Editing HDPA (Greece) - 7/2021

From GDPRhub

Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.

Latest revision Your text
Line 60: Line 60:
 
}}
 
}}
  
The Greek DPA decided that the Athens Bar Association (ABA) was allowed to share the personal data of its members with the candidates for the elections of the ABA, as long as the further processing of these data remains compliant with the GDPR.  
+
The Greek DPA decided that the Athens Bar Association (ABA) was allowed to share the personal data of its members with the candidates to the elections of the ABA, as long as the further processing of these data remains compliant with the GDPR.  
  
 
== English Summary ==
 
== English Summary ==
  
 
=== Facts ===
 
=== Facts ===
The Athens Bar Association (ABA), in the context of the upcoming elections of its representatives, asked the Hellenic Data Protection Authority (HDPA) whether they were allowed under the GDPR to provide the candidates with the names and contact details of the members of ABA. The main purpose was to allow those candidates to reach out to members of the ABA to share projects and ideas as part of the upcoming electoral campaign.
+
The Athens Bar Association (ABA), in the context of the upcoming elections of its representatives, asked the Hellenic Data Protection Authority (HDPA) whether they were allowed under the GDPR to provide the candidates to the elections with the names and contact details of the members of ABA. The main purpose was to allows those candidates to reach out to members to share their projects and ideas with a view of getting elected.
  
 
=== Holding ===
 
=== Holding ===
After reviewing the facts of the case, the HDPA first stated that each candidate for the elections should be considered as a 'third party' in the sense of [[Article 4 GDPR|Article 4(10) GDPR]] in relation to the disclosure of the personal data by the ABA, and also as a separate controller in the sense of [[Article 4 GDPR|Article 4(7) GDPR]] when further processing the personal data of the members of the ABA.  
+
After reviewing the facts of the case, the HDPA first stated that each candidate to the election should be considered as a 'third party' in the sense of [[Article 4 GDPR|Article 4(10) GDPR]] in relation to the transfer of data from ABA, and also as a separate controller in the sense of [[Article 4 GDPR|Article 4(7) GDPR]] when processing the personal data of other members of the ABA.  
  
 
Regarding the lawfulness of the processing, the HDPA considered that the processing of personal data by the ABA for its own internal organisation is allowed under [[Article 6 GDPR|Article 6(1)(e) GDPR]], in the sense that such processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. As a consequence, the HDPA decided that the ABA may generally process the personal data of its members when necessary for its organization, without having to obtain the prior consent of the individuals concerned.  
 
Regarding the lawfulness of the processing, the HDPA considered that the processing of personal data by the ABA for its own internal organisation is allowed under [[Article 6 GDPR|Article 6(1)(e) GDPR]], in the sense that such processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. As a consequence, the HDPA decided that the ABA may generally process the personal data of its members when necessary for its organization, without having to obtain the prior consent of the individuals concerned.  
  
Regarding the sharing of members' personal data with candidates for the elections, the HDPA further considered that, even though the data subjects (i.e. ABA's members) did not specifically consent to this type of processing, it would still be permitted under the [[Article 6 GDPR|Article 6(4)  GDPR]], since such processing  is compatible with the purpose for which the personal data were initially collected at the time each member registered with the ABA.  
+
Regarding the sharing of members' personal data with candidates to the elections, the HDPA further considered that, even though the data subjects (i.e. ABA's members) did not specifically consent to this type of processing, it would still be permitted under the [[Article 6 GDPR|Article 6(4)  GDPR]], since such processing  is compatible with the purpose for which the personal data were initially collected at the time each member registered with the ABA.  
  
In order for the sharing of the members' personal data with the elections' candidates to remain lawful, however, the HDPA specified that each candidate must grant to these members the right to object to the processing of their personal data at any time, in accordance with the [[Article 21 GDPR]].   
+
In order for the sharing of the members' personal data with the elections' candidates to remain lawful, the HDPA specified that each candidate to the election must grant to these members the right to object to the processing of their personal data at any time, in accordance with the [[Article 21 GDPR]].   
  
Furthermore, in their capacity as controllers, each candidate must ensure to comply with their other obligations under the GDPR when processing such data, including by indicating the exact period of time after which those personal data will be deleted, and by ensuring that those data are only processed in a manner which is compatible with the purpose for which they were initially collected.  
+
Furthermore, in their capacity as controllers, each candidate must ensure to comply with their other obligations under the GDPR, including by indicating the exact period of time after which those personal data will be deleted, and by ensuring that those data are only processed in a manner which is compatible with the purpose for which they were initially collected.  
  
 
== Comment ==
 
== Comment ==

Please note that all contributions to GDPRhub are considered to be released under the Creative Commons Attribution-NonCommercial-ShareAlike (see GDPRhub:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To edit this page, please answer the question that appears below (more info):

Cancel Editing help (opens in new window)

Template used on this page: