HDPA (Greece) - 38/2020

From GDPRhub
HDPA - 38/2020
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 4(7) GDPR
Article 11 L. 3471/2006
Type: Complaint
Outcome: Upheld
Published: 02.10.2020
Fine: 2000 EUR
Parties: Anonymous
National Case Number/Name: 38/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: Antigoni Logotheti

The Hellenic DPA (HDPA) fined a politician €2000 for unsolicited political communication (email) without consent or any other legal basis according to the national provisions on unsolicited communications.

English Summary


Individual submitted a complaint on unsolicited political communications (email) he received by politician. The politician collected the complainant's contact details through his professional occupation for different purposes.



The HDPA found that the politician acts as data controller for this communication and that he did not obtain the recipient's consent. Moreover, he initially collected the complainant's contact details for different purposes. However, the politician provided and satisfied the complainant's right to objection.

The HDPA upheld the complaint and imposed the proportionate fine of EUR 2000.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

The Personal Data Protection Authority met in a department composition at its headquarters on 19-02-2020 at the invitation of its President, in order to examine the case mentioned in the history of the present.Attended by Georgios Batzalekis, Deputy President, prevented by the President of the Authority Konstantinos Menoudakos, the regular member of the Authority Charalambos Anthopoulos and the alternate members Evangelos Papakonstantinou and Emmanuel Dimogenontakis, as rapporteur, replacing the regular members Konstantinos Lambrinoudaki and Elenis Martsoukou respectively, who, although they were not elected due to the law in writing, were present.The meeting was attended by Georgios Roussopoulos, special scientist – auditor as assistant rapporteur and Irene Papageorgopoulou, employee of the administrative affairs department of the Authority, as secretary.
The Authority took into account the following:
The Authoritywas submitted to the Authority first.C/ES/3409/13-05-2019 complaint by A concerning receipt of an unclaimed communication policy (e-mail message) to promote the candidacy of B as...F.
In particular, according to the complaint, the complainant received an e-mail to his e-mail address from 
the complainant, which was political in order to promote his candidacy for the forthcoming self-administration elections of 26 May 2019, without – as the complainant claims – having any previous relationship with him.
In the context of the examination of this complaint, the Authority sent the complainant the number one.C/EX/3409-1/07-06-2019 document requesting his views on the complainants, taking into account the Authority’s political communication guidelines.
The complainant replied to the Authority late with number one.C/ES/5940/02-09-2019, in which it summarises:
1)	The complainant’s contact details were legally obtained in the context of a previous professional relationship.
2)	The e-mail message was sent by mistake.
3)	In any case where a recipient did not wish to receive updates about his candidacy, it was possible to request the deletion of his e-mail address from my list of recipients, in accordance with the provisions of Article 18 GDPR.
4)	He proceeded to remove the recipient’s e-mail address from the list of recipients promoting his candidacy.
5)	It was an isolated incident.
Then the Authority, by no.C/EX/7597/05-11-2019, the complainant was invited to a hearing at the meeting of the Authority’s Section on 04-12-2019.After number one.C/ES/8386/03-12-2019 of the complainant, the Authority with the no.C/EX/8466/04-12-2019, the complainant again called for a hearing at the meeting of its Chamber on 11-12-2019, during which the above-mentioned complaint was discussed and the general practice followed for communication of a political character by electronic means.The complainant did not attend the meeting but gave his views in writing under number one.C/ES/8667/11-12-2019 memorandum.In addition to the original document, this memorandum states:
1)	He has created a personal list of recipients, which is largely identified with the professional list of recipients, at the risk of a “human” error, which is in no way advisable.
2)	The complainant actually received a message, raised an objection, which was satisfied, by removing his e-mail address from the list of recipients.
3)	The company of the complainant (under the name “B AND CIA” and D.t. “...”) issues and manages the communal properties of the apartment building in which the complainant resides as tenant.The person complained of knows personally the manager of the building.The complainant gave his e-mail to the communiqué company in order to receive notices of the shared debts of that department as well as proof of payment.His e-mail was noted in the details of the apartment along with the owner’s e-mail.Since the two e-mails do not indicate their owner/holder, the complainant added it to his list, thinking he was addressing another person.He has therefore acted in the belief that it is addressed to another recipient who has the approval and knows him personally.
The Authority, after examination of the evidence in the file, the hearing after hearing the rapporteur and the Assistant rapporteur, who left after the case and before the conference and the decision, and after an in-depth discussion
1.	According to the article.That’s 4 bets.7 of General Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as Regulation), which is applicable from 25 May 2018, is defined as 'the natural or legal person, public authority,serviceor other body which, alone or jointly with others, determines the purposes and manner of processing personal data’.
2.	The issue of making unsolicited communications by any means of electronic communication, without human intervention, for direct marketing purposes of products or services and for all types of advertising purposes, is regulated in article 11 of Law 3471/2006 for the protection of personal data in the field of electronic communications.According to this article, such communication is permitted only if the subscriber expressly consents in advance.Exceptionally, according to Art.11 par.3 of Law 3471/2006, the e-mail contact details obtained legally, in the context of the sale of products or services or other transaction, may be used to directly promote similar products or services of the supplier or to serve similar purposes, even when the recipient of the message has not given his prior consent, provided that he is given in a clear and distinct manner the possibility of objecting, in an easy and free manner, to the collection and use of the data, as well as to the collection and use of the data, as well as to the use of the information.
the use ofit.
3.	Specifically for political communication through electronic means without human intervention and in accordance with the Authority’s guidelines on the processing of personal data for the purpose of political communication, taking into account both article 11 of Law 3471/2006, and the Authority’s Directive 1/2010 on political communication and the General Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data, which is implemented from 25 May 2018, the following shall apply:
Political communication is of  interest from the point of view of the protection of personal data, at any time, whether pre-electional or otherwise, by political parties, MPs, MEPs, factions and holders of elected positions in local government or candidates in parliamentary elections, elections to the European Parliament and local elections.Such persons shall become controllers in accordance with Regulation (EU) 2016/679, Article 4, point.7) where they define the purpose and method of processing.For example, when Members of Parliament or candidates receive data from political parties and process them for their personal political communication, they also become controllers.In this capacity and on the basis of the principle of accountability, they must be able to demonstrate compliance with their obligations and processing rules.
4.	When political communication is made using electronic means of communication, without human intervention, through public communication networks, such as the case of emails, the communication presupposes,¬in accordance with article 11 par.1 Law 3471/2006, as applicable, the prior consent of the data subject, without prejudice to paragraph 3 of the same article, as applicable.
5.	Political communication by electronic means without human intervention and without the consent of the data subject shall be permitted only if the following conditions are cumulatively met:
(a)The contact details have been lawfully obtained in the context of previous, similar contact with data subjects, and the subject during the collection of the data was informed of their use for the purpose of political communication, was given the opportunity to object to this use but did not express it.Prior contact need not be purely political, e.g. it is legitimate to send messages when the e-mail data were collected in the context of a previous invitation to participate in an event or action, regardless of its political nature.On the contrary, it is not considered to constitute such contact and it is not lawful to use electronic contact information for the purpose of the communication policy when these data were obtained in the context of a professional relationship, such as the use of the client file by a candidate.The controller shall provide the data subject with the opportunity to exercise the right of objection in an easy and clear manner, including in any political communication message.Each communication requires a clear and clear indication of the identity of the sender or person for whose benefit the message is sent, as well as a valid address to which the recipient of the message may request the termination of the communication.
6.	In this particular case, the complainant, on the basis of the above, has, as a controller, made a political communication by sending an e-mail.Therefore, the legality of the mission is ensured only if the provisions referred to in paragraph 4 above have been complied with.The responses of the controller shall indicate the
As follows:
7.	The controller had not received prior consent from the person to whom he sent a political communication message.Also, the contact details of the recipient of the message had not come into his possession as part of a previous similar contact with him.On the contrary, his personal information was acquired in the context of the professional activity of the controller through the company he maintains.The data were obtained for another purpose, namely the issue of joint ventures.The argument of the controller that the complainant’s e-mail was recorded in the details of the apartment together with the owner’s e-mail is not accepted in principle as no evidence is provided for its documentation other than the pleading.Furthermore, even if accepted, the controller is not entitled to use the data held in his company’s filing systems for his/her own purposes as a candidate for municipal council.
8.	The controller did not specify to the Authority the exact number of messages sent.
9.	The controller provided the data subject with the opportunity to exercise the right of opposition in an easy and clear manner.In fact, the complainant exercised a right of opposition and the controller responded.
10.	The controller cooperated with the Authority by replying to the documents for clarification, albeit with an initial delay.It did, however, provide information in its pleadings in particular with regard to this complaint.
11.	No administrative penalty has been imposed on the controller by the Authority in the past.
On the basis of the foregoing, the Authority unanimously considers that, according to article 11 of Law 3471/2006, the conditions of enforcement against the controller, based on article 13 of Law 3471/2006 in conjunction with article 21 par. 1 verse b of Law 2472/1997 and the article of 84 Law 4624/2019, the administrative penalty mentioned in the operative part of the present, which is judged proportionate to the gravity of the infringement.
The Personal Data Protection Authority:
It imposes on B the effective, proportionate and dissuasive administrative fine appropriate in this particular case according to its specific circumstances, 
amounting to EUR two thousand (EUR 2,000,00) for the aforementioned infringement of article 11 of Law 3471/2006.
The Deputy	PresidentThe Secretary
Irene Papageorgopoulou