HDPA (Greece) - 20/2021

From GDPRhub
HDPA (Greece) - 20
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 17(1) GDPR
Article 21(2) GDPR
Article 25 GDPR
Article 11 law 3471/2006
Article 11 law 3471/2006
Type: Complaint
Outcome: Upheld
Decided: 17.02.2021
Published: 28.05.2021
Fine: 5000 EUR
Parties: «ΚΑΡΙΕΡΑ Α.Ε.»
National Case Number/Name: 20
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: ΑΠΔΠΧ (in EL)
Initial Contributor: LV

The Greek DPA fined a service provider €5000 for failure to properly execute a data's subject request for erasure due to a technical error which meant that their personal data had been duplicated on the company's servers. The DPA found that 79 other data subjects had also been affected by this error.

English Summary


The complainant requested to stop receiving promotional emails by the company. The promotional emails didn't stop even after he followed all the directions on the company's website and even after he submitted a request of erasure of his personal data held by the company, for which he received a confirmation email stating that all his data we deleted by the company's servers. The company stated that due to technical errors and duplicate registration of the data subject's email address, the process of the deletion of the complainant's data was not successful.

The personal data processed by the company were recorded electronically in a database referred to as the ‘Master Database'. All changes to personal data, such as deletions from email lists or requests submitted by data subjects are initially entered in the Master Database, and are then integrated/ copied into the individual databases that connect to the Main Database through a synchronization process which takes place automatically on a daily basis. One of these such databases linked to the Main Database is also the Email Database.

Due to a technical error in the computer systems, there was a double registration of the email address of the complainant in the Email Database. This double entry error was detected and corrected immediately so as not to be repeated in the future. However, the duplicate address file remained in the E-mail Database, with the result while the first address file was deleted, the address file remained in the E-mail Database. Thus, when the complainants requested deletion from the E-mail Database using the delete / unsubscribe link, the request was recorded successfully in the Master Data Sheet, but the synchronization process failed to replace / delete the duplicate entry of the email address of the complainant in the E-mail Database. This is the reason why the complainant continued to receive emails about jobs offered by the company.


After examination of the facts of the case and after examination of 79 other data subjects data which were not successfully deleted from the company's data base, the authority decided that the company failed to implement the appropriate procedural and security measures to detect the error and to secure the deletion of the users' data. In the light of these violations the authority fined the company 5.000€.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

                                                             Athens, 12-05-2021
                                                              No. Prot.1207

                              DECISION 20/2021


     The Personal Data Protection Authority met at

Composition of the Department via video conference on 17-02-2021 at 10:00, after

invitation of its President to consider the case

refers to the history hereof. Presented by George Batzalexis,

Deputy Chairman, disabled by the President of the Authority Konstantinos

Menoudakou, and the alternate members Grigorios Tsolias and Evangelos

Papakonstantinou, as rapporteur, replacing the regular members

Charalambou Anthopoulos and Konstantinos Lambrinoudakis respectively, who,

although they were legally summoned in writing, they did not attend due to obstruction. The regular

member Spyridon Vlachopoulos, although legally summoned in writing, did not attend

due to obstruction. The meeting was attended by Georgia, by order of the President
Panagopoulou, expert scientist - auditor as assistant rapporteur and Irini

Papageorgopoulou, employee of the Administrative Affairs Department of the Authority,

as secretary.

     The Authority took into account the following:

     Submitted to the Authority or with no. prot. Γ / ΕΙΣ / 6076 / 09-09-2019 complaint against


the distinctive title "CAREER SA" about sending emails


1-3 Kifissias Ave., 11523 Athens
T: 210 6475 600 • E: contact@dpa.gr • www.dpa.gr of advertising content to the complainant while he had

repeatedly request its removal from the list of recipients.

     Specifically, according to the document G / EIS / 6076 / 09-09-2019 the complainant

states that from ψε he ceased to wish to receive further electronically

messages from kariera.gr. Tried to make use of that link

is embedded in each email, selecting the appropriate options on the web page
displayed but emails kept coming in normally.

… Sent an email with a request to be deleted from the email lists. Of

a specific procedure was indicated by the ticketing method, in which

proceeded directly to… and by which he demanded the complete deletion of all

data relating to his person from their databases. Then

confirmation of his contact details and request, received on…
information that all his personal data have been deleted

receives by mail suggestions of ads similar to ads in which he had in

past show interest. On λε sent a new message on the issue via

of the ticketing method without receiving a response and on… sent a warning

to appeal to the Authority, if the issue is not resolved, without any response

     The Authority with the no. prot. G / EX / 6076-1 / 03-10-2019 document informed her

CAREER for the complaint and asked for her views.

     CAREER answered with no. prot: G / EIS / 7394 / 30-10-2019 her document,

in which he analyzes the history of the communications of the complainant company

in an attempt to remove it from the list of eligible advertisements
messages. A specific technical problem has been identified, which is described

in the document as follows: The personal data processed by the Company

are recorded electronically in a data table that the Company calls

‘Master Data Table’ (hereinafter the ‘Main Data Table’). All changes to

personal data, such as deletions from email lists or requests

submitted by data subjects through the Platform
Data Management, are initially entered in the Main Data Table and in

are then integrated / copied into the individual databases that

                                                                             2connected to the Main Data Table, through a synchronization process

which takes place automatically on a daily basis. One of these sub

databases linked to the Main Database is also the "Database
Data E-mail ». Due to a technical error in the computer systems

of the Company, a double registration of the electronic address was created

of the complainant in the E-mail Database. This technique

double entry error was detected and corrected immediately in order to

not repeated in the future. However, the duplicate address log file

e-mail of the complainant remained at the Base
E-mail data, with the result while the first registration file was deleted

normally, the second file remained in the E-mail Database. Thus, when the

Complainants requested deletion from the E-mail Database, making

using the delete / unsubscribe link, the request was recorded

successfully in the Master Data Sheet, but the synchronization process failed

replace / delete the duplicate entry of the email address
of the complainant in the E-mail Database. Therefore, he

is the reason why the complainant continued to receive emails about

jobs offered by the Company.

   Subsequently, the Authority sent a prototype number G / EX / 931 / 05-02-2020 with

which requested the following clarifications: For how long did it exist in

systems the technical error by duplicating the email address

mail and how was it located? How many emails have been entered in

systems during this time? How many requests to delete e-mails
were visitors received during this time? There have been relative complaints from

recipients of emails?

     CAREER answered with no. prot. G / EIS / 1765 / 06-03-2020 document at
which clarifies the following: The technical error occurred 6 months before…,

ie during the period between…. The technical error was detected through

investigation carried out due to the complaint forwarded by

Principle. A total of 26,969 e-mails have been entered on the Greek website (Kariera.gr)

during the existence of the technical error. 76 applications were submitted

                                                                             3deletion of e-mail visitors of the website www.kariera.gr during the period

this. 5 requests for "Customer Service" were also received during

period of existence of the technical problem, on the grounds that the user does not
can be successfully unsubscribed.

     Following the above, the Authority proceeded to call the company for

section meeting on 11-11-2020, with reference number C / EX / 6076-1 / 30-10-2020
her document. The company attended the meeting through its legal representative

Theofilos Vassiliadis and through the lawyer of Panagiotis Kontogeorgakopoulos

(…). He also attended the first company. After receiving the deadline, the company submitted

Memorandum No. G / EIS / 7991 / 20-11-2020, which refers to the

previous documents and further clarifies that the response to his request

subject and its satisfaction are two different stages of it
process of deleting his personal data, and that its response

The company was in the middle, but due to a technical problem, no description was given.

The company has as its permanent policy and makes every reasonable effort

in order to complete that deletion process within one (1)

month from the submission of the respective deletion request, paying each
possible effort to respond to the needs of the subjects and to

do not use the possibility of extending the response time by two (2)

further months, provided in accordance with the Regulation under certain conditions.

Also, when the technical problem was resolved, the complainant's details but

and all other data subjects experienced similar

problem, including the five subjects who had done the
requests-complaints, were successfully deleted from its information systems

company. In the context of continuous improvement and the company's commitment to

the proper management of personal data, the company continues to

develops new systems, which in the near future the company will be able to

proceeds to delete and generally manage them with greater immediacy and

convenience.The aim of the company is, from the moment of confirmation of the request
the simplification of the internal deletion procedure

so that the response time is significantly reduced.

                                                                            4 The Authority, after examining the data in the file, after hearing him

rapporteur and clarifications from the assistant rapporteur, who attended without

and withdrew after the discussion of the case and before
the conference and decision-making, after a thorough discussion,

                        THOUGHT ACCORDING TO THE LAW

1. From the provisions of articles 51 and 55 of the General Protection Regulation

Data (Regulation (EU) 2016/679 - hereinafter GCC) and Article 9 of the Law
4624/2019 (Government Gazette AD 137) it appears that the Authority has the competence to supervise the

implementation of the provisions of the GCC, this law and other regulations that

concern the protection of the individual from the processing of personal data.

2. According to article 4 lit. 7 of the GCC, which is implemented by

on 25 May 2018, the person in charge of processing is defined as “the natural or legal

person, public authority, service or other body which, alone or jointly with
others, determine the purposes and manner of data processing

of a personal nature ".

3. The issue of making unsolicited communications with

any means of electronic communication, without human intervention, for

for the purpose of direct marketing of products or services and for each
for advertising purposes, is regulated by Article 11tun.3471 / 2006for

protection of personal data in the field of electronic communications, o

which incorporated Directive 2002/58 / EC into national law. According

this article, such communication is allowed only if the subscriber

expressly agreed in advance. Exceptionally, according to article 11 par.

3 of Law 3471/2006, the contact details of the e-mail that
acquired legally, in the context of the sale of goods or services or otherwise

transaction, can be used for direct promotion

similar products or services of the supplier or for service

similar purposes, even when the recipient of the message has not given out

with his prior consent, provided that he is provided with

                                                                            5 way clear and distinct the ability to oppose, in an easy way and

for free, in the collection and use of his electronic data and that

when collecting contact information, as well as in each message, in case
that the user did not initially disagree with this use.

4. According to article 17 par. 1 of the GCP, “The data subject

has the right to request the deletion from the controller

personal data relating to it without justification

delay and the controller is required to delete data

without undue delay, if one of the
the following reasons: (…) (c) the data subject objects to

processing in accordance with Article 21 (1) and are not mandatory

and legitimate reasons for processing or the data subject object

processing in accordance with Article 21 (2) ". Further, in the article

21 par. 2 of the GCP stipulates that “If personal data

processed for the purpose of direct marketing, the
data subject is entitled to object at any time to

processing of personal data concerning it for the en

due to marketing, including profiling, if relevant

with this direct marketing promotion. "

5. Article 25 of the GCC stipulates that “Taking into account the latter
developments, application costs and nature, scope, context and

processing purposes, as well as the risks of different probability

and the seriousness of the rights and freedoms of natural persons

persons from the processing, the controller applies

effectively, both at the time of determining the processing media and

and at the time of processing, appropriate technical and organizational measures, such as
the pseudonym, designed to apply the principles of protection of

data, such as data minimization, and their integration

necessary guarantees in the processing in such a way that the

requirements of this Regulation and to protect their rights

data subjects. "

6. In this case, data processing was performed

                                                                            6 personal character of the complainant for the purpose of promoting products and

services by the company CAREER, which is the person in charge of processing. THE

legality of the original collection is not judged by the present, as the
complainant admits that he had provided his information to the company.

7. The complainant, as appears from the original complaint, expressed

objection to sending messages for product promotion purposes. THE

The controller had to have the appropriate procedures in place to

respond. The controller did not act to interrupt it

sending advertising messages, as it should, as well as opposition and
deletion in case of direct marketing must be done

respected. This happened only after the intervention of the Authority. Therefore, from

An initial complaint is an infringement of Article 17 in conjunction with Article

21 par. 2 of the GKPD.

8. Only after the complaint was forwarded by the Authority to the company were they made

appropriate actions to investigate the reason for their deletion
of the complainant had not been made, and during this investigation

it was found what the technical error was. From the data below

requested Authority and following the investigation of the controller emerged

that there were another 78 cases of failure to satisfy the right

deletion of subjects as well as 5 requests-protests for this issue, the
which the controller had not identified through the procedures

nor did the technical error. It is therefore established that the company

did not have in practice the necessary procedures to ensure the

delete the data in order to meet the requirements of the GCP and to

the rights of data subjects are protected. Therefore,

there is a violation of article 25 par. 1 of the GCP.
9. The Authority takes note that the violation is related to practice

rights of the data subject, that the technical error lasted

of one semester and had affected 79 data subjects, that there were

protests of 5 data subjects which due to wrong procedures do not

received a reply, that the controller has an online store

and uses electronic communication techniques, therefore it should have

                                                                              7Take care of the correct response to requests for rights.

Further, according to publicly available data in GEMI, company against

the year 2019 had a turnover of € 4,202,734.53 and profits after taxes

€ 879,150.88. As a mitigating factor, it's the first offense for her

specific company, that after the intervention of the Authority the person in charge

took action to investigate and correct it
problem and finally, the unfavorable economic situation due to the pandemic


10. In view of the above, the Authority unanimously considers that in accordance with Article 17 in

in conjunction with Article 21 para. 3 of the GCP and Article 25 para. 1 of the GCP

the conditions for enforcement against the controller are met, with

based on article 58 par. 2 i of the GCP and taking into account its criteria

article 83par.2 of the GCPD, of the administrative sanction referred to in the operative part

of the present, which is considered proportionate to the gravity of the infringement.

                           FOR THESE REASONS

The Authority imposes, in the "CAREER SOLE SHAREHOLDER SA


SPECIAL EDITIONS "with the distinctive title" CAREER SA " the effective,

proportionate and dissuasive administrative fine appropriate to

specific case according to its more specific circumstances, amount

five thousand euros (5,000.00) euros, for the above violations
of article 17 in combination with article 21 par. 3 of the GCP and article 25

par. 1 of the GCPD.

       The Deputy Chairman The Secretary

         George Batzalexis Irini Papageorgopoulou