HDPA (Greece) - 36/2023

From GDPRhub
Revision as of 12:38, 9 January 2024 by Sh (talk | contribs)
HDPA - 36/2023
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(a) GDPR
Article 12(3) GDPR
Article 15(1) GDPR
Article 15(3) GDPR
Type: Complaint
Outcome: Upheld
Started: 17.05.2022
Decided: 23.11.2023
Published: 27.12.2023
Fine: 10000 EUR
Parties: Alpha Bank
National Case Number/Name: 36/2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: Inder-kahlon

The Hellenic DPA imposed an administrative fine of €10,000 on Bank for failing to comply with DSAR, violating GDPR Article 12(3) and Article 15. The delay following the Data Retention Period led to deletion of requested data, violating Article 5(1) GDPR.

English Summary

Facts

A company, which was client of the data controller (Alpha Bank A.E.), suffered from electronic fraud. The data subject serving as the legal representative of the victim company, exercised their right of access under Article 15 GDPR requesting access to log files in relation to the incident and video recording of the data subject's visit to the bank.

The bank failed to provide the requested copies of the data in a timely manner, and while the bank acknowledged the delay in their response to the data subject stating the request is being processed, the bank failed to provide the reasons for the delay. Additionally, the bank didn't notify the data subject about the extension to the one-month period set in Article 12(3) GDPR.

On 17 May 2022, the data subject lodged a complaint before The Hellenic Data Protection Authority (HDPA) against the data controller. Later, while the bank provided the log files, but failed to provide the video recordings, stating that video recordings were no longer available due to the expiration of the retention period of 45 Days.

Holding

The Hellenic Data Protection Authority (HDPA) found that the controller had violated the data subject's right of access under Article 15 (1) GDPR and Article 15(3) GDPR. Furthermore, HDPA found that the data controller failed to fulfil its obligations under Article 5(1) and 12(3) of the GDPR.

a) The HDPA found that the controller did not act in a timely manner and also did not provided a reason for the delay and did not informed the data subject of an extension to the response time limit, thus violating its obligation under Article 12(3) GDPR.

b) The HDPA determined that, despite receiving the Data Subject Access Request (DSAR) within the 45-day data retention period while the material was still available, the controller proceeded with the destruction of the video footage in accordance with its data retention policy without providing a copy of the requested video recording to the data subject. Consequently, the controller breached the provisions of Article 15(1) GDPR, and Article 15(3) GDPR.

c) The HDPA stated that upon receiving a request for access to personal data, the data controller is obligated to promptly undertake necessary measures to avert the risk of planned deletion of such data. The examined the legality of the bank's erasure of visual material and decided that the company violated the Article 5(1) by deleting the requested data unlawfully.

As a result, The Hellenic DPA have imposed an administrative fine of €10,000 on Alpha Bank (the data controller).

Comment

Share your comments here!

Further Resources

Important to Note: Directive 1/2011, Article 16, paragraph 2 of the Hellenic Data Protection Authority, which impose a 45-day limit on video surveillance, with the possibility of extension under conditional circumstances such as instances of fraud or transactional disputes.

Directive 1/2011: Article 16 par. 2:

Banks and financial institutions may retain the data for a period not exceeding forty-five (45) days. If during that period of time incidents of organised financial fraud or disputed financial transactions are recorded, the relevant parts of the video surveillance system data may be kept in a separate file with appropriate security measures.

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

The Authority examined a complaint against Alpha Bank A.E. for not satisfying the right of access of its customer, who exercised the right of access to the recorded material from the video surveillance system (CCTV) of the store. It emerged that the Bank failed to deal with the complainant's request in a timely manner, resulting in the material being scheduled to be deleted when the retention period expired. The Authority found a violation of Articles 12 para. 3 and 15 para. 1 and 3 GDPR from the non-fulfillment of the right of access and a violation of the principle of legality of processing (Article 5 para. 1 a) GDPR) from the deletion of the data without legal basis and a fine of €10,000 was imposed on the Bank.