HDPA (Greece) - 20/2023

From GDPRhub

Latest revision as of 17:48, 17 July 2023

HDPA - 20/2023
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 12(2) GDPR
Article 12(3) GDPR
Article 12(4) GDPR
Article 15 GDPR
Article 21 GDPR
Article 25(1) GDPR
Type: Complaint
Outcome: Upheld
Started: 14.06.2022
Decided: 29.05.2023
Published: 29.05.2023
Fine: 150.000 EUR
Parties: n/a
National Case Number/Name: 20/2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: eirini.saranti

The Hellenic DPA fined a telecommunications company a total of €150,000 for sending unsolicited advertising messages, for not responding to an access request and for not facilitating the objection to processing of personal data.

English Summary

Facts

The data subject was a client of a telecommunications services provider, the controller. Although they had expressly objected to the receipt of advertising messages through the Register provided for in Article 11 of Law 3471/2004, the controller continued to send them promotional electronic messages.

The data subject submitted an access request, but the controller argued that it would be necessary for them to go to a store or send a registered letter in order to have their identity verified.

The data subject then filed a complaint with the Hellenic DPA claiming that the controller violated their data protection rights. In defense, the controller argued that there was a specific procedure described in its privacy policy for data subjects to request access to their data and this procedure had not been followed.

Holding

The Hellenic DPA acknowledged the fact that the data subject did not follow the procedure established by the controller, but stated that this was not a legitimate reason to not comply with the access request. The DPA also found that the controller made it difficult for the data subject to exercise their rights by requesting their physical presence in the store or the sending of a registered letter. Finally, the DPA held that the controller did not implement appropriate organizational and technical measures to enable the exercise of the right to object to the processing of personal data for promotional purposes, failing to comply with the requirements of the GDPR.

As such, the DPA ordered the controller to comply with the access request and issued a fine of:

a) €60,000 for the violation of Article 21(3) GDPR as the controller sent five promotional messages after the data subject had expressly objected to the processing of their data for this purpose;

b) €60,000 for the violation of Articles 15(1) and 12(2), (3) and (4) as the controller did not respond to the access request and did not facilitate the exercise of the data subject's rights;

c) €30,000 for the violation of Article 25(1) GDPR as the controller did not implement organizational and technical measures to enable the data subject to exercise the right to object to the processing of the personal data for promotional purposes.

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Summary
The Authority examined complaints from a subscriber of WIND, now NOVA, in which he complained about repeated receipt of e-mails for promotional purposes despite his opposition and repeated protests, as well as non-satisfaction of requests to exercise the right of access.

The Authority imposed a fine of a) 60,000 euros for violation of Article 21(3) GDPR due to the sending of five promotional messages despite the opposition and the removal of the complainant's telephone number from the Register of Article 11 of Law 3471/2004 for a period of three months without his having requested it, b) 60,000 euros for failure to satisfy the right of access, failure to provide an answer, even a negative one, and making it difficult to exercise the right of access by pretextually citing the inability to correctly identify the complainant in ways other than physical presence in the store or by registered letter, in violation of Article 15(1) in conjunction with Article 12(2), (3) and (4) GDPR, and c) 30,000 euros for violation of Article 25(1) GDPR because it did not in practice have the necessary procedures to ensure the right to object and to stop the processing of the data for promotional purposes.