HDPA (Greece) - 25/2022
|HDPA - Decision 25/2022|
|Relevant Law:||Article 5(1)(a) GDPR|
Article 5(2) GDPR
Article 6(1)(b) GDPR
Article 12(2) GDPR
|National Case Number/Name:||Decision 25/2022|
|European Case Law Identifier:||n/a|
|Original Source:||HDPA (in EL)|
The Greek DPA fined a credit claim management company €20,000 for failing to prove the lawfulness of processing according to Article 6(1)(b) GDPR and for violating Article 12(2) GDPR by creating undue barriers to the exercise of the data subject rights.
English Summary[edit | edit source]
Facts[edit | edit source]
A loan and credit management Company (controller) was repeatedly contacting a data subject by telephone-call regarding the repayment of their alleged debt.
The data subject had already declared personal bankruptcy according to Article 8(2) Law Nr. 3869/2010 and the insolvency court had granted a discharge of the debt in question. After that, the attorney of the data subject filed an objection to the processing of their data according to Article 21 GDPR. The data subject requested the controller to cease contacting them regarding the alleged debt and to erase their personal data according to Article 17 GDPR.
The controller refused to respond to the request claiming that the data subject could not be identified with certainty, due to the data subject's ID number stated on the power of attorney not matching the one kept in the controller's record. The controller claimed that the data subject should first update their personal identification information by visiting a branch office in person.
Consequently, the data subject lodged a complaint with the DPA regarding the processing of their data. The controller stated before the DPA that the data processing was lawful according to Article 6(1)(b) GDPR, since the data subject was still obliged to repay the debt on a legal basis not covered by precedent created from the insolvency court's decision. Regarding the data subject's requests, the controller argued that the data subject acted in bad faith by refusing to update their identification information.
Holding[edit | edit source]
The DPA held that the controller processed personal data in absence of a valid contractual relationship with the data subject. In particular, the controller had full access to all crucial information (especially the decision of the insolvency court and records kept in public registries) proving that the data subject was not obliged to repay the debt in question. The controller failed to prove the lawfulness of the processing in violation of its accountability obligation. For this reason, DPA imposed a €10,000 fine for the violation Articles 5(1)(a), 5(2), and 6 GDPR.
The DPA also held that the controller created undue barriers to the exercise of the data subject’s rights by demanding the update of the identification information. The controller had at its disposal a variety of personal identification information such as VAT number, date of birth, and father's name. The identification of the data subject was possible even without the ID number. For this reason, the DPA fined the controller €10,000 for violating Article 12(2) GDPR.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
1-3 Kifisias St., 11523 Athens, Tel: 210 6475600, Fax: 210 6475628, email@example.com / www.dpa.gr Athens, 19-07-2022 Prot. No.: 1866 DECISION 25/2022 (Department ) The Personal Data Protection Authority met as a Department via teleconference on 11-05-2022 at the invitation of its President, in order to examine the case referred to in the present history. Georgios Batzalexis, Deputy President, due to the disability of the President of the Authority, Constantinos Menoudakou, was present, the deputy member, Maria Psalla as rapporteur, in place of the regular member Grigorio Tsolias, who, although he had been legally invited in writing, was absent due to disability, and the alternate members Nikolaos Livos and Demosthenes Vougioukas to replace regular members Charalambos Anthopoulos and Konstantinos Lambrinoudakis respectively, who, although they were legally invited in writing, were absent due to disability. The meeting was attended by order of the President, Kyriaki Karakasi, legal auditor - lawyer, as assistant rapporteur and Irini Papageorgopoulou, employee of the Authority's administrative affairs department, as secretary. The Authority took into account the following: With the no. prot. C/EIS/3939/15-06-2021 her complaint A complains that since September 2020 she has been receiving phone calls from representatives of the complained anonymous company with the name "doValue Greece Anonymous Company for the Management of Loans and Credits" regarding its debts to Eurobank, which were assigned to the former for management. Subsequently, on 2 04-02-2021, she submitted, through her attorney, a statement of opposition to the above processing, requesting the immediate cessation of the harassment and the deletion of her personal data from the company's list of debtors (see documents attached to the complaint as well as the authorization from 04-02-2021 of the complainant to the attorney-at-law, while it was preceded by the one from 07-01- 2021 its relevant authorization). He pointed out in the context of this above request that following its issue with no. ... Decision of the Magistrate's Court [region] X, by which she was subject to the law 3869/2010 on over-indebted households, her debts were settled for four years, including the disputed ones for which she is being harassed by phone by the complained company, while with the no. ... A decision of the same Court certified her exemption from the rest of her debts, due to the normal performance of the obligation imposed on her by the first court decision in the context of article 8 par. 2 of Law 3869/2010. However, according to the complainants, the telephone harassment from the complainant company continued. Subsequently, after the complainant was informed by telephone that the disputed nuisances are related to the already dissolved joint venture bearing the name "... O.E", in which the complainant was a general partner, he sent another message to the complainant, on 22- 02-2021, with which she reinstated the request to stop the telephone harassment stressing that she is not responsible for the debts in question either as a guarantor or as a former general partner, since with her subjection to the provisions of Law 3869/2010 both were diagnosed above properties. Following this, the complainant states that the company never responded to the above deletion request, while in May 2021 she received the complainant's letter of 14-01-2021, in which she was informed that the data of the Police Report listed in the above authorization Her identity did not coincide with the relevant ones kept in the complainant's file, and therefore in order to accept the authorization in question, it is necessary to go to a Eurobank branch to update her identification information, in order to resubmit the authorization form in which it is correct referred to in said letter. The complainant points out that with the said letter, the complained company refused to respond to her request, explaining the reason for the processing of her personal data, while also refusing to satisfy her 3 right to delete her data from its files. The Authority, in the context of examining the above complaint, with no. prot. C/EX/1995/02-09-2021 her document, requested from the company in question clarifications about the complainants, focusing in particular on whether there was a legal basis for the telephone harassment of the complainant, as well as whether they were carried out on her behalf her specific rights, as a data subject, if and what exactly they answered her about them, as well as the reasons for any delayed response, while requesting that the relevant request of the complainant and any response to it be attached. Following this, with the no. prot. C/EIS/5909/20-09-2021 her response document, the complainant, refers to the two disputed loan agreements that were concluded with the above already dissolved general partnership (presenting before the Authority the published in the Chamber of Commerce and Industry [area ] X from 15-11-2010 relevant private termination agreement), confirming that he is aware of the two aforementioned decisions of the Magistrate's Court [region] X, which he presents to the Authority after the relevant application of the complainant to bring her under the provisions of n 3869/2010. It clarifies, however, that the dismissal of the complainant with no. ...the above Decision referred exclusively to its liability as a guarantor in the context of the above contracts, without taking into account the liability arising from its capacity as a general partner of the above company, invoking the provisions of articles 22 of the Commercial Law and 258 of Law 4072/2012. It also concludes that in view of the above there was a legal basis for making phone calls to the complainant, which took place following a dispatch to the last of the 18- 06-2019 letters, with which she was informed about the transfer of her personal data to the complainant (see attached documents in her response)1. In addition, it confirms the content of the above letter dated 14-01-2021 to the complainant, pointing out the inability to identify her, for the necessity of verification of which the relevant regulatory framework mentions, due to the aforementioned discrepancy in the number of her Police Identity Card 1 At that time, the complainant carried the name "Eurobank FPS Anonymous Company for the Management of Claims from Loans and Credits" 4 and the consequent risk, according to her, of leaking her personal data. In fact, the complainant states that even on 22-02-2021, when the complainant again addressed this authorization to her, the request for her representation by a third party was not completed, as it was not possible to identify her, while she claims that the phone calls that took place after sending the above authorizations were aimed at informing her about the shortcomings of the latter as well as about the need to update her personal information. Regarding the non-satisfaction of the objection and erasure rights exercised by the complainant, it is stated that these could not be satisfied for the aforementioned reasons, also referring to relevant, according to her claims, telephone conversations with the complainant. The Authority called with no. Prot. C/EXE/432/15-02-2022 and C/EXE/429/15-02- 2022 calls both parties to a hearing, via teleconference, so that they can be heard at the meeting of the competent Department from 23-02-2022, giving a deadline for presenting any memoranda to further support their claims until 11-03-2022. At the above meeting, the complainant appeared through her lawyer, Vassiliou Avramidis (with AM ...), and the complainant through the lawyers Menelaos Karpathakis (with AM ...) and Vassiliou Saliaris (with AM ...), also attended by B, an employee of of the complained-about company and C, Data Protection Officer of the complained-about company, in the event that there was a need for further clarification. Subsequently, the complainant timely submitted the no. prot. C/EIS/3758/09-03-2022 memorandum after the relevant documents. With the above memorandum, the claims of the complained-about company are contradicted, while it is argued, among other things, that the latter, in violation of a res judicata arising from a court decision, invokes a non-existent debt as a legal basis for the collection and processing of data in the context of the execution of a contract, imputing, in fact, to the complainant status of non-cooperative borrower in updating identification details. In particular, the complainant denies that she was harassed by the complained-about company in her capacity as manager of a general partnership, as already on 06-02-2009 the private amendment agreement of 29-01-2009 had been published in the books of the Court of First Instance [region] X of the disputed general partnership 5 (while the above change is also mentioned in the private dissolution agreement of the company dated 11-15-2011 published in the Court of First Instance of [region] X dated 11-15- 2010, see documents attached to the above-mentioned memorandum), by which another person was designated as its administrator and representative, and therefore concludes that the relevant argument of the complainant regarding telephone harassment in her capacity as administrator is pretextually presented, namely the first during the hearing before of the beginning. It also points out that the termination of her capacity as administrator was already known to the complainant both from the evidentiary procedure before the court in view of her issuance with no. ... of the decision of the Magistrate's Court [region] X as well as from the publicly accessible books of the Court of First Instance [region] X, as well as from the communication that her attorney had with the complainant, and therefore he had no obligation to further update the complainant status of the general partnership. Finally, it refutes the claim of the complainant regarding the maintenance of the responsibility of the complainant as a general partner as a legal basis for the telephone harassment in question, with direct reference, among others, to no. ... and ... irrevocable decisions of the Magistrate's Court [region] X (see the certificates submitted under no. prot. ... and ... respectively certificates of the Magistrate's Court [region] X regarding the non-exercise of appeals against the above decisions), resulting in the non-foundation of the legal basis of the execution of a contract for the processing in question, insofar as there was no debt from a loan contract. The complained company with no. prot. C/EIS/4124/11-03-2022 her memorandum briefly mentions, among other things, the following: first of all she mentions the letters from Eurobank dated 18-06-2019, with which the complainant was informed about the transfer of the disputed claims by the Bank and for the designation of the complainant herself as their manager in relation to the further processing of the relevant personal data. In fact, according to the allegations of the complained-about company, the information in question was addressed to the complainant both as manager and legal representative of the first-filing general partnership and as a guarantor, while it also included the need to update the identification and contact information kept. The letter from Eurobank dated 31-08-2012 to the aforementioned general company regarding the need to update the details of its representatives is also provided. 6 Next, and given that the complainant did not update her information, the complainant admits that the telephone harassment in question took place from August 2019 to February 2021, as far as, even after the systems were updated them for the on the basis of with no. ... decision of the Magistrate's Court [region] X exonerating the complainant, she was still involved in her capacity as a general partner, even more so since she was still registered in the company's systems both as a general partner and as a manager and legal representative of the above general partnership. In addition, the complained company describes the history of its conversations with the complainant and her attorney stating, among other things, that the power of attorney to the latter could not be accepted solely and solely due to a difference in the number of the complainant's identity card mentioned in it in relation to the corresponding one kept in the records of the complainant. It further recalls its letter dated 14-01-2021 to the complainant, while emphasizing that the complainant's information was never updated and the letter dated 15- 11-2010 private dissolution agreement of the first-filing general partnership was sent by the complainant's lawyer for the first time in the context of his last electronic communication with the complainant, who was then the first to be informed that the said company was put into liquidation with a person other than the complainant appointed as liquidator and legal representative. In addition, the complainant states that the updating of the identification information is done in person and in principle requires a physical presence, while its remote conduct is subject to a strict regulatory framework. The complainant notes that after the initiation of the process of authorizing the complainant to her lawyer, the phone calls had as their sole purpose the need to update her information. In addition, the complainant invokes the execution of the loan agreements in question as a legal basis for processing the complainant's personal data, repeating that her judicial exemption does not take into account her status as a regular partner, while emphasizing that it was only in February 2021 that she was informed that the complainant is not now a legal representative of the first registered general partnership and in any case not in the appropriate way, so as to entail the change of its relevant data in its systems. It concludes in 7 that the complainant was registered as the main contact person on behalf of the first applicant general partnership, since she appeared to be registered as a legal representative of the latter, and therefore was legally harassed by phone in order to inform about the overdue debts of the said company . Therefore, in view of its responsibility as a general partner of the first applicant company, there was no possibility, according to the complainant's claims, to satisfy the complainant's request to stop the harassment and delete her personal data, while the complainant company also refers to its obligation to maintains the complainant's personal data in its still existing capacity as a general partner of the first applicant company. Furthermore, regarding the issue of the complainant's authorization to a third party, and since the complainant justifies the existence of standardized templates of relevant authorizations for the sake of the seamless service of the large number of her customers and also for the sake of avoiding leaks of personal data, she points out that in this case the cause of her non-acceptance of the authorization in question was the above-mentioned discrepancy in the number of the complainant's Police Identity Card, aggravated by the latter's failure to update her data and the failure to send a copy of her new identity card. In addition, the complainant clarifies the procedure for identifying the complainant by its representatives in the cases of incoming and outgoing telephone calls, stating that the data used each time is the tax identification number for incoming calls and the patronymic and date of birth for outgoing calls (cf. art. 4 par. 4 of Law 3758/2009). Finally, the complainant alleges anti-transactional behavior by the complainant based on the non-updating of the aforementioned information. The Authority, after examining the elements of the file, after hearing the rapporteur and the clarifications from the assistant rapporteur, and after a thorough discussion, DECIDED IN ACCORDANCE WITH THE LAW 1. With article 5 par. 1 of the General Regulation (EU) 2016/ 679 for the protection of natural persons against the processing of personal data 8 (hereinafter GDPR) sets out the principles that must govern a processing. In particular, paragraph 1 states that: "1. Personal data: a) are processed lawfully and legitimately in a transparent manner in relation to the data subject ("legality, objectivity and transparency"), b) are collected for specified, explicit and lawful purposes and are not further processed against in a manner incompatible with those purposes; further processing for archiving purposes in the public interest or for scientific or historical research or statistical purposes shall not be deemed incompatible with the original purposes pursuant to Article 89(1) ("purpose limitation"), c) are appropriate, relevant and limited to what is necessary for the purposes for which they are processed ("data minimization") ...'. In accordance with the principle of accountability introduced by the second paragraph of the aforementioned article, it is expressly defined that the data controller "bears the responsibility and is able to demonstrate compliance with paragraph 1 ("accountability")". This principle, which is a cornerstone of the GDPR, entails the obligation of the data controller to be able to demonstrate compliance. In addition, it enables the data controller to be able to control and legally document a processing carried out in accordance with the legal bases provided by the GDPR and national data protection law. 2. According to article 6 par. 1 sec. b and f of the GDPR "1. The processing is lawful only if and as long as at least one of the following conditions applies: …… b) the processing is necessary for the performance of a contract to which the data subject is a party or to take measures at the request of the data subject before from the conclusion of a contract, ... f) the processing is necessary for the purposes of the legal interests pursued by the controller or a third party, unless these interests are overridden by the interest or the fundamental rights and freedoms of the data subject that require protection of personal data, in particular if the data subject is a child". Furthermore, Article 12 paragraph 2 of the GDPR provides that: "The data controller shall facilitate the exercise of the data subjects' rights provided for in Articles 15 to 22. In the cases provided for in Article 11 paragraph 2, the data controller shall not refuse to act at the request of the 9 data subject to exercise his rights under Articles 15 to 22, unless the controller demonstrates that he is unable to ascertain the identity of the data subject.' Paragraph 1 of Article 21 of the GDPR on the right to object provides that: "The data subject has the right to object, at any time and for reasons related to his particular situation, to the processing of personal data concerning him, which is based on Article 6(1)(e) or (f), including profiling under those provisions. The controller no longer processes the personal data, unless the controller demonstrates compelling and legitimate reasons for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or support of legal claims claims". According to article 17 par. 1 f. c' and d': "The data subject has the right to request from the data controller the deletion of personal data concerning him without undue delay and the data controller is obliged to delete personal data without undue delay if one of the following reasons applies: … c) the data subject objects to the processing in accordance with Article 21(1) and there are no compelling and legitimate grounds for the processing or the data subject objects in the processing according to Article 21 paragraph 2 , d) the personal data were processed unlawfully…”. 3. In addition, according to article 4 par. 2 of the GDPR as processing means "any act or sequence of actions carried out with or without the use of automated means, in personal data or in sets of personal data, such as collecting, recording, organizing, structuring, storing, adapting or change, retrieval, information search, use, disclosure by transmission, h dissemination or any other form of disposal, association or combination, restriction, h erasure or destruction", while according to item 7 of the aforementioned article is defined as a data controller "the natural or legal person, the public authority, h agency or other body that, alone or jointly with others, determine the purposes and the way of processing personal data; when the purposes and the way 10 of this processing are determined by the law of the Union or the law of a Member State, the controller or the specific criteria for his appointment may provided for by Union law or the law of a Member State"... 4. Furthermore, according to article 4 par. 4 of Law 3758/2009 on Information Companies Debtors "Before any Notification action is required from the lender to the debtor confirmation of debts in any available way and his identification debtor, as well as informing him about the transmission of his data to the Company [EEO] in accordance with article 11 of Law 2472/1997, as it applies from time to time. ...". According to article 9 par. 6 of Law 3758/2009, as amended and in force "The provisions of articles 4, 5 and 8 also apply to lenders when they proceed to repeatedly informing debtors about their overdue debts". 5. It is also noted that a new compliance model was adopted with the GDPR, a central dimension of which constitutes the above-mentioned principle of accountability, in the context of which the controller is obliged to design, implement and in general takes the necessary measures and policies, in order for the processing of the data to is in accordance with the relevant legislative provisions. In addition, the person in charge processing is burdened with the further duty to prove by itself and per at all times its compliance with the principles of article 5 par. 1 GDPR. It's not a coincidence that the GDPR includes accountability (already mentioned above article 5 par. 2 GDPR) in the regulation of the principles (article 5 par. 1 GDPR) governing the processing, giving it the operation of a compliance mechanism, essentially reversing its "burden proof" as to the legality of the processing (and in general the observance of the principles of article 5 par. 1 GDPR), transferring it to the data controller, so that it is validly argued that he bears the burden of invoking and proving it legality of processing2. 6. In this case and in accordance with the above, the complained Management Company Claims from Loans and Credits has the status of data controller, v the article 4 para. 7 GDPR, as the last admission follows directly from the form information about the processing of personal data of the complainant herself company that it is independently responsible for data processing 2 See in this regard, Decisions of the Authority 26/2019, sc. 7 and 43/2019, s. 6. 11 relating to its general compliance with the resulting obligations from the applicable legal, regulatory and supervisory framework, including of the relevant communication and information of natural persons for the management of of their existing debts (see also relevant information on its website, https://www.dovaluegreece.gr/enimerosi-gia-tin-epexergasia-prosopikon-dedomenon-apo tin-dovalue-greece). This is also deduced from no. prot. G/EIS/5909/20-09-2021 its response to the Authority. The complainant, as a Claims Management Company from Loans and Credits, as it appears from the above as well as from the actual ones incidents of the case in question, having taken over the management of its claims Bank Eurobank against the complainant, determines, as independently responsible processing, the purposes and method of processing its personal data, and therefore becomes liable to comply first with the principles which are introduced by Article 5 GDPR as well as to its other consequential obligations in the context of the regulatory protection of personal data3. As the controller, the complained-about company acted according to its confession (see also page 4 of the memorandum with reference no. C/EIS/4124/11-03-2022 complained of) in making phone calls to the complainant, while ex of the above memorandum that he submitted after the hearing before the Authority, emerges that it bases the disputed processing on the legal basis of article 6 par. 1 para. b GDPR and in particular in the execution of loan agreements in which the above general partnership is a contracting party (see in particular p. 8 of with no. prot. C/EIS/4124/11-03-2022 of the complainant's memorandum), insofar as, according to the allegations, the complainant is still fully liable for her debts of the aforementioned and already dissolved general partnership in its capacity as regular partner, to the extent that with no. ... Decision of the Magistrate's Court [region] X takes possession of her exemption only in her capacity as guarantor in the disputes loan agreements. 7. However, in the context of examining the above claim, the evaluation of which constitutes preliminary necessary, in order for the Authority to decide on the existence of a legal entity 3 See in this regard also Decisions of the Authority 134/2017, sc. 3 as well as 87/2017, s. 2, where the powers of the claims management companies, which in essence take its place lender. See and in this regard also the no. 18/2019 Decision of the Authority. 12 basis for the disputed processing, namely the following: With no. … aforementioned Decision of the Magistrate's Court [region] X, the complainant already has freed himself from the disputed debts, for which he was harassed by phone denounced. The issue of the complainant's responsibility as a regular partner - and therefore as a merchant - he was judged with no. ... Decision of the same above Court (n which is irrevocable, as can be seen from the relevant certificate provided of the Magistrate's Court [region] X), which rejected, in fact, her relevant claim of the bank's licensee regarding the commercial status of the complainant, insofar as preceded in time the cessation of the commercial activity of the complainant - debt, and later the latter stopped payments, a fact that legalized to be subject to the provisions of law 3869/20104. Since the complainant - debt ceased to retain its commercial status, continued its payments and then she stopped them, legally submitting the relevant application for her affiliation to provisions of Law 3869/20105. Otherwise, if, that is, the debt retained commercial capacity, the above application would be rejected. Debtors are discharged from the debts once and through a single procedure, i.e. either that of the Bankruptcy Code, or, as in this case, of Law 3869/2010 and always in accordance with the legislative regime that was in force at the critical time of submitting the complainant's application. Therefore, the accused's claim of continued guilt complaining as a merchant - general partner, cannot prosper, as long as would lead to the impasse that the latter cannot be included in the provisions of the law. 3869/2010, to which it was subject6. 8. From the above it follows that there was no valid legal basis for the processing which consisted of telephone harassment to the complainant, as far as he was concerned that the release of the latter from the disputed debts for which he was complaining, occupies both its capacity as a guarantor and its capacity as a co-regulator partner, according to the foregoing, any legal basis for the aforementioned disappeared nuisances. Regarding the claim of the complained company, which 4 See in this regard I. Venieris – Th. Katsas, Application of Law 3869/2010 for over-indebted natural persons, Law Library, 2011, pp. 56 - 59. 5 See IrPatron 218/2020, IrAtal 183/2016, IrAth 142/2011 & 127/2011. 6 See in this regard I. Venieris – Th. Katsas, ibid., p. 57. 13 is shown first after the ones with no. prot. C/EIS/5909/20-09-2021 documents clarifications of the alleged legal basis for the telephone harassment, regarding the listing of the complainant in its systems as manager and legal representative of the above general partnership, is rejected, as the definition of another person in relation to the complainant as liquidator and manager of the general partnership in question was known to denounced company, which already with the aforementioned (with no. prot. C/EIS/5909/20-09-2021) clarifications before the Authority, presented as relevant the disputed published in the Chamber of Commerce and Industry [region] X from 15-11- 2010 private dissolution agreement, where the appointment of a new administrator is mentioned and representative of the above company. Besides, it also appears presumptively that the definition of another administrator was already known to the complained-about company, since from 15- 11-2010 published in the Court of First Instance of [region] X private dissolution agreement of general partnership, which, as mentioned above, included the definition liquidator and administrator of the latter, had become an element of the case file in view of its edition with no. ... as above decision of the Magistrate's Court [region] X. Therefore, h complained company carried out illegal processing of personal data of the complainant in violation of the principle of article 5 par. 1 paragraph a of the GDPR, in particular in view of the fact that he was making phone calls to a debt, which he had been cleared for its disputed debts already known to the complained company irrevocable court decision, which, in fact, occupied every capacity of the complainant (as guarantor and as a regular partner), and therefore in this particular case, by virtue of according to the above court decision, the legal basis for said nuisances disappeared. In addition, in addition to the above, it is emphasized that in order for personnel data character to be subject to legal processing, i.e. processing in accordance with requirements of the GDPR, the application conditions should be met cumulatively and compliance with the principles of article 5 par. 1 GDPR, as also emerges from the recent Decision of the Court of Justice of the European Union (CJEU) of 16-01-2019 in case C 496/2017 Deutsche Post AG v. Hauptzollamt Koln7. The existence of a legal foundation 7 "57. However, any processing of personal data must be in accordance, on the one hand with the principles to be observed in terms of data quality, which are set by Article 6 thereof directive 95/46 or article 5 of regulation 2016/679 and, on the one hand, to the basic principles of the legal 14 (art. 6 GDPR) does not release the controller from the obligation to comply of the principles (art. 5 para. 1 GDPR) regarding the legitimate character, the necessity and proportionality as well as the minimization principle. In case of which violates any of the principles provided for in article 5 par. 1 GDPR, such as in this case, the processing in question appears to be illegal (subject to the provisions of the GDPR) and the examination of the conditions of application of its legal bases is omitted Article 6 GDPR. Thus, the violation of the principles of Article 5 GDPR not legal processing of personal data is not cured by existence legitimate purpose and legal basis8, which, however, still does not exist in this case, as explained in detail9. The above are not negated by logical necessity from the allegation of the complainant that after her dispatch authorization of the complainant, finally the telephone harassment stopped. 9. Furthermore, from the above facts, as they arise from the elements of the case file in question, the complainant, despite the date of 04-02-2021 exercising the rights of objection and deletion, as repeated on 02-22-2021, did not essentially examine them (see the aforementioned from 01-14-2021 letter from the complainant to the complainant and the no. first C/EIS/5909/20-09-2021 its response document to the Authority), insofar as, as claimed, a question of her identification arose due to the fact that on the body of the relative power of attorney to her lawyer had a different card number identity card from the person who had been registered in the files of the denounced. In view of the above, it is noted that the complained Company of Loans and Credits Receivables Management had as such, complete details of assigned to it to manage files, including those that related to the disputed claims against the complainant, including, therefore, all the data of the latter, as they arose from the disputed ones loan contracts (in which, for example, the VAT number of the borrower/guarantor is also mentioned), data processing listed in Article 7 of this Directive or Article 6 of this Regulation (cf. judgments of 20 May 2003, Österreichischer Rundfunk and others, C-465/00, C-138/01 and C-139/01, EU:C:2003:294, paragraph 65, and of 13 May 2014, Google Spain and Google, C-131/12, EU:C:2014:317, paragraph 71)'. 8 See Decision of the Authority 26/2019, sc. 5, cf. Decision of the Authority 38/2004. 9 See, for example, Decision of the Authority 30/2021. 15 as well as all the documents of the case file in view of its inclusion complainant in the provisions of Law 3869/2010. Therefore, he had a series of personal data of the complainant, without excluding the other details of the report her identity other than the number of 10, based on which she could easily safely identify the latter by contrasting them with what appears in body of said authorization thus, much more since the moment he had preceded by lots of telephone communications with the complainant not only about existing - according to the allegations of the complainant - debts of the complainant, but also in order for the latter to express her will as represented by lawyer to exercise her rights, as the complainant herself admits (see pp. 2-3 of the aforementioned response to the Authority document). Not noted in this regard, the contradiction between the above claim about the deriving from the above authorization of doubt as to the identification of the complainant and her of the complainant's admission that data such as VAT number, patronymic and date of birth were sufficient to identify the complainant in the context of above of incoming and outgoing calls that took place (see p. 13 of me no. prot. C/EIS/4124/11-03-2022 of the complainant's memorandum), but not for the substantial examination of the above requests of the complainant, as the subject of data. 10. Therefore, in view of the above, the complainant did not prove herself as Responsible Processing on the one hand that it complied with the provisions of the GDPR according to article 5 par. 2 of this, on the one hand, that he was not able to ascertain the identity of the complainant, especially in view of the fact that he admits the telephone communications that took place both with initiative of the complainant herself as well as the complainant in the context relevant complaints about the nuisances but also an explicit statement of her representation by a lawyer (see in this regard p. 10 of the memorandum with reference no. C/EIS/4124/11-03-2022 of the complainant, where the subject of the latter's conversations with the complainant). It arises as a result, and in view of all of the above of the complainant's personal data that the complainant already possessed, that the allegation of alleged doubt as to the identity of the first as subject 10 Compare in this regard Decision of the Authority 140/2017, sc. 5. 16 of data is displayed presumptively. In this way and essentially denying the complained company to consider the above objection and deletion rights, placed an unjustified obstacle in the exercise of these, in violation of its provision par. 2 of article 12 of GDPR11. In particular, these rights were never examined on the merits, insofar as the alleged Data Controller relies, and for the twice that it appears that these were exercised by proxy in front of her, issue of alleged impossibility of identifying the data subject. However, and given that, as discussed above, it was easy to identify her complainant, the complained company could carry out a substantive examination and response to the objection and erasure rights exercised, without it to mean that he would not take care, as he should, of updating the contention identity card number based on the existing regulatory framework. Therefore, no a question of violation of the latter arises in itself in the substantive examination of them rights exercised by the complainant, especially since her identification was possible by comparing a range of other data they already had (eg indicatively the TIN)12, according to the above, as the requested update will could take place regardless of the examination of the above rights and anyway without being set as a condition of this. And the obligation of the above substantive examination of the exercised rights of the complainant, is in no way negated by the possibility their non-satisfaction due to non-assistance of the relevant statutory bodies conditions according to the provisions of articles 17 and 21 of the GDPR. 11. Because, in this case, and according to the above, the complained company violated the provision of paragraph 2 of article 12 of the GDPR and did not consider the rights of opposition and deletion exercised before it by complainant through her attorney, while proceeding with the dispute processing of telephone calls in violation of the provisions of articles 5 par. 1 f. a', 5 par. 2 of the GDPR, as detailed in the aforementioned considerations and in any case without establishing any legal basis on which the last according to article 6 of the GDPR. 11 Cf. Decision of the Authority 48/2021, sc. 7. 12 Compare in this regard Decision of the Authority 140/2017, sc. 5. 17 12. Because the violation of the basic principles for the processing combined with the non establishment of a legal basis for the latter, as detailed above, lead to the imposition of the administrative sanctions of article 83 par. 5 item. a' of the GDPR, while the violation of the rights provided for in articles 12-22 of the GDPR subjects of the data, entails the imposition of the relevant sanctions according to article 83 par. 5 item II of the GDPR. And according to the GDPR (Rep. Sk. 148) in order to strengthen the enforcement of the rules of this Regulation, sanctions, including administrative fines, should be imposed for each violation of this Regulation, additionally or instead of the appropriate measures imposed by the supervisory authority pursuant to this Regulation. 13. Based on the above, the Authority considers that there is a case to exercise the following article 58 par. 2 of the GDPR its corrective powers in relation to the established violations. 14. The Authority further considers that the imposition of a corrective measure is not sufficient for the restoring compliance with the provisions of the GDPR that have been breached and that must, based on the circumstances established, be imposed, pursuant to it provision of article 58 par. 2 pcs. i' of the GDPR additional and effective, proportional and dissuasive administrative fine according to article 83 of the GDPR both to restoring compliance, as well as sanctioning illegal behavior13. 15. Furthermore, the Authority took into account the criteria for measuring the fine that are defined in article 83 par. 2 of the GDPR, paragraph 5 item a' and b' of the same article applicable to the present case and the Guidelines for it implementation and determination of administrative fines for the purposes of the Regulation 2016/679 issued on 03-10-2017 by the Article 29 Working Group (WP 253), as well as the facts of the case under consideration and in particular: i. The fact that the complained Loan Receivables Management company and Credits violated the provisions of article 5 par. 1 sec. 1 GDPR 13 See OE 29, Guidelines and the application and determination of administrative fines for the purposes of Regulation 2016/679 WP253, p. 6 18 principles of legality, objectivity and transparency, ie violated fundamental principle of the GDPR for the protection of personal data character. ii. The fact that the observance of the principles provided for by its provision article 5 par. 1 sec. a' of the GDPR is of capital importance, primarily, h principle of legality, so that if it is missing it becomes illegal from the beginning the processing, even if the other processing principles have been observed rather in this case where none of the provisions were established in article 6 of the GDPR legal basis for the disputed processing, according to aforementioned. iii. The fact that the complainant carrying out the disputed processing without legal basis and refusing to consider her rights in substance complainant as the subject of the data, setting, in fact, unjustified obstacle to the exercise thereof, in accordance with the detailed as above exposed, in violation of par. 2 of article 12 of the GDPR, no managed to demonstrate that it complied with the principle of legality, objective and transparent processing, thus violating the principle of accountability. iv. The fact that the disputed phone calls to the complainant had of a continuous nature carried out over a time horizon of several of one month, although there was no legal basis, as stipulated. v. The fact that the above in violation of the GDPR personal processing data in this case concerned one (1) natural person as the subject of personal data, whose rights, in fact, have been exercised opposition and deletion were not examined on the merits. vi. The fact that they were not affected by the violations found above special categories of personal data of the complainant. vii. The absence of previous violations of the accused company as a relevant audit shows that it has not been imposed until today administrative sanction from the Authority. viii. The fact that from the data brought to the attention of the Authority and based on which found the above GDPR violations, the person in charge 19 processing did not cause material damage to the complainant and does not arise to obtain some financial benefit from the above findings violations. ix. The fact that the complainant stopped the pending phone calls of the complaint submitted to the Authority (see her statement complainant during the hearing). x. The fact that the violation of the provisions on the basic principles for the processing as well as with the rights of the subjects subject to, according to with the provisions of article 83 par. 5 sec. a' and b' GDPR, in the upper class prescribed category of the grading system of administrative fines. xi. The fact that from the most recently available in GE.MH. elements of it of the complained company it appears that its turnover during the year of 2020 amounted to 71,496,048 euros (see https://www.businessregistry.gr/publicity/show/121602601000) 16. Based on the above, the Authority unanimously decides that it should be imposed on complained company, as controller, the one referred to in the ordinance administrative sanction, which is considered proportional to the gravity of the violation. FOR THOSE REASONS The beginning It imposes on the complained company with the name "doValue Greece Anonymous Loan and Credit Claims Management Company" as data controller, the effective, proportionate and dissuasive administrative fine that is appropriate in this particular case, according to its special circumstances, amounting to ten thousand (10,000) euros for the above found violation of the provision of the article 12 para. 2 of the GDPR and in the amount of ten thousand (10,000) euros for the above established violations of articles 5 par. 1 par. a, 5 par. 2 and 6 of the GDPR, such as those above were specialized, according to articles 58 par. 2 item i' and 83 par. 5 item a' and b' GDPR. 20 The Deputy President The Secretary Georgios Batzalexis Irini Papageorgopoulou