HDPA (Greece) - 20/2022

From GDPRhub
Revision as of 12:36, 17 August 2022 by Jg (talk | contribs)
HDPA - 20/2022
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 12(3) GDPR
Article 17 GDPR
Article 21 GDPR
Article 83(2)(a) GDPR
Type: Other
Outcome: n/a
Started: 23.03.2022
Decided: 25.07.2022
Published: 28.07.2022
Fine: 5.000 EUR
Parties: Mizuno Online Store
National Case Number/Name: 20/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: Jette

The Greek DPA partially revoked its previous decision and recuded the fine from €20.000 to €5.000 on a company that sells sports clothing in light of new evidence revealing that the violation of the right to object was due to an isolated error and not to malicious intent.

English Summary

Facts

In a previous decision (hub: 13/2021), the Greek DPA imposed a fine of €20.000 on a company that sells sports clothing (the controller). The controller failed to comply with a data subject's erasure request (Article 17 GDPR) and kept on sending them unwanted marketing-SMS despite their opt-out (Article 21(1) GDPR). The DPA held that the controller also violated Article 25(2) GDPR.

In the case at hand, the controller requested the decision to be annulled. The controller submitted new evidence about the steps that were taken to remove the data subject from its contact list. The controller argued that all necessary procedures were in order and that it has done everything that could be reasonably required to handle the data subject's requests. The controller explained that the conduct for which the company had been fined was due to an isolated error.

The controller further stated that the DPA violated (1) the principle of proportionality and (2) the criteria for the imposition and assessment of fines for violations of the GDPR by imposing a €20.000 fine.

Holding

After considering the new evidence provided by the controller, the DPA found the following two mitigating circumstances pursuant to Article 83(2)(a) GDPR. First of all, the DPA agreed that the violation seemed to be caused by the controller's negligence (an isolated error) and not malicious intent. Second, the controller appeared to have implemented and followed the appropriate procedures to ensure the correct handling of the right to object (Article 21 GDPR) and the right to erasure (Article 17 GDPR) of data subjects. Therefore the controller was not found in breach of Article 25(2) GDPR. The DPA partially revoked its previous decision n. 13/2021, but confirmed its judgement that Article 17, Article 21(1) and Article 12(3) GDPR were violated. Therefore the DPA reduced the fine from €20.000 to €5.000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

  Athens, 07-25-2022 Prot. No.: 1905 DECISION 20/2022 (Department) The Personal Data Protection Authority met as a Department by teleconference on 03-23-2022 at 09.30 a.m. at the invitation of its President, in order to examine the case referred to in the present history. Konstantinos Menudakos, President of the Authority, and alternate members Maria Psalla and Demosthenes Vougioukas attended, as rapporteur, in place of regular members Konstantinos Lambrinoudakis and Grigorio Tsolias, respectively, who, despite being legally summoned in writing, did not attend due to disability. The meeting was attended by order of the President, Haris Symeonidou and Spyridon Papastergiou, specialist scientists - auditors as assistant rapporteurs and Irini Papageorgopoulou, an employee of the Authority's administrative affairs department, as secretary. The Authority took into account the following: With no. prot. C/EIS/4316/30-06-2021 document by the company with the name "MZN HELLAS ANONYMI ATHLITIKI EMPORIKI ETEIRIA" with distinctive title "MZN HELLAS A.E." (hereinafter referred to as the applicant) submitted a treatment application against her with no. 13/2021 of the Authority's Decision, which was issued following the no. prot. C/EIS/4863/10-07-2019 and C/EIS/7689/07-11-2019 of complaints submitted against her by A (hereinafter referred to as the complainant). With the above complaints, the complainant complained about the sending of unsolicited SMS messages to his mobile phone number for the purposes of commercial promotion of the applicant's products, even though he had explicitly expressed his objection. After examining the above complaints, the Authority, with the contested decision 13/2021, accepted the complaints and imposed on the applicant a fine of twenty thousand (20,000.00) euros for the established violation of article 17 in combination with article 21 par. 3 and article 12 paragraph 3 of the GDPR and article 25 paragraph 1 of the GDPR. For its judgment, the Authority specifically took into account the following (paragraphs 10 and 11): "10. In his first memorandum, the controller assured the Authority that he has deleted the complainant's mobile phone and email address and that they have taken all necessary steps to prevent it from happening again in the future for any other customer. It turns out that the above statement was not accurate. Even if the company's argument about a single error by employees is accepted, which is not based on electronic or other evidence that cannot be disputed, but only on written statements of the employees involved, it follows that the data controller did not take actions to that a similar incident does not happen again in the future to another customer. Therefore, with the sending of the second message on 6/11/2019, it is established that the company did not have in practice the necessary procedures to ensure the deletion of the data, to meet the requirements of the GDPR and to protect the rights of the data subjects . Therefore, there is a violation of article 25 paragraph 1 of the GDPR. It is pointed out that based on the principle of accountability (Article 5 para. 2 GDPR) the data controller bears the responsibility and is able to prove his compliance with the basic principles of legal processing. It should be noted that the argument of not using the deletion function integrated in the SMS and using it after 6/11/2019, specifically on 11/12/2019, is not accepted. The complainant, as explained, was not obliged to exercise his right in this particular way, while it is not proven that he was the one who activated the deletion process, as during this period the details of the complaint were also known to other persons (e.g. e.g. to the Authority). 11. The Authority takes into account aggravatingly, that the data controller did not submit documentation of the deletion procedures, that the violation is related to the exercise of rights of the data subject, that the company declared to the Authority that it took the appropriate measures and in fact for all customers of her, while in practice this had not happened with regard to the complainant, that the controller has an online store and uses electronic communication techniques, therefore he should have taken care of the correct response to the requests to exercise rights. Furthermore, according to the publicly available data at GEMI [https://www.businessregistry.gr/publicity/show/9178201000], the company in the year 2019 had a turnover of €1,343,513.99 and profits after taxes of €50,151, €92. As mitigating factors, it takes into account that while there was a nuisance, there was no financial loss to the data subject due to the non-satisfaction of the right, that it is the first violation for the specific company and finally, the adverse financial situation due to the Covid-19 pandemic". With the current treatment request, the applicant requests the revocation of the challenged decision in its entirety and the deletion of the imposed fine for the following reasons: A) Submission of new and critical evidence regarding the procedures for deleting the complainant from the applicant's contact list and its actions/procedures to this end. Specifically, the applicant maintains that she did everything required to the extent possible for her compliance with the requirements of the Regulation, having arranged all the required procedures for this purpose, and having given the necessary instructions and orders to her competent employee, B , who in turn always assured her that he had done everything necessary to satisfy the complainant's right to be deleted from the applicant's customer list, so that the sending of advertising messages to his phone would stop. In order to confirm the above, the applicant submits and invokes the following new evidence, which concerns the alleged facts and came to her knowledge after the contested decision was issued: i. the under no. ..../2021 affidavit of the applicant's employee, Mr. B before the Athens Magistrate's Court (Ref. 1), in which the facts of the case are described in detail as well as the critical omissions on the part of the employee, which led on the one hand in the non-completion of the deletion of the complainant's data, on the other hand in the mistaken belief of the applicant's management that the necessary legal procedures have been fully followed, on which its argumentation to the Authority was based. In particular, the employee asserts his failure to confirm that the deletion of the complainant's details has been completed through the EasySMS platform in August 2019 by contacting the TERN technical support company and his failure to properly inform the management of the applicant (C) in context of the complaint, as well as his incorrect action in November 2019, to export an earlier list of recipients (and not the updated one), resulting in the 2nd SMS being sent to the complainant and the 2nd complaint being submitted. ii. The letter dated 14-4-2021 from the applicant (Ref. 2) through her attorney to the company TERN INFORMATION SYSTEMS – administrator of the EasySMS platform and processor, with which the applicant - controller cooperated during the critical period to send promotional messages to its customers. With the letter in question, the assistance of the TERN company to the applicant was requested, through the provision of information and electronic data (full information history) to prove the procedures followed and the process of deleting the data of the complainant. iii. The reply letter dated 4-27-2021 (Ref. 3) from the company TERN INFORMATION SYSTEMS, which includes electronic traces – the history of all deletions of telephone numbers by the applicant on the EasySMS platform, and which proves its constant compliance applicant with the requests to delete the subjects she accepts and her claim is strengthened that the non-completion of the process of deleting the number of the complainant in August 2019 is due to a detour by the above employee. B) Violation of the principle of proportionality and the criteria for the imposition and measurement of administrative fines for the violation of the GDPR, due to the amount of the fine imposed (€20,000.00). The Authority, after examining the elements of the file, after hearing the rapporteur and the assistant rapporteurs, and after a thorough discussion, THINKS IN ACCORDANCE WITH THE LAW 1. Article 24 par. 1 of the Law. 2690/1999 (KDDiad) stipulates that "If the relevant provisions do not provide for the possibility of exercising, according to the next article, a special administrative or interlocutory appeal, the interested party, for the restoration of material or moral damage to his legal interests caused by an individual administrative act may, for any reason, with his application, request, either from the administrative authority that issued the act, its revocation or amendment (remedial request), or from the authority that is in charge of the one that issued the act , its annulment (hierarchical appeal)". In the true sense of the provision, the request for treatment aims to revoke or modify the contested individual administrative act for legal or factual defects of it that go back to the regime under which it was issued. 2. As can be seen from the content of the present application, the applicant first of all repeats her claim of a single error in the process of deleting the number of the complainant, due to an omission by her competent employee, who had been submitted to the Authority before the issuance of the decision, with the applicant's memorandum. However, the claim in question is now substantiated with the above-mentioned new evidence presented and invoked by the applicant. In particular, from the affidavit of the employee Mr. B (Ref. 1) and the letter of the TERN company (Ref. 3), it appears that the sending of the 2nd message to the complainant is indeed due to an individual error by the employee and not to incomplete procedures of the applicant. It should be noted that the employee is not a "processor" as incorrectly stated on p. 25 of the treatment request, but acts under the supervision and at the behest of the applicant (Article 29 GDPR) and therefore for his actions or omissions according to the GDPR, his employer, as data controller, is responsible. In any case, following the aforementioned affidavit, it is recognized that the applicant had tried to satisfy the complainant's opposition request and the violation was clearly not due to fraud, but to negligence.
3. In view of the above new evidence submitted, the Authority assesses as mitigating circumstances according to article 83 par. 2 GDPR the fact that a) the violation is due to negligence and not fraud on the part of the applicant, and b) the applicant appears that according to rule follows the appropriate procedures that ensure the satisfaction of the rights of opposition and deletion of the data subjects, therefore no violation of article 25 par. 1 GDPR is found. There is, therefore, a case of a partial revocation of the Authority's decision 13/2021, and specifically in the part where this decision was deemed to have violated this article, which was included in the calculation of the fine.
FOR THOSE REASONS
The beginning
1. Partially accepts the request for treatment, in view of the presentation and invocation of new information on behalf of the applicant.
2. Revokes Decision 13/2021 as far as it was judged that there was a violation of article 25 par. 1 GDPR.
3. Imposes on the company "MZN HELLAS ANONYMI ATHLITIKI EMPORIKI ETERIA" the effective, proportionate and dissuasive administrative monetary fine appropriate to the specific case according to its special circumstances, in the amount of five thousand (5,000.00) euros, for the established violations of the article 17 in combination with article 21 par. 3 and article 12 par. 3 of the GDPR, for the reasons stated in Decision 13/2021, in combination with the rationale of this decision.
 
The President The Secretary
 
Konstantinos Menudakos Irini Papageorgopoulou