HDPA (Greece) - 20/2021
| HDPA (Greece) - 20 | |
|---|---|
| Authority: | HDPA (Greece) |
| Jurisdiction: | Greece |
| Relevant Law: | Article 17(1) GDPR, Article 21(2) GDPR, Article 25 GDPR, Article 11 law 3471/2006 |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 17.02.2021 |
| Published: | 28.05.2021 |
| Fine: | 5000 EUR |
| Parties: | «ΚΑΡΙΕΡΑ Α.Ε.» |
| National Case Number/Name: | 20 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Greek |
| Original Source: | ΑΠΔΠΧ (in EL) |
| Initial Contributor: | LV |

The Greek DPA fined a services provider €5,000 for failure to properly execute a data subject's request for erasure, because of a technical error which meant that the data subject's personal data had been duplicated on the company's servers. The DPA found that 79 other data subjects had also been affected by this error.
English Summary
Facts
The complainant asked to stop receiving promotional emails from the company. The promotional emails did not stop even after he followed all the directions on the company's website, and even after he submitted a request for erasure of his personal data held by the company, for which he received a confirmation email stating that all his data had been deleted from the company's servers. The company stated that, due to technical errors and a duplicate registration of the data subject's email address, the deletion of the complainant's data was not successful.
Holding
After examining the facts of the case and the data of 79 other data subjects which had not been successfully deleted from the company's database, the authority decided that the company had failed to implement the appropriate procedural and security measures to detect the error and to secure the deletion of the users' data. In light of these violations the authority fined the company €5,000.
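A reconciliation check of the kind the holding says was missing, as an added example that is not part of the decision or of the company's systems. The table names, columns and the key-based sync are assumptions used to model a duplicate e-mail record surviving an erasure; the data is constructed.

```python
import sqlite3

# Constructed sample data. Table and column names are hypothetical.
SCHEMA = """
CREATE TABLE erasure_requests (subject_id INTEGER, email TEXT);
CREATE TABLE email_db (row_id INTEGER PRIMARY KEY, subject_id INTEGER, email TEXT);
INSERT INTO email_db VALUES
  (10, 1, 'a@example.test'),
  (11, 7, 'A@Example.test '),   -- duplicate registration under another key
  (12, 2, 'b@example.test');
INSERT INTO erasure_requests VALUES (1, 'a@example.test');
"""

def demo_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def sync_by_key(db):
    """Assumed model of the failing sync: delete only the row with the known key."""
    db.execute("DELETE FROM email_db WHERE subject_id IN "
               "(SELECT subject_id FROM erasure_requests)")

def sync_by_address(db):
    """Delete every row holding the requested address, whatever its key."""
    db.execute("DELETE FROM email_db WHERE lower(trim(email)) IN "
               "(SELECT lower(trim(email)) FROM erasure_requests)")

def residual_rows(db):
    """Post-sync control: rows that still hold an address under an erasure request."""
    return db.execute(
        "SELECT e.row_id, e.email FROM email_db e JOIN erasure_requests r "
        "ON lower(trim(e.email)) = lower(trim(r.email)) ORDER BY e.row_id").fetchall()

def duplicate_addresses(db):
    """Preventive control: addresses stored more than once in the e-mail database."""
    return db.execute(
        "SELECT lower(trim(email)), COUNT(*) FROM email_db "
        "GROUP BY lower(trim(email)) HAVING COUNT(*) > 1").fetchall()

if __name__ == "__main__":
    db = demo_db()
    print("duplicates before sync:", duplicate_addresses(db))
    sync_by_key(db)
    print("left after key-based sync:", residual_rows(db))      # should raise an alert
    sync_by_address(db)
    print("left after address-based sync:", residual_rows(db))
```

Running `residual_rows` after every sync, and before the confirmation e-mail is sent, turns a silent failure of this kind into an alert.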
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Athens, 12-05-2021
No. Prot. 1207

1-3 Kifissias Ave., 11523 Athens T: 210 6475 600 • E: contact@dpa.gr • www.dpa.gr

DECISION 20/2021 (Department)

The Personal Data Protection Authority met in Department composition via video conference on 17-02-2021 at 10:00, at the invitation of its President, to consider the case referred to in the history hereof. Present were George Batzalexis, Deputy Chairman, the President of the Authority Konstantinos Menoudakou being impeded, and the alternate members Grigorios Tsolias and Evangelos Papakonstantinou, as rapporteur, replacing the regular members Charalambou Anthopoulos and Konstantinos Lambrinoudakis respectively, who, although legally summoned in writing, did not attend due to an impediment. The regular member Spyridon Vlachopoulos, although legally summoned in writing, did not attend due to an impediment. The meeting was attended, by order of the President, by Georgia Panagopoulou, expert scientist - auditor, as assistant rapporteur, and by Irini Papageorgopoulou, employee of the Administrative Affairs Department of the Authority, as secretary.

The Authority took into account the following:

Complaint no. prot. Γ / ΕΙΣ / 6076 / 09-09-2019 was submitted to the Authority against the company "CAREER SOLE SHAREHOLDER TECHNOLOGY SOCIETE ANONYME CURATOR, COMMERCIAL PROMOTION AND EXPLOITATION OF SPECIAL PUBLICATIONS" with the distinctive title "CAREER SA", about the sending of emails of advertising content to the complainant although he had repeatedly requested his removal from the list of recipients. Specifically, according to document G / EIS / 6076 / 09-09-2019, the complainant states that from ψε he ceased to wish to receive further electronic messages from kariera.gr. He tried to use the link that is embedded in each email, selecting the appropriate options on the web page displayed, but the emails kept coming in normally. … He sent an email with a request to be deleted from the email lists.
He was pointed to a specific procedure through the ticketing method, which he proceeded with directly on … and through which he demanded the complete deletion of all data relating to his person from their databases. After confirmation of his contact details and of his request, he received on … information that all his personal data had been deleted, but he still receives by mail suggestions of ads similar to ads in which he had shown interest in the past. On λε he sent a new message on the issue via the ticketing method without receiving a response, and on … he sent a warning that he would appeal to the Authority if the issue was not resolved, also without any response.

With document no. prot. G / EX / 6076-1 / 03-10-2019 the Authority informed CAREER of the complaint and asked for its views. CAREER answered with its document no. prot. G / EIS / 7394 / 30-10-2019, in which it analyzes the history of the complainant's communications with the company in his attempt to be removed from the list of recipients of advertising messages. A specific technical problem was identified, which is described in the document as follows:

The personal data processed by the Company are recorded electronically in a data table that the Company calls 'Master Data Table' (hereinafter the 'Main Data Table'). All changes to personal data, such as deletions from email lists or requests submitted by data subjects through the Data Management Platform, are initially entered in the Main Data Table and are then integrated / copied into the individual databases that are connected to the Main Data Table, through a synchronization process which takes place automatically on a daily basis. One of these sub-databases linked to the Main Data Table is the "E-mail Database". Due to a technical error in the computer systems of the Company, a double registration of the complainant's e-mail address was created in the E-mail Database. This technical double-entry error was detected and corrected immediately so that it would not be repeated in the future. However, the duplicate record of the complainant's e-mail address remained in the E-mail Database, with the result that, while the first record was deleted normally, the second record remained in the E-mail Database. Thus, when the complainant requested deletion from the E-mail Database using the delete / unsubscribe link, the request was recorded successfully in the Main Data Table, but the synchronization process failed to replace / delete the duplicate entry of the complainant's e-mail address in the E-mail Database. This is therefore the reason why the complainant continued to receive emails about jobs offered by the Company.

Subsequently, the Authority sent document no. prot. G / EX / 931 / 05-02-2020, with which it requested the following clarifications: For how long did the technical error of duplicating the e-mail address exist in the systems, and how was it located? How many e-mails were entered in the systems during this time? How many requests for deletion of e-mails were received from visitors during this time? Have there been related complaints from recipients of e-mails?

CAREER answered with document no. prot. G / EIS / 1765 / 06-03-2020, in which it clarifies the following: The technical error occurred 6 months before …, i.e. during the period between …. The technical error was detected through the investigation carried out because of the complaint forwarded by the Authority. A total of 26,969 e-mails were entered on the Greek website (Kariera.gr) during the existence of the technical error. 76 requests for deletion of e-mails were submitted by visitors of the website www.kariera.gr during this period. 5 requests were also received by "Customer Service" during the period of existence of the technical problem, on the grounds that the user could not unsubscribe successfully.

Following the above, the Authority called the company to the Department meeting of 11-11-2020, with its document reference number C / EX / 6076-1 / 30-10-2020.
The company attended the meeting through its legal representative Theofilos Vassiliadis and through the lawyer Panagiotis Kontogeorgakopoulos (…). He also attended the first company. After being granted a deadline, the company submitted Memorandum No. G / EIS / 7991 / 20-11-2020, which refers to the previous documents and further clarifies that the response to the subject's request and its satisfaction are two different stages of the process of deleting his personal data, and that the company's response was in the middle, but due to a technical problem, no description was given. The company has as its permanent policy, and makes every reasonable effort, to complete the deletion process within one (1) month from the submission of the respective deletion request, making every possible effort to respond to the needs of the subjects and not to use the possibility of extending the response time by two (2) further months, which the Regulation provides under certain conditions. Also, when the technical problem was resolved, the details of the complainant, and of all other data subjects who had experienced a similar problem, including the five subjects who had made the requests-complaints, were successfully deleted from the company's information systems.

In the context of continuous improvement and of the company's commitment to the proper management of personal data, the company continues to develop new systems, with which in the near future it will be able to delete and generally manage data with greater immediacy and convenience. The aim of the company is to simplify the internal deletion procedure from the moment the request is confirmed, so that the response time is significantly reduced.
The Authority, after examining the data in the file, after hearing the rapporteur and the clarifications of the assistant rapporteur, who attended without and withdrew after the discussion of the case and before the conference and decision-making, and after a thorough discussion,

THOUGHT ACCORDING TO THE LAW

1. From the provisions of articles 51 and 55 of the General Data Protection Regulation (Regulation (EU) 2016/679, hereinafter GDPR) and Article 9 of Law 4624/2019 (Government Gazette A' 137) it follows that the Authority has the competence to supervise the implementation of the provisions of the GDPR, of this law and of other regulations that concern the protection of the individual from the processing of personal data.

2. According to article 4 lit. 7 of the GDPR, which has applied since 25 May 2018, the controller is defined as "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data".

3. The issue of making unsolicited communications by any means of electronic communication, without human intervention, for the purpose of direct marketing of products or services and for any advertising purposes, is regulated by Article 11 of Law 3471/2006 on the protection of personal data in the field of electronic communications, which incorporated Directive 2002/58/EC into national law. According to this article, such communication is allowed only if the subscriber has expressly consented in advance. Exceptionally, according to article 11 par. 3 of Law 3471/2006, e-mail contact details that were obtained lawfully, in the context of the sale of goods or services or another transaction, can be used for the direct promotion of similar products or services of the supplier or for similar purposes, even when the recipient of the message has not given his prior consent, provided that he is given, in a clear and distinct way, the ability to object, easily and free of charge, to the collection and use of his electronic details, both when the contact details are collected and in each message, in case the user did not initially object to this use.

4. According to article 17 par. 1 of the GDPR, "The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: (…) (c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2)". Further, article 21 par. 2 of the GDPR stipulates that "Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing."

5. Article 25 of the GDPR stipulates that "Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects."

6. In this case, the complainant's personal data were processed for the purpose of promoting products and services by the company CAREER, which is the controller. The legality of the original collection is not assessed here, as the complainant admits that he had provided his details to the company.

7. The complainant, as appears from the original complaint, expressed his objection to the sending of messages for product promotion purposes. The controller ought to have had appropriate procedures in place in order to respond. The controller did not act to stop the sending of advertising messages, as it should have, since objection and erasure in the case of direct marketing must be respected. This happened only after the intervention of the Authority. Therefore, the original complaint establishes an infringement of Article 17 in conjunction with Article 21 par. 2 of the GDPR.

8. Only after the complaint was forwarded by the Authority to the company were appropriate actions taken to investigate why the deletion of the complainant's data had not been carried out, and during this investigation it was found what the technical error was.
From the data subsequently requested by the Authority, and following the controller's investigation, it emerged that there were another 78 cases of failure to satisfy the data subjects' right to erasure, as well as 5 requests-protests on this issue, which the controller had not identified through its procedures, nor had it identified the technical error. It is therefore established that the company did not have in practice the necessary procedures to ensure the deletion of the data, so as to meet the requirements of the GDPR and protect the rights of data subjects. Therefore, there is a violation of article 25 par. 1 of the GDPR.

9. The Authority takes into account that the violation concerns the exercise of the data subject's rights, that the technical error lasted one semester and affected 79 data subjects, that there were protests from 5 data subjects which, due to faulty procedures, did not receive a reply, and that the controller has an online store and uses electronic communication techniques and therefore should have taken care to respond correctly to requests to exercise rights. Further, according to publicly available data in GEMI, the company had, for the year 2019, a turnover of € 4,202,734.53 and profits after taxes of € 879,150.88. As mitigating factors, it takes into account that this is the first offence for the specific company, that after the intervention of the Authority the controller took action to investigate and correct the problem and, finally, the unfavourable economic situation due to the Covid-19 pandemic.

10. In view of the above, the Authority unanimously considers that, in accordance with Article 17 in conjunction with Article 21 para. 3 of the GDPR and Article 25 para. 1 of the GDPR, the conditions are met for imposing on the controller, on the basis of article 58 par. 2 i of the GDPR and taking into account the criteria of article 83 par. 2 of the GDPR, the administrative sanction referred to in the operative part hereof, which is considered proportionate to the gravity of the infringement.
FOR THESE REASONS

The Authority imposes on "CAREER SOLE SHAREHOLDER SA TECHNOLOGY MANAGEMENT, COMMERCIAL PROMOTION AND EXPLOITATION SPECIAL EDITIONS" with the distinctive title "CAREER SA" the effective, proportionate and dissuasive administrative fine appropriate to the specific case according to its particular circumstances, in the amount of five thousand euros (5,000.00), for the above violations of article 17 in combination with article 21 par. 3 of the GDPR and article 25 par. 1 of the GDPR.

The Deputy Chairman: George Batzalexis
The Secretary: Irini Papageorgopoulou

1 https://www.businessregistry.gr/publicity/show/5366801000