HDPA (Greece) - 48/2021: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Greece |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoGR.jpg |DPA_Abbrevation=HDPA (Greece) |DPA_With_Country=HDPA (Greece) |Case_Number...")
 
Line 67: Line 67:


=== Facts ===
=== Facts ===
Three data subjects filed complains with the Greek DPA against a marketing agency for processing their personal data for a purpose other than it was collected in first place. The data subjects claimed that the marketing agency was contacting them in order to promote its products without respecting their opt-out requests while the marketing agency was claiming that they contacted the data subject (being existing clients) for a customer satisfaction survey after having obtained their consent.
Three data subjects filed complains with the Greek DPA against a marketing agency for processing their personal data for a purpose other than it was collected in first place. The personal data was collected during purchases of goods. The data subjects claimed that the marketing agency was contacting them in order to promote its products without respecting their opt-out requests while the marketing agency was claiming that they contacted the data subject for a customer satisfaction survey after having obtained their consent.





Revision as of 21:43, 22 November 2021

HDPA (Greece) - 2322/14-10-2021
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 4(11) GDPR
Article 4(12) GDPR
Article 5(2) GDPR
Article 6(1)(f) GDPR
Article 6(1)(a) GDPR
Article 6(4) GDPR
Article 7 GDPR
Article 21 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 14.10.2021
Published: 14.10.2021
Fine: 20000 EUR
Parties: n/a
National Case Number/Name: 2322/14-10-2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: Greek's DPA website (in EL)
Initial Contributor: Elisavet Dravalou

A company that conducts phone sales, processed customer personal data to promote its products and services to the customers, whose personal data was collected during the purchase of products. The controller held that consent was obtained but was unable to prove it and did not respect the data subject's opt-out requests.

English Summary

Facts

Three data subjects filed complains with the Greek DPA against a marketing agency for processing their personal data for a purpose other than it was collected in first place. The personal data was collected during purchases of goods. The data subjects claimed that the marketing agency was contacting them in order to promote its products without respecting their opt-out requests while the marketing agency was claiming that they contacted the data subject for a customer satisfaction survey after having obtained their consent.


Holding

The Greek DPA held that this processing constitutes use of personal data for a purpose other than that for which the personal data was originally collected, therefore the criteria of Article 6 (4) GDPR must be fulfilled and article 5 GDPR principles must be respected. In this case, it was found that the data subjects were not properly informed during the data collection stage that their personal data will be used for an additional different purpose, that their objections were not respected and the identity of the controller was not clear to the data subjects. Also, in relation to the application of the right of objection, the controller did not respect the data subject's opt-out requests and did not provide appropriate documents or instructions to prove that he was able to respond to such requests. The Authority imposed a fine of 20,000 euros for the violations found, taken into consideration the duration and the intensity of the violations.

Comment

What is interesting in this case is that the controller claimed that they processed personal data for marketing purposes (promotion of products) based on data subjects' oral consent obtained during the purchase of products. The DPA couldn't find evidence to suggest that consent was given. Therefore, in the absence of evidence, it cannot be accepted that consent is accepted as the legal basis of this processing. The DPA stated that it could accept legitimate interest as a legal basis, given the soft opt-in exception. Given though that the processing was carried out for a purpose different that the one for which the personal data was collected in first place, the Greek DPA held that article 6(4) and 5 of the GDPR must be respected. In this specific case at least appropriate information should have been provided to data subject at the data collection stage so that data subjects know that their personal data will be used for an additional purpose, while at the same time providing them with the opportunity to express their objections.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.



  
    

  
  
    
  
    Category
              Decision
          

  
    Date
              14/10/2021

          

  
    Transaction number
              48
          

  
    Thematic unit
          
              09. Promotion of products and services
              
      

  
    Applicable provisions
          
              Article 4.11: Consent (definition)
          Article 4.12: Violation of personal data (definition)
          Article 5.2: Principle of accountability
          Article 6.1.a: Legal basis of consent
          Article 6.1.f: Legal basis of overriding legal interest
          Article 6.4: Compatibility of processing for another purpose
          Article 7: Conditions for consent
          Article 21: Right of objection
          Article 11.2: Register - Article 11
              
      

  
    Summary
              A company that conducts long distance telephone sales, used to promote its products and services the customer data, which it collected during the purchase of products. This processing is the use of personal data for a purpose other than that for which the data were originally collected, therefore the criteria of Article 6 par. In this case, it was found that the data subject was not properly informed during the data collection stage, so that he knows that his data will be used for an additional different purpose, that customer objections were not respected and it was not clear to the data subjects the identity of the controller. Also, in relation to the satisfaction of the right of objection, the controller did not provide appropriate documents or instructions to prove that he was able to respond to such requests. The Authority imposed a fine of 20,000 euros for the violations found.

          

  
    PDF Decision
              48_2021anonym.pdf299.82 KB
          

  


    
  
    Category
              Decision
          

  
    Date
              14/10/2021

          

  
    Transaction number
              48
          

  
    Thematic unit
          
              09. Promotion of products and services
              
      

  
    Applicable provisions
          
              Article 4.11: Consent (definition)
          Article 4.12: Violation of personal data (definition)
          Article 5.2: Principle of accountability
          Article 6.1.a: Legal basis of consent
          Article 6.1.f: Legal basis of overriding legal interest
          Article 6.4: Compatibility of processing for another purpose
          Article 7: Conditions for consent
          Article 21: Right of objection
          Article 11.2: Register - Article 11
              
      

  
    Summary
              A company that conducts long distance telephone sales, used to promote its products and services the customer data, which it collected during the purchase of products. This processing is the use of personal data for a purpose other than that for which the data were originally collected, therefore the criteria of Article 6 par. In this case, it was found that the data subject was not properly informed during the data collection stage, so that he knows that his data will be used for an additional different purpose, that customer objections were not respected and it was not clear to the data subjects the identity of the controller. Also, in relation to the satisfaction of the right of objection, the controller did not provide appropriate documents or instructions to prove that he was able to respond to such requests. The Authority imposed a fine of 20,000 euros for the violations found.

          

  
    PDF Decision
              48_2021anonym.pdf299.82 KB