HDPA (Greece) - 13/2021
From GDPRhub
| HDPA (Greece) - 13/2021 | |
|---|---|
 | |
| Authority: | HDPA (Greece) |
| Jurisdiction: | Greece |
| Relevant Law: | Article 12(3) GDPR Article 17 GDPR Article 21 GDPR Article 25(1) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 17.02.2021 |
| Published: | 07.04.2021 |
| Fine: | 20000 EUR |
| Parties: | n/a |
| National Case Number/Name: | 13/2021 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Greek Greek |
| Original Source: | HDPA full text (in EL) HDPA summary (in EL) |
| Initial Contributor: | Adrian |
The HDPA fined a sports clothing company €20,000 for repeatedly failing to comply with a data subject's data erasure requests, and for sending them marketing material despite their requests.
English Summary
Facts
The HDPA imposed a €20,000 fine to a sports clothing company for failing to uphold a data subject's data erasure rights. Initially, the company ignored the subject's request. After an initial intervention by the HDPA, the company reassured that the subject's contact information were deleted, but then kept sending marketing communications. The data subject had to complain for a second time, leading to this new decision and fine which was deemed necessary and proportionate.
Holding
The HDPA held that for its first intervention, even though the data controller informed the HDPA that it took corrective measures (deletion of contact information), the controller didn't inform the data subject about this, thus being in violation of article 17 in combination with 21.2 and 12.3.
Furthermore, the controller's communications included a method to opt out (a link to opt out in each SMS message sent) which the data subject didn't use. Instead, the data subject contacted the controller's customer support in order to express their request for deletion, which the controller argued was not sufficient due to the existence of the opt-out link. The HDPA held that the data subject's rights should have been respected regardless of how they were communicated to the controller.
More importantly though, even after the first intervention of the HDPA, the controller has continued sending marketing communications to the data subject despite its assurances that the data has been deleted, thus indicating that the controller didn't act as legally required in response to the data subject's request and as instructed by the HDPA during the first intervention. The HDPA viewed this as an aggravating circumstance, thus justifying its unusually high fine as proper and proportionate for the situation.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Athens, 07-04-2021
No. Prot.1024
DECISION 13/2021
(Department)
The Personal Data Protection Authority met at
Composition of the Department via video conference on 17-02-2021 at 10:00, after
at the invitation of its President to consider the case
refers to the history hereof. Presented by George Batzalexis,
Deputy Chairman, disabled by the President of the Authority Konstantinos
Menoudakou, and the alternate members Grigorios Tsolias and Evangelos
Papakonstantinou, as rapporteur, replacing the regular members
Charalambou Anthopoulos and Konstantinos Lambrinoudakis respectively, who,
although they were legally summoned in writing they did not attend due to obstruction. The regular
member Spyridon Vlachopoulos, although legally summoned in writing, did not attend
due to obstruction. The meeting was attended by George, chaired by the President
Roussopoulos, Specialist Scientist-Auditor as Assistant Rapporteur and Irini
Papageorgopoulou, employee of the Administrative Affairs Department of the Authority,
as secretary.
The Authority took into account the following:
Complaint No. G / EIS / 4863 / 10-07-2019 was submitted to the Authority
in which the complainant received a text message on 09/07/2019
character from the company «MZN HELLAS SOCIETE ANONYME COMMERCIAL
1
1-3 Kifissias Ave., 11523 Athens
T: 210 6475 600 • E: contact@dpa.gr • www.dpa.gr COMPANY "with the distinctive title" MZN HELLAS A.E. " (hereinafter referred to as "Responsible
while expressly objecting. With the complaint
Attached is a copy of the email from which
it appears that, following a dispute that arose following an order he made
to the company, had objected to receiving any information
related products and offers of the company
delete via hyperlink.
The complaining company was informed about the complaint with the no.
prot.C / EX / 4863-1 / 09-08-2019 document of the Authority with which it was requested to submit
her views on the complaint. The company responded with the prot.
Γ / ΕΙΣ / 5868 / 27-08-2019 her document, stating, among other things, that the
prior approval of the complainant, due to his previous transaction
and that messages are sent in bulk and automatically by affiliate software
company, to which they can not intervene immediately. But after investigation
the complainant's email was found. The company considers that by his negligence
employee was not currently deleted from the list and
confirms that they have deleted their mobile phone and e-mail address
of the post office and have taken the necessary steps so as not to
happen again in the future for no other customer. Finally, they report that
complainant disputes the receipt of an order and acts intentionally and fraudulently
as it had the ability to stop receiving messages through
advertising message.
Following this reply, the complainant returned to
Complaint No. G / EIS / 7689 / 07-11-2019, stating that
received, again, a message on his cell phone number for purposes
promotion of the products and services of the company MZN on 06-11-2019,
declaration of the company that was deleted from the telephone list. The Authority
sent the document number C / EX / 7689-1 / 13-12-2019 to the company,
asking for its views on the new complaint. The complained company
responded to the Authority with its document number G / EIS / 394 / 17-01-2020. In
this argues that the complaint is inadmissible, distrustful and unfounded.
2He mentions again that there was an initial approval of the complainant, who did not
used the opt-out feature from SMS, but sent
e-mail to her e-mail address
customer service. The complainant has just received a new promotional message
on 06-11-2019. It further states that it has enabled the opt-out option
later, on 11-12-2019 to be permanently deleted based on his own
actions from the company contact list. Further, the company argues
the complainant states that no objection has been raised, and
that he did not object.
In relation to the deletion that should have been done, as reported in
previous memorandum company, claims that there was a mistake / omission
of the employee operating the electronic platform, with effective
do not finally validate the deletion of the complainant number, while the error does not
was not noticed either by this employee or by the management of the company. THE
company claims that the third company that has developed and manages the
platform, which is not named, disclosed the reasons for not
deletion. The company also states that it does not provide its details
employee as there is no substantive reason, but if they are not considered valid
her explanations, will rely on and provide full evidence of this.
Following the above, the Authority proceeded to call the company for
meeting of the department on 15-07-2020, with reference number C / EX / 4491 / 29-06-2020
her document. With the call the company was informed that during its examination
The above two complaints will be discussed. The company attended
meeting through the lawyer of Aristides Karabeazis while, after receiving
deadline, submitted its memorandum number G / EIS / 5315 / 29-07-2020. In
this summarizes the following: The complainant did not appear and therefore
It is presumed that the request and the formality of his complaints are impractical. The
complaints are inadmissible for formal reasons. Specifically, wrong
the complainant states so much that he was not given the opportunity in every message
as well as any objections to the sending of messages.
the complainant provided approval for the sending of informative / promotional SMS
3 at the completion of his transaction. In any case, he had the opportunity
"Opt-out" with one click, in which case it would not be possible to re-register
inadvertence. Activate this option after his complaint (11/12/2019)
to be removed from the list.
In essence, the company claims that while their removal was requested
of the complainant, a subsequent error / omission arose
employed in the operation of the electronic platform resulting in
remain on her contact list. The mistake was not realized and
did not become known to the company until after the second complaint, while it was
the only time such a mistake happened. The company states that it requested from
partner company to provide it with any "electronic traces", but received
answer that no such data is stored on the server. The company supports
that this is an incidental matter, which is proved by the relevant
correspondence of its operator with its partner (which although it is stated that
attached (not contained in the relevant memorandum) and cites
principle of leniency. It also argues that the complainant does not claim damages
or persistent harassment considers the complainant's motives to be questioned
older transactions.
The Authority, after examining the data in the file, after hearing him
rapporteur and clarifications from the assistant rapporteur, who attended without
and withdrew after the discussion of the case and before
the conference and decision-making, after a thorough discussion,
THOUGHT ACCORDING TO THE LAW
1. From the provisions of articles 51 and 55 of the General Regulation of Protection
Data (Regulation (EU) 2016/679 - hereinafter GCC) and Article 9 of the Law
4624/2019 (Government Gazette AD 137) it appears that the Authority has the competence to supervise the
implementation of the provisions of the GCC, this law and other regulations that
concern the protection of the individual from the processing of personal data.
42. According to article 4 lit. 7 of the GCC, which is implemented by
on 25 May 2018, the controller is defined as “the natural or legal
person, public authority, service or other body which, alone or in association with
others, determine the purposes and manner of data processing
of a personal nature ".
3. The issue of making unsolicited communications with
any means of electronic communication, without human intervention, for
for the purpose of direct marketing of products or services and for each
for advertising purposes, is regulated by Article 11tun.3471 / 2006for
protection of personal data in the field of electronic communications, o
which incorporated Directive 2002/58 / EC into national law. According
this article, such communication is allowed only if the subscriber
expressly agreed in advance. Exceptionally, according to article 11 par.
3 of Law 3471/2006, the contact details of the e-mail that
acquired legally, in the context of the sale of goods or services or otherwise
transaction, can be used for direct promotion
similar products or services of the supplier or for service
similar purposes, even when the recipient of the message has not given out
with his prior consent, provided that he is provided with
in a clear and distinct way the ability to object, in an easy way and
for free, in the collection and use of his electronic data and that
during the collection of contact information, as well as in each message, in case
that the user did not initially disagree with this use.
4. According to article 17 par. 1 of the GCP, “The data subject
has the right to request the deletion from the controller
personal data relating to it without justification
delay and the controller is required to delete data
without undue delay, if one of
the following reasons: (…) (c) the data subject objects to
processing in accordance with Article 21 (1) and there are no imperatives
and legitimate reasons for processing or the data subject object
processing in accordance with Article 21 (2) ". Further, in the article
521 par. 2 of the GCP stipulates that “If personal data
processed for the purpose of direct marketing, the
data subject is entitled to object at any time to
processing of personal data concerning it for the en
due to marketing, including profiling, if relevant
with this direct marketing promotion. "
5. Article 12 par. 2 and 3 of the GCP stipulates that “2. The person in charge
facilitates the exercise of the rights of their subjects
data provided for in Articles 15 to 22. (…) "and" 3. The person responsible
processing provides the data subject with energy information
carried out on request under Articles 15 to 22 without
delay and in any case within one month of receipt of the request.
This period may be extended by a further two months, provided that
required, taking into account the complexity of the request and its
number of requests. The controller informs the subject of
data for the said extension within one month of receipt of the request,
as well as for the reasons of the delay. (…) ».
6. Article 25 of the GCC stipulates that “Taking into account the latter
developments, implementation costs and their nature, scope, context and
processing purposes, as well as the risks of different probability
and the seriousness of the rights and freedoms of natural persons
persons from the processing, the controller applies
effectively, both at the time of determining the processing media and
and at the time of processing, appropriate technical and organizational measures, such as
the pseudonym, designed to apply the principles of protection of
data, such as data minimization, and their integration
necessary guarantees in the processing in such a way that the
requirements of this Regulation and to protect their rights
data subjects. "
7. The Authority does not accept the arguments of the controller and
considers the complaint to be admissible. The complainant was not summoned, as he was not
his personal presence is necessary for the examination of the complaint.
6Furthermore, although the company rightly claims that the complainant is wrong
states that he was not given the opportunity to object to every message, the fact
that some of the complainant's allegations are not substantiated,
does not make all his allegations inadmissible. These allegations
are examined below.
8. In this case, data processing was performed
personal nature of the complainant by the controller, for
for the purpose of promoting products and services. The legality of the original collection
is not judged by the present, as the complainant accepts that it existed
previous transaction under which it had granted the
his details in the company.
9. The complainant, as appears from the original complaint, expressed
objection to sending messages for product promotion purposes and
services by email on 05/06/2019. The complainant
did not use the automated deletion feature available
built-in SMS promotions, but this does not affect that it exercised properly
the right of cancellation, addressed to the customer service of the company.
And this if we take into account that the GCP does not set a requirement for a specific way
but states that the controller must
facilitates the exercise of the rights of data subjects. The
The complainant's request was clearly worded, with specific reference to the GIP,
therefore there is no doubt that the controller should have
the appropriate procedures to meet, regardless of other differences
with the complainant. The controller did not act to interrupt
sending advertising messages, as it should, as well as opposition and
deletion in case of direct marketing must be done
respected. This happened only after the first intervention of the Authority. In fact, and
in this case, the person responsible replied to the Authority, without informing him
complainant. The initial complaint therefore results in a breach
Article 17 in conjunction with Article 21 (2) and Article 12 (3) of the GCC.
10. In his first memorandum, the controller assured
Principle that he has deleted his mobile phone and email address
7 of the complainant's correspondence and that they have taken all the necessary steps
actions to prevent it from happening again in the future for any other customer. Of the
It turns out that the above statement was not accurate. Even if
accept the company's argument of individual wrongdoing, the
but which is not based on electronic or other data which can not
disputed, except in written statements of the officials involved,
it appears that the controller did not take action to not
a similar incident happens to another customer in the future. Therefore, with
Sending the second message on 6/11/2019, it is found that the company does not
had in practice the necessary procedures to ensure deletion
data so that the requirements of the GCP are met and protected
the rights of data subjects. There is therefore an infringement
of article 25 par. 1 of the GCP. It is pointed out that based on the principle of accountability
(article 5 par. 2 GCP) the controller is responsible and is responsible
to demonstrate its compliance with the basic principles of legal processing. To
Note that the argument about not using the built-in SMS
deletion operation and its use after 6/11/2019 and specifically on
11/12/2019, not accepted. The complainant, as explained, was not
obliged to exercise his right in this way, while no
it turns out that he was the one who triggered the deletion process as well
at this time the details of the complaint were known and so on
persons (eg in the Authority).
11. The Authority takes note that the controller does not
submitted evidence of deletion procedures, that the breach
related to the exercise of rights of the data subject, that the company
stated to the Authority that it had taken the appropriate measures and in fact for all of them
its clients, while in practice this had not been the case with regard to the complainant,
that the controller has an online store and uses
electronic communication techniques, therefore he should have taken care of
proper response to requests for rights. Further, according to
8 publicly available data in GEMI, the company in the year 2019 had a cycle
works € 1,343,513.99 and profits after taxes € 50,151.92. As relievers
takes into account that if there was a nuisance there was no financial loss to the subject
of data from the dissatisfaction of the right, that it is the first
infringement for the specific company and finally, the unfavorable financial
circumstance due to the Covid-19 pandemic.
12. In view of the above, the Authority unanimously considers that in accordance with Article 1 7 in
in conjunction with Article 21 (3) and Article 12 (3) of the GIPA and Article 25
par. 1 of the GCP meet the conditions of enforcement against the person in charge
processing, based on article 58 par. 2 i of the GCP and taking into account the
criteria of article 83 par. 2 of the GCP, of the administrative sanction mentioned
in the operative part of the present, which is deemed proportional to its weight
infringement.
FOR THOSE REASONS
The Authority imposes, on "MZN HELLAS SOCIETE ANONYME ATHLETIC COMMERCIAL COMPANY"
with the distinctive title "MZN HELLAS A.E." the effective, proportional and
a deterrent administrative fine appropriate to that
case according to its more specific circumstances, amounting to twenty thousand
(20,000.00) euros, for the above violations of Article 17
in combination with article 21par.3 and article 12par.3 of GKPD and article
25 par. 1 of the GKPD.
The Deputy Chairman The Secretary
George Batzalexis Irini Papageorgopoulou
1
https://www.businessregistry.gr/publicity/show/9178201000
9
