HDPA (Greece) - 52/2021
HDPA (Greece) - 52/2021 | |
---|---|
Authority: | HDPA (Greece) |
Jurisdiction: | Greece |
Relevant Law: | Article 28(3) GDPR Article 32(2) GDPR Article 32(4) GDPR N. 3471/2006 |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 23.06.2021 |
Published: | 08.12.2021 |
Fine: | 30,000 EUR |
Parties: | ZENITH One Way Private Company |
National Case Number/Name: | 52/2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Greek |
Original Source: | Hellenic Data Protection Authority (in EL) |
Initial Contributor: | Eleni Papadopoulou |
The Hellenic DPA also fined a processor €30,000 for failing to grant an appropriate level of security of personal data under Article 32(2), Article 32(4) GDPR and Article 28(3) GDPR, and issued a reprimand against the controller for a breach of Article 28(3) GDPR.
English Summary
Facts
Seventeen individuals submitted complaints before the Hellenic DPA (HDPA) against a gas supplier company ZENITH (controller) for unlawful processing of personal data for purely marketing purposes. Zenith signed a contract with One Way Private Company (processor) which undertook the processing of the controller's customers' personal data for marketing purposes. The processor used an automated mechanism randomly selecting telephone numbers from a list of customer contact details in order to contact individuals for marketing purposes. Some customers had previously clearly waived their consent for the controller to have their contact details. The telephone numbers of these individuals were supposed to be precluded from this list. However, due to a mistake by one of the processor's employees, many of these customers were not left out from that list and consequently received calls from the processor for marketing purposes.
Holding
After reviewing the facts of the case, the HDPA first stated that the telephone number of an individual constitutes "personal data" under Article 4(1) GDPR because it makes a person identifiable. Moreover, the HDPA held that ZENITH, who transferred the contact details of its customers to the processor based on a contract signed between them in order for the latter to conduct calls for marketing purposes, must be considered as a "controller" under Article 24 GDPR and the latter company as a "processor" under Article 28 GDPR.
Furthermore, the HDPA stated that both the controller and the processor companies were in breach of GDPR provisions. Specifically, the processor failed to implement appropriate technical and organisational measures for ensuring an appropriate level of security under Article 32(2) GDPR since it was their employee who made the relevant mistake. On the other hand, the controller was responsible for offering the appropriate tools and guidelines in order to prevent unlawful calls from being conducted and for supervising the processor's methods. Lastly, the HDPA states that it was the controller's duty to act upon the individuals' complaints. However, according to the HDPA, instead of addressing the problem and offering specific guidelines to the processor, the controller only provided them with general and inadequate guidelines.
Therefor, the HDPA fined the processor €30,000 under Article 58(2) GDPR and Article 83(4) GDPR for the breach of Article 32(2), Article 32(4) GDPR and Article 28(3) GDPR. As for the controller, the HDPA issued a reprimand under Article 58(2) GDPR for the breach of Article 28(3) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Category Decision Date 08/12/2021 Transaction number 52 Thematic unit 09. Promotion of products and services Applicable provisions Article 28: Perform the processing (arrangements) Article 32: Processing security Article 11.1: Unsolicited electronic communication Summary The Authority received 17 complaints regarding illegal telephone calls aimed at promoting products or services of the company ZENITH - Gas Supply Company of Thessaloniki, Thessaly SA. For this specific processing ZENITH has the position of controller, and One Way Private Company has the position of executor. The examination of the case revealed that due to an error in the implementation of the processor, telephone calls were made to subscribers who had been registered in register 11, in violation of article 11 of Law 3471/2006. The Authority imposed on the processing One Way Private Company a fine of 30,000 euros for violation of article 32 par. 2 and 4 of the GCP in combination with article 28 par. 3, c. He also imposed on the person in charge of processing ZENITH, the sanction of the reprimand for violation of article 28 par. 3 case c of GKPD. PDF Decision 52_2021anonym.pdf272.69 KB Category Decision Date 08/12/2021 Transaction number 52 Thematic unit 09. Promotion of products and services Applicable provisions Article 28: Perform the processing (arrangements) Article 32: Processing security Article 11.1: Unsolicited electronic communication Summary The Authority received 17 complaints regarding illegal telephone calls aimed at promoting products or services of the company ZENITH - Gas Supply Company of Thessaloniki, Thessaly SA. For this specific processing ZENITH has the position of controller, and One Way Private Company has the position of executor. The examination of the case revealed that due to an error in the implementation of the processor, telephone calls were made to subscribers who had been registered in register 11, in violation of article 11 of Law 3471/2006. The Authority imposed on the processing One Way Private Company a fine of 30,000 euros for violation of article 32 par. 2 and 4 of the GCP in combination with article 28 par. 3, c. He also imposed on the person in charge of processing ZENITH, the sanction of the reprimand for violation of article 28 par. 3 case c of GKPD. PDF Decision 52_2021anonym.pdf272.69 KB