HDPA (Greece) - 7/2023: Difference between revisions

From GDPRhub
Latest revision as of 12:15, 8 May 2023

HDPA - 7/2023
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 15 GDPR; Article 13 GDPR
Type: Complaint
Outcome: Upheld
Started: 25.01.2023
Decided: 20.02.2023
Published: 30.03.2023
Fine: 40.000 EUR
Parties: Vodafone; Citizen
National Case Number/Name: 7/2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: Anastasia Tsermenidou

The Hellenic DPA fined Vodafone €40,000 for sending the data subject a copy of another person's conversation with its call center, failing to properly respond to an access request, in violation of Articles 15(3) and 33 GDPR.

English Summary

Facts

The data subject made an access request to the controller, Vodafone, asking for a copy of the recordings of the conversations they had with the company's call center. However, the data subject received a CD with the recording of the conversations of another person. Concerned that their conversations were also mistakenly sent to someone else's address, the data subject contacted the controller to inform it of what had happened.

Although the controller was immediately notified, it did not take any action to investigate the incident. On the contrary, it sought to transfer responsibility to the processor and suggested that the data subject contact it to return the CD.

Not satisfied with this solution, the data subject filed a complaint with the Greek DPA.

Holding

The Hellenic DPA underlined that the right of access to personal data also includes the right to obtain a copy of the data being processed (Article 15(3) GDPR). It also emphasized that the exercise of this right does not need to be justified by a legitimate interest, as transparency is a condition for the effective protection of personal data.

In addition, the DPA recalled that, in accordance with Article 4(12) GDPR, 'personal data breach' means a breach of security leading to the accidental or unauthorised disclosure of personal data. When this occurs, the data subject may suffer physical, material or moral damages. For this reason, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority (Article 33 GDPR).

In the case at hand, the DPA held that the controller failed to comply with both obligations and imposed a fine of €40,000.

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
