HDPA (Greece) - 1/2023

From GDPRhub
Revision as of 23:49, 27 February 2023 by Lr (talk | contribs) (Substantial changed to content and structure)
HDPA - 1/2023
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 17 GDPR
Article 21(1) GDPR
Article 21(2) GDPR
Article 51 GDPR
Article 55 GDPR
Article 56(2) GDPR
Type: Complaint
Outcome: Other Outcome
Started: 09.01.2033
Decided: 11.01.2023
Published: 12.02.2023
Fine: n/a
Parties: n/a
National Case Number/Name: 1/2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: Anastasia Tsermenidou

After Google failed to respond to a right to erasure request made by a Greek data subject, the Greek DPA held that it is competent to examine the complaint in accordance with Article 56(2) GDPR, as the processing only concerns a Greek data subject, and is conducted Google LLC, based in the US. As a result, the section of the DPA referred the case in its entirely to the plenary of the DPA.

English Summary

Facts

The complainant, a Greek data subject, submitted an erasure request to Google, the controller, seeking the removal of various search results on the website which include links to third party website containing information related to the data subject's status, and personal and professional reputation. After receiving no response to their request, the data subject lodged a complaint against Google Ireland Limited, for failure to satisfy their right to erasure.

Responding to the complaint, Google asserted that it had balanced the relevant rights and interests, including the relevance to the complainant's professional life, and decided not to cut the content. Furthermore, the content of the links are accurate, as the complainant has not proven they are inaccurate; up to date, as the professional activity in question is still carried out today. Therefore, the public has a legitimate interest in accessing the information.

Holding

After considering the submissions of both parties and reviewing the evidence, the section of the Greek DPA tasked with investigating the complaint issued its decision.

Firstly, the decision acknowledged that, in accordance with Article 51 and 55 GDPR, this authority is competent to supervise the application of the GDPR to this case. This is because, while Google Ireland Limited is the company's main establishment in the EU for user data collected and processed when users interact with Google services, the processing of erasure requests is conducted by Google LLC, based in the US. This has been confirmed, by Google LLC, in communications with the EDPC. Therefore, while in cases concerning other personal data processing the Irish DPA (DPC) is the competent supervisory authority, that is not the case in this context. Article 56(2) of the GPDR states that "by way of derogation from paragraph 1, each supervisory authority shall be competent to examine a complaint lodged or to deal with a possible infringement of this Regulation if the subject matter concerns only an establishment in the Member State concerned or substantially affects data subjects only in the Member state concerned". As a result, given that the processing is undertaken by Google LLC, and concerns only a Greek data subject, the Greek DPA is competent to investigate the complaint. Furthermore, in a previous similar case the Greek DPA informed the Irish DPA that they intend to proceed with an examination of the complaint, and received a reply from the confirming the Greek DPA is competent.

The DPA also observed that, due to a range of factors, this case of of particular importance and general importance, and referred the case in its entirety to the plenary of the authority for determination, pursuant to Article 1(b) of the Authority's Rules of Procedure.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

We use cookies that are necessary to maintain your connection to the online services of the Authority's Internet Portal (PO) and to store your choices in relation to optional cookies ("Necessary").
Only with your consent will we use any of the following optional cookies you choose ("Analysis", "LinkedIn", "Twitter"). You can see information about each category of cookies by hovering over each option.