HDPA (Greece) - 30/2023

From GDPRhub
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(e) GDPR; Article 25(1) GDPR; Article 35(1) GDPR
Type: Other
Outcome: n/a
Started: 18.11.2019
Decided: 13.06.2023
Published: 25.09.2023
Fine: 50000 EUR
Parties: Athens Urban Transport Organization (OASA)
National Case Number/Name: 30/2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: Evangelia Tsimpida

The Greek DPA imposed a fine, a reprimand and a compliance order on the Athens Urban Transport Organization (OASA) for violations of Articles 5(1)(e), 25(1) and 35(1) GDPR concerning the processing of personal data in the context of electronic ticketing.

English Summary

Facts

On 18/11/2019, the Authority carried out an on-site inspection at the Athens Public Transport Authority (OASA) S.A., the data controller, regarding the protection of personal data in the context of e-ticketing. The Authority had issued two opinions in 2017 on the processing of personal data in the context of an electronic system for travel by public transport. In those opinions it considered that OASA, as controller, should carry out a data protection impact assessment (DPIA) and also make certain amendments so that the processing would comply with the GDPR, because in the electronic ticketing system the "digital fingerprint" (a "hashed value") derived from the combination of the passenger's AMKA (or passport number or other official identification document) and an 8-digit code (PIN), together with the month and year of birth and the special beneficiary category, is stored in the controller's database. In November 2019, the Authority carried out an audit to determine compliance with the Regulation and a report of findings was submitted. In March 2020, OASA submitted a memorandum including the new DPIA, the new OASA record of processing activities and a technical report by the contractor "HELLAS SMARTICKET S.A.", prepared in response to the Authority's observations. After requesting additional information from OASA, the Authority issued a decision and imposed a fine.

Holding

The DPA, following an audit at the Athens Urban Transport Authority (OASA) S.A., the data controller, found the unauthorised preparation of the data protection impact assessment (DPIA), unclear content of the DPIA as regards the risks to the protection of personal data, a 20-year retention period for personal data and a lack of description of the purposes in the record of processing activities. Taking into account these facts, as well as a memorandum submitted by the controller, the DPA (a) imposed a fine of a total of EUR 50,000 on the 'Organisation of Urban Transport S.A.' for breach of Article 5(1)(e) GDPR; (b) issued a reprimand to the same controller for breach of Article 25(1) and Article 35(1) GDPR; (c) issued a compliance order to identify and document, within one (1) month, all data retention periods for the various processing purposes; and (d) issued a compliance order to revise the DPIA within three (3) months, because the updated version still contains ambiguities in the risk assessment.

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Summary
The Authority carried out an extraordinary on-site inspection at the Athens Urban Transport Organization (OASA) regarding the protection of personal data processed in the framework of the Automatic Fare Collection System (ASSC), a system also referred to as the "electronic ticket".

Based on the findings, the Authority (a) imposed a fine of a total of EUR 50,000 on OASA for the violation of Article 5(1)(e) GDPR; (b) reprimanded OASA for the violations of Article 25(1) and Article 35(1) GDPR; and (c) issued a compliance order to OASA to determine the data retention periods for the various processing purposes and to review the data protection impact assessment.