HDPA (Greece) - 35/2022

HDPA - 35/2022
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(a) GDPR; Article 12 GDPR; Article 14 GDPR; Article 15 GDPR; Article 27 GDPR
Type: Complaint
Outcome: Upheld
Started: 26.05.2021
Decided: 13.07.2022
Published: 15.07.2022
Fine: 20,000,000 EUR
Parties: Clearview AI Inc; Homo Digitalis
National Case Number/Name: 35/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: Jette

The Greek DPA fined Clearview AI €20,000,000 for unlawful processing of biometric data and ordered it to stop the collection of such data, as well as to delete all existing data.

English Summary


The controller (Clearview AI) sells personal identification services, including facial recognition software, to law enforcement agencies in the US. The data subjects are people in Greece.

The data subject submitted an access request to the controller. However, she was not satisfied with how the controller handled her request. Homo Digitalis, a non-profit dedicated to the protection of internet users in Greece, filed a complaint with the DPA on behalf of the data subject.


The DPA noted that GDPR is applicable, because Clearview AI uses its software to monitor the behavior of people in Greece, even though the company is based in the U.S. and does not offer its services in Greece or the EU. The DPA further found that the data processing had no legal basis and that there was a lack of transparency concerning the processing operations. Collecting images for a biometric search engine is illegal.

The DPA held that the controller violated the principles of lawfulness and transparency (Articles 5(1)(a), 6 and 9 GDPR) as well as its obligations under Articles 12, 14, 15 and 27 GDPR.

The DPA fined the controller €20,000,000 for these violations.

The DPA further ordered the controller (1) to satisfy the data subject's access request, (2) to stop the collection and processing of personal data of subjects located in Greek territory using the methods involved in the facial recognition service, and (3) to delete such existing data. Lastly, the DPA ordered the controller (4) to appoint a representative in the EU, so that EU citizens can exercise their rights more easily and regulators have a contact person in the EU.


An alliance of organizations, including noyb, Privacy International (PI), Hermes Center, and Homo Digitalis, filed a series of complaints against Clearview AI Inc. in May 2021. The company claims to have "the largest known database of more than 10 billion facial images" and is aiming to reach 100 billion within the next year to make almost every person worldwide identifiable. The images for this come from social media accounts and other online sources. Complaints have been filed with data protection authorities in France, Austria, Italy, Greece and the United Kingdom.[1]

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

1-3 Kifisias St., 11523 Athens, Tel: 210 6475600, Fax: 210 6475628, contact@dpa.gr / www.dpa.gr
Athens, 13-07-2022
Prot. No.: 1809
DECISION 35/2022
The Personal Data Protection Authority met via teleconference on 04-19-2022,
following the meeting of 03-29-2022, at the invitation of its President, in
order to consider the case referred to in the history of the present decision.
Present were the President of the Authority, Konstantinos Menoudakos, and the
regular members of the Authority, Grigorios Tsolias and Christos Kalloniatis as
rapporteurs, Spyridon Vlachopoulos, Konstantinos Lambrinoudakis, Charalambos
Anthopoulos and Ekaterini Iliadou. Present, without the right to vote, were
Fotini Karvela, Maria Alikakou, Anastasia Kaniklidou and Kyriaki Karakasi, legal
auditors - lawyers, as well as Georgios Rousopoulos and Pantelis Kammas, IT
auditors, as assistant rapporteurs, and Irini Papageorgopoulou, employee of the
administrative affairs department, as secretary.
The Authority took into account the following:
With complaint no. prot. C/EIS/3458/26-05-2021, which was submitted to the
Authority by the Urban Non-Profit Company under the name "Homo Digitalis" on
behalf of the complainant, A, a violation is complained of, in principle, of the
right of access exercised by the latter before the U.S.-established company
Clearview AI (214 W 29th St, 2nd Floor, New York City, NY, 10001). The said
complaint, which also requests the examination of the arrest records of each
company in terms of privacy, was filed at the same time as four other complaints
of similar content before the supervisory authorities of Austria, France, Italy
and the United Kingdom, with a view to pursuing a coordinated response by the
supervisory authorities to the practices of the above company.
In the context of the case under consideration, the complainant sent an
electronic message to the complained company on 03-24-2021, exercising her right
of access under article 15 of the General Data Protection Regulation (Regulation
(EU) 2016/679 - hereinafter, GDPR) to her personal data processed by the said
company, and on the same date she received confirmation of the successful
receipt of the aforementioned request from its recipient. Subsequently, on
26-04-2021, the complainant repeated the above request with a relevant reminder
message to the complained company. On 04-30-2021 the complainant was informed by
a representative of Clearview AI that the above request submitted by e-mail was
not detected, and she was asked to attach her photo in order for her request to
be forwarded as urgent, in case she had used an email address other than the one
through which she submitted the disputed request for the first time. On
05-05-2021, in response to the above, the complainant sent the 03-24-2021 email
confirmation of receipt of her request by the defendant, and on 26-05-2021 she
submitted the complaint under consideration before the Authority.
The Authority, in the context of examining the above complaint, addressed the
complained company with its document no. prot. C/EIS/4752/16-07-2021 and, after
recalling the provisions of articles 3 par. 2 and 27 of the GDPR regarding the
territorial scope of the GDPR and the representatives of controllers or
processors not established in the European Union (hereinafter: EU), requested
from the company in question information about the details of its representative
in the EU, if it is based in a country outside the EU. For the case where the
company has an establishment within the EU, a series of questions were put to it
about its identity as controller or processor for the processing in question,
the possible existence of more than one establishment of the controller or
processor on EU territory, and the indication of the main establishment where
several exist. In addition, and further to the above questions, clarification
was requested of the nature of the processing as cross-border, either in the
sense that it is carried out in the context of the activities of more than one
establishment of the complained company in more than one Member State, or in the
sense that it affects or can significantly affect