HDPA (Greece) - 22/2023

From GDPRhub
Revision as of 20:17, 20 October 2023 by Eirini.saranti (talk | contribs)
HDPA - 22/2023
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 12(2) GDPR
Article 12(3) GDPR
Article 15 GDPR
Article 58(2)(b) GDPR
Type: Complaint
Outcome: Upheld
Started: 30.03.2023
Decided: 04.09.2023
Published: 04.09.2023
Fine: n/a
Parties: n/a
National Case Number/Name: 22/2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: eirini.saranti

The Hellenic DPA issued a reprimand to an electricity supplier because they delayed in three cases to satisfy the data subjects' exercised rights of access, while in one case they made it difficult to exercise the disputed right of access.

English Summary

Facts

The Hellenic DPA examined three related data subject complaints against an electricity supplier, the data controller, because of a delay to satisfy their exercised rights of access to their recorded conversations. When examining these complaints, the Authority requested clarifications on whether the complainants exercised their right to access their personal data and if and how the controller responded or why they didn't respond in a timely manner. The Hellenic DPA also wanted to know if the conversations with the complainants were recorded, their content, how long they were kept, and the company's policy on recording customer conversations, including which calls are recorded, how long they are stored, and how data subject access requests are handled. The electricity supplier confirmed the receipt of the access requests and explained that they couldn't respond to them promptly due to a high volume of inquiries that came as a result of the energy crisis and the covid pandemic. They stated that they record conversations for legal and contractual purposes, keeping them for one year and up to five years with consent. Access requests for recorded conversations are handled by the Customer Service Department through specific email submissions.

Holding

The Authority determined that the electricity supplier has committed three violations of Article 12(3) GDPR , because the company delayed to satisfy the complainants' right to access the recorded conversations and they did not inform them within a month of receiving these requests for an extension to fulfill the contested right. Additionally, they did not provide an explanation for the delay. The DPA also determined that there was a violation of Article 12(2) GDPR because the controller made it difficult for one of the complainants to exercise their right of access, as the company required that it should be exercised under a specific form. As a result, the Authority issued a reprimand in accordance with Article 58(2)(b) GDPR for these established violations. The DPA issued an order, as per Article 15(4)(b) of the Greek Law 4624/2019, directing the supplier to reorganize its internal processes within three months. This reorganization should serve as an organizational security measure, particularly in emergency situations, to ensure the timely fulfillment of data subjects' rights under Article 12(3) GDPR. The company is also required to inform the authority about these changes.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Summary
The Authority considered three related complaints of violation of the right of access to recorded conversations against an electricity supplier. He found, first of all, that the recording of the disputed conversations is legal, as it constitutes a legal professional practice according to article 4 paragraph 3 of Law 3471/2006 in conjunction with article 3 of Annex III of the Electricity Supply Code and, further, that there was a violation of articles 12 par. 2, 3 of the GDPR, to the extent that the complained company delayed in all three cases to satisfy the complainants' exercised rights of access, while in one case it made it difficult to exercise the disputed right of access.

At the same time, he ordered the complainant to act, within three (3) months of the decision being made, in order to shape the organization of its internal procedures in such a way, as an organizational safety measure, especially in the context of any existing emergency conditions, in order to facilitate the exercise of the rights of the data subjects and to satisfy the exercised rights within the deadlines provided for in article 12 par. 3 of the GDPR, and to inform the Authority accordingly.