HDPA (Greece) - 20/2023
HDPA - 20/29-05-2023 | |
---|---|
Authority: | HDPA (Greece) |
Jurisdiction: | Greece |
Relevant Law: | Article 12(2) GDPR Article 12(3) GDPR Article 12(4) GDPR Article 15 GDPR Article 21 GDPR Article 25(1) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 14.06.2022 |
Decided: | 29.05.2023 |
Published: | 29.05.2023 |
Fine: | 150.000 EUR |
Parties: | n/a |
National Case Number/Name: | 20/29-05-2023 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Greek |
Original Source: | HDPA (in EL) |
Initial Contributor: | eirini.saranti |
The HDPA issued a compliance order and imposed a fine on a telecommunications provider for the violation of the rights of access and objection.
English Summary
Facts
The data subject was a client of a telecommunications services provider, the controller. Although they had expressly objected the receipt of advertising messages through the Register provided for in Article 11 Law 3471/2004, the controller continued to send them promotional electronic messages.
The data subject submitted an access request, but the controller argued that it would be necessary for them to go to a store or send a registered letter in order to have their identity verified.
The data subject then filed a complaint with the Hellenic DPA, claiming that the controller violated their data protection rights. In defense, the controller argued that there was a specific procedure described in its privacy policy for data subjects to request access to their data and this procedure had not been followed.
Holding
The Hellenic DPA acknowledged the fact that the data subject did not follow the procedure established by the controller, but stated that this was not a legitimate reason to not comply with the access request. The DPA also found that the controller made it difficult for the data subject to exercise their rights by requesting their physical presence in the store or the sending of a registered letter. Finally, the DPA held that the controller did not implement appropriate measures to enable the exercise of the right to object the processing of personal data for promotional purposes, failing to comply with the requirements of the GDPR.
As such, the DPA ordered the controller to comply with the access raccess and issued a fine of:
a) €60,000 for the violation of Article 21 (3) GDPR as the controller sent five promotional messages after the data subject had expressly objected the processing of their data for this purpose;
b) €60,000 because the telecommunications provider didn't respond to the complainant's right of access and made it difficult for him to exercise it and
c) €30,000 for violation of Article 25 (1) GDPR because the telecommunications provider did not in practice have the necessary procedures for the complainant to exercise the right to object and for them to stop the processing of the personal data for promotional purposes.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Summary The Authority examined complaints from a subscriber of WIND, now NOVA, in which he complained about repeated receipt of e-mails for promotional purposes despite his opposition and repeated protests, as well as non-satisfaction of requests to exercise the right of access. The Authority imposed a fine a) 60,000 euros for violation of Article 21 (3) GDPR due to the sending of five promotional messages despite the opposition and the removal of the complainant's telephone number from the Register of Article 11 Law 3471/2004 for a period of three months without to have requested it himself, b) 60,000 euros for failure to satisfy the right of access, failure to provide an answer, even if negative, and making it difficult to exercise the right of access, pretextually citing the inability to correctly identify the complainant in other ways than physical presence in the store or through by registered letter in violation of article 15 (1) cond. 12 par. 2, 3 and 4 GDPR and c) 30,000 euros for violation of Article 25 (1) GDPR because it did not in practice have the necessary procedures to ensure the right to object and stop the processing of the data for the promotional purpose.