HDPA (Greece) - 52/2021: Difference between revisions

From GDPRhub
Latest revision as of 10:00, 22 December 2021

HDPA (Greece) - 52/2021
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law:
Article 28(3) GDPR
Article 32(2) GDPR
Article 32(4) GDPR
N. 3471/2006
Type: Complaint
Outcome: Upheld
Started:
Decided: 23.06.2021
Published: 08.12.2021
Fine: 30,000 EUR
Parties: ZENITH
One Way Private Company
National Case Number/Name: 52/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: Hellenic Data Protection Authority (in EL)
Initial Contributor: Eleni Papadopoulou

The Hellenic DPA fined a processor €30,000 for failing to ensure an appropriate level of security of personal data under Article 32(2), Article 32(4) GDPR and Article 28(3) GDPR, and also issued a reprimand against the controller for a breach of Article 28(3) GDPR.

English Summary

Facts

Seventeen individuals submitted complaints to the Hellenic DPA (HDPA) against the gas supplier ZENITH (controller) for unlawful processing of personal data for purely marketing purposes. ZENITH had signed a contract with One Way Private Company (processor), which undertook the processing of the controller's customers' personal data for marketing purposes. The processor used an automated mechanism that randomly selected telephone numbers from a list of customer contact details in order to contact individuals for marketing purposes. Some customers had previously clearly waived their consent for the controller to have their contact details. The telephone numbers of these individuals were supposed to be excluded from this list. However, due to a mistake by one of the processor's employees, many of these customers were not excluded from the list and consequently received marketing calls from the processor.

Holding

After reviewing the facts of the case, the HDPA first stated that the telephone number of an individual constitutes "personal data" under Article 4(1) GDPR because it makes a person identifiable. Moreover, the HDPA held that ZENITH, which transferred the contact details of its customers to the processor under a contract between them so that the latter could make marketing calls, must be considered a "controller" under Article 4(7) GDPR and the latter company a "processor" under Article 4(8) GDPR.

Furthermore, the HDPA stated that both the controller and the processor were in breach of GDPR provisions. Specifically, the processor failed to implement appropriate technical and organisational measures for ensuring an appropriate level of security under Article 32(2) GDPR, since it was its employee who made the relevant mistake. On the other hand, the controller was responsible for providing the appropriate tools and guidelines to prevent unlawful calls from being made and for supervising the processor's methods. Lastly, the HDPA stated that it was the controller's duty to act upon the individuals' complaints. However, according to the HDPA, instead of addressing the problem and giving the processor specific guidelines, the controller only provided general and inadequate ones.

Therefore, the HDPA fined the processor €30,000 under Article 58(2) GDPR and Article 83(4) GDPR for the breach of Article 32(2), Article 32(4) GDPR and Article 28(3) GDPR. As for the controller, the HDPA issued a reprimand under Article 58(2) GDPR for the breach of Article 28(3) GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Category: Decision
Date: 08/12/2021
Transaction number: 52
Thematic unit: 09. Promotion of products and services
Applicable provisions:
Article 28: Perform the processing (arrangements)
Article 32: Processing security
Article 11.1: Unsolicited electronic communication

Summary: The Authority received 17 complaints regarding illegal telephone calls aimed at promoting products or services of the company ZENITH - Gas Supply Company of Thessaloniki, Thessaly SA. For this specific processing, ZENITH is the controller and One Way Private Company is the processor. The examination of the case revealed that, due to an error in the processor's implementation, telephone calls were made to subscribers who had been registered in the Article 11 register, in violation of Article 11 of Law 3471/2006. The Authority imposed on the processor, One Way Private Company, a fine of 30,000 euros for violation of Article 32(2) and (4) GDPR in combination with Article 28(3)(c). It also imposed on the controller, ZENITH, the sanction of a reprimand for violation of Article 28(3)(c) GDPR.

PDF Decision: 52_2021anonym.pdf (272.69 KB)