HDPA (Greece) - 52/2021
HDPA (Greece) - 52/2021 | |
---|---|
Authority: | HDPA (Greece) |
Jurisdiction: | Greece |
Relevant Law: | Article 4(7) GDPR, Article 4(8) GDPR, Article 28(1) GDPR, Article 28(3) GDPR, Article 32 GDPR, Article 58(2) GDPR, Article 83 GDPR, Guidelines 07/2020 EDPB, N. 3471/2006 |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 23.06.2021 |
Published: | 08.12.2021 |
Fine: | 30.000 EUR |
Parties: | n/a |
National Case Number/Name: | 52/2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Greek |
Original Source: | Hellenic Data Protection Authority (in EL) |
Initial Contributor: | Eleni Papadopoulou |
The Hellenic DPA fined a processor company 30.000€ and issued a reprimand to a controller company for failing to ensure an appropriate level of security of personal data in a procedure under article 32(2) GDPR.
English Summary
Facts
Seventeen individuals submitted complaints to the HDPA against a gas supplier company (controller) for unlawful processing of personal data for purely marketing purposes. The gas supplier company (controller) had signed a contract with another company (processor), which undertook the processing of personal data of the controller's customers for marketing purposes. The processor used an automated mechanism that randomly selected telephone numbers from a list of customers' contact details in order to contact individuals for marketing purposes. Excluded from that list were the telephone numbers of individuals who had clearly withheld their consent to the controller company having their contact details. However, due to a mistake made by one of the processor's employees, many individuals who had objected to having their personal data processed by the controller were not left out of that list and consequently received marketing calls from the processor.
Holding
After reviewing the facts of the case, the HDPA first stated that the telephone number of an individual constitutes "personal data" under 4(1) GDPR, since it makes a person identifiable. Moreover, the HDPA held that a gas supplier company that transferred the contact details of its customers to another company, based on a contract signed between them, in order for the latter to make calls for marketing purposes, must be considered a "controller" under 24 GDPR and the latter company a "processor" under 28 GDPR.
Furthermore, the HDPA stated that both the controller and the processor companies were in breach of the GDPR provisions. Specifically, the processor failed to implement appropriate technical and organisational measures for ensuring the appropriate level of security under 32 GDPR, and it was its employee who made the relevant mistake. The controller, on the other hand, was responsible for offering the appropriate tools and guidelines to prevent unlawful calls from being made and for supervising the processor's methods. Lastly, it was the controller's duty to act upon the individuals' complaints. However, the controller did not meet this last condition: instead of addressing the problem and offering specific guidelines to the processor, it provided the latter only with general and inadequate guidelines.
On that basis, the HDPA assessed that the processor must be fined 30.000€ under 58(2) and 83(4) GDPR for the breach of 32(2) and (4) and 28(3) GDPR. As for the controller, the HDPA issued reprimands under 58(2) GDPR for the breach of 28(3) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Category: Decision
Date: 08/12/2021
Transaction number: 52
Thematic unit: 09. Promotion of products and services
Applicable provisions: Article 28: Perform the processing (arrangements); Article 32: Processing security; Article 11.1: Unsolicited electronic communication
Summary: The Authority received 17 complaints regarding illegal telephone calls aimed at promoting products or services of the company ZENITH - Gas Supply Company of Thessaloniki, Thessaly SA. For this specific processing, ZENITH has the position of controller and One Way Private Company has the position of processor. The examination of the case revealed that, due to an error in the processor's implementation, telephone calls were made to subscribers who had been registered in the Article 11 register, in violation of article 11 of Law 3471/2006. The Authority imposed on the processor One Way Private Company a fine of 30,000 euros for violation of article 32 par. 2 and 4 of the GDPR in combination with article 28 par. 3 case c. It also imposed on the controller ZENITH the sanction of a reprimand for violation of article 28 par. 3 case c of the GDPR.
PDF: Decision 52_2021anonym.pdf (272.69 KB)