HDPA (Greece) - 42/2021
| HDPA (Greece) - 42/2021 | |
|---|---|
 | |
| Authority: | HDPA (Greece) |
| Jurisdiction: | Greece |
| Relevant Law: | Article 5(1)(d) GDPR Article 5(1)(f) GDPR Article 32 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 21.04.2021 |
| Published: | 21.09.2021 |
| Fine: | None |
| Parties: | Party A (anonymized) Party B (anonymized) |
| National Case Number/Name: | 42/2021 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Greek Greek |
| Original Source: | HDPA (in EL) HDPA (in EL) |
| Initial Contributor: | Adrian |
The Greek DPA held that sending bulk email by including recipients' email addresses in the "To" field is not compliant with Article 32 of the GDPR, recommending instead the use of BCC.
English Summary
Facts
The data subject complained to the HDPA about having received a press release via email by a Member of the Hellenic Parliament (considered the data controller in the context of this decision), without the subject's consent. Furthermore, the data subject's email address was visible to other recipients (the "To" field was used instead of BCC).
Holding
The HDPA issued a warning towards the data controller, recommending the use of the BCC field in order for mass email communication to remain compliant with Article 32 of the GDPR. No other measures were deemed necessary, because of the data controller's stance that the inclusion of the subject's email was made by mistake (falsely believing that the data subject was a journalist, thus the data processing would be in accordance to Article 6(1)(f), and because the controller took corrective measures, by removing the subject's personal details from their systems.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Category
Decision
Date
21/09/2021
Transaction number
42
Thematic unit
09. Promotion of products and services
Applicable provisions
Article 5.1.d: Principle of accuracy
Article 5.1.f: Principle of integrity and confidentiality
Article 32: Processing security
Summary
The Authority reprimanded a controller who sent e-mails to a large number of recipients, placing the recipients' details in the "To" field. When an e-mail address is addressed to a large number of recipients who are natural persons, the controller must take appropriate measures to ensure that the recipients' addresses are not disclosed to a large number of persons. Therefore, in these cases it is better to use the "hidden notification" option or to send individual messages, when possible.
PDF Decision
42_2021anonym.pdf243.23 KB
Category
Decision
Date
21/09/2021
Transaction number
42
Thematic unit
09. Promotion of products and services
Applicable provisions
Article 5.1.d: Principle of accuracy
Article 5.1.f: Principle of integrity and confidentiality
Article 32: Processing security
Summary
The Authority reprimanded a controller who sent e-mails to a large number of recipients, placing the recipients' details in the "To" field. When an e-mail address is addressed to a large number of recipients who are natural persons, the controller must take appropriate measures to ensure that the recipients' addresses are not disclosed to a large number of persons. Therefore, in these cases it is better to use the "hidden notification" option or to send individual messages, when possible.
PDF Decision
42_2021anonym.pdf243.23 KB
