HDPA - 18/2020
|Relevant Law:|Article 5(1)(a) GDPR; Article 5(2) GDPR; Article 6(1) GDPR; Article 83(2) GDPR|
|Parties:|New York College S.A.|
|National Case Number/Name:|18/2020|
|European Case Law Identifier:|n/a|
|Original Source:|HDPA (in EL)|
The Hellenic DPA (HDPA) fined a private college € 5.000 because it failed to prove the lawfulness of its data processing in connection with phone offers of seminars to unemployed people. The college violated the principles of lawfulness of processing and accountability.
English Summary
Facts
A data subject complained that the private college, New York College, made a targeted phone call offering them participation in a seminar for unemployed people. In the call, the College approached them as if it knew their status as unemployed. The data subject had requested from the data controller information on how and why their personal data was processed but did not get a satisfactory response.
Dispute
Holding
The HDPA held that, according to the principle of accountability as provided for in Article 5(2) GDPR, the college as data controller bears the burden of proof as to the lawfulness of processing. The HDPA found that the controller did not provide any information to this end, violating the principle of accountability. Moreover, the processing was conducted in an opaque way, with regard to both its general policy and its handling of the data subject's request in particular.
The HDPA ordered the controller to bring its processing operations into compliance with the GDPR and to take all necessary measures for full internal compliance and accountability as provided for in Articles 5(1) and (2) and 6(1) GDPR. Finally, it imposed a fine of € 5.000.
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
HELLENIC REPUBLIC OF DATA PROTECTION Athens, 29-06-2020 No, for example: C/EX/4512/29-06-2020 FA IN NO 18/2020 (Department)
The Personal Data Protection Authority met in a department composition at its headquarters on Wednesday 12-02-2020 at the invitation of its President, in order to examine the case mentioned in the history of the present. The President of the Authority, Konstantinos Menoudakos and the alternate members, Evangelos Papakonstantinou, Gregory Tsolias and Emmanuel Dimogenontakis, attended the presence of the members of Konstantinos Lambrinoudakis, Charalambos Anthopoulos and Eleni Martsoukou respectively, who, although legally called in writing, did not attend due to impediment. The meeting was attended by Georgia Panagopoulou, special scientist – auditor as assistant rapporteur and Irene Papageorgopoulou, official of the administrative affairs department of the Authority, as secretary.
The Authority took into account the following:
Submitted to the Authority or by No. C/ES/6013/04-09-2019 complaint in which Mr A (hereinafter referred to as ‘the complainant’) complains NEW YORK COLLEGE S.A. (hereinafter referred to as ‘the complainant’) for making a targeted telephone call proposing its participation in an OAED-subsidised seminar addressed to unemployed persons. His telephone communication was addressed knowing his status as unemployed. The complainant states that he tried to exercise the right of information and access, sought the data protection officer, but considered that the correspondence and the replies received were not satisfactory since he was not informed of the type and origin of the data held by the company complained about his person and why he received the specific telephone communication.
The Authority, in the context of an examination of this complaint, sent the complainant the no. C/EX/6013-1/03-10-2019 document in which it requested its views on the complainants. The company complained responded by no. C/ES/7002/15-10-2019 document in which he challenged the making of the call while in the hypothetical case it claimed that the complainant himself may have declared an interest in any of the subsidised programmes and the call related to the company’s response to this interest. The complainant then sent the letter by no. C/ES/7242/22-10-2019 additional document proving that the call has been made, since the list of incoming calls received from the provider’s telecommunications provider includes the telephone number belonging to the company complained of.
Then the Authority called the no. No. C/EX/6013-2/13-11-2019 document New York College S.A. hearing, in order to discuss the above complaint as well as the general practice followed in such telephone calls. With the no. No. C/EX/6013-2/13-11-2019 call was also notified by no. C/ES/7242/22-10-2019 additional document of the complainant containing the presumption of making the telephone call.
The company complained was present at the meeting of 25-11-2019 through the attorney of Georgia’s Sitou with MTF..., which presented its views orally and, after having received a deadline, submitted it by no. C/ES/8534/06-12-2019 memorandum. The memo repeats what he said in No. C/ES/7002/15-10-2019 document, i.e. that (a) the telephone number from which the telephone call was made belongs to the company and in particular to the Annex Thessaloniki, (b) no information concerning the working situation and contact details of the complainant in the records kept by the company (c) could not be identified under what circumstances and for the reason why the call was made in the company’s legal notice, and that the complaint itself may have indicated an interest in the subsidised programmes at that time.
The Authority, after examining all the elements of the dossier, having heard the rapporteur and the explanations of the Assistant Rapporteur, who left after the debate and before the conference and the decision, and after a thorough discussion,
HE THOUGHT ACCORDING TO THE LAW.
1. Article 4(7) of Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) defines the controller as '... the natural or legal person, public authority, service or other body which, alone or jointly with others, determines the purposes and means of processing personal data...’.
2. In accordance with the provisions of Article 5(1)(a) of the GDPR, personal data shall be processed lawfully and fairly in a transparent manner with respect to the data subject (‘legality, objectivity, transparency’).
3. Natural persons (data subjects) have the right to be informed accurately and clearly about the collection and use (processing) of their personal data. This right is governed by the basic principle of GDPR, the principle of transparency (relevant Articles 12-14 of the GDPR).
4. The GDPR introduces the principle of accountability, according to which controllers who collect and process personal data must formulate their procedures and technical and organisational systems in such a way that they can demonstrate, at any time, both before the supervisory authorities and the courts, that they are fully in compliance with the provisions of the GDPR. The introduction of the principle of accountability shifts the ‘weight of proof’, in terms of the legality of the processing and compliance with the GDPR, to the controllers themselves or the executors. The controller is obliged, on the basis of the principle of accountability (see Article 5(2) in conjunction with Articles 24 and 32 of the GDPR) to choose the appropriate legal basis provided for in Article 6(1) of the GDPR, as well as to be able to demonstrate, in the context of internal compliance, compliance with the principles set out in Article 5(1) GDPR.
5. In the present case, New York College S.A. is the controller since it is proven that it has processed the complainant’s personal data by telephone to the complainant in his capacity as unemployed. The call is also confirmed by the submitted list of incoming calls.
6. The controller did not provide any evidence explaining how he processed the complainant’s personal data, i.e. he was unable to substantiate the lawfulness of the processing, contrary to the principle of accountability. It did not provide any information on either the complainant’s specific case or the general policy pursued for such processing, and these were requested by the Authority. Furthermore, the processing was carried out in a non-transparent manner to the data subject, as both during the conduct of the call and following the exercise of the right, the information provided in the GDPR was not provided to him.
7. As a controller, it follows that New York College violated the principles of Article 5(1) of the GDPR as well as the obligation of accountability by article.5 par.2 GDPR, i.e. it violated fundamental principles of the GDPR on the protection of personal data.
8. As a consequence of the above infringement, it was not possible to satisfy the right of information and access exercised by the complainant.
9. The Authority, after finding out the above breaches of the provisions of the GDPR, which are included in the infringements referred to in Article 83(5) of the GDPR, taking into account: a) that it is unlikely that this is an isolated incident as the infringement concerns a category of processing, i.e. the processing of personal data of interested parties or candidates for participation in the nature of the damage and in particular the feeling created by the citizen that is targeted by a controller with knowledge of personal data that is not publicly available; (c) that it is not personal data referred to in Articles 9 and 10 of the GDPR, according to the information put forward by the Authority; that no administrative sanction has been imposed by the Authority on the controller in the past; that the turnover of the controller for 2018 as shown by No. No. C/ES/8534/06-12-2019 of its memorandum, amounted to EUR 5.972.436, it considers, on the basis of the criteria set out in Article 83(2) of the GDPR, that the effective, proportionate and dissuasive fine appropriate to the above infringement is five thousand (5.000) euros.
FOR THEIR SAKES
The Personal Data Protection Authority:
A. Orders the company NEW YORK COLLEGE S.A. within three (3) months of receipt of this, informing the Authority:
i. to comply with the provisions of the GDPR for the processing of personal data relating to those concerned for participation in subsidised training programmes;
ii. take all necessary measures of internal compliance and accountability with the principles of Article 5(1) and par.2 in conjunction with Article 6(1) GDPR.
B. imposes on NEW YORK COLLEGE S.A. the effective, proportionate and dissuasive administrative fine appropriate in this particular case according to its specific circumstances, amounting to five thousand (5,000,00) euros.
The secretary Konstantinos Menoudakos Irene Papageorgopoulou