HDPA (Greece) - 4/2023

From GDPRhub
Revision as of 10:11, 4 April 2023

HDPA - 4/2023
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(f) GDPR
Article 33 GDPR
Article 34 GDPR
Type: Complaint
Outcome: Upheld
Started: 18.01.2023
Decided: 02.02.2023
Published: 30.03.2023
Fine: 30.000 EUR
Parties: n/a
National Case Number/Name: 4/2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: ANASTASIA TSERMENIDOU

The HDPA imposed a fine of 30.000 EUR on Piraeus Bank, which disclosed financial data of the data subject to an unauthorized third party and failed to notify the resulting breach, in violation of Articles 5(1)(a) and (f), 33 and 34 GDPR.

English Summary

Facts

The data controller, Piraeus Bank S.A., disclosed the transaction and balance records of two bank accounts to an unauthorized third party, who subsequently used them in a lawsuit against the data subject. The data subject filed a complaint with the HDPA, claiming that the processing of their personal data was unlawful because it had been carried out without their prior consent. In response, the controller explained that the data subject held the two accounts jointly with a relative who had since passed away, and that the deceased's legal heir had requested the information. After investigating the matter, the controller acknowledged that its employee had made a mistake: contrary to the instructions given to him, he failed to notice that the accounts were joint accounts and provided the requested information without first seeking the opinion of the bank's Legal Department. The controller also maintained that it had taken all necessary technical and organizational measures to ensure the security of processing, which, however, cannot prevent individual human errors. Finally, the controller took the view that it was not obliged to notify the DPA or the data subject of the data breach.

Holding

The HDPA first recalled that the GDPR establishes principles for the lawful, fair and transparent processing of personal data. It stressed the controller's responsibility to adopt appropriate technical and organizational security measures and highlighted that data breaches can have serious negative consequences for data subjects, including physical, material or non-material damage. For this reason, a personal data breach must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours after the controller becomes aware of it, in accordance with Article 33 GDPR. Likewise, where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the data subject must be informed under Article 34 GDPR. In the case at hand, although the controller had initiated an internal investigation that confirmed the employee's error, it did not comply with either notification duty. The HDPA accordingly found a breach of the principles of lawfulness and of integrity and confidentiality (Article 5(1)(a) and (f) GDPR), since the disclosure to the heir had no legal basis and the bank failed to keep the data confidential, as well as a breach of the bank's notification obligations under Articles 33 and 34 GDPR.

The HDPA therefore found a violation of Articles 5(1)(a) and (f), 33 and 34 GDPR and imposed a fine of 30.000 EUR.


English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
