HDPA (Greece) - 25/2022
HDPA - 25/2022 | |
---|---|
Authority: | HDPA (Greece) |
Jurisdiction: | Greece |
Relevant Law: | Article 5(1)(a) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 15.06.2022 |
Decided: | |
Published: | 19.07.2022 |
Fine: | 20,000 EUR |
Parties: | doValue Greece |
National Case Number/Name: | 25/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Greek |
Original Source: | dpa.gr (in EL) |
Initial Contributor: | n/a |
The Greek DPA fined a credit claim management company €20,000 for failing to prove the lawfulness of processing according to Article 6(1)(b) GDPR and for violating Article 12(2) GDPR by creating undue barriers to the exercise of the data subject rights.
English Summary
Facts
A loan and credit management Company (controller) was repeatedly contacting a data subject by telephone-call regarding the repayment of their alleged debt. The data subject had already declared personal bankruptcy according to Article 8(2) Law Nr. 3869/2010 and the insolvency court had granted a discharge of the debt in question. After that, the attorney of the data subject filed an objection to the processing of their data according to Article 21 GDPR. The data subject requested the controller to cease contacting them regarding the alleged debt and to erase their personal data according to Article 17 GDPR. The controller refused to respond to the request claiming that the data subject could not be identified with certainty, due to the data subject's ID number stated on the power of attorney not matching the one kept in the controller's record. The controller claimed that the data subject should first update their personal identification information by visiting a branch office in person. Consequently, the data subject lodged a complaint with the DPA regarding the processing of their data. The controller stated before the DPA that the data processing was lawful according to Article 6(1)(b) GDPR, since the data subject was still obliged to repay the debt on a legal basis not covered by precedent created from the insolvency court's decision. Regarding the data subject's requests, the controller argued that the data subject acted in bad faith by refusing to update their identification information.
Holding
The DPA held that the controller processed personal data in absence of a valid contractual relationship with the data subject. In particular, the controller had full access to all crucial information (especially the decision of the insolvency court and records kept in public registries) proving that the data subject was not obliged to repay the debt in question. The controller failed to prove the lawfulness of the processing in violation of its accountability obligation. For this reason, DPA imposed a €10,000 fine for the violation Articles 5(1)(a), 5(2), and 6 GDPR. The DPA also held that the controller created undue barriers to the exercise of the data subject’s rights by demanding the update of the identification information. The controller had at its disposal a variety of personal identification information such as VAT number, date of birth, and father's name. The identification of the data subject was possible even without the ID number. For this reason, the DPA fined the controller €10,000 for violating Article 12(2) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.