was noted that, in response to some of the questions, Intellexa did not provide the information requested by the authority; information which was, according to the HDPA, undoubtedly in the company's possession.
 
At the hearing Intellexa's lawyers argued that, despite their "''justified reservations''", the company tried to respond to the questions asked "''to the fullest extent possible''" in coopertation with "''various investigations launched simultaneously by several different Greek authorities''". In their submisisons, they asserted that the Greek authorities ought to act in a more "''coordinated and consistent''" manner.


=== Holding ===
=== Holding ===
The HDPA carried out an administrative audit at Intellexa S.A. investigating cases of installation of monitoring software on users' mobile telephony terminals for the purpose of unknowingly monitoring them, as well as the subsequent collection and processing of their personal data collected by such software. As the company was excessively late in responding to the Authority's enquiries and did not provide specific data requested and in its possession, the Authority imposed a fine of EUR 50. 000 and ordered that specific data be delivered to it immediately.
The HDPA found that Intellexa S.A, has, by choice, breached its obligation to cooperate with the supervisory authority under Article 31 GDPR. In doing so, they found that the company has unduly delayed its repsonse to the invesitgation, and failed to provide information which was indisputably in its possession.
 
The HDPA did not accept the controller's assertions that they had responded in a reasonable period of time. Furthemore, in asserting that the Greek authorities should act in a "''coordinated and consistent''" manner, the company had disregarded the independence of the DPA and the rules governing the effective performance of its obligations in the context of its statutory objective of the protection of personal data.
 
Pursuant to Articles 58(2)GPDR and 83 GDPR, the authority unanimously considered that the conditions for imposing an administrative fine on Intellexa SA had been fulfilled. In doing so, they took into account the serious nature and gravity of the infringement, and imposed a fine of €50,000. Additionally, the HDPA issued an order instructing the company to deliver the relevant information immediately.


== Comment ==
== Comment ==
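Review bot: the rewritten Facts paragraph changes the date of the on-site audit from 15-09-2022 to 3 October 2022, and the edit summary "(Summary, Facts, Holding)" does not say which date the decision itself gives; confirm it against the Greek original before saving. The new Holding text cites "Articles 58(2)GPDR", which should read "Articles 58(2) GDPR", and the added paragraphs carry several misspellings ("invesitgation", "isssue", "harrasment", "substantiatied", "coopertation", "submisisons", "repsonse", "Furthemore") and a comma splice in "did not reply to the HDPA's enquiries, they were subsequently invited".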

Revision as of 15:07, 31 January 2023

HDPA - 2/2023
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 31 GDPR
Article 58(1) GDPR
Article 83(4) GDPR
Article 13 of National Law 4624/2019
Article 15 of National Law 4624/2019
Article 66 of National Law 4624/2019
Type: Complaint
Outcome: Upheld
Started: 20.12.2022
Decided: 13.01.2023
Published: 13.01.2023
Fine: 50.000 EUR
Parties: n/a
National Case Number/Name: 2/2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: Anastasia Tsermenidou

The Greek DPA (HDPA) imposed a fine of €50,000 on Intellexa S.A. for failing to cooperate with an investigation into its alleged installation of monitoring software on data subjects' devices without their knowledge.

English Summary

Facts

An individual, "A", provided to the HDPA a copy of a petition they filed with the Prosecutor of the Supreme Court concerning the alleged attempted interception of their mobile phone with the 'Predator' surveillance software. Furthermore, numerous press reports were published linking Intellexa S.A. (Intellexa), a software company which provides technology and intelligence to law enforcement agencies, to the aforementioned software, and to the installation of monitoring software on users' mobile telephone devices without their knowledge.

Following these developments, the HDPA conducted an "own-volition" investigation, undertaking an on-site audit of Intellexa's premises on 3 October 2022. Prior to the audit, the HDPA sent Intellexa a document containing the details of the investigation and requesting further information. Despite multiple telephone assurances from the company's lawyers to auditors that their request would be met, the company did not submit any information. During the audit, the company's three-story building was found to be completely empty and without any functional network infrastructure or information system. In a discussion with the representatives of the company, the audit team requested specific information on the data processed; the auditees took notes and assured the team that they would provide this promptly.

On 4 October 2022, Intellexa submitted a request to the HDPA to be provided with the audit questions in writing, claiming that it was impossible to draft effective and accurate responses to notes taken during the audit, due to the complexity and highly technical nature of the issue. On 6 October 2022, the HDPA sent the company a written request containing 24 questions, asking for as much information as possible, and specific documentation, as soon as possible. On 21 October 2022, the HDPA received an email from Intellexa claiming that its employees had been subject to "harassment" by journalists following the audit, and informing the authority that it intended to submit responses the following week. The HDPA responded to this email on 24 October 2022, stating that it expected full and substantiated replies to its questions as soon as possible.

Intellexa S.A. did not reply to the HDPA's enquiries and was subsequently invited to attend a hearing on 29 November 2022 to verify its compliance with the requirements of Article 31 GDPR. On 18 November 2022, the company sent a response to the auditors' questions. It was noted that, in response to some of the questions, Intellexa did not provide the information requested by the authority; information which was, according to the HDPA, undoubtedly in the company's possession.

At the hearing, Intellexa's lawyers argued that, despite their "justified reservations", the company tried to respond to the questions asked "to the fullest extent possible" in cooperation with "various investigations launched simultaneously by several different Greek authorities". In their submissions, they asserted that the Greek authorities ought to act in a more "coordinated and consistent" manner.

Holding

The HDPA found that Intellexa S.A. had, by choice, breached its obligation to cooperate with the supervisory authority under Article 31 GDPR. In doing so, it found that the company had unduly delayed its response to the investigation and failed to provide information which was indisputably in its possession.

The HDPA did not accept the controller's assertions that it had responded in a reasonable period of time. Furthermore, in asserting that the Greek authorities should act in a "coordinated and consistent" manner, the company had disregarded the independence of the DPA and the rules governing the effective performance of its obligations in the context of its statutory objective of the protection of personal data.

Pursuant to Articles 58(2) GDPR and 83 GDPR, the authority unanimously considered that the conditions for imposing an administrative fine on Intellexa S.A. had been fulfilled. In doing so, it took into account the serious nature and gravity of the infringement, and imposed a fine of €50,000. Additionally, the HDPA issued an order instructing the company to deliver the relevant information immediately.

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Summary
The Authority carried out an administrative audit on Intellexa S.A., investigating cases of the installation of tracking software on users' mobile terminal devices, with the aim of tracking them without their knowledge, as well as the subsequent collection and processing of their personal data collected by such software. As the company was excessively late in responding to the Authority's questions and did not provide specific information that was requested and is in its possession, the Authority imposed a fine of 50,000 euros and ordered that specific information be delivered to it immediately.