HDPA (Greece) - 47/2023
From GDPRhub
| HDPA - 47/2023 | |
|---|---|
 | |
| Authority: | HDPA (Greece) |
| Jurisdiction: | Greece |
| Relevant Law: | Article 12(1) GDPR Article 12(2) GDPR Article 15(1) GDPR Article 15(3) GDPR |
| Type: | Complaint |
| Outcome: | Partly Upheld |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 47/2023 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Greek |
| Original Source: | HDPA (in EL) |
| Initial Contributor: | Iliana Papantoni |
The DPA reprimanded a controller for failing to give a reasoned explanation for refusing to grant a copy of the data subject's personal data.
English Summary
Facts
The data subject filed multiple access requests with a Cultural Association ("controller") she was a part of: she submitted a first request in September 2017 requesting copies of the meetings of the board of directors regarding the termination of the cooperation with her, since they concerned her personally. In October 2017, the cooperation with the data subject was renewed, therefore, the controller felt that the justification for the request evolved and therefore they did not respond to the request.
In November 2019, the data subject repeated her request, seeking a response to her previous demand. The controller replied to this request indicating that according to the Association's statutes she could not receive copies of the minutes of the meetings, but could however read the minutes. They therefore invited the data subject in their offices to read the minutes of the meetings concerning her personally, which she did.
In May 2021, the data subject requested copies of the general meetings of the association, as well as minutes of the meetings that the association had held during the last 7 years. The controller refused this request and gave an oral explanation to this refusal.
In October 2021, the data subject requested "copies of the notes from the minutes of the board meetings concerning her person". This was also rejected by the controller stating that the request had already been answered previously.
The data subject therefore lodged a complaint with the Hellenic DPA ("HDPA").
Holding
The HDPA ruled on each one of these requests. Firstly, regarding the request from May 2021, the DPA held that the request did not contain a reference to the data subject's personal data and that therefore, it was not a request for a copy of personal data under Article 15(3) GDPR.
Secondly, regarding the request from September 2017, the HDPA noted that it was submitted before the entry into force of the GDPR. Therefore, the DPA examined the request in light of the previous regime of Directive 95/46/EU. The DPA found that taking into account the interpretation of Article 12 Directive 95/46/EU by the CJEU, a on-the-spot examination of the minutes of the Association would be considered a satisfactory way of responding to the data subject's access request.
Finally, regarding the request from October 2021, the HDPA pointed out that the lack of provision in the statutes of the Association concerning the possibility for members to receive copies of the minutes does not prevent the right of access from being satisfied by providing a copy of the data held in those records. It added that the absence of such a provision cannot be regarded as a waiver by members of their right under Article 15(3) GDPR to receive copies of their processed data either. The HDPA considered that an on-the-spot examination examination of the minutes of the Association was considered to be sufficient to comply with Article 15(3) GDPR.
However, the HDPA noted that the controller has an obligation to give a reasoned reply to an access request. In the event that it is a refusal to comply with the request, a detailed statement and adequate documentation of the relevant reasons of the refusal should be made, under Article 12(3) GDPR. The DPA considered that in the present case, regarding the request made in May 2021, the controller gave oral information to the data subject regarding the reasons for the rejection of her request but this could not be considered as sufficiently reasoned. Regarding the request made in October 2021, the controller simply rejected the request without giving any reasons.
The HDPA therefore addressed a reprimand to the controller for infringing Article 12(3) GDPR in conjunction with the provisions of Article 15(3) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Athens, 29-01-2024 Prot. No. 424 A P O F A S H 47 /2023 (Department) The Personal Data Protection Authority met as a Department following the invitation of its President via teleconference on Wednesday, October 4, 2023 in order to examine the case referred to in the present history. The Deputy President of the Authority, Georgios Batzalexis, who was in the way of the President of the Authority, Constantinos Menoudakos, and the alternate members of the Authority, Demosthenes Vougioukas and Maria Psalla, were present, replacing the regular Members Constantinos Lambrinoudakis and Grigorio Tsolias, who, although legally summoned, did not attend. due to disability, as well as George Kontis, as a substitute Member as rapporteur. Present without the right to vote were Anastasia Tritaki, legal scientist, as assistant rapporteur and Irini Papageorgopoulou, employee of the administrative affairs department, as secretary. The Authority took into account the following: With the no. Authority prot. C/EIS/3569/08-03-2022 complaint to the Authority A complained before the Authority that despite the multiple requests she submitted to Cultural Association X to receive copies of minutes 1-3 Kifisias Ave., 11523 Athens T: 210 6475 600 E: contact@dpa.gr www.dpa.gr 1 meetings of the board of directors and the general assembly concerning it, the complained association did not satisfy its request. In particular, the complainant states that on 22/9/2017 she submitted the first request to the board of directors of the association to obtain copies of minutes, which according to her claims was not answered. With her request on 28/11/2019, the complainant repeated her request, requesting a response to the previous request from 22/9/2017, and received a negative response from the board of directors on 29/12/2019. The complainant claims that she then submitted a new request for copies on 9/5/2021, which was also rejected by a letter from the association dated 7/6/2021. Following this, he submitted a new application on 3/10/2021, which was rejected with a letter from the association dated 2/11/2021, where it is stated that the request had already been answered with the 7/6/2021 response of the board of directors. The Authority, in the context of examining the above complaint, with the no. prot. C/EXE/1107/11-05-2022 her document, invited the defendant Cultural Association X to present their views on it. With the no. (No. Authority's request C/EIS/7437/26-05-2022) in its response, the defendant Cultural Association X argued before the Authority, among other things, the following: a) that from 22/ 9/2017 the complainant's request was not satisfied, as it concerned the granting of copies regarding the decision of the Board of Directors to terminate the cooperation with her as ..., however, one month later, in October 2017, the cooperation with her was renewed, therefore in accordance with the in the above response, the justifying basis of the request disappeared, b) that the complainant's request from 28/11/2019 was a resubmission of her request from 22/9/2017, upon which the Board of the Association called, with the from 29/12/2019 his response, the complainant to his offices, in order to read the minutes of the meetings that concerned her, in accordance with article 6 of the association's statutes, based on which it is provided that members can read the minutes (and not to receive copies); according to the claims of the 2nd defendant, the complainant came to the association's offices, read the minutes of the meetings that concerned her personally and left, d) that this also took place on 9/7/ 2021, following a new request from the complainant, e) that the complainant's other requests have been answered and brought to the attention of the Authority by the complainant. The defendant pointed out that in his opinion, the complainant's right of access to the records concerning her was fully satisfied twice, while the continued submission of requests "is checked as abusive". After examining the details of the file, the Authority sent letter no. Prot. Authority C/EXE/2801/07-11-2022 summons for hearing to the accused and the no. Authority letter C/EXE/2802/07-11-2022 to the complainant, in order to attend, via teleconference, a hearing before the Department of the Authority on Wednesday, November 16, 2022 at 12:00 p.m. regarding the discussion of the aforementioned complaint. During the above meeting, the complainant did not attend, either in person or through a lawyer's proxy, nor did she submit a memorandum until the beginning of the meeting, declaring her appearance before the Authority without being present at the meeting, in accordance with article 9 par. 1 of Regulation of Operation of the Authority. On behalf of the defendant Cultural Association X, the attorney of Hadzipemos Christos appeared. The Authority, after examining and determining that the complainant was summoned legally and in a timely manner, in accordance with article 9 par. 5 of the Regulation of Operation of the Authority, proceeded to the discussion of the case. During the above meeting, the defendant, through his attorney-at-law, orally developed his views on the complaint under consideration and answered the questions raised by the President and the Members of the Authority. The defendant was given a deadline to submit a memorandum to further support their claims until November 30, 2022, but no relevant memorandum was submitted by the defendant association. During the above meeting, the defendant Association argued, among other things, that it cannot provide copies of the minutes of the Board of Directors to the 3rd complainant, as this is not provided for by the Association's statutes, while these minutes contain a lot of personal data of third parties, while he pointed out that on multiple occasions, the complainant was notified through the Board of Directors that she can learn about the Association's practices that concern her by on-site study at the Association's offices. Furthermore, the defendant was asked to provide explanations regarding the fact that with her last request of 3/10/2021, the complainant requested the provision of copies of the points of the Board of Directors minutes that concerned her and were "necessary for the exercise of her legal rights" and in this regard the defendant claimed that the complainant did not specify the intended way of exercising her rights, so that the defendant would be able to respond more specifically to the said request. The Authority, after examining the elements of the file and what emerged from the hearing before it, after hearing the rapporteur and the clarifications from the assistant rapporteur, who was present without the right to vote, after a thorough discussion, DECIDED IN ACCORDANCE WITH THE LAW 1) Since the provisions of Articles 51 and 55 of the General Data Protection Regulation 2016/679 (GDPR) and Article 9 of Law 4624/2019 (Government Gazette A΄ 137) show that the Authority has the authority to supervise the implementation of the provisions of the GDPR, of Law 4624/2019 and other regulations concerning the protection of the individual from the processing of personal data. In particular, from the provisions of articles 57 par.1 item. f of the GDPR and 13 par. 1 item g΄ of Law 4624/2019 it follows that the Authority has the authority to deal with A's complaint against Cultural Association X, since the complaint under consideration concerns a request for access to personal data kept in the association's books, therefore included in an archiving system against the meaning of article 4 par. 2) and 6) GDPR, under processing under the regulatory scope of articles 2 par. 1 of the GDPR and 2 of Law 4624/2019. 4 2) Since, in relation to the complainant's submitted requests to the defendant association, the following should be noted first: a) With her request of 22/9/2017, the complainant requested copies of the decisions of the board of directors of on behalf of the association, regarding the termination of the cooperation with her as ..., since they concern her "personally", b) with her request of 28/11/2019, the complainant requested a response to the request of 22/9/2017, c) with her request of 9/5/2021, the complainant requested, among other things, copies of the general meetings of the association and copies of the minutes kept from the meetings of the board of directors of the association during the last 7 calendar years, without connection to the above of her request with her person, d) with her request from 3/10/2021, the complainant requested "copies of the notes from the minutes of the meetings of the board of directors concerning her person". From the above it is concluded that the complainant submitted on 22/9/2017 and 3/10/2021 to the Board of Cultural Association X requests to receive copies of the minutes of the Board, which contain data concerning her, while from 28/11 /2019 request, is not a new request, but a reminder of the 22/9/2017 request and the 9/5/2021 request does not contain a request to receive copies with reference to the complainant's data, therefore it is not a request to receive a copy in the sense of article 15 par. 3 GDPR and its examination is beyond the competence of the Authority. Therefore, the examination of the present complaint concerns the requests of the complainant to the defendant from 22/9/2017 and 3/10/2021. 3) Because, according to the provisions of article 4 par. 7 GDPR, as data controller means "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and manner of processing personal data; when the purposes and manner of such processing are determined by Union law or the law of a Member State, the controller or the specific criteria for his appointment may be provided for by Union law or the law of a Member State". According to the Guidelines 07/2020 of the EDPS regarding the concepts 5 of the controller and the processor1, in cases where the law establishes an obligation or imposes on an entity the duty to collect and process specific data, the purpose of processing is often determined by law and the controller is usually appointed by law to achieve this purpose. Legislation may also impose an obligation on public or private entities to retain or provide certain data. The entities in question are generally considered responsible for processing in relation to the processing deemed necessary for the fulfillment of the specific obligation2. In this case, access to personal data is requested from the complainant, which are included in books that the club is required to keep under the relevant legislation , therefore in this case the legal entity Cultural Association X is the data controller. 4) Because, according to the provisions of article 5 paragraph 2 of the GDPR, the data controller bears the responsibility and must be able to prove his compliance with the processing principles established in paragraph 1 of article 5. As the Authority3 has judged, with the GDPR a new model of compliance was adopted, the central dimension of which is the principle of accountability in the context of which the data controller is obliged to plan, implement and generally take the necessary measures and policies, in order for the processing of data to be in accordance with the relevant legislative provisions. In addition, the controller is burdened with the further duty to prove himself and at all times his compliance with the principles of article 5 par. 1 GDPR. 5) Because with regard to the complainant's request of 22/9/2017, it should first of all be noted that it was submitted before the start of application of the General Data Protection Regulation 2016/679/EU, therefore the request in question will 1 EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 2.0, Adopted on 07 July 2021, https://edpb.europa.eu/system/files/2021-07/eppb_guidelines_202007_controllerprocessor_final_en.pdf 2 As above, par. 24. 3 Indicative Decision 26/2019 APDPH, available on its website. 6 must be examined in the light of the previous regime of Directive 95/46/EU, as incorporated into the Greek legal order with the previous Law 2472/1997 (Government Gazette A' 50). From the overview of the provisions on the subject's right of access to data concerning him, as guaranteed by article 12 of Law 2472/1997 (Government Gazette A' 50) and the corresponding provision of article 12 of Directive 95/46/EU, it follows that the right to obtain a copy of the data, as a way of satisfying the right of access, was not expressly provided for under the previous data protection legal framework. Interpreting the right of access under Directive 95/46/EU, the CJEU pointed out that "Directive 95/46 obliges the Member States to ensure to the interested parties the possibility to receive from the person responsible for the processing of personal data notification of all of the processed data concerning them, but leaves the Member States free to determine the specific material form of this notification, provided that it is carried out in an "intelligible way", i.e. in a way that allows the interested party to ascertain the accuracy of these data and for their processing in accordance with the directive, so that it can possibly exercise the rights granted to it by articles 12, items b΄ and c΄, 14, 22 and 23 of this directive (…) Therefore, as long as the purpose pursued by the right of access is fully served by another form of disclosure, the person to whom the data relate cannot project, neither on the basis of Article 12, point a', of Directive 95/46 nor on the basis of Article 8, paragraph 2, of the Charter, right to obtain a copy of the document or the original file in which this data is included. In order for the interested party not to have access to other information, apart from the personal data concerning him, he can be granted a copy of the original document or file with the said other information hidden. (..). In order to exercise this right, it is sufficient to provide the applicant with a complete picture of these data in an understandable manner, i.e. in a way that allows the interested party to ascertain the accuracy of these data and their processing in accordance with the 7 directive, so that to possibly be able to exercise the rights deriving from that directive.' 4 6) Because in the present case, based on what emerged from the examination of the elements of the file and the hearing procedure, the defendant Association did not respond to the complainant's request of 22/9/2017, before her relevant reminder, which took place on 28/11/2019, at which time the Board of Directors of the Association invited, with its reply from 29/12/2019, the complainant to take cognizance of the practices of the association by studying them on the spot. Taking into account the interpretation of Article 12 of Directive 95/46/EU by the CJEU, the satisfaction of the complainant's request with an on-site study of the records is considered a satisfactory way of responding to the complainant's access request. However, with regard to the deadline for satisfying the request from 22/9/2017, it is pointed out that in accordance with article 12 par. 4 of Law 2472/1997 (Government Gazette A' 50), as it was in force at the time the request was submitted: ". If the data controller does not respond within fifteen (15) days or if his response is unsatisfactory, the data subject has the right to appeal to the Authority (...)." In the present case, the defendant did not respond in any way to the complainant's request of 22/9/2017, before her relevant reminder, which took place on 28/11/2019, when the Board of the Association called, with his reply of 29/12/2019, the complainant to take cognizance of the club's practices by studying them on the spot, therefore the defendant did not comply with the requirement of article 12 par. 4 of Law 2472/1997 ( Official Gazette A' 50), deadline for reply. However, the aforementioned law has already been repealed and therefore any violation of the aforementioned provision on the part of the defendant as data controller no longer entails any sanction. 7) Because with regard to the complainant's request from 3/10/2021, the following must be taken into account: article 15 GDPR states that: "1. The data subject has the right to receive from the controller confirmation as to whether or not 4 CJEU, Joined Cases C-141/12 and 372/12, YS and Others, paras. of a nature concerning him are being processed and, if this is the case, the right to access the personal data and the following information: (…) . 2. (…) 3. The data controller provides a copy of the personal data being processed. For additional copies that may be requested by the data subject, the controller may charge a reasonable fee for administrative costs. If the data subject submits the request by electronic means, and unless the data subject requests otherwise, the information shall be provided in a commonly used electronic format. 4. The right to receive a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others." . Furthermore, in accordance with recital 63 of the GDPR "A data subject should have the right to access personal data collected and concerning him and be able to exercise this right easily and at reasonably regular intervals, in order to is aware of and to verify the legality of the processing. (…)" 8) Because further, according to Article 12 para. 1 GDPR "The data controller shall take the appropriate measures to provide the data subject with any information referred to in Articles 13 and 14 and any communication in the context of Articles 15 to 22 and of article 34 regarding the processing in a concise, transparent, comprehensible and easily accessible form, using clear and simple wording, especially when it comes to information addressed specifically to children. The information is provided in writing or by other means, including, if appropriate, electronically. When requested by the data subject, the information may be given verbally, provided that the identity of the data subject is proven by other means.", while according to paragraph 2 of the same article above: "The data controller facilitates the exercise of the rights of the data subjects provided for in articles 15 to 22.(...)" 9 9) Because, in the present case, from the examination of the elements of the file and the hearing procedure, it appears that from 3/10/ 2021, the complainant's request, in which she requested copies of "the notes from the minutes of the Board of Directors' meetings concerning her", in order, as she states, to exercise her rights, was rejected by the defendant's letter dated 2/11/ 2021. With the said letter, the defendant informed the complainant that the Board of Directors of the Association unanimously decided that her request had already been answered with its response letter of 7/6/2021 and with which the previous one of 9/5/2021 had been rejected 2021 request of the complainant to receive copies of the minutes of the Board of Directors and the General Meeting for the last 7 calendar years. Furthermore, during the above hearing, the defendant asserted that on multiple occasions, the board of the defendant association informed the complainant, through oral information, that she could obtain knowledge of the Association's practices concerning her through an on-site study at the Association's offices, refusing to satisfy her request to obtain copies of the minutes of the Board of Directors, due to a non-relevant provision in the association's statutes, as well as due to the reference to them of a large number of personal data of third parties, while regarding the "exercise of her rights" , the defendant association still argued during the hearing before the Authority, that the complainant should sufficiently specify the manner of the intended exercise of her rights, in order to be able to satisfy her request by providing a copy of her data. 10) Since, with regard to the reasons for the refusal of the controller from 3/10/2021 to comply with the complainant's request to obtain copies of the minutes of the Board of Directors concerning her, the following should be noted: denounced provision of the association's statutes (article 6 letter e of the Statutes) for the possibility of its members to read the minutes and the lack of a relevant provision for receiving copies of the minutes from the members, it is pointed out that the lack of a provision of the statutes for the possibility of the members to receive copies of the minutes, 10 in no way prevents the satisfaction of the right of access by providing a copy of the data kept in the books in question, according to the above analysis contained in the Guidelines of the ESPD. Nor can the absence of a provision in the articles of association for the possibility of members to receive copies of the minutes be considered as a waiver by the members of their right, guaranteed by Article 15 para. 3 GDPR, to receive copies of their data that is being processed. It should be noted that based on the hierarchy of the rules of law, legal acts - and therefore the statutory acts of the associations5 - constitute, according to the teaching that accepts the character of the latter as sources of Law, the lowest basis of the rules of law6. 11) Because, according to the Guidelines 1/2022 of the EDPS regarding the right of access7, the main way of providing access to the data to the subject is to provide a copy of the data8, but the obligation to provide a copy of the data should not be considered as an additional right of the subject, but as a way of providing access to his data. At the same time, the obligation to provide a copy of the data does not extend the purpose of the right of access, as it only concerns the copying of the data being processed and not necessarily the reproduction of original documents. The obligation to provide a copy serves the purpose of the right of access to enable the data subject to obtain knowledge and verify the legality of the processing (See also Recital 63 of the GDPR). In some circumstances, there may be other appropriate ways to satisfy the right of access9, and the controller may ensure the subject's right of access, through other 5 A.S. Georgiadis, General Principles of Civil Law, Publications Ant. N. Sakkoula, 3rd ed. 2002, p. 170. 6 K. Tsatsos, The problem of the sources of law, Ed. Ant. N. Sakkoula, rev. 1993, pp. 220-221. 7 European Data Protection Board, Guidelines 01/2022 on data subject rights - Right of access version.2.0, available at: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022 - data-subject-rights-right-access_en 8 As above, p. 4 9 As above, par. 26, p. 14. 11 alternatives, for example through oral information, through study of files, through on-site or remote access, no downloadable10. The right to receive a copy of the data is not always understood as the right of the subject to receive a copy of the documents containing his data, but as the right to receive an exact copy of his data processed in these documents. Such a copy can be created by collecting in it all the data concerning the right of access, provided that the collection makes it possible to know and verify the legality of the processing for the data subject. 11. 12) Because with Decision C-487/2112, the Court of Justice of the EU also ruled that in the event of a conflict between, on the one hand, the exercise of the right of full access to personal data and, on the other hand, the rights or freedoms of third parties, the rights at issue must be weighed and "Whenever possible, methods of sharing personal data should be chosen that do not infringe the rights or freedoms of third parties, taking into account, however, that, as follows from Recital 63 GDPR, such factors must not "result in the denial of any information to the data subject"13. Further, as the Court held, “With regard to the purposes pursued by Article 15 of the GDPR, it is noted that, as specified in Recital 11, the purpose of the GDPR is to strengthen and specify in detail the rights of data subjects. Article 15 of this regulation provides, in this regard, the right to receive a copy, (...). Recital 63 of the GDPR clarifies that “[t]he data subject should have the right to access personal data collected and concerning him and to be able to exercise this right freely and at reasonably regular intervals, in order to is aware and 10 Ibid., para. 131, p. 41. 11 Ibid., para. 150, p. 46. 12 CJEU, C-487/21, F.F. v. Österreichische Datenschutzbehörde, 4 May 2023. 13 Ibid. sc. 44. 12 to verify the legality of the processing". (…) Therefore, the right of access provided for in Article 15 of the GDPR must provide the data subject with the possibility to ensure that the personal data concerning him is accurate and that it is processed in a legal manner (…)14" , while finally, the Court concludes "The right of the data subject to obtain from the data controller a copy of the personal data being processed presupposes the right to obtain copies of excerpts of documents or even entire documents or excerpts from databases containing, among others, the data in question, if the provision of such a copy is necessary for the interested party to effectively exercise the rights granted by the regulation, noting that the rights and freedoms of third parties must be taken into account in this regard"15. 13) Because based on the aforementioned in paragraphs 11 and 12, the purpose served by the provision of article 15 par. 3 GDPR, consists in providing transparency to the data subject, in order to enable the awareness and verification of the legality of the processing. From this, it follows that the right to receive a copy of article 15 par. 3 GDPR is not granted, in principle, for the purpose of protecting other rights or legal interests, such as for example the exercise of the right to judicial protection, which can however be achieved by other means (see AK 902 and KPolD 450-451 for the presentation of documents, KPolD 683- 703 for the special procedure of interim measures). Accordingly, the alternative proposal of the controller for an on-site study of the Association's records, as presented and documented before the Authority, is judged in this case to be sufficient and not contrary to the purpose of the provisions serving articles 15 par. 1 and 3 GDPR. 14 Ibid., sk. 33-34 and CJEU C-154/21 RW v. Österreichische Post AG, 12 January 2023, sc. 37. 15 CJEU, C-487/21, F.F. v. Österreichische Datenschutzbehörde, 4 May 2023, para. 45. 13 14) Because however, as the Authority has repeatedly judged, for the correct and complete observance of the provisions of Article 12 GDPR regarding the right of access of Article 15 GDPR, the data controller has the obligation to give a reasoned response to the complainant's access request, even in the negative16, while the refusal to satisfy the exercised right of access should take place in writing, with a detailed statement and sufficient documentation of the relevant reasons for rejection on the part of the data controller17, in order to meet the condition transparent information, according to article 12 par. 1 GDPR. In this case, the rejection of the complainant's request by the association's letter of 2/11/2021 does not contain the above-required reasoning and documentation of the reasons for rejecting the complainant's request, which is not contained in the letter of 7/6 /2021 response, even in the case that it wanted to be considered relevant to the substantially different request of the complainant being examined in this case from 3/10/2021, while her verbal information regarding the reasons for the rejection of her request cannot be considered as sufficient reasoned and documented rejection of her request for access to data concerning her. Furthermore, as has been judged by the Authority18, in the event that the provision of a copy may adversely affect the rights and freedoms of other persons according to article 15 par. 4 GDPR, as in this case is presented by the defendant association, it may be considered necessary the specificity of the access request, in order for the data controller to be able to examine, within the framework of the principle of accountability, whether there is a question of an adverse effect on the rights and freedoms of others, and therefore whether there is a legitimate reason for not granting the data. However, based on the principle of accountability, in accordance with Article 5 para. 2 GDPR, it is the duty of the controller to facilitate the exercise of the subject's right, in accordance with Article 12 para. 2 GDPR, by inviting him to specify the access request, 16 Decision 20/2023, available on the website of the Authority. See also StE (StE 2627/2017). 17 Decisions 36/2021 and 39/2021, available on its website. 18 Decision 19/2022 APDPH, available on its website. 14 in order to be able to satisfy the exercised right while at the same time preserving any data of third parties19. In this particular case, the defendant Association, as already established above, with its reply dated 2/11/2021 to the complainant, rejected the request for access to the parts of the minutes of the Board of Directors that concern her, without citing reasons and presented the said claim only before the Authority. Accordingly, a violation of the provisions of article 12 para. 1, 2 GDPR in combination with the provisions of article 15 para. 1, 3 GDPR is established on the part of the controller. Following all of the above, in view of the above-mentioned repeal of Law 2472/1997, only the violation of the provisions of article 12 par. 1, 2 GDPR in combination with the provisions of article 15 par. 1, 3 GDPR, regarding the complainant's access request from 3/10/2021. The Authority considers that in relation to the violations described in detail above, there is a case of exercising its corrective powers under article 58 paragraph 2 GDPR, as the content of this is supplemented by recital 148 GDPR. In particular, the Authority, taking into account all the circumstances of the case under consideration, considers that in relation to the violations reported in detail above, there is a case of application of the provision of article 58 par. 2 item. b) GDPR, and the Authority should address a reprimand to the responsible controller for the violation of the above provisions of the GDPR. FOR THESE REASONS, the Authority 19 Ibid.. see also Decision 26/2021, regarding the facility to exercise the right of access, available on its website. 15 finds that the defendant Cultural Association X violated the right of access of the complainant, in violation of the provisions of article 12 para. 1, 2 GDPR in combination with the provisions of article 15 para. 1, 3 GDPR, and addresses a reprimand according to article 58 par. 2 item. b) GDPR to the defendant Cultural Association X, for the reasons that are extensively analyzed in the rationale of this present. The President The Secretary Georgios Batzalexis Irini Papageorgopoulou 16
