Difference between revisions of "HDPA (Greece) - 7/2021"

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Greece |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoGR.jpg |DPA_Abbrevation=HDPA (Greece) |DPA_With_Country=HDPA (Greece) |Case_Number...")
 
(I made some grammatical and syntax changes to ensure clarity ; I added the missing hyperlinks to the articles of the GDPR (make sure to say "Article 6(4) GDPR" and not "Article 6(4) of the GDPR ;-)) ; I erased the numbering in line with our Style Guidelines (NB. normally, numbering/bullet point should only be used for example to list names of parties or specific conditions ; here however, the points made by the HDPA were on different topics, such as the qualification of parties or lawfulness))
Line 60: Line 60:
 
}}
 
}}
  
The Greek DPA decided that the Athens Bar Association candidates are allowed under the GDPR provisions to collect and process the personal data of the members, but only under some specific terms and conditions. Which are they?
+
The Greek DPA decided that the Athens Bar Association (ABA) was allowed to share the personal data of its members with the candidates to the elections of the ABA, as long as the further processing of these data remains compliant with the GDPR.  
  
 
== English Summary ==
 
== English Summary ==
  
 
=== Facts ===
 
=== Facts ===
Having as a cause the forthcoming Bar Association elections, the Athens Bar Association asked the Hellenic Data Protection Authority(HDPA) whether or not the Association's register department decision to provide the Association's candidates with the personal data(contact details) of the Association's members would be in compliance with the GDPR provisions.
+
The Athens Bar Association (ABA), in the context of the upcoming elections of its representatives, asked the Hellenic Data Protection Authority (HDPA) whether they were allowed under the GDPR to provide the candidates to the elections with the names and contact details of the members of ABA. The main purpose was to allows those candidates to reach out to members to share their projects and ideas with a view of getting elected.
  
 
=== Holding ===
 
=== Holding ===
After reviewing the facts of the case, the Greek DPA held that:
+
After reviewing the facts of the case, the HDPA first stated that each candidate to the election should be considered as a 'third party' in the sense of [[Article 4 GDPR|Article 4(10) GDPR]] in relation to the transfer of data from ABA, and also as a separate controller in the sense of [[Article 4 GDPR|Article 4(7) GDPR]] when processing the personal data of other members of the ABA.  
1. Each candidate is considered to be a 'third party'(Article 4(10) of the GDPR) in relation to the Association as regards his contact with the members as he is a separate 'controller'.  
+
 
2. The actions taken for the unhampered operation of the Bar Association are encompassed within the meaning of '...performance of a task carried out in the public interest or in the exercise of official authority vested in the controller '(Article 6(1)(e) of the GDPR) and as such,  the transmission of the personal data and their processing by the third parties, does not need the consent of the data subject in order to be legal.
+
Regarding the lawfulness of the processing, the HDPA considered that the processing of personal data by the ABA for its own internal organisation is allowed under [[Article 6 GDPR|Article 6(1)(e) GDPR]], in the sense that such processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. As a consequence, the HDPA decided that the ABA may generally process the personal data of its members when necessary for its organization, without having to obtain the prior consent of the individuals concerned.
3. Even though the data subjects(members) did not give particularly their consent for their personal data to be given to third parties(candidates), this action is permitted under the Article 6(4) of the GDPR, since it is deemed to be a purpose relevant to the main one to which they agreed at the stage of registration.
+
 
4. In order for the transmission of the Association's members' personal data to the Association's candidates to be conducted legally, what is needed is that each candidate must grant the members the 'right to object' to the processing of their personal data at any time. Specifically, the 'right to object' must be given even prior to the personal data transmission, for the purposes of compliance with the Article 21 of the GDPR.  
+
Regarding the sharing of members' personal data with candidates to the elections, the HDPA further considered that, even though the data subjects (i.e. ABA's members) did not specifically consent to this type of processing, it would still be permitted under the [[Article 6 GDPR|Article 6(4) GDPR]], since such processing  is compatible with the purpose for which the personal data were initially collected at the time each member registered with the ABA.  
5. Each candidate must take appropriate and specified measures as regards the processing of the personal data he collected, in order for his behaviour to be compliant with the Article 6(4) of the GDPR and declare the exact period of time after which those personal data will be deleted.
+
 
6. In general, each candidate bears all the responsibilities a 'controller' has under the GDPR provisions.  
+
In order for the sharing of the members' personal data with the elections' candidates to remain lawful, the HDPA specified that each candidate to the election must grant to these members the right to object to the processing of their personal data at any time, in accordance with the [[Article 21 GDPR]].
 +
 
 +
Furthermore, in their capacity as controllers, each candidate must ensure to comply with their other obligations under the GDPR, including by indicating the exact period of time after which those personal data will be deleted, and by ensuring that those data are only processed in a manner which is compatible with the purpose for which they were initially collected.  
  
 
== Comment ==
 
== Comment ==

Revision as of 13:42, 15 November 2021

HDPA (Greece) - 7/2021
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 4(7) GDPR
Article 4(10) GDPR
Article 6(1)(e) GDPR
Article 6(4) GDPR
Article 21 GDPR
Article 103 etc from National Law 4194/13(Lawyers' Code)
Article 11§3,4 from National Law 3471/06
Type: Advisory Opinion
Outcome: n/a
Started:
Decided: 14.10.2021
Published: 01.11.2021
Fine: None
Parties: n/a
National Case Number/Name: 7/2021
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Greek
Original Source: Greek DPA (in EL)
Initial Contributor: Eleni.papadopoulou

The Greek DPA decided that the Athens Bar Association (ABA) was allowed to share the personal data of its members with the candidates to the elections of the ABA, as long as the further processing of these data remains compliant with the GDPR.

English Summary

Facts

The Athens Bar Association (ABA), in the context of the upcoming elections of its representatives, asked the Hellenic Data Protection Authority (HDPA) whether they were allowed under the GDPR to provide the candidates to the elections with the names and contact details of the members of ABA. The main purpose was to allows those candidates to reach out to members to share their projects and ideas with a view of getting elected.

Holding

After reviewing the facts of the case, the HDPA first stated that each candidate to the election should be considered as a 'third party' in the sense of Article 4(10) GDPR in relation to the transfer of data from ABA, and also as a separate controller in the sense of Article 4(7) GDPR when processing the personal data of other members of the ABA.

Regarding the lawfulness of the processing, the HDPA considered that the processing of personal data by the ABA for its own internal organisation is allowed under Article 6(1)(e) GDPR, in the sense that such processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. As a consequence, the HDPA decided that the ABA may generally process the personal data of its members when necessary for its organization, without having to obtain the prior consent of the individuals concerned.

Regarding the sharing of members' personal data with candidates to the elections, the HDPA further considered that, even though the data subjects (i.e. ABA's members) did not specifically consent to this type of processing, it would still be permitted under the Article 6(4) GDPR, since such processing is compatible with the purpose for which the personal data were initially collected at the time each member registered with the ABA.

In order for the sharing of the members' personal data with the elections' candidates to remain lawful, the HDPA specified that each candidate to the election must grant to these members the right to object to the processing of their personal data at any time, in accordance with the Article 21 GDPR.

Furthermore, in their capacity as controllers, each candidate must ensure to comply with their other obligations under the GDPR, including by indicating the exact period of time after which those personal data will be deleted, and by ensuring that those data are only processed in a manner which is compatible with the purpose for which they were initially collected.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.



  
    

  
  
    
  
    Category
              Opinion
          

  
    Date
              01/11/2021

          

  
    Transaction number
              7
          

  
    Thematic unit
          
              16. Other
              
      

  
    Applicable provisions
          
              Article 4.10: Third (definition)
          Article 6.1.e: Legal basis for fulfillment of public duty
          Article 21: Right of objection
          Article 11.3: Use of previous contact details for electronic communication
          Article 11.4: Conditions for sending an e-mail
              
      

  
    Summary
              Following a question from the Athens Bar Association to the Authority as to whether it is in accordance with the legislation on personal data protection, the Authority provided the candidates with the contact details of the Lawyers - members of the DSA, the Authority considered that a) the candidate for the DSA is a third party, as he is a separate controller (he completely determines the means, even if the purpose is of the association), b) the membership of the DSA is not a given of special categories (related to professional status by law), c) the legality of the transfer may be based on Article 6.1.e of the GCC - public interest in the operation of the DSA and in the conduct of recruitment in such a way as to ensure the visibility of all candidates, d) the subjects have not been informed at the collection stage, but there may be an application of Article 6.4 GCP, as the purpose is relevant to the original, e) the DSA for the transmission must take measures (such as setting conditions for the use of data corresponding to those of promotional messages in articles 11 par. 3 and 4 of Law 3471/2006), which should be precisely determined by him, and in ) each candidate, as the controller, must satisfy any submitted right of objection of the members-subjects of the data.

          

  
    PDF Decision
              gnomodotisi 7_2021anonym.pdf278.93 KB
          

  


    
  
    Category
              Opinion
          

  
    Date
              01/11/2021

          

  
    Transaction number
              7
          

  
    Thematic unit
          
              16. Other
              
      

  
    Applicable provisions
          
              Article 4.10: Third (definition)
          Article 6.1.e: Legal basis for fulfillment of public duty
          Article 21: Right of objection
          Article 11.3: Use of previous contact details for electronic communication
          Article 11.4: Conditions for sending an e-mail
              
      

  
    Summary
              Following a question from the Athens Bar Association to the Authority as to whether it is in accordance with the legislation on personal data protection, the Authority provided the candidates with the contact details of the Lawyers - members of the DSA, the Authority considered that a) the candidate for the DSA is a third party, as he is a separate controller (he completely determines the means, even if the purpose is of the association), b) the membership of the DSA is not a given of special categories (related to professional status by law), c) the legality of the transfer may be based on Article 6.1.e of the GCC - public interest in the operation of the DSA and in the conduct of recruitment in such a way as to ensure the visibility of all candidates, d) the subjects have not been informed at the collection stage, but there may be an application of Article 6.4 GCP, as the purpose is relevant to the original, e) the DSA for the transmission must take measures (such as setting conditions for the use of data corresponding to those of promotional messages in articles 11 par. 3 and 4 of Law 3471/2006), which should be precisely determined by him, and in ) each candidate, as the controller, must satisfy any submitted right of objection of the members-subjects of the data.

          

  
    PDF Decision
              gnomodotisi 7_2021anonym.pdf278.93 KB