HDPA (Greece) - 51/2021: Difference between revisions

From GDPRhub
(Thank you so much for this summary! I changed the wording for more clarity or to avoid repetition, but the most important part that I changed was moving things from holding to facts. It's best to make sure to differentiate which are facts and which are holding. In this case it was a bit tricky, because part of the facts were the holding of a previous case, which are now facts regarding this case. Thanks again! :))
 
(3 intermediate revisions by 2 users not shown)
Line 52: Line 52:
}}
}}


The Hellenic DPA rejected a complaint citing lack of proof for any violation of rights or automated decision-making under [[Article 22 GDPR]], and noted that the data subject did not exercise their right to object under [[Article 21 GDPR#1|Article 21(1) GDPR]].  
The Hellenic DPA rejected a complaint by a data subject about possible automated decision-making by a bank on the grounds that there was no new evidence brought forward by the claimant. The DPA also highlighted that the data subject did not exercise their right to object under [[Article 21 GDPR#1|Article 21(1) GDPR]].  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
In a previous case, a data subject informed the Hellenic DPA (HDPA) that during the period from July to September they were getting frequent phone calls and nuisances by the representatives from a Greek bank on debt matters from a consumer loan, and issued a complaint on the grounds that this practice constitutes automated decision-making (including profiling) according to [[Article 22 GDPR]].   
In a previous case, a data subject informed the Hellenic DPA (HDPA) that during the period from July to September they were getting frequent phone calls and nuisances by the representatives of a Greek bank on debt matters from a consumer loan, and filed a complaint on the grounds that this practice constitutes automated decision-making (including profiling) according to [[Article 22 GDPR]].   


The Hellenic DPA rejected the claim and did not apply legal remedy since there was no substantial documentation or essential proof that any processing activity through automated decision-making had taken place, or that the data subject's rights were infringed upon.   
The Hellenic DPA rejected the claim and did not apply legal remedy since there was no substantial documentation or essential proof that any processing activity through automated decision-making had taken place, or that the data subject's rights were infringed upon.   


The data subject then submitted a new complaint for this same case.     
The data subject then submitted a new complaint regarding the same issue.     


=== Holding ===
=== Holding ===
The HDPA rejected this new complaint on the grounds that there was no new evidence brought forward by the claimant in this case.
The HDPA rejected this new complaint on the grounds that there was no new evidence brought forward by the claimant in this case. Moreover, the HDPA stated that the data subject could exercise their rights through the right to object under [[Article 21 GDPR#1|Article 21(1) GDPR]], which should be addressed to the controller first (the Greek bank in this case). The HDPA also indicated there is a specific national legal framework ([https://www.e-nomothesia.gr/sunegoros-tou-katanalote/n-3758-2009.html Law 3758/2009]) regulating information related to bank clients and debtors.   
 
Moreover, the HDPA stated that the data subject could exercise their rights through the right to object under [[Article 21 GDPR#1|Article 21(1) GDPR]], which should be addressed to the controller first (the Greek bank in this case). The HDPA also indicated there is a specific national legal framework ([https://www.e-nomothesia.gr/sunegoros-tou-katanalote/n-3758-2009.html Law 3758/2009]) regulating information related to bank clients and debtors.   


== Comment ==
== Comment ==

Latest revision as of 15:30, 6 December 2023

HDPA (Greece) - 51/19-11-2021
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 22 GDPR
Article 21(1) GDPR
Law 3758/2009
Type: Complaint
Outcome: Rejected
Started:
Decided: 19.11.2021
Published: 19.11.2021
Fine: None
Parties: n/a
National Case Number/Name: 51/19-11-2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: https://www.dpa.gr/el/enimerwtiko/prakseisArxis (in EL)
Initial Contributor: Anastasia Tsermenidou

The Hellenic DPA rejected a complaint by a data subject about possible automated decision-making by a bank on the grounds that there was no new evidence brought forward by the claimant. The DPA also highlighted that the data subject did not exercise their right to object under Article 21(1) GDPR.

English Summary

Facts

In a previous case, a data subject informed the Hellenic DPA (HDPA) that during the period from July to September they were getting frequent phone calls and nuisances by the representatives of a Greek bank on debt matters from a consumer loan, and filed a complaint on the grounds that this practice constitutes automated decision-making (including profiling) according to Article 22 GDPR.

The Hellenic DPA rejected the claim and did not apply legal remedy since there was no substantial documentation or essential proof that any processing activity through automated decision-making had taken place, or that the data subject's rights were infringed upon.

The data subject then submitted a new complaint regarding the same issue.

Holding

The HDPA rejected this new complaint on the grounds that there was no new evidence brought forward by the claimant in this case. Moreover, the HDPA stated that the data subject could exercise their rights through the right to object under Article 21(1) GDPR, which should be addressed to the controller first (the Greek bank in this case). The HDPA also indicated there is a specific national legal framework (Law 3758/2009) regulating information related to bank clients and debtors.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Article 2: Substantive scope Article 2.2.c: Exclusively personal or domestic activity Article 3: Territorial scope Article 4.1: Personal data (definition) Article 4.1: Data subject (definition) Article 4.2: Processing (definition) Article 4.3: Restriction of processing (definition) Article 4.4: Profileing (definition) Article 4.5: Aliasing (definition) Article 4.6: Archiving system (definition) Article 4.7: Processor (definition) Article 4.8: Executor (definition) Article 4.9: Recipient (definition) Article 4.10: Third (definition) Article 4.11: Consent (definition) Article 4.12: Violation of personal data (definition) Article 4.13: Genetic data (definition) Article 4.14: Biometric data (definition) Article 4.15: Health data (definition) Article 4.16: Main establishment ( definition) Article 4.17: Representative (definition) Article 4.18: Business (definition) Article 4.19: Group of companies (definition) Article 4.20: Binding company rules (definition) Article 4.21: Supervisory authority (definition) Article 4.22: Interesting supervisory authority (definition) Article 4.23: Cross-border processing (definition) Article 4.24: Relevant and reasoned objection (definition) Article 4.25: Information society service (definition) Article 4.26: International organization (definition) Article 5.1: Data processing principles Article 5.1.a: Principle of legality, objectivity and transparency Article 5.1. b: Principle of limitation of purpose Article 5.1.c: Principle of data minimization Article 5.1.d: Principle of accuracy Article 5.1.e: Principle of limitation of the storage period Article 5.1.f: Principle of integrity and confidentiality Article 5.2: Principle of accountability Article 6.1.a: Legal basis of consent Article 6.1.b: Legal basis ext Termination of contract Article 6.1.c: Legal basis for compliance with a legal obligation Article 6.1.d: Legal basis for safeguarding a vital interest Article 6.1.e: Legal basis for the performance of a public duty Article 6.1.f: Legal basis of a higher legal interest Article 6.4: Compatibility of processing for other Article 7: Conditions for consent Article 8: Child consent for information society services Article 9.1: Special categories of personal data Article 9.2.a: Explicit consent Article 9.2.b: Execution of labor law obligations etc. Article 9.2.c: Protection of vital interests Article 9.2.d: Edit protection of data of special categories of members of an institution, organization, etc. Article 9.2.e: Explicit disclosure Article 9.2.g: Substantial public interest Article 9.2.f: Establishment, exercise or support of legal claims Article 9.2.h: Processing by a health professional Article 9.2.i: Public interest in the field of public health Article 9.2.i: Archiving, scientific or historical research - statistics Article 10: Processing of criminal convictions and offenses Article 11: Processing which does not require identification Article 12: Transparent information Article 12.2: Facilitation exercise of rights Article 12.3: Deadline for responding to a right Article 12.4: Deadline for informing of a non-action on a right Article 12.5: Manifestly unfounded or excessive claims of a right Article 12.6: Information necessary to confirm the identity of the subject Article 13: Information collected by the data subject Article 14: Information when the collection is not Article 15: Right of access Article 16: Right of correction Article 17: Right of deletion Article 18: Right of limitation of processing Article 19: Obligation to notify of correction, deletion or restriction Article 20: Right of portability Article 21: Right of a Article 22: Automated individual decision-making Article 23: Restrictions on rights Article 24: Responsibility of the controller Article 24.2: Implementation of appropriate data protection policies Article 25.1: Data protection already by design Article 25.2: Data protection by default Article 26: Joint controllers Article 27: Representatives of non-EU managers or executors Article 28: Executor (arrangements) Article 28.3: Arrangements of a contract (or other legal act) with executor Article 29: Processing under the supervision of the responsible or executor Article 30: Records of processing activities Article 31 - Law 4624/2019 article 66: Cooperation with the supervisory authority Article 32: Processing security Article 33: Notification of personal data breach Article 34: Notification of personal data breach Article 35: Impact assessment on data protection Article 36: Prior consultation Article 37 - Law 4624 / 2019 article 6: Appointment of the data protection officer Article 38 - n .4624 / 2019 article 7: Position of the data protection officer Article 39 - n.4624 / 2019 article 8: Duties of the data protection officer Article 40: Codes of conduct Article 41: Monitoring of approved codes of conduct Article 42: Certification Article 43: Certification bodies Article 45: Transfers on the basis of a decision of competence Article 46: Transfers subject to appropriate guarantees Article 47: Binding corporate rules Article 49: Derogations for special situations Article 50: International cooperation Article 55: Responsibility of supervisory authority Article 56: Supervisory authority Article 56.2: Jurisdiction over local affairs Article 60: Cooperation of supervisors and supervisory authorities concerned Article 61: Mutual assistance Article 62: Joint ventures Article 63: Cohesion mechanism Article 66: Urgent procedure Article 80 - Law 4624/2019 Article 41: Representation of Article 83: General conditions for the imposition of administrative fines Article 86 - Law 4624/2019 Article 42: Processing and public access to official documents Article 87: National identity number Article 89.1: Safeguards for the purposes of archiving, scientific or historical research, statistics Article 95 Relation to Directive 2002/58 / EC