HDPA (Greece) - 2/2023
HDPA - 2/2023 | |
---|---|
Authority: | HDPA (Greece) |
Jurisdiction: | Greece |
Relevant Law: | Article 31 GDPR Article 58(1) GDPR Article 83(4) GDPR Article 13 of National Law 4624/2019 Article 15 of National Law 4624/2019 Article 66 of National Law 4624/2019 |
Type: | Complaint |
Outcome: | Upheld |
Started: | 20.12.2022 |
Decided: | 13.01.2023 |
Published: | 13.01.2023 |
Fine: | 50.000 EUR |
Parties: | n/a |
National Case Number/Name: | 2/2023 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Greek |
Original Source: | HDPA (in EL) |
Initial Contributor: | Anastasia Tsermenidou |
The Greek DPA (HDPA) imposed a fine of €50,000 on Intellexa S.A for failing to cooperate with an investigation into their alleged installation of monitoring software on data subject's devices without their knowledge.
English Summary
Facts
An individual, "A", provided to the HDPA a copy of a petition they filed with the Prosecutor of the Supreme Court concerning the alleged attempted interception of their mobile phone with the 'Predator' surveillance software. Furthermore, numerous press reports were published linking Intellexa S.A. (Intellexa), a software company which provides technology and intelligence to law enforcement agencies, to the aforementioned software, and to the installation of monitoring software on users' mobile telephone devices without their knowledge.
Following these developments, the HDPA conducted an "own-volition" investigation, undertaking an on-site audit of Intellexa premises on 3 October 2022. Prior to the audit, the HDPA sent Intellexa a document containing the details of the investigation and requesting further information. Despite multiple telephone assurances from the company's lawyers to auditors that their request would be met, the company did not submit any information. During the audit, the company's three-story building was found to be completely empty and without any functional network infrastructure or information system. Through a discussion with the representatives of the company, the audit team requested specific information on the data processed, the auditees took notes and assured them that they would provide this promptly.
On 4 October 2022, Intellexa submitted a request to the HDPA to be provided with the audit questions in writing, claiming that it was impossible to draft effective and accurate responses to notes taken during the audit, due to the complexity and highly technical nature of the isssue. On 6 October 2022, the HDPA sent the company a written request containing 24 questions, asking for as much information as possible, and specific documentation, as soon as possible. On 21 October 2022, the HDPA received an email from Intellexa claiming their employees have been subject to "haasasment" by journalists following the audit, and informing the authority that they intend to submit responses the following week. The HDPA responded to this email on 24 October 2022, stating that they expect full and substantiatied replies to their questions as soon as possible.
Intellexa S.A did not reply to the HDPA's enquiries, they were subsequently invited to attend a hearing on 29 November 2022 to verify their compliance with the requirements of Article 31 GDPR. On 18 November 2022, the company sent a response to the auditor's questions. It was noted that, in response to some of the questions, Intellexa did not provide the information requested by the authority; information which was, according to the HDPA, undoubtedly in the company's possession.
At the hearing Intellexa's lawyers argued that, despite their "justified reservations", the company tried to respond to the questions asked "to the fullest extent possible" in cooperation with "various investigations launched simultaneously by several different Greek authorities". In their submissions, they asserted that the Greek authorities ought to act in a more "coordinated and consistent" manner.
Holding
The HDPA found that Intellexa S.A, has, by choice, breached its obligation to cooperate with the supervisory authority under Article 31 GDPR. In doing so, they found that the company has unduly delayed its response to the investigation, and failed to provide information which was indisputably in its possession.
The HDPA did not accept the controller's assertions that they had responded in a reasonable period of time. Furthermore, in asserting that the Greek authorities should act in a "coordinated and consistent" manner, the company had disregarded the independence of the DPA and the rules governing the effective performance of its obligations in the context of its statutory objective of the protection of personal data.
Pursuant to Articles 58(2)GPDR and 83 GDPR, the authority unanimously considered that the conditions for imposing an administrative fine on Intellexa SA had been fulfilled. In doing so, they took into account the serious nature and gravity of the infringement, and imposed a fine of €50,000. Additionally, the HDPA issued an order instructing the company to deliver the relevant information immediately.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Summary The Authority carried out an administrative audit on Intellexa SA. investigating cases of the installation of tracking software on users' mobile terminal devices, with the aim of tracking them without their knowledge, as well as the subsequent collection and processing of their personal data collected by such software. As the company was excessively late in responding to the Authority's questions and did not provide specific information that was requested and is in its possession, the Authority imposed a fine of 50,000 euros and ordered that specific information be delivered to it immediately.