HDPA - 44/2019

From GDPRhub
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1) GDPR, Article 5(2) GDPR, Article 6(1) GDPR, Article 33 GDPR, Article 58(2)(d) GDPR, Article 58(2)(i) GDPR, Article 83(5)(a) GDPR

Type: Complaint
Outcome: Upheld
Decided: 19. 12. 2019
Published: n/a
Fine: EUR 150,000
Parties: AEGEAN BUNKERING SERVICES INC ("ABS"); ERNST&YOUNG HELLAS CERTIFIED AUDITORS-ACCOUNTANTS ("EY Greece"); Aegean Marine Petroleum Network Inc. ("AMPNI")

National Case Number: 44/2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language: Greek

Original Source: HDPA (GR)

The HDPA issued a EUR 150,000 fine against a Greek supplier of marine bunker fuels and lubricants for violations of the principles of lawfulness, fairness and transparency and of the security of processing under the GDPR, committed while carrying out data processing operations in computer infrastructures (server hardware and software).

English Summary

Facts

ABS filed a complaint against the companies AMPNI and EY Greece for alleged violations of Article 33 GDPR. According to the complainant, people related to the defendants entered ABS's data room without authorisation and illegally copied to mobile data carriers the entire digital content of the server, which contains digital documents, e-mails and other electronic communications of ABS's employees with third parties as well as of third parties' employees. These people then created a clone server. Further, 11 other complaints were filed before the HDPA by data subjects in relation to this incident.

Dispute

The DPA had to assess whether both defendants had violated the obligation to notify personal data breaches to the supervisory authority.

Holding

The HDPA ordered AMPNI, as the data controller in this case, to bring the processing operations at stake into compliance with the GDPR within three months from the receipt of this decision, as foreseen under Article 58(2)(d) GDPR. The company must take all necessary measures for internal compliance and accountability according to Article 5(1) GDPR, Article 5(2) GDPR and Article 6(1) GDPR. Since the company had totally ignored its compliance with the mentioned provisions, the HDPA issued a fine of EUR 150,000 according to Article 58(2)(i) GDPR and Article 83(5)(a) GDPR.


English Machine Translation of the Decision

There is no available machine translated decision. Please refer to the Greek original decision for details.