HDPA (Greece) - 34/2023: Difference between revisions

HDPA - 34/2023
Authority:	HDPA (Greece)
Jurisdiction:	Greece
Relevant Law:	Article 5(1)(c) GDPR Article 15(1) GDPR
Type:	Complaint
Outcome:	Upheld
Started:	09.11.2020
Decided:	10.11.2023
Published:	29.11.2023
Fine:	20000 EUR
Parties:	ΠΕΙΡΑΙΩΣ ΧΡΗΜΑΤΟΔΟΤΙΚΕΣ ΜΙΣΘΩΣΕΙΣ ΜΟΝΟΠΡΟΣΩΠΗ ΑΝΩΝΥΜΗ ΕΤΑΙΡΕΙΑ (PEIRAIOS LEASING M.A.E)
National Case Number/Name:	34/2023
European Case Law Identifier:	n/a
Appeal:	Unknown
Original Language(s):	Greek
Original Source:	HDPA (in EL)
Initial Contributor:	Inder-kahlon

The Hellenic DPA imposed an administrative fine of €20,000 on a leasing company. They fined them €10,000 for violating Article 5(1)(c) GDPR, and an additional €10,000 for violating Article 15(1) GDPR.

English Summary

Facts

The company Piraeus Leasing (the controller) posted an advertisement for the sale of property owned by CBP Leasing. In that advertisement there was a photo of the data subject's car. The property was previously owned by the data subject's father before it was seized. The data subject claimed that the license plate of his car was visible in the photograph, which allowed his social circle to become aware of the loss of his family property.

The data subject submitted a request for erasure of the personal data concerning him and an objection to processing to the controller's data protection officer ('DPO'), asking for his license plate to be removed from the advertisement. The DPO responded, stating the car's registration number was not visible, but in order to avoid any concern the photograph was removed from their website but it will remain in the company's archives as proof of the fact that the registration number of the car is not visible.

Later an acquaintance of the data subject who was a potential buyer of the property, shared emails with him revealing that the controller had shared images of the property with them, including the photo used in the advertisement, which clearly contained the data subject's car and his license plate.

Following this, the data subject filed a complaint against against Piraeus Leasing and another similar complaint against CBP Leasing (which was renamed to PIRAEUS FINANCIAL LEASING SINGLE MEMBER S.A.). However, since both of these companies ceased to exist, the beneficiary by formation for both companies for any pending lawsuits became PEIRAIOS LEASING M.A.E. Therefore, the HDPA considered the controller to be PEIRAIOS LEASING M.A.E., and considered both complaints together as they were filed by the same data subject against what now was the same defendant company.

Holding

Then the Hellenic Data Protection Authority found that the data controller PEIRAIOS LEASING M.A.E. had processed the data subject's personal data in violation of the GDPR. As such, the DPA issued a fine of:

a) €10,000 for the breach of the data minimisation principle outlined in Article 5(1)(c) of the GDPR.

b) €10,000 for the violation of Articles 15(1) Right of access by the data subject.

Comment

The unauthorised disclosure of personal data, even as basic as a car license plate, can have profound consequences, causing embarrassment, and disrupting one's peace of mind. This incident underscore the importance of safeguarding individual's privacy and the potential far-reaching impact of seemingly innocuous information.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Summary
The Authority investigated a complaint by a natural person against a company related to the processing of a photo in which the license plate number of the complainant's car was visible and imposed a fine of €10,000 for a breach of Article 5 of the GDPR and a fine of €10,000 for a breach of Article 15 of the GDPR.