HDPA (Greece) - 7/2023

From GDPRhub
Revision as of 10:04, 19 April 2023 by Anastasia.tsermenidou
HDPA - 7/2023
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(b) GDPR
Article 5(1)(a) GDPR
Article 6(1)(a) GDPR
Article 6(4) GDPR
Article 13 GDPR
Article 33 GDPR
Article 34 GDPR
Type: Complaint
Outcome: Upheld
Started: 25.01.2023
Decided: 20.02.2023
Published: 30.03.2023
Fine: 40.000 EUR
Parties: Vodafone
Citizen
National Case Number/Name: 7/2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: Anastasia Tsermenidou

The HDPA imposed a fine of EUR 40.000 on a telecom service provider for failing to notify a personal data breach.

English Summary

Facts

The complainant took action against Vodafone, complaining of a failure to grant her right of access to recorded conversations, as well as of a data breach. In particular, following a request by the complainant for access to her recorded telephone conversations with representatives of the company, made in the context of a challenge to the subscription plan sold to her by telephone, the company sent to the complainant's home address an envelope containing a CD with recorded conversations of a third party with the company, not the complainant's own conversations. The recording included a lot of personal data of the third person in question. The complainant telephoned the company about the incorrect shipment as soon as she had listened to the CD, seeking the latter's assurance that her own personal data had not been sent to another customer. However, although Vodafone was immediately notified by the complainant, it did not take any action to investigate in order to confirm or deny the incident, but was initially satisfied with the response of the processor that it had not traced the complainant to the telephone, and then invited her in writing, through the Consumer Advocate, to return the CD, thus shifting the responsibility for investigating the possible incident to the data subject.

Holding

Vodafone was ordered to satisfy the claim by sending the correct file and fined EUR 40,000 for breach of the complainant's right of access under Article 15 of the GDPR and the obligation to disclose the incident under Article 33 of the GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
