HDPA (Greece) - 38/2019
HDPA - 38/2019 | |
---|---|
Authority: | HDPA (Greece) |
Jurisdiction: | Greece |
Relevant Law: | Article 4(1) GDPR |
Type: | n/a |
Outcome: | Violation |
Decided: | 18.10.2019 |
Published: | n/a |
Fine: | 20,000 EUR |
Parties: | Wind Hellas and ΠΛΕΓΜΑ ΝΕΤ |
National Case Number: | 38/2019 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language: |
Greek |
Original Source: | HDPA (GR) |
The HDPA imposed a fine of € 20.000 and a reprimand to the telecommunication company Wind Hellas and ΠΛΕΓΜΑ ΝΕΤ for violation of the GDPR and the national data protection law and privacy in the telecommunication sector.
English Summary
Facts
The HDPA examined six complaints against the telecommunication company Wind Hellas (hereafter "Wind") and ΠΛΕΓΜΑ ΝΕΤ for unsolicited calls with human intervention for direct marketing purposes. Wind claimed, among others, that it should not be the only liable due to the role of the contracting companies which operate as call centers as either data controllers or data processors. It claimed that some of them are data processors, because Wind provides them with lists with telephone numbers and with explicit orders for specific advertising activities; some others are data controllers, since they process lists with numbers they compile themselves, without Wind being aware of them. Wind also claimed that the purpose of the calls is research and not advertising.
Dispute
1) Does a telephone number constitute personal data?
2) Who is the controller?
3) Do the processing activities pursue (even partially) advertising purposes?
4) Is the data subjects’ consent valid?
Holding
The HDPA found that:
1) The telephone number constitutes personal data according to Article 4 (1) GDPR as the owner can be indirectly identified.
2) In both cases above, Wind is the data controller as it exclusively determines the purpose of the processing while the contracting companies are data processors.
3) The processing activities are intended to pursue (at least partially) advertising purposes.
4) The data subjects’ consent is not valid.
In addition to those issues, the HDPA admitted all the complaints and found that Wind Hellas had violated Article 14 GDPR and the national law on the protection of personal data and privacy in the telecommunication sector, while the processor ΠΛΕΓΜΑ ΝΕΤ had violated Article 32 GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the original. Please refer to the Greek original for more details.
published decision AP. 39/2019