HDPA (Greece) - 13-/2021
|HDPA - 13|
|Relevant Law:||Article 12 GDPR|
Article 17 GDPR
Article 4 GDPR
Article 25 GDPR
|National Case Number/Name:||13|
|European Case Law Identifier:||n/a|
|Original Source:||Αρχή Προστασία Προσωπικών Δεδομένων (in EL)|
The Greek DPA fined a sports company €20,000 for unlawful communication for promotional purposes and for failure to respond to a request for deletion of personal data.
English Summary[edit | edit source]
Facts[edit | edit source]
The complainant filed a complaint against the DPA for unsolicited communication. The sports company «MZN HELLAS A.E.», sent promotional SMS to the complainant even though he had clearly and explicitly expressed his refusal through an email and even though he had requested for his data to be deleted. The company stated that by fault of one of its employees the complainant's details were not deleted from their servers. The company also stated that the data subject shouldn't have contacted the company's customer support services to ask for deletion of his details, but he should have used instead the opt out option in the SMS received.
Dispute[edit | edit source]
Was the communication with the complainant lawful under Articles 4, 12 and 17 GDPR?
Holding[edit | edit source]
The DPA held that according to Articles 4, 12, 17 and 25 GDPR the company proceeded to unlawful communication with the complainant. The complainant explicitly requested for a deletion of his details. The fact that the opt out form was not used does not harm the validity of his request. The DPA fined the company 20.000€ for violation of the GDPR.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Athens, 07-04-2021 No. Prot.1024 DECISION 13/2021 (Department) The Personal Data Protection Authority met at Composition of the Department via video conference on 17-02-2021 at 10:00, after invitation of its President to consider the case refers to the history hereof. Presented by George Batzalexis, Deputy Chairman, disabled by the President of the Authority Konstantinos Menoudakou, and the alternate members Grigorios Tsolias and Evangelos Papakonstantinou, as rapporteur, replacing the regular members Charalambou Anthopoulos and Konstantinos Lambrinoudakis respectively, who, although they were legally summoned in writing, they did not attend due to obstruction. The regular member Spyridon Vlachopoulos, although legally summoned in writing, did not attend due to obstruction. The meeting was attended by George, chaired by the President Roussopoulos, Specialist Scientist-Auditor as Assistant Rapporteur and Irini Papageorgopoulou, employee of the Administrative Affairs Department of the Authority, as secretary. The Authority took into account the following: Complaint No. G / EIS / 4863 / 10-07-2019 was submitted to the Authority in which the complainant received a text message on 09/07/2019 character from the company «MZN HELLAS SOCIETE ANONYME COMMERCIAL 1 1-3 Kifissias Ave., 11523 Athens T: 210 6475 600 • E: firstname.lastname@example.org • www.dpa.gr COMPANY "with the distinctive title" MZN HELLAS A.E. " (hereinafter referred to as "Responsible processing ”), while he had explicitly expressed his objection. With the complaint Attached is a copy of the email from which it appears that, following a dispute that arose following an order he made to the company, had objected to receiving any information related products and offers of the company delete via hyperlink. The complaining company was informed about the complaint with the no. prot.G / EX / 4863-1 / 09-08-2019document of the Authority with which it was requested to submit her views on the complaint. The company responded with the prot. Γ / ΕΙΣ / 5868 / 27-08-2019 her document, stating, among other things, that the prior approval of the complainant, due to his previous transaction and that messages are sent in bulk and automatically by affiliate software company, to which they can not intervene immediately. But after investigation the complainant's email was found. The company considers that by his negligence employee at that time the phone was not removed from the list and confirms that they deleted their mobile phone and e-mail address of the post office and have taken the necessary steps so as not to happen again in the future for no other customer. Finally, they report that complainant disputes the receipt of an order and acts intentionally and fraudulently as it had the ability to stop receiving messages through advertising message. Following this reply, the complainant returned to Complaint No. G / EIS / 7689 / 07-11-2019, stating that received, again, a message on his mobile phone number for purposes promotion of the products and services of the company MZN on 06-11-2019, declaration of the company that was deleted from the telephone list. The Authority sent the document number C / EX / 7689-1 / 13-12-2019 to the company, asking for its views on the new complaint. The complained company responded to the Authority with its document number G / EIS / 394 / 17-01-2020. In this argues that the complaint is inadmissible, distrustful and unfounded. 2He mentions again that there was an initial approval of the complainant, who did not used the opt-out feature from SMS, but sent e-mail to her e-mail address customer service. The complainant just received a new promotional message on 06-11-2019. It further states that it has enabled the opt-out option later, on 11-12-2019 in order to be permanently deleted based on his own actions from the company contact list. Further, the company argues the complainant states that no objection has been raised, and that he did not object. In relation to the deletion that should have been done, as reported in previous memorandum company, claims that a mistake / omission occurred of the employee operating the electronic platform, with effective do not finally validate the deletion of the complainant number, while the error does not was not noticed either by this employee or by the management of the company. THE company claims that the third company that has developed and manages the platform, which is not named, disclosed the reasons for not deletion. The company also states that it does not provide its details employee as there is no substantive reason, but if they are not considered valid her explanations, will rely on and provide full evidence of this. Following the above, the Authority proceeded to call the company for section meeting on 15-07-2020, with reference number C / EX / 4491 / 29-06-2020 her document. With the call the company was informed that during its examination The above two complaints will be discussed. The company attended meeting through the lawyer of Aristides Karabeazis while, after receiving deadline, submitted its memorandum number G / EIS / 5315 / 29-07-2020. In this summarizes the following: The complainant did not appear and therefore It is presumed that the request and the form of his complaints are impractical. The complaints are inadmissible for formal reasons. Specifically, wrong the complainant states so much that he was not given the opportunity in every message and that they objected to the sending of messages. the complainant provided approval for the sending of informative / promotional SMS 3 at the completion of his transaction. In any case, he had the opportunity "Opt-out" with one click, in which case it would not be possible to re-register inadvertence. Activate this option after its complaint (11/12/2019) to be removed from the list. In essence, the company claims that while their removal was requested of the complainant, a subsequent error / omission occurred employed in the operation of the electronic platform resulting in remain on her contact list. The mistake was not realized and did not become known to the company until after the second complaint, while it was the only time such a mistake happened. The company states that it requested from partner company to provide it with any "electronic traces", but received answer that no such data is stored on the server. The company supports that this is an incidental matter, which is proved by the relevant correspondence of its operator with its partner (which although it is stated that attached (not contained in the relevant part of the memorandum) and refers to principle of leniency. It also argues that the complainant does not claim damages or persistent harassment considers the complainant's motives to be questioned older transactions. The Authority, after examining the data in the file, after hearing him rapporteur and clarifications from the assistant rapporteur, who attended without and withdrew after the discussion of the case and before the conference and decision-making, after a thorough discussion, THOUGHT ACCORDING TO THE LAW 1. From the provisions of articles 51 and 55 of the General Protection Regulation Data (Regulation (EU) 2016/679 - hereinafter GCC) and Article 9 of the Law 4624/2019 (Government Gazette AD 137) it appears that the Authority has the competence to supervise the implementation of the provisions of the GCC, this law and other regulations that concern the protection of the individual from the processing of personal data. 42. According to article 4 lit. 7 of the GCC, which is implemented by on 25 May 2018, the person in charge of processing is defined as “the natural or legal person, public authority, service or other body which, alone or jointly with others, determine the purposes and manner of data processing of a personal nature ". 3. The issue of making unsolicited communications with any means of electronic communication, without human intervention, for for the purpose of direct marketing of products or services and for each for advertising purposes, is regulated by Article 11tun.3471 / 2006for protection of personal data in the field of electronic communications, o which incorporated Directive 2002/58 / EC into national law. According this article, such communication is allowed only if the subscriber expressly agreed in advance. Exceptionally, according to article 11 par. 3 of Law 3471/2006, the contact details of the e-mail that acquired legally, in the context of the sale of goods or services or otherwise transaction, can be used for direct promotion similar products or services of the supplier or for service similar purposes, even when the recipient of the message has not given out with his prior consent, provided that he is provided with in a clear and distinct way the ability to object, in an easy way and for free, in the collection and use of his electronic data and that when collecting contact information, as well as in each message, in case that the user did not initially disagree with this use. 4. According to article 17 par. 1 of the GCP, “The data subject has the right to request the deletion from the controller personal data relating to it without justification delay and the controller is required to delete data without undue delay, if one of the the following reasons: (…) (c) the data subject objects to processing in accordance with Article 21 (1) and there are no imperatives and legitimate reasons for processing or the data subject object processing in accordance with Article 21 (2) ". Further, in the article 521 par. 2 of the GCP stipulates that “If personal data processed for the purpose of direct marketing, the data subject is entitled to object at any time to processing of personal data concerning it for the en due to marketing, including profiling, if relevant with this direct marketing promotion. " 5. Article 12 par. 2 and 3 of the GCP stipulates that “2. The person in charge facilitates the exercise of the rights of their subjects data provided for in Articles 15 to 22. (…) "and" 3. The person responsible processing provides the data subject with energy information carried out on request under Articles 15 to 22 without delay and in any case within one month of receipt of the request. This period may be extended by a further two months, provided that required, taking into account the complexity of the request and its number of requests. The controller informs the subject of data for the said extension within one month of receipt of the request, as well as for the reasons of the delay. (…) ». 6. Article 25 of the GCC stipulates that “Taking into account the latter developments, application costs and nature, scope, context and their processing purposes, as well as the risks of different probability and the seriousness of the rights and freedoms of natural persons persons from the processing, the controller applies effectively, both at the time of determining the processing media and and at the time of processing, appropriate technical and organizational measures, such as the pseudonym, designed to apply the principles of protection of data, such as data minimization, and their integration necessary guarantees in the processing in such a way that the requirements of this Regulation and to protect their rights data subjects. " 7. The Authority does not accept the arguments of the controller and considers the complaint to be admissible. The complainant was not summoned, as he was not his personal presence is necessary for the examination of the complaint. 6Furthermore, although the company rightly claims that the complainant is wrong states that he was not given the opportunity to object to every message, the fact that some of the complainant's allegations are not substantiated, does not make all his allegations inadmissible. These allegations are examined below. 8. In this case, data processing was performed personal nature of the complainant by the controller, for for the purpose of promoting products and services. The legality of the original collection is not judged by the present, as the complainant accepts that it existed previous transaction under which it had granted the his details in the company. 9. The complainant, as appears from the initial complaint, expressed objection to sending messages for product promotion purposes and services by email on 05/06/2019. The complainant did not use the automated deletion feature available built-in SMS promotions, but this does not affect that it exercised properly the right of cancellation, addressed to the customer service of the company. And this if we take into account that the GCP does not set a requirement for a specific way but states that the controller must facilitates the exercise of the rights of data subjects. The The complainant's request was clearly worded, with specific reference to the GCC, therefore there is no doubt that the controller should have appropriate procedures to meet, regardless of other differences with the complainant. The controller did not act to interrupt sending advertising messages, as it should, as well as opposition and deletion in case of direct marketing must be done respected. This happened only after the first intervention of the Authority. In fact, and in this case, the person in charge replied to the Authority, without informing him complainant. The initial complaint therefore results in a breach Article 17 in conjunction with Article 21 (2) and Article 12 (3) of the GCC. 10. In his first memorandum, the controller assured Principle that he has deleted his mobile phone and email address 7 of the complainant's correspondence and that they have taken all the necessary steps actions to prevent it from happening again in the future for any other customer. Of the It turns out that the above statement was not accurate. Even if accept the company's argument of individual wrongdoing, the but which is not based on electronic or other data which can not disputed, except in written statements of the officials involved, it appears that the controller did not take action to avoid a similar incident occurs in the future to another customer. Therefore, with Sending the second message on 6/11/2019, it is found that the company does not had in practice the necessary procedures to ensure deletion data so that the requirements of the GCP are met and protected the rights of data subjects. There is therefore an infringement of article 25 par. 1 of the GCP. It is pointed out that based on the principle of accountability (article 5 par. 2 GCP) the controller is responsible and is responsible to demonstrate its compliance with the basic principles of legal processing. To Note that the argument about not using the built-in SMS deletion operation and its use after 6/11/2019 and specifically on 11/12/2019, not accepted. The complainant, as explained, was not obliged to exercise his right in this way, while no it turns out that he was the one who triggered the deletion process as well at this time the details of the complaint were known and so on persons (eg in the Authority). 11. The Authority takes note that the controller does not submitted evidence of deletion procedures, that the breach related to the exercise of the data subject's rights, that the company stated to the Authority that it had taken the appropriate measures and in fact for all of them its clients, while in practice this had not been the case with regard to the complainant, that the controller has an online store and uses electronic communication techniques, therefore he should have taken care of proper response to requests for rights. Further, according to 8 publicly available data in GEMI, the company in the year 2019 had a cycle works € 1,343,513.99 and profits after taxes € 50,151.92. As relievers takes into account that if there was a nuisance there was no financial loss to the subject of data from dissatisfaction of the right, that it is the first infringement for the specific company and finally, the unfavorable financial circumstance due to the Covid-19 pandemic. 12. In view of the above, the Authority unanimously considers that in accordance with Article 1 7 in in conjunction with Article 21 (3) and Article 12 (3) of the GIPA and Article 25 par. 1 of the GCP meet the conditions of enforcement to the detriment of the person in charge processing, based on article 58 par. 2 i of the GCP and taking into account the criteria of article 83 par. 2 of the GCP, of the administrative sanction mentioned in the operative part of the present, which is deemed proportional to its weight infringement. FOR THOSE REASONS The Authority imposes, on "MZN HELLAS SOCIETE ANONYME ATHLETIC COMMERCIAL COMPANY" with the distinctive title "MZN HELLAS A.E." the effective, proportional and a deterrent administrative fine appropriate to that case according to its more specific circumstances, amounting to twenty thousand euros (20,000.00) euros, for the above violations of Article 17 in combination with article 21par.3 and article 12par.3 of the GCC and the article 25 par. 1 of the GKPD. The Deputy Chairman The Secretary George Batzalexis Irini Papageorgopoulou 1 https://www.businessregistry.gr/publicity/show/9178201000 9