HDPA (Greece) - 56/2021

From GDPRhub
Revision as of 19:46, 8 February 2022 by Anastasia.tsermenidou
HDPA (Greece) - 56/13-12-2021
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 4(7) GDPR
Article 5(1) GDPR
Article 5(2) GDPR
Article 13 GDPR
Article 14 GDPR
Article 15 GDPR
Article 21 GDPR
Article 11 of national law 3471/2006
Type: Complaint
Outcome: Upheld
Started:
Decided: 31.12.2021
Published: 31.12.2021
Fine: 30.000 EUR
Parties: INFO COMMUNICATION SERVICES
National Case Number/Name: 56/13-12-2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: Anastasia.Tsermenidou

The HDPA held that companies using automated procedures for marketing purposes should clarify the data subject's valid consent in order to continue processing personal data, in accordance with Article 13 and Article 14 GDPR.

English Summary

Facts

The HDPA received a great number of complaints concerning automated (without human intervention) telephone harassment for the purpose of promoting products or services, in which recipients were not informed of the identity of the person on whose behalf the calls were made, and all the calls came from telephone numbers starting with the same prefix. The complaints also included harassment by text message.

The HDPA conducted a thorough and careful investigation and concluded the following: the Greek company (the controller) violated the GDPR, since as a controller it should have complied with several obligations under the GDPR. First, the controller continued processing personal data without having obtained the clear consent of the data subject, as required by Article 6(2) GDPR and Article 11 of National Law 3471/2006. Specifically, the controller makes automated calls to promote services and products without the prior valid consent of data subjects. The controller's key claim, that the automated calls are made only to those who have given explicit prior consent, is unfounded, since it is not confirmed by the evidence. Moreover, the controller did not inform the data subject about its identity, the purpose of the processing activity, whether the processing was lawful and transparent, and whether, as a controller, it is able to demonstrate compliance with those principles at any time. In addition, the company did not inform data subjects about their rights, such as the right of access and the right to object.

The HDPA, taking into account the above violations, and especially the breaches of Articles 13 and 14 GDPR and Article 11 of National Law 3471/2006, imposed a penalty of 30.000 €, which is effective, proportionate and dissuasive.

Holding

The HDPA imposed a fine of 30.000 € on a Greek company for breaching Articles 13 and 14 GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Summary
The Authority examined nine complaints regarding automated telephone promotions from the company INFO COMMUNICATION SERVICES ADVERTISING - PROMOTIONAL - COMMERCIAL - RESEARCH AND PUBLICATION regarding the promotional activities it carries out. The Authority found violations of Article 11 par. 1 of Law 3471/2006 (carrying out automated telephone calls without prior consent, since, apart from the fact that the company did not prove that it obtains consent, the very procedure it described following does not guarantee that consent is obtained) as well as of Articles 13 and 14 of the GDPR (failure to inform data subjects, since, inter alia, the complainants did not initially know the name of the company that made the calls), and imposed a fine of €30,000 for the infringements found above.