HDPA (Greece) - 13/2021 | |
---|---|
Authority: | HDPA (Greece) |
Jurisdiction: | Greece |
Relevant Law: | Article 12(3) GDPR, Article 17 GDPR, Article 21 GDPR, Article 25(1) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 17.02.2021 |
Published: | 07.04.2021 |
Fine: | 20000 EUR |
Parties: | n/a |
National Case Number/Name: | 13/2021 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Greek |
Original Source: | HDPA full text (in EL), HDPA summary (in EL) |
Initial Contributor: | Adrian |
The Greek DPA (HDPA) fined a sports clothing company €20,000 for repeatedly failing to comply with a data subject's data erasure requests and for sending them marketing material despite their opt-out.
English Summary
Facts
The HDPA imposed a €20,000 fine on a sports clothing company for failing to uphold a data subject's data erasure rights.
The company ignored the subject's first request. After an initial intervention by the HDPA, the company claimed that the subject's contact information had been deleted. It nonetheless kept sending them marketing communications. The data subject had to complain a second time, leading to this new decision and fine, which was deemed necessary and proportionate.
Holding
The HDPA held, with regard to its first intervention, that even though the data controller informed the HDPA that it had taken corrective measures (deletion of contact information), the controller did not inform the data subject about this and was therefore in violation of Article 17 GDPR in combination with Articles 21(2) and 12(3) GDPR.
Furthermore, the controller's communications included a method to opt out (a link to opt out in each SMS message sent) which the data subject didn't use. Instead, the data subject contacted the controller's customer support in order to express their request for deletion, which the controller argued was not sufficient due to the existence of the opt-out link. The HDPA held that the data subject's rights should have been respected regardless of how they were communicated to the controller.
Crucially, even after the DPA's first intervention, the controller continued sending marketing communications to the data subject, despite claiming that the data had been deleted. Thus, the controller unlawfully failed to comply with (a) the data subject's request and (b) the HDPA order to bring the processing into compliance. The HDPA viewed this as an aggravating circumstance, justifying its unusually high fine as proper and proportionate for the situation.
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
1-3 Kifissias Ave., 11523 Athens T: 210 6475 600 • E: contact@dpa.gr • www.dpa.gr
Athens, 07-04-2021
No. Prot. 1024
DECISION 13/2021 (Department)
The Personal Data Protection Authority met at Composition of the Department via video conference on 17-02-2021 at 10:00, at the invitation of its President, to consider the case referred to in the history hereof. Presented by George Batzalexis, Deputy Chairman, disabled by the President of the Authority Konstantinos Menoudakou, and the alternate members Grigorios Tsolias and Evangelos Papakonstantinou, as rapporteur, replacing the regular members Charalambou Anthopoulos and Konstantinos Lambrinoudakis respectively, who, although they were legally summoned in writing, did not attend due to obstruction. The regular member Spyridon Vlachopoulos, although legally summoned in writing, did not attend due to obstruction. The meeting was attended by George, chaired by the President Roussopoulos, Specialist Scientist-Auditor as Assistant Rapporteur and Irini Papageorgopoulou, employee of the Administrative Affairs Department of the Authority, as secretary.
The Authority took into account the following:
Complaint No. G / EIS / 4863 / 10-07-2019 was submitted to the Authority in which the complainant received a text message on 09/07/2019 character from the company «MZN HELLAS SOCIETE ANONYME COMMERCIAL COMPANY» with the distinctive title "MZN HELLAS A.E." (hereinafter referred to as "Responsible while expressly objecting. Attached to the complaint is a copy of the email from which it appears that, following a dispute that arose following an order he made to the company, he had objected to receiving any information related to products and offers of the company delete via hyperlink.
The complained company was informed about the complaint with the no. prot. C / EX / 4863-1 / 09-08-2019 document of the Authority, with which it was requested to submit its views on the complaint. The company responded with the prot.
Γ / ΕΙΣ / 5868 / 27-08-2019 her document, stating, among other things, that the prior approval of the complainant, due to his previous transaction and that messages are sent in bulk and automatically by an affiliate software company, to which they cannot intervene immediately. But after investigation the complainant's email was found. The company considers that, by the negligence of an employee, he was not currently deleted from the list and confirms that they have deleted his mobile phone and e-mail address and have taken the necessary steps so that this does not happen again in the future for any other customer. Finally, they report that the complainant disputes the receipt of an order and acts intentionally and fraudulently, as he had the ability to stop receiving messages through the advertising message.
Following this reply, the complainant returned with Complaint No. G / EIS / 7689 / 07-11-2019, stating that he received, again, a message on his cell phone number for purposes promotion of the products and services of the company MZN on 06-11-2019, declaration of the company that was deleted from the telephone list. The Authority sent the document number C / EX / 7689-1 / 13-12-2019 to the company, asking for its views on the new complaint.
The complained company responded to the Authority with its document number G / EIS / 394 / 17-01-2020. In this it argues that the complaint is inadmissible, distrustful and unfounded. It mentions again that there was an initial approval of the complainant, who did not use the opt-out feature from SMS, but sent an e-mail to the e-mail address of its customer service. The complainant has just received a new promotional message on 06-11-2019. It further states that he enabled the opt-out option later, on 11-12-2019, to be permanently deleted based on his own actions from the company contact list. Further, the company argues the complainant states that no objection has been raised, and that he did not object.
In relation to the deletion that should have been done, as reported in the company's previous memorandum, it claims that there was a mistake / omission of the employee operating the electronic platform, with the effect that the deletion of the complainant's number was not finally validated, while the error was not noticed either by this employee or by the management of the company. The company claims that the third company that has developed and manages the platform, which is not named, disclosed the reasons for the non-deletion. The company also states that it does not provide the details of its employee, as there is no substantive reason, but that if its explanations are not considered valid, it will rely on and provide full evidence of this.
Following the above, the Authority proceeded to call the company to the meeting of the department on 15-07-2020, with its document reference number C / EX / 4491 / 29-06-2020. With the call the company was informed that during the meeting the above two complaints would be discussed. The company attended the meeting through the lawyer Aristides Karabeazis while, after receiving a deadline, it submitted its memorandum number G / EIS / 5315 / 29-07-2020. In this it summarizes the following:
The complainant did not appear and therefore it is presumed that the request and the formality of his complaints are impractical.
The complaints are inadmissible for formal reasons. Specifically, wrong the complainant states so much that he was not given the opportunity in every message as well as any objections to the sending of messages. The complainant provided approval for the sending of informative / promotional SMS at the completion of his transaction. In any case, he had the opportunity to "opt out" with one click, in which case it would not be possible to re-register inadvertence. Activate this option after his complaint (11/12/2019) to be removed from the list.
In essence, the company claims that, while the removal of the complainant was requested, a subsequent error / omission arose by the person employed in the operation of the electronic platform, resulting in him remaining on its contact list. The mistake was not realized and did not become known to the company until after the second complaint, while it was the only time such a mistake happened. The company states that it requested from the partner company to provide it with any "electronic traces", but received the answer that no such data is stored on the server. The company supports that this is an incidental matter, which is proved by the relevant correspondence of its operator with its partner (which, although it is stated that it is attached, is not contained in the relevant memorandum) and cites the principle of leniency. It also argues that the complainant does not claim damages or persistent harassment considers the complainant's motives to be questioned older transactions.
The Authority, after examining the data in the file, after hearing the rapporteur and clarifications from the assistant rapporteur, who attended without and withdrew after the discussion of the case and before the conference and decision-making, after a thorough discussion,
THOUGHT ACCORDING TO THE LAW
1. From the provisions of articles 51 and 55 of the General Data Protection Regulation (Regulation (EU) 2016/679 - hereinafter GDPR) and Article 9 of Law 4624/2019 (Government Gazette AD 137) it appears that the Authority has the competence to supervise the implementation of the provisions of the GDPR, this law and other regulations that concern the protection of the individual from the processing of personal data.
2. According to article 4 lit. 7 of the GDPR, which is implemented from 25 May 2018, the controller is defined as "the natural or legal person, public authority, service or other body which, alone or in association with others, determines the purposes and manner of the processing of data of a personal nature".
3.
The issue of making unsolicited communications with any means of electronic communication, without human intervention, for the purpose of direct marketing of products or services and for any advertising purposes, is regulated by Article 11 of Law 3471/2006 for the protection of personal data in the field of electronic communications, which incorporated Directive 2002/58/EC into national law. According to this article, such communication is allowed only if the subscriber expressly agreed in advance. Exceptionally, according to article 11 par. 3 of Law 3471/2006, the e-mail contact details that were acquired legally, in the context of the sale of goods or services or another transaction, can be used for the direct promotion of similar products or services of the supplier or for similar purposes, even when the recipient of the message has not given his prior consent, provided that he is given, in a clear and distinct way, the ability to object, in an easy way and for free, to the collection and use of his electronic data, both during the collection of the contact information and in each message, in case the user did not initially disagree with this use.
4. According to article 17 par. 1 of the GDPR, "The data subject has the right to request from the controller the deletion of personal data relating to it without undue delay and the controller is required to delete the data without undue delay, if one of the following reasons applies: (…) (c) the data subject objects to processing in accordance with Article 21 (1) and there are no imperative and legitimate reasons for processing, or the data subject objects to processing in accordance with Article 21 (2)". Further, article 21 par.
2 of the GDPR stipulates that "If personal data are processed for the purpose of direct marketing, the data subject is entitled to object at any time to the processing of personal data concerning it for the marketing in question, including profiling, if it is related to this direct marketing."
5. Article 12 par. 2 and 3 of the GDPR stipulates that "2. The controller facilitates the exercise of the rights of data subjects provided for in Articles 15 to 22. (…)" and "3. The controller provides the data subject with information on the action taken on a request under Articles 15 to 22 without delay and in any case within one month of receipt of the request. This period may be extended by a further two months, if required, taking into account the complexity of the request and the number of requests. The controller informs the data subject of the said extension within one month of receipt of the request, as well as of the reasons for the delay. (…)".
6. Article 25 of the GDPR stipulates that "Taking into account the latest developments, the implementation costs and the nature, scope, context and purposes of the processing, as well as the risks of different probability and seriousness for the rights and freedoms of natural persons from the processing, the controller applies effectively, both at the time of determining the means of processing and at the time of processing, appropriate technical and organizational measures, such as pseudonymisation, designed to apply the principles of data protection, such as data minimization, and to integrate the necessary guarantees in the processing in such a way that the requirements of this Regulation are met and the rights of data subjects are protected."
7. The Authority does not accept the arguments of the controller and considers the complaint to be admissible. The complainant was not summoned, as his personal presence is not necessary for the examination of the complaint.
Furthermore, although the company rightly claims that the complainant wrongly states that he was not given the opportunity to object to every message, the fact that some of the complainant's allegations are not substantiated does not make all his allegations inadmissible. These allegations are examined below.
8. In this case, processing of the complainant's personal data was performed by the controller for the purpose of promoting products and services. The legality of the original collection is not judged by the present, as the complainant accepts that there was a previous transaction under which he had granted his details to the company.
9. The complainant, as appears from the original complaint, expressed objection to the sending of messages for the purposes of promoting products and services by email on 05/06/2019. The complainant did not use the automated deletion feature built into the SMS promotions, but this does not affect that he properly exercised the right of cancellation, addressed to the customer service of the company. And this if we take into account that the GDPR does not set a requirement for a specific way but states that the controller must facilitate the exercise of the rights of data subjects. The complainant's request was clearly worded, with specific reference to the GDPR, therefore there is no doubt that the controller should have had the appropriate procedures to meet it, regardless of other differences with the complainant. The controller did not act to interrupt the sending of advertising messages, as it should have, as opposition and deletion in the case of direct marketing must be respected. This happened only after the first intervention of the Authority. In fact, in this case too, the controller replied to the Authority without informing the complainant. The initial complaint therefore results in a breach of Article 17 in conjunction with Article 21 (2) and Article 12 (3) of the GDPR.
10.
In his first memorandum, the controller assured the Authority that he has deleted the mobile phone and email address of the complainant and that they have taken all the necessary actions to prevent it from happening again in the future for any other customer. Of the It turns out that the above statement was not accurate. Even if the company's argument of individual wrongdoing is accepted, which however is not based on electronic or other data which cannot be disputed, but only on written statements of the officials involved, it appears that the controller did not take action so that a similar incident does not happen to another customer in the future. Therefore, with the sending of the second message on 6/11/2019, it is found that the company did not have in practice the necessary procedures to ensure the deletion of data so that the requirements of the GDPR are met and the rights of data subjects are protected. There is therefore an infringement of article 25 par. 1 of the GDPR. It is pointed out that, based on the principle of accountability (article 5 par. 2 GDPR), the controller is responsible for and must be able to demonstrate its compliance with the basic principles of legal processing. Note that the argument about not using the built-in SMS deletion operation and its use after 6/11/2019, and specifically on 11/12/2019, is not accepted. The complainant, as explained, was not obliged to exercise his right in this way, while no it turns out that he was the one who triggered the deletion process as well at this time the details of the complaint were known and so on persons (eg in the Authority).
11.
The Authority takes note that the controller did not submit evidence of deletion procedures, that the breach related to the exercise of rights of the data subject, that the company stated to the Authority that it had taken the appropriate measures, and in fact for all of its clients, while in practice this had not been the case with regard to the complainant, and that the controller has an online store and uses electronic communication techniques, therefore he should have taken care of the proper response to requests for rights. Further, according to publicly available data in GEMI, the company in the year 2019 had a turnover of € 1,343,513.99 and profits after taxes of € 50,151.92. As mitigating factors it takes into account that if there was a nuisance there was no financial loss to the data subject from the dissatisfaction of the right, that it is the first infringement for the specific company and, finally, the unfavorable financial circumstance due to the Covid-19 pandemic.
12. In view of the above, the Authority unanimously considers that, in accordance with Article 17 in conjunction with Article 21 (3) and Article 12 (3) of the GDPR and Article 25 par. 1 of the GDPR, the conditions are met for the enforcement against the controller, based on article 58 par. 2 i of the GDPR and taking into account the criteria of article 83 par. 2 of the GDPR, of the administrative sanction mentioned in the operative part of the present, which is deemed proportional to the weight of the infringement.
FOR THOSE REASONS
The Authority imposes, on "MZN HELLAS SOCIETE ANONYME ATHLETIC COMMERCIAL COMPANY" with the distinctive title "MZN HELLAS A.E.", the effective, proportional and deterrent administrative fine appropriate to that case according to its more specific circumstances, amounting to twenty thousand (20,000.00) euros, for the above violations of Article 17 in combination with article 21 par. 3 and article 12 par. 3 of the GDPR and article 25 par. 1 of the GDPR.
The Deputy Chairman: George Batzalexis
The Secretary: Irini Papageorgopoulou
1 https://www.businessregistry.gr/publicity/show/9178201000