HDPA - 3/2020

Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 15 GDPR

Article 12 L. 2472/1997 (Former national law on data protection)

Type: Complaint
Outcome: Upheld
Decided: 26. 2. 2020
Published: n/a
Fine: EUR 5,000
Parties: Golf Centre of the Municipality of Glyfada
National Case Number: 3/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language: Greek

Original Source: HDPA (GR)

The HDPA imposed a 5,000 EUR fine on a municipal golf centre for violation of a data subject's right of access under the data protection legislation prior to the GDPR.

English Summary

Facts

The complainant requested a copy of video recordings from the video surveillance system operated by the Golf Centre of the Municipality of Glyfada (the data controller). The recordings he requested included an incident involving the complainant and an employee of the Centre. The data controller did not respond, and the complainant sent his request again. The data controller again did not respond, and the complainant sent the request a third time, this time asking for all documents concerning him. The data controller responded too late and did not send its reply to the e-mail address the complainant had indicated.

Holding

The HDPA found that the alleged violation took place prior to the GDPR and that it does not qualify as a continuing infringement; the former Law 2472/1997 was therefore applicable.

The HDPA found that the data controller had not notified the authority of the video surveillance system, as it was required to, and that it did not comply with its duty to respond to the complainant's access request. It therefore imposed a fine of EUR 5,000.

English Machine Translation of the Decision

This is a machine translated decision from the original. Please refer to the Greek original decision for details.

HELLENIC REPUBLIC
 
Athens, 26-02-2020
Ref.: C/ΕΞ/1552/26-02-2020

DECISION NO. 3/2020
(part)
The Personal Data Protection Authority met in a Chamber at its headquarters on Wednesday 12 February 2020, at the invitation of its President, to examine the case referred to in the previous record. Georgios Batziletos, Deputy President, excused by the President of the Authority, Mr Konstandinos Menotis, and his deputy, Evangelos Papakonstantinou, Grigorios Tsangonas and Mr Emmanouil ΔPatisakis, were present as rapporteur. They were not represented because they were prevented from attending, although the regular members Konstantinos Lamprinyoudakis, Haralambos Anthopoulos and Eleni Martsoukou were duly summoned in writing. The meeting was attended by Georgios Rousopoulos, a specialist scientist — investigator as assistant rapporteur and Irini Papageorgopoulou, an official of the Authority’s Administrative Department, as secretary to the meeting.
The Authority took into account the following:
The Authority’s letter ref. C/ΕΙΣ/8963/12-12-2017 of A’s complaint that on... the above by email and in parallel to a fax mission, for which he received a proof of delivery, the issue of a copy of the video system of the ‘Mentoiki Municipality of GLADOADAE golf company AE’ (hereinafter ‘Glyfada GAAR’) which includes an event with the complainant and an employee of the company. This request was repeated on..., without the company replying. The complainant lodged a further application on... with a reference number... The request also requested copies of documents relating to him, such as a third party inquiry, investigation documents, decision of the board of directors, and again did not receive a reply.
By letter ref. C/ΕΞ/2245/21-03-2018 sent a copy of the complaint to the Glyfada company and invited it, within fifteen (15) days of receiving it, to provide its views on the complaint. At the same time, it called upon the complainant to immediately examine the complainant’s requests, satisfying the right of access and providing him with any document or electronic record of request.
The company replied to the Authority in its letter No C/ΕΙΣ/3668/15-05-2018, stating that it had drawn up a reply from them, but the complainant did not receive it. At the same time, it stated that it does not keep any files stored from a closed circuit television. Furthermore, it is apparent from that document that, following the interventions of the Authority and the Ombudsman, the company stated that it intended to send a reply immediately to A. It should be noted that, before that reply, the company submitted letter ref. ΕΙΣ/1314/09-05-2018 notification of the operation of a video surveillance system on its premises.
In a more recent letter (ref. C/ΕΞ/3668-1/08-08-2018) informed the company complained of the implementation of Regulation (EU) 2016/679 (hereafter GDPR) and the way in which the Authority’s Directive 1/2011 on video surveillance systems should be interpreted in the light of the Regulation. It also found in the same document that the company’s response would raise the following issues:
The company replied belatedly to the data subject’s request, as the reply was given a reference number on., while the request had been submitted electronically by email on... and in writing with a reference number on... The reply was not sent to the address already indicated by the complainant, but remained in the company. As regards the substance of the reply, with regard to the video surveillance system, although the company stated in its note that it does not keep stored files from a closed circuit, the above mentioned notification stated to the Authority that it keeps records for a period of five (5) days. It was therefore not clear whether the video surveillance system was regulated to record.
The Authority requested that the above issues be clarified by producing appropriate documents, attestations and other documents with a certain date, indicating the timing of the activation of the video surveillance system and whether the time of the sending of the original request of the data subject (in...) that system was set to be capable of recording.
The company reported late (and following its letter ref. C/ΕΞ/3668-2/24-12-2018 In its letter ref. c/ΕΙΣ/1057/08-02-2019, in which it stated that ‘Since the beginning of 2017, the above-mentioned system does not allow data to be stored due to technical problems in the storage system and the failure to repair them up to now, as is apparent from the company’s letter of 04-01-2019 under the name ‘Zariropoulos S.A.’, which we attach.’ It is apparent from that letter that the company Zariropoulos S.A. carried out a visit to the Glyfada site on..., but again it is not clear whether the existing video surveillance system at the time was capable of recording or whether the recording was not operational since the beginning of 2017, as stated by Gcolas Glyfada. For clarification, the Authority sent letter ref. Document c/ΕΞ/1328/18-02-2019 from Zariropoulos S.A. asking:
(a) If it has established that the video surveillance system which is (or was) installed in the Glyfada offices of Glyfada, has ceased to be capable of recording, and if it is established that this has occurred since the beginning of 2017, specifying as far as possible the downtime.
(b) When and how it was informed by Glyfada company Glyfada about a malfunction of the video surveillance system installed in its premises.
The company Zariropoulos S.A. replied by letter (ref. c/ΕΙΣ/3248/07-05-2019) of the fact that, following an audit of... in the CCTV cany MASTER system, it was found that the power supply of the cameras at the management office was burnt. It also found that the deposit located on the site of the reservoir was burnt, while one of the parties in the warehouse was burnt and the warehouse record of the warehouse does not appear online. For this system, the acceptance of an offer to remedy the damage has taken place and the intervention on.. In relation to three other video surveillance systems, the company states that no visit took place in 2017.
Subsequently, the Authority, by letter ref. Document C/ΕΞ/8101/22-11-2019 Hearing, in relation to the complaint. The complainant was also informed of the meeting by letter ref. C/ΕΞ/8139/25-11-2019 of the Authority. After the meeting of 11/12/2019 was adjourned, because the attorney of the company complained of was prevented from acting (see letter ref. C/ΕΙΣ/8669/11-12-2019 and c/ΕΙΣ/8678/11-12-2019 of the Authority met on 18/12/2019. This meeting was attended by the defendant company, Apostolos Georgoulas, lawyer with a Athens Bar Association, while the complainant was also present in person. The representative of the company and the complainant received a deadline and lodged submissions. In particular:
Letter ref. C/ΕΙΣ/265/14-01-2020 The company replied to the complainant’s request stating that no image files concerning him were stored in its letter of... The complainant was contacted by telephone, but in bad faith did not attend for the receipt. The company considers that the complainant seeks to impose a penalty on it for reasons related to earlier disputes with the members of its Board of Directors. However, it sent the document to him on. As regards the failure to provide image files, the company insists that its image has never been recorded as the system was, at the material time, out of operation. Although Zariopoulos SA had not checked the Registry’s system at that time, the Gcolas Glyfada submits that the fact that it was subsequently forced to re-establish it and obtain a new recorder, as is apparent from the decision of the board of directors of the company, confirms its claim.
It should be noted that, as a result of the decision of the board of directors of Glyfada, a decision of the Board of Directors of Glyfada, all the charts in the four subsystems of its establishments have been replaced.
Complainant’s letter ref. C/ΕΙΣ/273/14-01-2020 memo, presented the background of the case and its relationship with the Glyfada Gencolas. The matters relating to the processing of personal data and the incident to which the complaint relates give a brief indication of the following: The initial request for access was submitted on... via FAX to number... around the time... p.m., then by e-mail about the time..., and due to a missed connection, on... were repeated on... at... Finally, on... lodged an application. The complainant mentions that he has been a member of the management of the company for many years, which he definitely had his contact details, such as his email, which he used to inform her of matters. He therefore considers that it was easy to send the reply to the request. The company in question has the legal obligation to employ a safety technician and has for that reason concluded annual contracts which the complainant cites. From the year 2015 up to and including 2019, the Board of Directors of the company has taken eight decisions related to the operation of a video surveillance system, without informing the Authority as then required.
It should also be noted that the complainant raises a question of non-legal representation of the company, arguing that the lawyer who appeared was not entitled to appear after the company had entered into a contract with another lawyer, who has also submitted documents relating to the same case previously.
After having heard the rapporteur and giving the details of the assistant’s rapporteur, who left after the debate and before the deliberations and taking of a decision, and after a detailed discussion, the Authority, after having heard the rapporteur and the details of the rapporteur,
AFTER DUE CONSIDERATION
1.	With regard to the question of the lawyer’s lawyer Glyfada’s lawyer who was not legally represented, the Authority accepts that, on the basis of the documents submitted, the company was validly represented before it, as it is free to choose the way in which it is represented.
2.	The issue raised concerns a lack of satisfaction of a request to exercise the right of access, which was exercised on.... It is therefore a suspected infringement that took place in a period prior to the implementation of Regulation (EU) 2016/679 (GDPR). As the processing activity does not relate to a period of time during which the GDPR applied and, according to the subject of the complaint, a possible infringement of a right of access is not a ‘continuous’ infringement, the applicable provisions are those of the then applicable statutory framework (see in this regard and opinion 8/2019 of the EDPB on the competence of the supervisory authority in the event of change of circumstances concerning the main or single establishment, paragraph 16). The provisions of Law 2472/1997 therefore apply to the present case.
3.	As defined in Article 12 (1) and (2) of Law 2472/1997, the data subject has the right to know whether personal data relating to him or her are or have been processed (right of access). To that end, it shall be entitled to request and receive from the controller, without delay and in an easily understandable and clear manner, information including all personal data concerning him or her and the origin thereof. Furthermore, for the particular case of video surveillance systems, Article 13 (1) of the Authority’s Directive 1/2011 on the use of video surveillance systems for the protection of persons and goods states that “The controller shall be obliged to grant within fifteen (15) days of the submission of the relevant request a copy of the section of the registration mark record where the data subject has been registered or the data subject has been documented, or, as appropriate, to inform the person concerned in writing within the same time limit or that the relevant part of the registration is not destroyed. Alternatively, subject to the agreement of the data subject, the controller can only directly demonstrate this part. To this end, the data subject shall indicate the exact time and place found in the reach of the cameras. When providing a copy of an image, the controller must cover the image of a third person (e.g. by blurring of a part of the image), as long as their right to privacy may be violated. In the case of mere demonstration, the coverage of the image of the third party shall not be required.”
4.	As follows from Article 12 (4) of Law 2472/1997, the controller was required to respond to requests for access within fifteen (15) days and, if he/she does not respond or if the reply is not satisfactory, the data subject has the right to appeal to the Authority. Where the controller refuses to comply with the complainant’s request, it must communicate his response to the Authority and inform the person concerned that he or she may have recourse to it. Please note that the period of fifteen (15) days after the application of the GDPR has been extended to thirty days.
5.	The controller states that at the time of the incident and the right of access was exercised, the recorder system was not operational. This is not confirmed by the statement of ZARIFOPOULOS S.A. stating that it was a broken different subsystem and did not check the subsystem of the area of the Secretariat. The company in question has not provided any documentation, either by the installation company or by an internal reference, such as a technical safety document, or a document from the management board showing that the subsystem of the Secretariat has not been functional. Indeed, in its letter ref./ΕΙΣ/1314/09-05-2018, which the controller submitted to the Authority with delay, stated to the Authority that it maintains records for a period of five (5) days. Consequently, the position of the company in question, that the recorder was out of operation, has not been established.
6.	In any event, even if the recorder was out of service, the controller was required, on the basis of Article 12 (1) of Law 2472/1997, to reply to the complainant if personal data concerning him were processed, albeit negative, within the 15-day time limit. In the present case, it appears that the controller did not respond within the time limit set to the data subject’s requests. The response given by the controller that it has been prepared and made available to the data subject has not been communicated to him, except after the intervention of two public authorities and after a long delay. Indeed, it should be accepted that the complainant’s request for access was lodged on the original date, on... as the complainant provides a copy of the proof of dispatch. Gcolas Glyfada considers that the data subject’s request was lodged on., when the complainant received a reference number reiterating his request. However, the company had to respond to the initial requests made by email and by FAX, while it had to ensure that the rights of the data subjects were satisfied and that it was easy to exercise it.
7.	The complainant was in the past held in the Board of Directors of Glyfada. It appears from the case file that there are other differences between the complainant and the company, which do not concern the law of the Authority and are therefore not examined and evaluated.
8.	Therefore, it appears from the file of the case that the controller violated the provision of Article 12 of Law 2472/1997, in relation to the exercise of the complainant’s right of access to a physical video surveillance system which included his/her image. Furthermore, the Authority shall in particular take into account that the controller has displayed a lack of compliance with the applicable legislation at the time of the infringement, as at the time of the infringement the video surveillance system was not notified to the Authority, and that the cooperation of the controller with the Authority was particularly difficult.
9.	In view of the above findings, the Authority considers, by unanimity, that the controller referred to in Article 21 (1) (b) of Law 2472/1997 should be subject to the penalty referred to in the operative part hereof, which is considered proportionate to the seriousness of the infringement found.
FOR THESE REASONS
Having regard to the above:
(1) Effects, on the basis of Articles 19 (1) (f) and 21 of Law 2472/1997, shall be paid to the ‘unilateral shareholding limited by five thousand euros’ (EUR 5.000) for the above infringement of Law 2472/1997.
The Deputy President	
Georgios Bareal	 Irini Papageorgopoulou