HDPA (Greece) - 42/2021

From GDPRhub
Revision as of 18:01, 27 September 2021 by Adrian (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Greece |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoGR.jpg |DPA_Abbrevation=HDPA (Greece) |DPA_With_Country=HDPA (Greece) |Case_Number...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
HDPA (Greece) - 42/2021
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(d) GDPR
Article 5(1)(f) GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 21.04.2021
Published: 21.09.2021
Fine: None
Parties: Party A (anonymized)
Party B (anonymized)
National Case Number/Name: 42/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Greek
Original Source: HDPA (in EL)
HDPA (in EL)
Initial Contributor: Adrian

The Greek DPA held that sending bulk email by including recipients' email addresses in the "To" field is not compliant with Article 32 of the GDPR, recommending instead the use of BCC.

English Summary

Facts

The data subject complained to the HDPA about having received a press release via email by a Member of the Hellenic Parliament (considered the data controller in the context of this decision), without the subject's consent. Furthermore, the data subject's email address was visible to other recipients (the "To" field was used instead of BCC).

Holding

The HDPA issued a warning towards the data controller, recommending the use of the BCC field in order for mass email communication to remain compliant with Article 32 of the GDPR. No other measures were deemed necessary, because of the data controller's stance that the inclusion of the subject's email was made by mistake (falsely believing that the data subject was a journalist, thus the data processing would be in accordance to Article 6(1)(f), and because the controller took corrective measures, by removing the subject's personal details from their systems.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.



  
    

  
  
    
  
    Category
              Decision
          

  
    Date
              21/09/2021

          

  
    Transaction number
              42
          

  
    Thematic unit
          
              09. Promotion of products and services
              
      

  
    Applicable provisions
          
              Article 5.1.d: Principle of accuracy
          Article 5.1.f: Principle of integrity and confidentiality
          Article 32: Processing security
              
      

  
    Summary
              The Authority reprimanded a controller who sent e-mails to a large number of recipients, placing the recipients' details in the "To" field. When an e-mail address is addressed to a large number of recipients who are natural persons, the controller must take appropriate measures to ensure that the recipients' addresses are not disclosed to a large number of persons. Therefore, in these cases it is better to use the "hidden notification" option or to send individual messages, when possible.

          

  
    PDF Decision
              42_2021anonym.pdf243.23 KB
          

  


    
  
    Category
              Decision
          

  
    Date
              21/09/2021

          

  
    Transaction number
              42
          

  
    Thematic unit
          
              09. Promotion of products and services
              
      

  
    Applicable provisions
          
              Article 5.1.d: Principle of accuracy
          Article 5.1.f: Principle of integrity and confidentiality
          Article 32: Processing security
              
      

  
    Summary
              The Authority reprimanded a controller who sent e-mails to a large number of recipients, placing the recipients' details in the "To" field. When an e-mail address is addressed to a large number of recipients who are natural persons, the controller must take appropriate measures to ensure that the recipients' addresses are not disclosed to a large number of persons. Therefore, in these cases it is better to use the "hidden notification" option or to send individual messages, when possible.

          

  
    PDF Decision
              42_2021anonym.pdf243.23 KB