HDPA (Greece) - 24/2023
HDPA - 24/2023
Article 5(1) GDPR
Hellenic Data Protection Authority (in EL)
After the data subject had withdrawn a complaint, the Hellenic DPA continued with an ex officio investigation into the sending of unauthorized advertising messages and issued a reprimand to the controller for a violation of Article 5(1)(a) GDPR.
English Summary
Facts
The data subject, a pharmacist, received several emails advertising pharmaceutical products from the company Infinity Pack, the controller. The data subject filed a complaint with the Hellenic DPA, stating that they had agreed to receive promotional content at some personal email addresses. However, they stated that they had never had any commercial relationship with the controller through the other email address at issue, which was used exclusively for communications with public bodies.
The DPA notified the controller asking for clarifications on how it became aware of that specific email address. The controller responded that it could not determine the source of the information, but admitted that its representatives travel to many regions in Greece and collect 'market information' such as business cards and contact details of potential clients.
Although the data subject withdrew the claim during the course of the procedure, the Hellenic DPA decided to continue with ex officio investigations.
Holding
The DPA highlighted that Article 5(1) GDPR establishes that personal data must be processed lawfully, fairly and in a transparent manner, while also being collected for specified, explicit and legitimate purposes. Moreover, Article 5(2) provides that the controller is responsible for demonstrating compliance with these obligations.
The DPA then referred to Greek national law. It clarified that, although the law authorizes controllers to send advertising messages to emails legally obtained in the context of their commercial transactions, even without prior consent, it requires that an easy way to object to the data processing be made available.
In the case under analysis, the DPA held that the controller was not able to demonstrate the source of the data and, therefore, could not claim that the data were obtained in the context of its commercial activities. Similarly, the controller did not demonstrate that it had obtained the consent of the data subject.
For these reasons, the DPA found a violation of Article 5(1)(a) GDPR. However, taking into account the fact that the complaint was of an individual nature and that no other violations were found, as well as the fact that the controller, soon after being notified, adjusted its conduct, the DPA only issued a reprimand.
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.