HDPA (Greece) - 25/2023
HDPA - 1510/12-06-2023 | |
---|---|
Authority: | HDPA (Greece) |
Jurisdiction: | Greece |
Relevant Law: | Article 5(1) GDPR Article 5(2) GDPR Article 15 GDPR Article 25(1) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 13.12.2022 |
Decided: | 12.06.2023 |
Published: | 27.07.2023 |
Fine: | 100.000 EUR |
Parties: | n/a |
National Case Number/Name: | 1510/12-06-2023 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Greek |
Original Source: | HDPA (in EL) |
Initial Contributor: | ANASTASIA TSERMENIDOU |
The Greek DPA issued a fine of 100 000 EUR to a bank for unlawful processing of personal data and breach of right of access.
English Summary
Facts
A bank (Piraeus Bank S.A.) sent the somplainant a letter were they informed the complainant that the bank has entrusted the management of the banks claims arising from loans and/or credits to the loan and credit management company (AFS). The letter stated that the complainant was a a party to a claim transmitted to the AFS and that their personal data has been transferred to the AFs for the purposes of managing its claims under the complainant's contract(s).
At the time of the assignment of the aforementioned claims management, AFS was part of the bank's group and, in particular, was a wholly owned subsidiary of the bank.
The complainant argued that the bank had transmitted their personal data to a loan and credit management company (AFS) without any legal basis, since there was no claims anymore against the complainant by the bank arising from loans or credits. Furthermore, the complainant argued that the bank did not provide him with a sufficient reply to his access request under Article 15 GDPR.
On the basis of the information available to date, no transfer of the data of the above-mentioned persons to the Loan and Credit Claims Management Company has occurred (the Bank proceeded, in accordance with the provisions of Law 4354/2015 as in force, an agreement to entrust the management of its receivables from loans/credit to debtors whose debts had become fully or partially due and/or terminated or settled to the Loan and Credit Claims Management Company).
The HDPA stated that she expressly reserves the right to exercise its powers in this regard in the future, given that the general audit is ongoing and has not yet been completed. Finally, the HDPA has found that the complainant's right of access has not been respected.
Holding
The Greek DPA found that a bank processed the personal data of the complainant and a large number of its customers in breach of the principle of lawfulness and, moreover, without having taken appropriate and effective technical and organisational measures to process only the data necessary for a specific purpose, thus violating the principles of lawfulness of processing and data protection by design.
The HDPA held that the Bank had not taken the appropriate technical and organisational measures measures and did not have the appropriate procedures in place to ensure that the creation of the list of its customers with debts in question was drawn up in accordance with proper systemic configure. Moreover that the high degree of responsibility owns the Bank in relation to the absence of technical and organisational measures.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Summary The Authority found that the complained bank processed the personal data of the complainant and a large number of its customers in violation of the principle of legality and, moreover, without having taken appropriate and effective technical and organizational measures so that only the data that they are necessary to serve a specific purpose, thus violating the principles of legality of processing and data protection by design. With the information available to date, there has been no transmission of the data of the above persons to the Loan and Credit Receivables Management Company. The Authority expressly reserves the right to exercise its powers in relation to this particular issue in the future, given that the overall audit is ongoing and not yet complete. Finally, the Authority established the non-satisfaction of the complainant's right of access.