HDPA (Greece) - 13/2021: Difference between revisions

From GDPRhub
(Changed GDPR article wording to comply with style guide. Changed last paragraph for clarity. Changed 'The HDPA' to 'The Greek DPA' to comply with style guide. Good summary otherwise, clear and to the point.)
No edit summary
Line 58: Line 58:
}}
}}


The HDPA fined a sports clothing company €20,000 for repeatedly failing to comply with a data subject's data erasure requests, and for sending them marketing material despite their requests.
The Greek DPA fined a sports clothing company €20,000 for repeatedly failing to comply with a data subject's data erasure requests, and for sending them marketing material despite their requests.


== English Summary ==
== English Summary ==

Revision as of 14:35, 13 October 2021

HDPA (Greece) - 13/2021
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 12(3) GDPR
Article 17 GDPR
Article 21 GDPR
Article 25(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 17.02.2021
Published: 07.04.2021
Fine: 20000 EUR
Parties: n/a
National Case Number/Name: 13/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Greek
Original Source: HDPA full text (in EL)
HDPA summary (in EL)
Initial Contributor: Adrian

The Greek DPA fined a sports clothing company €20,000 for repeatedly failing to comply with a data subject's data erasure requests, and for sending them marketing material despite their requests.

English Summary

Facts

The HDPA imposed a €20,000 fine to a sports clothing company for failing to uphold a data subject's data erasure rights. Initially, the company ignored the subject's request. After an initial intervention by the HDPA, the company reassured that the subject's contact information were deleted, but then kept sending marketing communications. The data subject had to complain for a second time, leading to this new decision and fine which was deemed necessary and proportionate.

Holding

The HDPA held that for its first intervention, even though the data controller informed the HDPA that it took corrective measures (deletion of contact information), the controller didn't inform the data subject about this, thus being in violation of Article 17 GDPR in combination with Articles 21(2) and 12(3) GDPR.

Furthermore, the controller's communications included a method to opt out (a link to opt out in each SMS message sent) which the data subject didn't use. Instead, the data subject contacted the controller's customer support in order to express their request for deletion, which the controller argued was not sufficient due to the existence of the opt-out link. The HDPA held that the data subject's rights should have been respected regardless of how they were communicated to the controller.

Crucially, even after the DPA's first intervention the controller has continued sending marketing communications to the data subject, despite claiming that the data has been deleted. Thus, the controller unlawfully failed to comply with (a) the data subject's request and (b) the HDPA order to bring the processing into compliance. The HDPA viewed this as an aggravating circumstance, thus justifying its unusually high fine as proper and proportionate for the situation.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

                                                             Athens, 07-04-2021
                                                              No. Prot.1024


                              DECISION 13/2021

                                   (Department)




     The Personal Data Protection Authority met at

Composition of the Department via video conference on 17-02-2021 at 10:00, after

at the invitation of its President to consider the case

refers to the history hereof. Presented by George Batzalexis,

Deputy Chairman, disabled by the President of the Authority Konstantinos

Menoudakou, and the alternate members Grigorios Tsolias and Evangelos

Papakonstantinou, as rapporteur, replacing the regular members

Charalambou Anthopoulos and Konstantinos Lambrinoudakis respectively, who,

although they were legally summoned in writing they did not attend due to obstruction. The regular

member Spyridon Vlachopoulos, although legally summoned in writing, did not attend

due to obstruction. The meeting was attended by George, chaired by the President
Roussopoulos, Specialist Scientist-Auditor as Assistant Rapporteur and Irini

Papageorgopoulou, employee of the Administrative Affairs Department of the Authority,

as secretary.




     The Authority took into account the following:




     Complaint No. G / EIS / 4863 / 10-07-2019 was submitted to the Authority

in which the complainant received a text message on 09/07/2019

character from the company «MZN HELLAS SOCIETE ANONYME COMMERCIAL


                                                                             1

1-3 Kifissias Ave., 11523 Athens
T: 210 6475 600 • E: contact@dpa.gr • www.dpa.gr COMPANY "with the distinctive title" MZN HELLAS A.E. " (hereinafter referred to as "Responsible

while expressly objecting. With the complaint

Attached is a copy of the email from which
it appears that, following a dispute that arose following an order he made

to the company, had objected to receiving any information

related products and offers of the company

delete via hyperlink.

     The complaining company was informed about the complaint with the no.

prot.C / EX / 4863-1 / 09-08-2019 document of the Authority with which it was requested to submit

her views on the complaint. The company responded with the prot.

Γ / ΕΙΣ / 5868 / 27-08-2019 her document, stating, among other things, that the

prior approval of the complainant, due to his previous transaction
and that messages are sent in bulk and automatically by affiliate software

company, to which they can not intervene immediately. But after investigation

the complainant's email was found. The company considers that by his negligence

employee was not currently deleted from the list and

confirms that they have deleted their mobile phone and e-mail address
of the post office and have taken the necessary steps so as not to

happen again in the future for no other customer. Finally, they report that

complainant disputes the receipt of an order and acts intentionally and fraudulently

as it had the ability to stop receiving messages through

advertising message.

     Following this reply, the complainant returned to

Complaint No. G / EIS / 7689 / 07-11-2019, stating that

received, again, a message on his cell phone number for purposes

promotion of the products and services of the company MZN on 06-11-2019,
declaration of the company that was deleted from the telephone list. The Authority

sent the document number C / EX / 7689-1 / 13-12-2019 to the company,

asking for its views on the new complaint. The complained company

responded to the Authority with its document number G / EIS / 394 / 17-01-2020. In

this argues that the complaint is inadmissible, distrustful and unfounded.


                                                                            2He mentions again that there was an initial approval of the complainant, who did not

used the opt-out feature from SMS, but sent

e-mail to her e-mail address
customer service. The complainant has just received a new promotional message

on 06-11-2019. It further states that it has enabled the opt-out option

later, on 11-12-2019 to be permanently deleted based on his own

actions from the company contact list. Further, the company argues

the complainant states that no objection has been raised, and

that he did not object.

     In relation to the deletion that should have been done, as reported in

previous memorandum company, claims that there was a mistake / omission

of the employee operating the electronic platform, with effective
do not finally validate the deletion of the complainant number, while the error does not

was not noticed either by this employee or by the management of the company. THE

company claims that the third company that has developed and manages the

platform, which is not named, disclosed the reasons for not

deletion. The company also states that it does not provide its details
employee as there is no substantive reason, but if they are not considered valid

her explanations, will rely on and provide full evidence of this.


     Following the above, the Authority proceeded to call the company for
meeting of the department on 15-07-2020, with reference number C / EX / 4491 / 29-06-2020

her document. With the call the company was informed that during its examination

The above two complaints will be discussed. The company attended

meeting through the lawyer of Aristides Karabeazis while, after receiving

deadline, submitted its memorandum number G / EIS / 5315 / 29-07-2020. In

this summarizes the following: The complainant did not appear and therefore
It is presumed that the request and the formality of his complaints are impractical. The

complaints are inadmissible for formal reasons. Specifically, wrong

the complainant states so much that he was not given the opportunity in every message

as well as any objections to the sending of messages.

the complainant provided approval for the sending of informative / promotional SMS


                                                                            3 at the completion of his transaction. In any case, he had the opportunity

"Opt-out" with one click, in which case it would not be possible to re-register

inadvertence. Activate this option after his complaint (11/12/2019)
to be removed from the list.


     In essence, the company claims that while their removal was requested

of the complainant, a subsequent error / omission arose
employed in the operation of the electronic platform resulting in

remain on her contact list. The mistake was not realized and

did not become known to the company until after the second complaint, while it was

the only time such a mistake happened. The company states that it requested from

partner company to provide it with any "electronic traces", but received

answer that no such data is stored on the server. The company supports
that this is an incidental matter, which is proved by the relevant

correspondence of its operator with its partner (which although it is stated that

attached (not contained in the relevant memorandum) and cites

principle of leniency. It also argues that the complainant does not claim damages

or persistent harassment considers the complainant's motives to be questioned
older transactions.


     The Authority, after examining the data in the file, after hearing him

rapporteur and clarifications from the assistant rapporteur, who attended without
and withdrew after the discussion of the case and before

the conference and decision-making, after a thorough discussion,




                        THOUGHT ACCORDING TO THE LAW




1. From the provisions of articles 51 and 55 of the General Regulation of Protection
Data (Regulation (EU) 2016/679 - hereinafter GCC) and Article 9 of the Law

4624/2019 (Government Gazette AD 137) it appears that the Authority has the competence to supervise the

implementation of the provisions of the GCC, this law and other regulations that

concern the protection of the individual from the processing of personal data.


                                                                             42. According to article 4 lit. 7 of the GCC, which is implemented by

on 25 May 2018, the controller is defined as “the natural or legal

person, public authority, service or other body which, alone or in association with
others, determine the purposes and manner of data processing

of a personal nature ".

3. The issue of making unsolicited communications with

any means of electronic communication, without human intervention, for

for the purpose of direct marketing of products or services and for each

for advertising purposes, is regulated by Article 11tun.3471 / 2006for
protection of personal data in the field of electronic communications, o

which incorporated Directive 2002/58 / EC into national law. According

this article, such communication is allowed only if the subscriber

expressly agreed in advance. Exceptionally, according to article 11 par.

3 of Law 3471/2006, the contact details of the e-mail that

acquired legally, in the context of the sale of goods or services or otherwise
transaction, can be used for direct promotion

similar products or services of the supplier or for service

similar purposes, even when the recipient of the message has not given out

with his prior consent, provided that he is provided with

in a clear and distinct way the ability to object, in an easy way and
for free, in the collection and use of his electronic data and that

during the collection of contact information, as well as in each message, in case

that the user did not initially disagree with this use.

4. According to article 17 par. 1 of the GCP, “The data subject

has the right to request the deletion from the controller

personal data relating to it without justification
delay and the controller is required to delete data

without undue delay, if one of

the following reasons: (…) (c) the data subject objects to

processing in accordance with Article 21 (1) and there are no imperatives

and legitimate reasons for processing or the data subject object

processing in accordance with Article 21 (2) ". Further, in the article

                                                                             521 par. 2 of the GCP stipulates that “If personal data

processed for the purpose of direct marketing, the

data subject is entitled to object at any time to
processing of personal data concerning it for the en

due to marketing, including profiling, if relevant

with this direct marketing promotion. "

5. Article 12 par. 2 and 3 of the GCP stipulates that “2. The person in charge

facilitates the exercise of the rights of their subjects

data provided for in Articles 15 to 22. (…) "and" 3. The person responsible
processing provides the data subject with energy information

carried out on request under Articles 15 to 22 without

delay and in any case within one month of receipt of the request.

This period may be extended by a further two months, provided that

required, taking into account the complexity of the request and its

number of requests. The controller informs the subject of
data for the said extension within one month of receipt of the request,

as well as for the reasons of the delay. (…) ».

6. Article 25 of the GCC stipulates that “Taking into account the latter

developments, implementation costs and their nature, scope, context and

processing purposes, as well as the risks of different probability
and the seriousness of the rights and freedoms of natural persons

persons from the processing, the controller applies

effectively, both at the time of determining the processing media and

and at the time of processing, appropriate technical and organizational measures, such as

the pseudonym, designed to apply the principles of protection of

data, such as data minimization, and their integration
necessary guarantees in the processing in such a way that the

requirements of this Regulation and to protect their rights

data subjects. "

7. The Authority does not accept the arguments of the controller and

considers the complaint to be admissible. The complainant was not summoned, as he was not

his personal presence is necessary for the examination of the complaint.

                                                                            6Furthermore, although the company rightly claims that the complainant is wrong

states that he was not given the opportunity to object to every message, the fact

that some of the complainant's allegations are not substantiated,
does not make all his allegations inadmissible. These allegations

are examined below.

8. In this case, data processing was performed

personal nature of the complainant by the controller, for

for the purpose of promoting products and services. The legality of the original collection

is not judged by the present, as the complainant accepts that it existed
previous transaction under which it had granted the

his details in the company.

9. The complainant, as appears from the original complaint, expressed

objection to sending messages for product promotion purposes and

services by email on 05/06/2019. The complainant

did not use the automated deletion feature available
built-in SMS promotions, but this does not affect that it exercised properly

the right of cancellation, addressed to the customer service of the company.

And this if we take into account that the GCP does not set a requirement for a specific way

but states that the controller must

facilitates the exercise of the rights of data subjects. The
The complainant's request was clearly worded, with specific reference to the GIP,

therefore there is no doubt that the controller should have

the appropriate procedures to meet, regardless of other differences

with the complainant. The controller did not act to interrupt

sending advertising messages, as it should, as well as opposition and

deletion in case of direct marketing must be done
respected. This happened only after the first intervention of the Authority. In fact, and

in this case, the person responsible replied to the Authority, without informing him

complainant. The initial complaint therefore results in a breach

Article 17 in conjunction with Article 21 (2) and Article 12 (3) of the GCC.

10. In his first memorandum, the controller assured

Principle that he has deleted his mobile phone and email address

                                                                             7 of the complainant's correspondence and that they have taken all the necessary steps

actions to prevent it from happening again in the future for any other customer. Of the

It turns out that the above statement was not accurate. Even if
accept the company's argument of individual wrongdoing, the

but which is not based on electronic or other data which can not

disputed, except in written statements of the officials involved,

it appears that the controller did not take action to not

a similar incident happens to another customer in the future. Therefore, with

Sending the second message on 6/11/2019, it is found that the company does not
had in practice the necessary procedures to ensure deletion

data so that the requirements of the GCP are met and protected

the rights of data subjects. There is therefore an infringement

of article 25 par. 1 of the GCP. It is pointed out that based on the principle of accountability

(article 5 par. 2 GCP) the controller is responsible and is responsible

to demonstrate its compliance with the basic principles of legal processing. To
Note that the argument about not using the built-in SMS

deletion operation and its use after 6/11/2019 and specifically on

11/12/2019, not accepted. The complainant, as explained, was not

obliged to exercise his right in this way, while no

it turns out that he was the one who triggered the deletion process as well
at this time the details of the complaint were known and so on

persons (eg in the Authority).

11. The Authority takes note that the controller does not

submitted evidence of deletion procedures, that the breach

related to the exercise of rights of the data subject, that the company

stated to the Authority that it had taken the appropriate measures and in fact for all of them
its clients, while in practice this had not been the case with regard to the complainant,

that the controller has an online store and uses

electronic communication techniques, therefore he should have taken care of

proper response to requests for rights. Further, according to





                                                                              8 publicly available data in GEMI, the company in the year 2019 had a cycle

works € 1,343,513.99 and profits after taxes € 50,151.92. As relievers

takes into account that if there was a nuisance there was no financial loss to the subject

of data from the dissatisfaction of the right, that it is the first

infringement for the specific company and finally, the unfavorable financial

circumstance due to the Covid-19 pandemic.
12. In view of the above, the Authority unanimously considers that in accordance with Article 1 7 in

in conjunction with Article 21 (3) and Article 12 (3) of the GIPA and Article 25

par. 1 of the GCP meet the conditions of enforcement against the person in charge

processing, based on article 58 par. 2 i of the GCP and taking into account the

criteria of article 83 par. 2 of the GCP, of the administrative sanction mentioned

in the operative part of the present, which is deemed proportional to its weight

infringement.



                           FOR THOSE REASONS

The Authority imposes, on "MZN HELLAS SOCIETE ANONYME ATHLETIC COMMERCIAL COMPANY"

with the distinctive title "MZN HELLAS A.E." the effective, proportional and

a deterrent administrative fine appropriate to that

case according to its more specific circumstances, amounting to twenty thousand

(20,000.00) euros, for the above violations of Article 17

in combination with article 21par.3 and article 12par.3 of GKPD and article

25 par. 1 of the GKPD.




       The Deputy Chairman The Secretary





         George Batzalexis Irini Papageorgopoulou





1
 https://www.businessregistry.gr/publicity/show/9178201000

                                                                              9