HDPA (Greece) - 20/2021
From GDPRhub
| HDPA (Greece) - 20 | |
|---|---|
 | |
| Authority: | HDPA (Greece) |
| Jurisdiction: | Greece |
| Relevant Law: | Article 17(1) GDPR Article 21(2) GDPR Article 25 GDPR Article 11 law 3471/2006 Article 11 law 3471/2006 |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 17.02.2021 |
| Published: | 28.05.2021 |
| Fine: | 5000 EUR |
| Parties: | «ΚΑΡΙΕΡΑ Α.Ε.» |
| National Case Number/Name: | 20 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Greek |
| Original Source: | ΑΠΔΠΧ (in EL) |
| Initial Contributor: | LV |
The Greek DPA fined a services provider company 5.000€ for failure to respond to a data's subject request of erasure of his personal data held by the company.
English Summary
Facts
The complainant requested to stop receiving promotional emails by the company. The promotional emails didn't stop even after he followed all the directions on the company's website and even after he submitted a request of erasure of his personal data held by the company, for which he received a confirmation email stating that all his data we deleted by the company's servers. The company stated that due to technical errors and duplicate registration of the data subject's email address, the process of the deletion of the complainant's data was not successful.
Dispute
Holding
After examination of the facts of the case and after examination of 79 other data subjects data which were not successfully deleted from the company's data base, the authority decided that the company failed to implement the appropriate procedural and security measures to detect the error and to secure the deletion of the users' data. In the light of these violations the authority fined the company 5.000€.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Athens, 12-05-2021
No. Prot.1207
DECISION 20/2021
(Department)
The Personal Data Protection Authority met at
Composition of the Department via video conference on 17-02-2021 at 10:00, after
invitation of its President to consider the case
refers to the history hereof. Presented by George Batzalexis,
Deputy Chairman, disabled by the President of the Authority Konstantinos
Menoudakou, and the alternate members Grigorios Tsolias and Evangelos
Papakonstantinou, as rapporteur, replacing the regular members
Charalambou Anthopoulos and Konstantinos Lambrinoudakis respectively, who,
although they were legally summoned in writing, they did not attend due to obstruction. The regular
member Spyridon Vlachopoulos, although legally summoned in writing, did not attend
due to obstruction. The meeting was attended by Georgia, by order of the President
Panagopoulou, expert scientist - auditor as assistant rapporteur and Irini
Papageorgopoulou, employee of the Administrative Affairs Department of the Authority,
as secretary.
The Authority took into account the following:
Submitted to the Authority or with no. prot. Γ / ΕΙΣ / 6076 / 09-09-2019 complaint against
of the company "CAREER SOLE SHAREHOLDER TECHNOLOGY SOCIETE ANONYME
CURATOR, COMMERCIAL PROMOTION AND EXPLOITATION OF SPECIAL PUBLICATIONS »with
the distinctive title "CAREER SA" about sending emails
1
1-3 Kifissias Ave., 11523 Athens
T: 210 6475 600 • E: contact@dpa.gr • www.dpa.gr of advertising content to the complainant while he had
repeatedly request its removal from the list of recipients.
Specifically, according to the document G / EIS / 6076 / 09-09-2019 the complainant
states that from ψε he ceased to wish to receive further electronically
messages from kariera.gr. Tried to make use of that link
is embedded in each email, selecting the appropriate options on the web page
displayed but emails kept coming in normally.
… Sent an email with a request to be deleted from the email lists. Of
a specific procedure was indicated by the ticketing method, in which
proceeded directly to… and by which he demanded the complete deletion of all
data relating to his person from their databases. Then
confirmation of his contact details and request, received on…
information that all his personal data have been deleted
receives by mail suggestions of ads similar to ads in which he had in
past show interest. On λε sent a new message on the issue via
of the ticketing method without receiving a response and on… sent a warning
to appeal to the Authority, if the issue is not resolved, without any response
also.
The Authority with the no. prot. G / EX / 6076-1 / 03-10-2019 document informed her
CAREER for the complaint and asked for her views.
CAREER answered with no. prot: G / EIS / 7394 / 30-10-2019 her document,
in which he analyzes the history of the communications of the complainant company
in an attempt to remove it from the list of eligible advertisements
messages. A specific technical problem has been identified, which is described
in the document as follows: The personal data processed by the Company
are recorded electronically in a data table that the Company calls
‘Master Data Table’ (hereinafter the ‘Main Data Table’). All changes to
personal data, such as deletions from email lists or requests
submitted by data subjects through the Platform
Data Management, are initially entered in the Main Data Table and in
are then integrated / copied into the individual databases that
2connected to the Main Data Table, through a synchronization process
which takes place automatically on a daily basis. One of these sub
databases linked to the Main Database is also the "Database
Data E-mail ». Due to a technical error in the computer systems
of the Company, a double registration of the electronic address was created
of the complainant in the E-mail Database. This technique
double entry error was detected and corrected immediately in order to
not repeated in the future. However, the duplicate address log file
e-mail of the complainant remained at the Base
E-mail data, with the result while the first registration file was deleted
normally, the second file remained in the E-mail Database. Thus, when the
Complainants requested deletion from the E-mail Database, making
using the delete / unsubscribe link, the request was recorded
successfully in the Master Data Sheet, but the synchronization process failed
replace / delete the duplicate entry of the email address
of the complainant in the E-mail Database. Therefore, he
is the reason why the complainant continued to receive emails about
jobs offered by the Company.
Subsequently, the Authority sent a prototype number G / EX / 931 / 05-02-2020 with
which requested the following clarifications: For how long did it exist in
systems the technical error by duplicating the email address
mail and how was it located? How many emails have been entered in
systems during this time? How many requests to delete e-mails
were visitors received during this time? There have been relative complaints from
recipients of emails?
CAREER answered with no. prot. G / EIS / 1765 / 06-03-2020 document at
which clarifies the following: The technical error occurred 6 months before…,
ie during the period between…. The technical error was detected through
investigation carried out due to the complaint forwarded by
Principle. A total of 26,969 e-mails have been entered on the Greek website (Kariera.gr)
during the existence of the technical error. 76 applications were submitted
3deletion of e-mail visitors of the website www.kariera.gr during the period
this. 5 requests for "Customer Service" were also received during
period of existence of the technical problem, on the grounds that the user does not
can be successfully unsubscribed.
Following the above, the Authority proceeded to call the company for
section meeting on 11-11-2020, with reference number C / EX / 6076-1 / 30-10-2020
her document. The company attended the meeting through its legal representative
Theofilos Vassiliadis and through the lawyer of Panagiotis Kontogeorgakopoulos
(…). He also attended the first company. After receiving the deadline, the company submitted
Memorandum No. G / EIS / 7991 / 20-11-2020, which refers to the
previous documents and further clarifies that the response to his request
subject and its satisfaction are two different stages of it
process of deleting his personal data, and that its response
The company was in the middle, but due to a technical problem, no description was given.
The company has as its permanent policy and makes every reasonable effort
in order to complete that deletion process within one (1)
month from the submission of the respective deletion request, paying each
possible effort to respond to the needs of the subjects and to
do not use the possibility of extending the response time by two (2)
further months, provided in accordance with the Regulation under certain conditions.
Also, when the technical problem was resolved, the complainant's details but
and all other data subjects experienced similar
problem, including the five subjects who had done the
requests-complaints, were successfully deleted from its information systems
company. In the context of continuous improvement and the company's commitment to
the proper management of personal data, the company continues to
develops new systems, which in the near future the company will be able to
proceeds to delete and generally manage them with greater immediacy and
convenience.The aim of the company is, from the moment of confirmation of the request
the simplification of the internal deletion procedure
so that the response time is significantly reduced.
4 The Authority, after examining the data in the file, after hearing him
rapporteur and clarifications from the assistant rapporteur, who attended without
and withdrew after the discussion of the case and before
the conference and decision-making, after a thorough discussion,
THOUGHT ACCORDING TO THE LAW
1. From the provisions of articles 51 and 55 of the General Protection Regulation
Data (Regulation (EU) 2016/679 - hereinafter GCC) and Article 9 of the Law
4624/2019 (Government Gazette AD 137) it appears that the Authority has the competence to supervise the
implementation of the provisions of the GCC, this law and other regulations that
concern the protection of the individual from the processing of personal data.
2. According to article 4 lit. 7 of the GCC, which is implemented by
on 25 May 2018, the person in charge of processing is defined as “the natural or legal
person, public authority, service or other body which, alone or jointly with
others, determine the purposes and manner of data processing
of a personal nature ".
3. The issue of making unsolicited communications with
any means of electronic communication, without human intervention, for
for the purpose of direct marketing of products or services and for each
for advertising purposes, is regulated by Article 11tun.3471 / 2006for
protection of personal data in the field of electronic communications, o
which incorporated Directive 2002/58 / EC into national law. According
this article, such communication is allowed only if the subscriber
expressly agreed in advance. Exceptionally, according to article 11 par.
3 of Law 3471/2006, the contact details of the e-mail that
acquired legally, in the context of the sale of goods or services or otherwise
transaction, can be used for direct promotion
similar products or services of the supplier or for service
similar purposes, even when the recipient of the message has not given out
with his prior consent, provided that he is provided with
5 way clear and distinct the ability to oppose, in an easy way and
for free, in the collection and use of his electronic data and that
when collecting contact information, as well as in each message, in case
that the user did not initially disagree with this use.
4. According to article 17 par. 1 of the GCP, “The data subject
has the right to request the deletion from the controller
personal data relating to it without justification
delay and the controller is required to delete data
without undue delay, if one of the
the following reasons: (…) (c) the data subject objects to
processing in accordance with Article 21 (1) and are not mandatory
and legitimate reasons for processing or the data subject object
processing in accordance with Article 21 (2) ". Further, in the article
21 par. 2 of the GCP stipulates that “If personal data
processed for the purpose of direct marketing, the
data subject is entitled to object at any time to
processing of personal data concerning it for the en
due to marketing, including profiling, if relevant
with this direct marketing promotion. "
5. Article 25 of the GCC stipulates that “Taking into account the latter
developments, application costs and nature, scope, context and
processing purposes, as well as the risks of different probability
and the seriousness of the rights and freedoms of natural persons
persons from the processing, the controller applies
effectively, both at the time of determining the processing media and
and at the time of processing, appropriate technical and organizational measures, such as
the pseudonym, designed to apply the principles of protection of
data, such as data minimization, and their integration
necessary guarantees in the processing in such a way that the
requirements of this Regulation and to protect their rights
data subjects. "
6. In this case, data processing was performed
6 personal character of the complainant for the purpose of promoting products and
services by the company CAREER, which is the person in charge of processing. THE
legality of the original collection is not judged by the present, as the
complainant admits that he had provided his information to the company.
7. The complainant, as appears from the original complaint, expressed
objection to sending messages for product promotion purposes. THE
The controller had to have the appropriate procedures in place to
respond. The controller did not act to interrupt it
sending advertising messages, as it should, as well as opposition and
deletion in case of direct marketing must be done
respected. This happened only after the intervention of the Authority. Therefore, from
An initial complaint is an infringement of Article 17 in conjunction with Article
21 par. 2 of the GKPD.
8. Only after the complaint was forwarded by the Authority to the company were they made
appropriate actions to investigate the reason for their deletion
of the complainant had not been made, and during this investigation
it was found what the technical error was. From the data below
requested Authority and following the investigation of the controller emerged
that there were another 78 cases of failure to satisfy the right
deletion of subjects as well as 5 requests-protests for this issue, the
which the controller had not identified through the procedures
nor did the technical error. It is therefore established that the company
did not have in practice the necessary procedures to ensure the
delete the data in order to meet the requirements of the GCP and to
the rights of data subjects are protected. Therefore,
there is a violation of article 25 par. 1 of the GCP.
9. The Authority takes note that the violation is related to practice
rights of the data subject, that the technical error lasted
of one semester and had affected 79 data subjects, that there were
protests of 5 data subjects which due to wrong procedures do not
received a reply, that the controller has an online store
and uses electronic communication techniques, therefore it should have
7Take care of the correct response to requests for rights.
Further, according to publicly available data in GEMI, company against
the year 2019 had a turnover of € 4,202,734.53 and profits after taxes
€ 879,150.88. As a mitigating factor, it's the first offense for her
specific company, that after the intervention of the Authority the person in charge
took action to investigate and correct it
problem and finally, the unfavorable economic situation due to the pandemic
Covid-19.
10. In view of the above, the Authority unanimously considers that in accordance with Article 17 in
in conjunction with Article 21 para. 3 of the GCP and Article 25 para. 1 of the GCP
the conditions for enforcement against the controller are met, with
based on article 58 par. 2 i of the GCP and taking into account its criteria
article 83par.2 of the GCPD, of the administrative sanction referred to in the operative part
of the present, which is considered proportionate to the gravity of the infringement.
FOR THESE REASONS
The Authority imposes, in the "CAREER SOLE SHAREHOLDER SA
TECHNOLOGY MANAGEMENT, COMMERCIAL PROMOTION AND EXPLOITATION
SPECIAL EDITIONS "with the distinctive title" CAREER SA " the effective,
proportionate and dissuasive administrative fine appropriate to
specific case according to its more specific circumstances, amount
five thousand euros (5,000.00) euros, for the above violations
of article 17 in combination with article 21 par. 3 of the GCP and article 25
par. 1 of the GCPD.
The Deputy Chairman The Secretary
George Batzalexis Irini Papageorgopoulou
1
https://www.businessregistry.gr/publicity/show/5366801000
8
