HDPA (Greece) - 56/2021
HDPA (Greece) - 56/13-12-2021 | |
---|---|
Authority: | HDPA (Greece) |
Jurisdiction: | Greece |
Relevant Law: | Article 4(7) GDPR Article 5(1) GDPR Article 5(2) GDPR Article 13 GDPR Article 14 GDPR Article 15 GDPR Article 21 GDPR Article 11 of national law 3471/2006 |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 31.12.2021 |
Published: | 31.12.2021 |
Fine: | 30.000 EUR |
Parties: | INFO COMMUNICATION SERVICES |
National Case Number/Name: | 56/13-12-2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Greek |
Original Source: | HDPA (in EL) |
Initial Contributor: | Anastasia.Tsermenidou |
The HDPA held that when companies are using automated procedures for marketing purposes should clarify the data's subject valid consent, in order to continue with the processing activity of personal data, according to Article 13 and Article 14 GDPR.
English Summary
Facts
The HDPA received a great number of complaints, concerning automated (without human intervention) telephone harassment on purpose the promotion of products or services, without informing about the identity of the person on his behalf being determined if these calls are made, while all are by telephone numbers started with the same prefix. The complaints included also text messages harassment. The HDPA conducted a thorough and careful research and reached out the following: the Greek company (the controller) did violate the GDPR, since as a controller it should have kept up with several obligations, according to the GDPR. First of all, the controller continued with the processing of personal data, without having obtained a crystal clear consent of the data subject, as the Article 6(2) GDPR points out and Article 11 of National Law 3471/2006. Specifically, the controller makes automated calls to promote services and products without prior valid consent of data subjects. And this because the key claim of the controller that the automated calls carried out only to those who have given an explicit prior to this consent, is unfounded, since it is not confirmed by the evidence. Moreover, the controller did not inform the data subject about his identity, the purpose of the processing activity, if the processing was lawful and transparent and if as a controller is able to demonstrate compliance with those principles at any time. In addition the company did not inform the data subject about his/her right, like the right to access and the right to object. The HDPA, taking into account the above violations and especially the breaches of Articles 13 and 14 GDPR and the Article 11 of National Law 3471/2006 imposed a penalty of 30.000 €, which effective, proportional and dissuasive.
Holding
The HDPA imposed a fine of 30.000 € to a Greek company for breaching Articles 13 and 14 GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Summary The Authority examined nine complaints regarding automated telephone promotions from the company INFO COMMUNICATION SERVICES ADVERTISING - PROMOTIONAL - COMMERCIAL - RESEARCH AND PUBLICATION as a regarding the promotional activities it carries out. The Authority found violations of article 11 par. 1 of law 3471/2006 (carrying out automated telephone operations without prior consent - since, apart from the fact that the company did not prove that it receives consent, the very procedure it described that follows does not guarantee the receipt as well as Articles 13 and 14 of the GIP (non-disclosure of data subjects - since, inter alia, the complainants did not initially know the name of the company that made the calls) and fined € 30,000 for infringements found above.