HDPA (Greece) - 51/2021: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Greece |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoGR.jpg |DPA_Abbrevation=HDPA (Greece) |DPA_With_Country=HDPA (Greece) |Case_Number...")
 
 
(7 intermediate revisions by 3 users not shown)
Line 23: Line 23:
|Currency=
|Currency=


|GDPR_Article_1=Article 21 GDPR
|GDPR_Article_1=Article 22 GDPR
|GDPR_Article_Link_1=Article 21 GDPR
|GDPR_Article_Link_1=Article 22 GDPR
|GDPR_Article_2=Article 22(1) GDPR
|GDPR_Article_2=Article 21(1) GDPR
|GDPR_Article_Link_2=Article 22 GDPR#1
|GDPR_Article_Link_2=Article 21 GDPR#1




|National_Law_Name_1=ν. 3758/2009
|National_Law_Name_1=Law 3758/2009
|National_Law_Link_1=
|National_Law_Link_1=https://www.e-nomothesia.gr/sunegoros-tou-katanalote/n-3758-2009.html


|Party_Name_1=
|Party_Name_1=
Line 52: Line 52:
}}
}}


The HDPA rejected a data's subject complaints, since the Article 22 did not apply and the Article 21(1), the right to objection, did not exercised.  
The Hellenic DPA rejected a complaint by a data subject about possible automated decision-making by a bank on the grounds that there was no new evidence brought forward by the claimant. The DPA also highlighted that the data subject did not exercise their right to object under [[Article 21 GDPR#1|Article 21(1) GDPR]].  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The HDPA rejected the legal remedy, which was attested by a data subject, since there were no essential proofs that the data’s subject rights were offended.   
In a previous case, a data subject informed the Hellenic DPA (HDPA) that during the period from July to September they were getting frequent phone calls and nuisances by the representatives of a Greek bank on debt matters from a consumer loan, and filed a complaint on the grounds that this practice constitutes automated decision-making (including profiling) according to [[Article 22 GDPR]]. 
 
The Hellenic DPA rejected the claim and did not apply legal remedy since there was no substantial documentation or essential proof that any processing activity through automated decision-making had taken place, or that the data subject's rights were infringed upon.   
 
The data subject then submitted a new complaint regarding the same issue.   


=== Holding ===
=== Holding ===
At first the data subject complained and informed the HDPA that during the period from July to September was accepting constant and frequent phone calls and nuisances by the representatives from a Greek Bank on debt matters from a consumer loan. According to the applicant, this practice constitutes automated decision making (including profiling) , according to article 22 of the GDPR. The HDPA examined carefully the complaints of the data subject and rejected and filed the legal remedy, since there it lacked of substantial documentation. There were no proofs for any processing activity based on neither automated decision making (including profiling) nor a breach of the rights of the data subject. Moreover, the Greek Authority stated that the data subject could exercise his rights through the right to objection, which should be addressed to the Controller first (in this case to the Controller of the Greek Bank), according to Articles 21 and 22 of the GDPR. The HDPA indicated there is a specific legal framework for the proper information of bank clients and debtors, which is defined by the national law 3758/2009. The data subject submitted a complained for the same case, but the HDPA rejected and filed the complaint again, since there were no new evidence.   
The HDPA rejected this new complaint on the grounds that there was no new evidence brought forward by the claimant in this case. Moreover, the HDPA stated that the data subject could exercise their rights through the right to object under [[Article 21 GDPR#1|Article 21(1) GDPR]], which should be addressed to the controller first (the Greek bank in this case). The HDPA also indicated there is a specific national legal framework ([https://www.e-nomothesia.gr/sunegoros-tou-katanalote/n-3758-2009.html Law 3758/2009]) regulating information related to bank clients and debtors.   


== Comment ==
== Comment ==

Latest revision as of 15:30, 6 December 2023

HDPA (Greece) - 51/19-11-2021
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 22 GDPR
Article 21(1) GDPR
Law 3758/2009
Type: Complaint
Outcome: Rejected
Started:
Decided: 19.11.2021
Published: 19.11.2021
Fine: None
Parties: n/a
National Case Number/Name: 51/19-11-2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: https://www.dpa.gr/el/enimerwtiko/prakseisArxis (in EL)
Initial Contributor: Anastasia Tsermenidou

The Hellenic DPA rejected a complaint by a data subject about possible automated decision-making by a bank on the grounds that there was no new evidence brought forward by the claimant. The DPA also highlighted that the data subject did not exercise their right to object under Article 21(1) GDPR.

English Summary

Facts

In a previous case, a data subject informed the Hellenic DPA (HDPA) that during the period from July to September they were getting frequent phone calls and nuisances by the representatives of a Greek bank on debt matters from a consumer loan, and filed a complaint on the grounds that this practice constitutes automated decision-making (including profiling) according to Article 22 GDPR.

The Hellenic DPA rejected the claim and did not apply legal remedy since there was no substantial documentation or essential proof that any processing activity through automated decision-making had taken place, or that the data subject's rights were infringed upon.

The data subject then submitted a new complaint regarding the same issue.

Holding

The HDPA rejected this new complaint on the grounds that there was no new evidence brought forward by the claimant in this case. Moreover, the HDPA stated that the data subject could exercise their rights through the right to object under Article 21(1) GDPR, which should be addressed to the controller first (the Greek bank in this case). The HDPA also indicated there is a specific national legal framework (Law 3758/2009) regulating information related to bank clients and debtors.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Article 2: Substantive scope Article 2.2.c: Exclusively personal or domestic activity Article 3: Territorial scope Article 4.1: Personal data (definition) Article 4.1: Data subject (definition) Article 4.2: Processing (definition) Article 4.3: Restriction of processing (definition) Article 4.4: Profileing (definition) Article 4.5: Aliasing (definition) Article 4.6: Archiving system (definition) Article 4.7: Processor (definition) Article 4.8: Executor (definition) Article 4.9: Recipient (definition) Article 4.10: Third (definition) Article 4.11: Consent (definition) Article 4.12: Violation of personal data (definition) Article 4.13: Genetic data (definition) Article 4.14: Biometric data (definition) Article 4.15: Health data (definition) Article 4.16: Main establishment ( definition) Article 4.17: Representative (definition) Article 4.18: Business (definition) Article 4.19: Group of companies (definition) Article 4.20: Binding company rules (definition) Article 4.21: Supervisory authority (definition) Article 4.22: Interesting supervisory authority (definition) Article 4.23: Cross-border processing (definition) Article 4.24: Relevant and reasoned objection (definition) Article 4.25: Information society service (definition) Article 4.26: International organization (definition) Article 5.1: Data processing principles Article 5.1.a: Principle of legality, objectivity and transparency Article 5.1. b: Principle of limitation of purpose Article 5.1.c: Principle of data minimization Article 5.1.d: Principle of accuracy Article 5.1.e: Principle of limitation of the storage period Article 5.1.f: Principle of integrity and confidentiality Article 5.2: Principle of accountability Article 6.1.a: Legal basis of consent Article 6.1.b: Legal basis ext Termination of contract Article 6.1.c: Legal basis for compliance with a legal obligation Article 6.1.d: Legal basis for safeguarding a vital interest Article 6.1.e: Legal basis for the performance of a public duty Article 6.1.f: Legal basis of a higher legal interest Article 6.4: Compatibility of processing for other Article 7: Conditions for consent Article 8: Child consent for information society services Article 9.1: Special categories of personal data Article 9.2.a: Explicit consent Article 9.2.b: Execution of labor law obligations etc. Article 9.2.c: Protection of vital interests Article 9.2.d: Edit protection of data of special categories of members of an institution, organization, etc. Article 9.2.e: Explicit disclosure Article 9.2.g: Substantial public interest Article 9.2.f: Establishment, exercise or support of legal claims Article 9.2.h: Processing by a health professional Article 9.2.i: Public interest in the field of public health Article 9.2.i: Archiving, scientific or historical research - statistics Article 10: Processing of criminal convictions and offenses Article 11: Processing which does not require identification Article 12: Transparent information Article 12.2: Facilitation exercise of rights Article 12.3: Deadline for responding to a right Article 12.4: Deadline for informing of a non-action on a right Article 12.5: Manifestly unfounded or excessive claims of a right Article 12.6: Information necessary to confirm the identity of the subject Article 13: Information collected by the data subject Article 14: Information when the collection is not Article 15: Right of access Article 16: Right of correction Article 17: Right of deletion Article 18: Right of limitation of processing Article 19: Obligation to notify of correction, deletion or restriction Article 20: Right of portability Article 21: Right of a Article 22: Automated individual decision-making Article 23: Restrictions on rights Article 24: Responsibility of the controller Article 24.2: Implementation of appropriate data protection policies Article 25.1: Data protection already by design Article 25.2: Data protection by default Article 26: Joint controllers Article 27: Representatives of non-EU managers or executors Article 28: Executor (arrangements) Article 28.3: Arrangements of a contract (or other legal act) with executor Article 29: Processing under the supervision of the responsible or executor Article 30: Records of processing activities Article 31 - Law 4624/2019 article 66: Cooperation with the supervisory authority Article 32: Processing security Article 33: Notification of personal data breach Article 34: Notification of personal data breach Article 35: Impact assessment on data protection Article 36: Prior consultation Article 37 - Law 4624 / 2019 article 6: Appointment of the data protection officer Article 38 - n .4624 / 2019 article 7: Position of the data protection officer Article 39 - n.4624 / 2019 article 8: Duties of the data protection officer Article 40: Codes of conduct Article 41: Monitoring of approved codes of conduct Article 42: Certification Article 43: Certification bodies Article 45: Transfers on the basis of a decision of competence Article 46: Transfers subject to appropriate guarantees Article 47: Binding corporate rules Article 49: Derogations for special situations Article 50: International cooperation Article 55: Responsibility of supervisory authority Article 56: Supervisory authority Article 56.2: Jurisdiction over local affairs Article 60: Cooperation of supervisors and supervisory authorities concerned Article 61: Mutual assistance Article 62: Joint ventures Article 63: Cohesion mechanism Article 66: Urgent procedure Article 80 - Law 4624/2019 Article 41: Representation of Article 83: General conditions for the imposition of administrative fines Article 86 - Law 4624/2019 Article 42: Processing and public access to official documents Article 87: National identity number Article 89.1: Safeguards for the purposes of archiving, scientific or historical research, statistics Article 95 Relation to Directive 2002/58 / EC