HDPA (Greece) - 8/2025
| HDPA - 8/2025 | |
|---|---|
 | |
| Authority: | HDPA (Greece) |
| Jurisdiction: | Greece |
| Relevant Law: | Article 31 GDPR art. 11, par. 1, Law 3471/2006 Regulation on Management and Assignment of [.gr Domain Names] |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 05.02.2024 |
| Decided: | 13.11.2024 |
| Published: | 05.02.2025 |
| Fine: | 45,000 EUR |
| Parties: | Dating agency under the name ANOIXIS |
| National Case Number/Name: | 8/2025 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Greek |
| Original Source: | HDPA (in EL) |
| Initial Contributor: | Vasiliki Kalantzi |
The DPA imposed a fine of €45,000 on a dating agency after it repeatedly sent unsolicited SMS to data subjects. The DPA found that the dating agency thus violated the Greek e-privacy implementation and failed to cooperate and comply with the DPA's (prior) actions against them.
English Summary
Facts
Throughout 2024, the DPA received 15 complaints from various data subjects, regarding unsolicited communication via short text messages (SMS) by the dating agency ANOIXIS, the controller.
The DPA considered the sender of these unsolicited SMS to be the same controller who had been previously fined €54,000 according to the DPA's decision 16/2022, for unsolicited communication, after having received 36 complaints from data subjects.
As part of the examination of the complaints, the DPA sent the controller a number of documents equal to the number of complaints (15), requesting their views on the attached complaints, none of which were answered.
Subsequently, the DPA sent the controller an official summons to a hearing on 30/10/2024 in order to present their views regarding the 15 filed complaints within the year 2024. The controller, however, did not attend.
Holding
The DPA held that the issue of conducting unsolicited communications through any means of electronic communication, without human intervention, for the purposes of direct commercial promotion of products or services and for any kind of advertising purposes, is regulated by Article 11 Law 3471/2006 on the protection of personal data in the field of electronic communications, which incorporated (eprivacy-)Directive 2002/58/EC into the national legal framework. According to Article 11(1) Law 3471/2006, such communication is only allowed if the subscriber has explicitly given prior consent.
According to Article 11(3) Law 3471/2006, any electronic message is permitted without the prior consent of the data subject only if the contact details have been lawfully obtained in the context of a previous sale of products or services or another transaction, and they can be used for the direct promotion of similar products or services of the provider or for similar purposes. Additionally, the data subject must have been informed at the time of data collection about their use for communication purposes and must not have objected to this use.
Furthermore, according to Article 31 of GDPR, the controller and the processor, and, where applicable, their representatives, shall cooperate, upon request, with the DPA in the performance of its tasks.
Finally, the DPA held that with its Decision 16/2022, a fine of €54,000 had already been imposed to the said controller, following the examination of thirty-six (36) complaints previously submitted to the DPA on the same matter. These complaints concerned the violation of the aforementioned provisions of Article 11 Law 3471/2006, as well as the lack of cooperation by the controller. Based on the above, there has been no compliance with the aforementioned Decision.
For the above reasons the DPA imposed a total fine of €45,000.
Additionally, the DPA requested that the Hellenic Telecommunications and Post Commission (EETT) examine the accuracy of the registration details of the domain name 'www.anoixisdate.gr' and take all appropriate actions, as, for example, the application of Article 10 of the Domain Name Management and Assignment Regulation for domain names ending in .gr or .ελ, regarding the deletion of the assigned domain name.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Athens, 05-02-2025 Original No: 507 DECISION 8/2025 The Personal Data Protection Authority met in plenary session by teleconference on Wednesday 13-11-2024 at the invitation of its Chairperson, in order to examine the case mentioned in the background of this document. George Batzalexis, Deputy Chairman, in the absence of the Chairman of the Authority, Konstantinos Menoudakos, and the alternate members Demosthenes Vougioukas, as rapporteur, and Maria Psalla, in place of the full members Konstantinos Lambrinoudakis and Gregorios Tsolias, who, although legally summoned in writing, did not attend due to their absence. The meeting was attended by Leonidas Roussos, as Assistant Rapporteur and, by order of the President, Irini Papageorgopoulou, as Secretary, an official of the Authority's Administrative Affairs Department. The Authority has taken note of the following: Following the Authority's Decision 16/2022 by which the Authority imposed a sanction on the dating agency "ANOIXIS" (hereinafter referred to as the "controller"), namely a fine of fifty-four thousand (54,000) Euros, for violation of the provisions of article 11 of Law no. 3471/2006, as well as its non-cooperation with the Authority, following the examination of thirty-six (36) complaints submitted to the Authority, fifteen (15) new complaints with the same subject matter were submitted to the Authority. In particular, as in the previous ones, the complaint concerned the sending of unsolicited electronic communications by means of short text messages (SMS) by the 1 Ave. 1-3 Kifissia Street, 11523 Athens, Greece T: 210 6475 600 - E:contact@dpa.gr - www.dpa.gr 2 processing for the purpose of marketing its services. As in the previous cases, complainants declare no prior business contact or other relationship with the Controller. In particular, the Authority received the following documents, registered as received by the Authority on 19 May 2012 (ref. C/EI/892/05-02-2024, C/EI/1680/01-03-2024, C/EI/2472/16-03-2024, C/EI/2720/22-03-2024, C/EI/2825/26-03-2024, C/EI/2833/26-03- 2024, C/EI/3056/02-04-2024, C/EI/3720/22-04-2024, C/EIS/4333/16-05-2024, C/EIS/4674/29-05-2024, C/EIS/4741/30-05-2024, C/EIS/6356/01-08-2024, C/EIS/6901/06-09- 2024, C/EIS/7653/04-10-2024 and C/EIS/7729/07-10-2024 new related complaints. In them it is documented that the complainants received SMS with the content "ANOIXIS OPINION OFFICE FIND YOUR MAN PURPOSE RELATIONSHIP - FUCK ATHENS THESSALONIKI PANELANDIC 2103251725 ADVERTISEMENTS TO www.anoixisdate.gr ADVERTISING MESSAGE" from the telephone number ..., by analogy with the advertising messages received by the complainants in the Authority's Decision 16/2022. The Authority sent a request to the telecommunications provider Cosmote - Mobile Telecommunications SA by document No. C/EXE/975/28-03-2024 to be informed about the person to whom the telephone number ... from which the messages in question were sent has been assigned, in order to verify the identity of the data controller and to facilitate the examination of the above complaints. The provider replied by letter C/EIS/3180/05-04-2024 that the telephone connection ... belongs since 14/4/2022 to A, a person who was already known to the Authority from the previous Decision against this Data Controller. By its letters C/EXE/974/28-03-2024 and C/EXE/1775/01-07-2024, the Authority requested the details of the person who had requested the registration of the specific domain name from the domain name registrars dnhost and pointer, the last two, i.e., the last two, in time, who served the specific function for the company in question. By their replies under reference C/EIS/3037/02-04-2024 and C/EIS/5588/01-07-2024, the above registrars provided the Authority with the above information. This information verifies the already known contact addresses as well as the persons involved in the case. In its letter to EETT No. C/EXE/1780/01-07-2024, the Authority, for reasons of completeness, requested the history of changes of the registrars of the domain name www.anoixisdate.gr. EETT replied by letter No. G/EIS/5765/08-07-2024, which shows the eight (8) renewals and changes of registrars, including the transfer of data to A. From a search in the public directory of the Central Association Chambers Greece 3 (https://www.businessregistry.gr/publicity/show/143491640000) shows that in the data of A operates a sole proprietorship with the distinctive title 'Anoixis', VAT number 170313098 and GEMI no. 143491640000, which is active since 15/06/2017 and whose address is located at MEG. ALEXANDROS 7 in LARISA, postal code 41222. In the context of the examination of the complaints, the Authority sent the Processing Manager an equal number of documents requesting his views on the above-mentioned complaints attached to the complaints, none of which were answered. Subsequently, the Authority sent to the Controller the summons to a hearing in its Department on 30/10/2024 (ref. C/EE/892/05-02-2024, C/EE/1680/01-03-2024, C/EE/2472/16-03-2024, C/EE/2720/22- 03-2024, C/EE/2825/26-03-2024, C/EE/3056/02-04-2024, C/EE/3720/22-04-2024, C/EIS/4333/16-05-2024, C/EIS/4674/29-05-2024, C/EIS/4741/30-05-2024, C/EIS/6356/01-08- 2024, C/EIS/6901/06-09-2024, C/EIS/7653/04-10-2024 and C/EIS/7729/07-10-2024 for violation of Articles 11 of Law 3471/2006 and Articles 6 and 21 of the Regulation, in its cooperation with the Authority, as provided for by Article 31 of the GDPR and in its compliance with the Authority's Decision 16/2022. At the same time, it sent to the Larissa Regional Police Station the transmittal document (ref. no. G/EXE/2775/15-10-2024) in order for it to serve the summons to the Processing Officer. The Larissa Prefecture sent to the Authority the proof of service of the summons (ref. no. G/EIS/8106/21-10-2024), according to which, as it could not find the legal representative, it delivered the summons to the address of the Processing Manager mentioned in the summons. At the meeting of the Authority's Division on 30-10-2024, at which the Processing Manager was summoned for a hearing, no one was present. The Authority set a conference date of 13-11-2024 to discuss the above matter. The Authority, after considering all the information on the record and referring to the deliberations of the meeting of 13-11-2024, having heard the Rapporteur and the clarifications of the Assistant Rapporteur, and after a thorough discussion, THOUGHT IN ACCORDANCE WITH THE LAW 1. In accordance with Article 4(4). 7 of the General Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter, 4 Regulation), which has been in force since 25 May 2018, a controller is defined as "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data". 2. The issue of making unsolicited communications by any means of electronic communication, without human intervention, for the purposes of direct marketing of products or services and for any kind of advertising purposes is regulated in article 11 of Law no. 3471/2006 on the protection of personal data in the electronic communications sector, which transposed Directive 2002/58/EC into national law. According to this article (paragraph 1), such communication is only allowed if the subscriber has given his/her explicit prior consent. According to paragraph 3 of the said article, any electronic mail without the prior consent of the data subject is allowed only if, among other things, the contact details have been lawfully obtained in the context of a previous sale of products or services or other transaction and may be used for the direct promotion of similar products or services of the supplier or for similar purposes and the data subject was informed at the time of collection of the data about the use of the data for the purpose of communication and did not disclose the data to the data subject. 3. Pursuant to Article 31 of the Regulation, the controller and the processor and, where applicable, their representatives shall cooperate, upon request, with the supervisory authority in the performance of its tasks. 4. As is apparent from the evidence in the files of the complaints under consideration, similarly to what was stated in the Authority's Decision 16/2022, none of the complainants had expressly consented in advance to receive promotional messages from the controller, nor did they have any prior commercial contact or other relationship with the in order to have their contact details lawfully obtained so as not to require their prior consent for the sending of those messages, as set out in the Authority's Decision 16/2022. 1 of Law no. 3471/2006. 5 5. Similarly to Decision 16/2022, the controller did not cooperate with the Authority as it did not reply, on several occasions, to any of the numerous documents clarifications sent to it e-mail and by post and did not attend the Authority's meeting, where it was invited to explain itself. 6. The Authority, by Decision 16/2022, has already imposed a sanction on this controller, namely a fine of fifty-four thousand (54,000) Euros, following the examination of thirty- six (36) complaints that had been submitted to the Authority previously with the same subject matter for violation of the above provisions of article 11 of Law no. 3471/2006, as well as for the lack of cooperation of the Processing Manager. On the basis of the above, no compliance has been made with the above Decision. 7. In accordance with Article 13 par. 3 of Law 3471/2006, the cases in which an opinion of the National Telecommunications and Postal Commission (NTC) is foreseen, the latter gives its opinion upon a subscriber's request or a request of the Personal Data Protection Authority or ex officio. On the basis of the above, the Authority unanimously considers that, in accordance with Article 11 of Law No. 3471/2006 and Article 31 of the GDPR, the conditions for the imposition of a penalty against the controller are met, on the basis of Article 13 of the Act. 3471/2006, in conjunction with Article 58(58) of Regulation (EC) No 3471/2006. 2(i) of the GDPR, the administrative sanction referred to in the operative part of this order, which is proportionate to the gravity of the infringement. FOR THESE REASONS Impose on the controller the effective, proportionate and dissuasive administrative fine appropriate to the specific case in accordance with the specific circumstances of the case, amounting to forty-five thousand Euro (45.000,00 €), for above violations of article 11 of Law No. 3471/2006 and Article 31 of the GDPR. It requests the National Telecommunications and Postal Services Commission (EETT) to examine the accuracy of the data in the registration declaration of the 'www.anoixisdate.gr' Domain Name and to take any appropriate action, such as, for example, the application of Article 10 of the Regulation on the Management and Assignment of Domain Names ending in .gr or .ελ. regarding the deletion of the assigned Domain Name. The Deputy President The Secretary George Batzalexis Irini Papageorgopoulou
