HDPA (Greece) - 42/2021: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Greece |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoGR.jpg |DPA_Abbrevation=HDPA (Greece) |DPA_With_Country=HDPA (Greece) |Case_Number...")
 
(Summary changes for newsletter.)
 
(3 intermediate revisions by 2 users not shown)
Line 21: Line 21:
|Type=Complaint
|Type=Complaint
|Outcome=Upheld
|Outcome=Upheld
|Date_Decided=21.04.2021
|Date_Decided=21.09.2021
|Date_Published=21.09.2021
|Date_Published=21.09.2021
|Year=2021
|Year=2021
Line 38: Line 38:
|Party_Name_1=Party A (anonymized)
|Party_Name_1=Party A (anonymized)
|Party_Link_1=
|Party_Link_1=
|Party_Name_2=Party B (anonymized)
|Party_Name_2=Party B, Member of the Hellenic Parliament (anonymized)
|Party_Link_2=
|Party_Link_2=
|Party_Name_3=
|Party_Name_3=
Line 56: Line 56:
}}
}}


The Greek DPA held that sending bulk email by including recipients' email addresses in the "To" field is not compliant with Article 32 of the GDPR, recommending instead the use of BCC.
The Greek DPA held that sending bulk emails with all recipients' email addresses entered in the "To" field is not compliant with Article 32 of the GDPR. It recommended the use of BCC as an alternative.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The data subject complained to the HDPA about having received a press release via email by a Member of the Hellenic Parliament (considered the data controller in the context of this decision), without the subject's consent. Furthermore, the data subject's email address was visible to other recipients (the "To" field was used instead of BCC).
The data subject complained to the Greek DPA (the HDPA) about having received a press release via email by a member of the Hellenic Parliament (the latter being considered the data controller in the context of this decision), without the data subject's consent. Furthermore, the data subject's email address was visible to other recipients (the "To" field was used instead of BCC).


=== Holding ===
=== Holding ===
The HDPA issued a warning towards the data controller, recommending the use of the BCC field in order for mass email communication to remain compliant with Article 32 of the GDPR. No other measures were deemed necessary, because of the data controller's stance that the inclusion of the subject's email was made by mistake (falsely believing that the data subject was a journalist, thus the data processing would be in accordance to Article 6(1)(f), and because the controller took corrective measures, by removing the subject's personal details from their systems.
The HDPA issued a warning towards the data controller, recommending the use of the BCC field in order for mass email communication to remain compliant with [[Article 32 GDPR]]. No other measures were deemed necessary, because of the data controller's stance that the inclusion of the subject's email was made by mistake (more particularly, the controller had wrongly thought the data subject was a journalist, and that the data processing would thus be in accordance to [[Article 6 GDPR|Article 6(1)(f) GDPR]]), and because the controller took corrective measures by removing the data subject's personal details from the mailing list.


== Comment ==
== Comment ==

Latest revision as of 08:42, 29 September 2021

HDPA (Greece) - 42/2021
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(d) GDPR
Article 5(1)(f) GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 21.09.2021
Published: 21.09.2021
Fine: None
Parties: Party A (anonymized)
Party B, Member of the Hellenic Parliament (anonymized)
National Case Number/Name: 42/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Greek
Original Source: HDPA (in EL)
HDPA (in EL)
Initial Contributor: Adrian

The Greek DPA held that sending bulk emails with all recipients' email addresses entered in the "To" field is not compliant with Article 32 of the GDPR. It recommended the use of BCC as an alternative.

English Summary

Facts

The data subject complained to the Greek DPA (the HDPA) about having received a press release via email by a member of the Hellenic Parliament (the latter being considered the data controller in the context of this decision), without the data subject's consent. Furthermore, the data subject's email address was visible to other recipients (the "To" field was used instead of BCC).

Holding

The HDPA issued a warning towards the data controller, recommending the use of the BCC field in order for mass email communication to remain compliant with Article 32 GDPR. No other measures were deemed necessary, because of the data controller's stance that the inclusion of the subject's email was made by mistake (more particularly, the controller had wrongly thought the data subject was a journalist, and that the data processing would thus be in accordance to Article 6(1)(f) GDPR), and because the controller took corrective measures by removing the data subject's personal details from the mailing list.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details. 



  
    

  
  
    
  
    Category
              Decision
          

  
    Date
              21/09/2021

          

  
    Transaction number
              42
          

  
    Thematic unit
          
              09. Promotion of products and services
              
      

  
    Applicable provisions
          
              Article 5.1.d: Principle of accuracy
          Article 5.1.f: Principle of integrity and confidentiality
          Article 32: Processing security
              
      

  
    Summary
              The Authority reprimanded a controller who sent e-mails to a large number of recipients, placing the recipients' details in the "To" field. When an e-mail address is addressed to a large number of recipients who are natural persons, the controller must take appropriate measures to ensure that the recipients' addresses are not disclosed to a large number of persons. Therefore, in these cases it is better to use the "hidden notification" option or to send individual messages, when possible.

          

  
    PDF Decision
              42_2021anonym.pdf243.23 KB
          

  


    
  
    Category
              Decision
          

  
    Date
              21/09/2021

          

  
    Transaction number
              42
          

  
    Thematic unit
          
              09. Promotion of products and services
              
      

  
    Applicable provisions
          
              Article 5.1.d: Principle of accuracy
          Article 5.1.f: Principle of integrity and confidentiality
          Article 32: Processing security
              
      

  
    Summary
              The Authority reprimanded a controller who sent e-mails to a large number of recipients, placing the recipients' details in the "To" field. When an e-mail address is addressed to a large number of recipients who are natural persons, the controller must take appropriate measures to ensure that the recipients' addresses are not disclosed to a large number of persons. Therefore, in these cases it is better to use the "hidden notification" option or to send individual messages, when possible.

          

  
    PDF Decision
              42_2021anonym.pdf243.23 KB
Retrieved from "https://gdprhub.eu/index.php?title=HDPA_(Greece)_-_42/2021&oldid=20191"
Creative Commons Attribution-NonCommercial-ShareAlike
Powered by MediaWiki