HDPA - 2/2020

From GDPRhub
HDPA - 2/2020
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 12(4) GDPR

Article 15(3) GDPR

Type: Complaint
Outcome: Upheld
Decided: 21. 2. 2020
Published: n/a
Fine: EUR 5,000
Parties: Hellenic Public Power Corporation S.A. (ΔΕΗ Α.Ε.)
National Case Number: 2/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language:

Greek

Original Source: HDPA (GR)

The HDPA imposed a EUR 5,000 fine on the biggest electric power company in Greece because it did not respond to data subject's right to access. The HDPA highlighted that even when the data controller does not keep any record of the data subject's personal data, it should notify the data subject of its inability to respond to the access request according to Article 12(4) GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

The complainant exercised their right of access asking the DPO of the Hellenic Public Power Corporation SA to provide them copy of any correspondence from 2015 until the present, but they did not receive any response. The HDPA asked the company to clarify its position.

Holding[edit | edit source]

The HDPA stressed that the fulfillment of the right to information and access does not require the data subject to prove any legitimate interest; this interest is inherent in the right to access, so that transparency and legitimacy of processing can be assured. Similarly, there is no requirement for the data subject to invoke any particular reasons why they want to exercise their right to access.

The HDPA emphasised that, following the case law of the Greek Council of State, even in the case that the data controller does not keep any record of the data subject's personal data, it will still have the obligation to reply pursuant to Article 12(4) GDPR.

The HPDA found that after one month from the receipt of the data subject's complaint, the company as data controller did not notify the data subject of its inability to promptly respond to their request. Thus, the HDPA imposed a fine of EUR 5,000.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

This is an available machine translated decision. Please refer to the Greek original decision for details.

PERSONAL DATA PROTECTION AUTHORITY
DECISION 2/2020
(part)
The Personal Data Protection Authority met in Section formation at its headquarters on 19.02.20 at the invitation of its President to examine the case referred to in the previous record. The Deputy President, Mr Batzaleas, prevented by the President of the Authority, Mr Papaconstantinou, and the alternate members of the Authority, Mr E. Papaconstantinou, Mr E. Papakonstantinou, as the rapporteur, were also represented in the replacement of the regular members X. Anthopoulos, K. Lambrinoudakis and E. Martsoukou, respectively, who, although legally invited, did not appear on the grounds of being prevented from attending. Mr Karvelis, qualified scientist, lawyer, as assistant rapporteur, who left after the hearing of the case and before the conference and decision and Ms Papageorgopoulou, an official in the Administration Department of the Authority, as a secretary, were present without voting rights.
The Authority has taken into account the following:
Letter ref. C/ΕΙΣ/5370/06-08-2019 to the Authority, A denounces the PPC for failure to comply with its right of access to data concerning it. 
As specifically mentioned in its complaint to the Authority, the complainant had submitted a request for access to PPC’s Personal Data Protection Officer, requesting a copy of their physical and electronic communication for the period from 2015 to the present, but has not received a response.
In the light of the above, the Authority sent letter ref. C/ΕΞ/5370-1/15-10-2019 requesting clarifications to DEI, which, in its reply from... and with reference number... to the Authority, stated that (a) he received from the complainant a... e-mail requesting a copy of their physical and electronic communication for the period from 2015 up to the present, (b) after a thorough inspection of its competent services, it was found that there was no physical and electronic communication to and from the complainant, (c) i. the supply of... concerned a business invoice and an electricity  supplier has been transferred to the supplier of electricity for more than three years, pursuant to Article 1 (3) of the Electricity Supply Code, in the event of failure by the customer to comply with the conditions of the settlement of arrears, he reserves the right to submit to the corresponding operator a power to switch off the supply, even if a supply contract has been concluded with a new supplier’.PPC SA as a previous supplier made a request to the administrator (DEDDIE S.A.) to disable the supply as the complainant did not respect the settlement conditions. The manager actually switched off her vi. vi. on the day of the interruption, the complainant contacted DEI and requested that the electricity supply be re-connected to that service. For this communication, a written note from the service of 11770 has been drawn up. PPC has informed the complainant that the reconnection will take place once the debt has been repaid, (d) for the year 2015 to date, there is no correspondence of physical and electronic mail from PPC to the complainant, and vice versa, except for electricity bills and the written note of the telephone number 11770, which are not correspondence or communication.
Therefore, the Authority in its ref. C/ΕΞ/325/15.01.20 called on PPC to attend the meeting of the Authority’s Department on 29.01.20 in order to hear the company on the possibility of a breach of the applicable legislation on the protection of personal data. At the hearing of 29.01.20, Mr Dimitrios Dorosoybean, lawyer,..., who, orally, presented his views on the case and in particular stated that PPC S.A. received from the complainant a... e-mail requesting a copy of their physical and electronic communication for the period from 2015 to the present, and after a thorough scrutiny of its competent services it was found that there is no physical and electronic communication to and from the complainant, except for electricity bills and the written note of the telephone number 11770, which are not correspondence or communication.
After examination of the information in the file, the Authority, having heard the rapporteur and the assistant rapporteur, who left after the case was discussed and before the deliberation and decision, after an in-depth discussion
AFTER DUE CONSIDERATION
1.	The General Data Protection Regulation (hereinafter referred to as ‘GDPR’), which replaced Directive 95/56, has been applicable since 25 May 2018.
In accordance with the provisions of Article 15 (1) GDPR, the data subject shall have the right to obtain from the controller confirmation as to whether or not the personal data concerning him or her are being processed and, if so, the right of access to the personal data and information detailed in the cases referred to in that paragraph, whereas paragraph 3 of the same Article provides that the controller shall provide the data subject with a copy of the personal data processed.
In order to satisfy the right to information and access, a legitimate interest is not required, since this is inherent in and forms the basis of the data subject’s right of access in order to obtain knowledge of him/her and is entered in a file kept by the controller, in order to give effect to the basic principle of the law on the protection of personal data, which is transparency of processing as a condition for any further scrutiny of the data subject’s lawfulness by the data subject (see MFF 16/2017).Similarly, it is not necessary to rely on the reasons for which the data subject wishes to exercise the right of access.
If the controller does not act on the data subject’s request, he shall inform within one month of receipt of the request the data subject of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy (Article 12 (4) GDPR).This deadline may be extended by an additional two months, if necessary, taking into account the complexity of the request and the number of requests (Article 12 (3) GDPR).Please note that even when the controller does not keep a record of data of the subject, it is not therefore exempted from its obligation to provide a negative response (CoE 2627/2017).
Furthermore, in accordance with the provisions of Article 58 (2) (i) of the GDPR, each supervisory authority has, inter alia, the power to impose an administrative fine under Article 83, depending on the circumstances of each individual case.
2.	Evidence in the file and the hearing led to the following:
The complainant A by email to the Public Data Protection Officer of PPC S.A. had submitted a request for access to their physical and electronic communication for the period from 2015 to the present, but has not received a response. PPC divided by the Data Protection Officer through the clarifications document (No...) to the Authority, it replied that there is no physical and electronic correspondence requested by the complainant from the year 2015 to date. In addition, it stated that the administrator (HEDNO SA) made a de-activation of the benefit at the request of PPC, as the complainant did not comply with the settlement conditions and failed to pay off the debts due.
However, DEI, as the controller, did not respond to the complainant within one month of receiving the request and, as it should have been, did not inform the complainant within one month of receipt of the request, of the inability to respond immediately and of satisfaction of its request and of the reasons for the delay, in breach of the provisions of Article 12 (3) and (4) of the GDPR.The same infringement, namely the late reply of the PPC as a controller after one month from the receipt of the request, was found in the Authority’s previous Decision 15/2019.
3.	In view of the specific infringement that, after one month from the receipt of the request, PPC S.A., as the controller, did not respond to the complainant that it was not immediately successful, and in view of its repeated infringement as a result of the previous same infringement found in the above-mentioned Authority’s Decision 15/2019, the Authority finds by unanimity that, in the circumstances of this case, on the basis of the circumstances found, the first sentence of Article 58 (2) of the GDPR should be applied in an effective, proportionate and dissuasive administrative fine in accordance with the provisions of of the GDPR.83 GDPR to punish such unlawful behaviour.
FOR THESE REASONS
Having regard to the above:
It shall impose on DEI AE the effective, proportionate and dissuasive administrative pecuniary fine appropriate to the circumstances of the case, in accordance with the particular circumstances of this case, amounting to EUR 5.000,00. 
The Deputy Chairman