HDPA (Greece) - 33/2023: Difference between revisions
No edit summary |
No edit summary |
||
| Line 11: | Line 11: | ||
|Original_Source_Name_1=HDPA | |Original_Source_Name_1=HDPA | ||
|Original_Source_Link_1=https://www.dpa.gr/sites/default/files/2023-11/33_2023% | |Original_Source_Link_1=https://www.dpa.gr/sites/default/files/2023-11/33_2023%20anonym.pdf | ||
|Original_Source_Language_1=Greek | |Original_Source_Language_1=Greek | ||
|Original_Source_Language__Code_1=EL | |Original_Source_Language__Code_1=EL | ||
| Line 74: | Line 74: | ||
=== Facts === | === Facts === | ||
A municipality uploaded on a public portal (“diavgeia”) a decision where the personal data of the complainant including her full name, position, place of employment and involvement in a criminal complaint were mentioned. A separate decision regarding her participation in the municipality's financial council was also discovered on the portal. The complainant requested the erasure of her personal data from the public portal by exercising her right to erasure under Article 17 GDPR. | A municipality uploaded on a public portal (“diavgeia”) a decision where the personal data of the complainant including her full name, position, place of employment and involvement in a criminal complaint were mentioned. A separate decision regarding her participation in the municipality's financial council was also discovered by the complainent on the portal. The complainant requested the erasure of her personal data from the public portal by exercising her right to erasure under [[Article 17 GDPR|Article 17 GDPR.]] | ||
The DPO of the municipality rejected her request on the grounds that the municipality had the legal obligation to upload onto this portal every act, decision or document relating to the performance of its duties, under national law. | The DPO of the municipality rejected her request on the grounds that the municipality had the legal obligation to upload onto this portal every act, decision or document relating to the performance of its duties, under national law. | ||
In 25 October 2021, the complainant lodged a complaint before the Hellenic DPA ("HDPA") against the municipality. | In 25 October 2021, the complainant lodged a complaint before the Hellenic DPA ("HDPA") against the municipality. | ||
=== Holding === | === Holding === | ||
After considering all the facts of the case, the Hellenic DPA fined the municipality a total of €5000. | After considering all the facts of the case, the Hellenic DPA fined the municipality a total of €5000. | ||
They fined the them €2,000 for breaches 6 (1)(c) and Articles 5(1)(a) andGDPR. The muncipality had processed data unlawfully. The data subject had withdrawn the consent over the processing by raising a complaint to the DPO meaning that the muncipality no longer had a legal basis. Moreover, it was not lawful becaause once the complainent objected to the processing of her data (for example, through an erasure request), the controller should have ceded processing until they could prove that there were overriding interests to do so under Article 21 GDPR. | |||
The DPA fined the municipality €1,000 for violating Article 5(1)(c) as the municipality had not adhered to the principle of data minimisation by having no criteria for the selection of decisions which would be published through the portal. | |||
The Hellenic DPA ordered the Municipality X to remove the two decisions concerning the data subject from its website and within a 20-day period | The DPA fined the muncipality €2,000 for violating Article 17 (1) GDPR. This was because the DPO refused to erase the data when requested to do so by the data subject. | ||
The Hellenic DPA ordered the Municipality X to remove the two decisions concerning the data subject from its website and within a 20-day period. | |||
== Comment == | == Comment == | ||
Revision as of 11:30, 20 December 2023
| HDPA - 33/2023 | |
|---|---|
 | |
| Authority: | HDPA (Greece) |
| Jurisdiction: | Greece |
| Relevant Law: | Article 5(1)(a) GDPR Article 5(1)(c) GDPR Article 6(1)(c) GDPR Article 17(1) GDPR Article 57(1)(c) GDPR Article 58(2) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 25.10.2021 |
| Decided: | 11.04.2023 |
| Published: | 07.11.2023 |
| Fine: | 5000 EUR |
| Parties: | n/a |
| National Case Number/Name: | 33/2023 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Greek |
| Original Source: | HDPA (in EL) |
| Initial Contributor: | Iliana Papantoni |
The Hellenic DPA fined a municipality for uploading personal data to a public portal and then failing to comply with the subsequent erasure request.
English Summary
Facts
A municipality uploaded on a public portal (“diavgeia”) a decision where the personal data of the complainant including her full name, position, place of employment and involvement in a criminal complaint were mentioned. A separate decision regarding her participation in the municipality's financial council was also discovered by the complainent on the portal. The complainant requested the erasure of her personal data from the public portal by exercising her right to erasure under Article 17 GDPR.
The DPO of the municipality rejected her request on the grounds that the municipality had the legal obligation to upload onto this portal every act, decision or document relating to the performance of its duties, under national law.
In 25 October 2021, the complainant lodged a complaint before the Hellenic DPA ("HDPA") against the municipality.
Holding
After considering all the facts of the case, the Hellenic DPA fined the municipality a total of €5000.
They fined the them €2,000 for breaches 6 (1)(c) and Articles 5(1)(a) andGDPR. The muncipality had processed data unlawfully. The data subject had withdrawn the consent over the processing by raising a complaint to the DPO meaning that the muncipality no longer had a legal basis. Moreover, it was not lawful becaause once the complainent objected to the processing of her data (for example, through an erasure request), the controller should have ceded processing until they could prove that there were overriding interests to do so under Article 21 GDPR.
The DPA fined the municipality €1,000 for violating Article 5(1)(c) as the municipality had not adhered to the principle of data minimisation by having no criteria for the selection of decisions which would be published through the portal.
The DPA fined the muncipality €2,000 for violating Article 17 (1) GDPR. This was because the DPO refused to erase the data when requested to do so by the data subject.
The Hellenic DPA ordered the Municipality X to remove the two decisions concerning the data subject from its website and within a 20-day period.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
