HDPA (Greece) - 51/2021
HDPA (Greece) - 51/19-11-2021 | |
---|---|
Authority: | HDPA (Greece) |
Jurisdiction: | Greece |
Relevant Law: | Article 21 GDPR; Article 22(1) GDPR; Law 3758/2009 |
Type: | Complaint |
Outcome: | Rejected |
Started: | |
Decided: | 19.11.2021 |
Published: | 19.11.2021 |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | 51/19-11-2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Greek |
Original Source: | https://www.dpa.gr/el/enimerwtiko/prakseisArxis (in EL) |
Initial Contributor: | Anastasia Tsermenidou |
The Hellenic DPA rejected a complaint citing lack of proof for any violation of rights or automated decision-making under Article 22 GDPR, and noted that the data subject did not exercise their right to object under Article 21(1) GDPR.
English Summary
Facts
In a previous case, a data subject informed the Hellenic DPA (HDPA) that, during the period from July to September, they had been receiving frequent phone calls and nuisance from representatives of a Greek bank concerning debt from a consumer loan. The data subject filed a complaint on the grounds that this practice constitutes automated decision-making (including profiling) under Article 22 GDPR. The HDPA rejected the claim and did not apply any legal remedy, since there was no substantial documentation or essential proof that any processing activity through automated decision-making had taken place, or that the data subject's rights had been infringed.
Moreover, the HDPA stated that the data subject could exercise his rights through the right to object under Article 21(1) GDPR, which should be addressed to the controller first (the Greek bank in this case). The HDPA indicated that there is a specific legal framework for properly informing bank clients and debtors, which is defined by national law 3758/2009.
Holding
According to the applicant, this practice constitutes automated decision-making (including profiling) under Article 22 of the GDPR. The HDPA carefully examined the data subject's complaints and rejected and filed the legal remedy, since it lacked substantial documentation. There was no proof of any processing activity based on automated decision-making (including profiling), nor of a breach of the data subject's rights. Moreover, the HDPA stated that the data subject could exercise his rights through the right to object, which should be addressed to the controller first (in this case, the Greek bank as controller), according to Articles 21 and 22 of the GDPR. The HDPA indicated that there is a specific legal framework for properly informing bank clients and debtors, which is defined by national law 3758/2009. The data subject submitted a complaint about the same case, but the HDPA rejected and filed the complaint again, since there was no new evidence.
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.