HDPA (Greece) - 44/2019

From GDPRhub
Revision as of 13:04, 1 April 2021 by Maria Konstantinou
HDPA - 44/2019
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1) GDPR, Article 5(2) GDPR, Article 6(1) GDPR, Article 32 GDPR, Article 33 GDPR, Article 58(2)(d) GDPR, Article 58(2)(i) GDPR, Article 83(5)(a) GDPR

Type: Complaint
Outcome: Upheld
Decided: 19.12.2019
Published: n/a
Fine: EUR 150,000
Parties: AEGEAN BUNKERING SERVICES INC ("ABS"); ERNST&YOUNG HELLAS CERTIFIED AUDITORS-ACCOUNTANTS ("EY Greece"); Aegean Marine Petroleum Network Inc. ("AMPNI") (Reorganized as Minerva Bunkering)

National Case Number: 44/2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language: Greek
Original Source: HDPA

The HDPA issued a EUR 150,000 fine against a Greek supplier of marine bunker fuels and lubricants for violating the principles of lawfulness, fairness and transparency and the security of processing under the GDPR while carrying out data processing operations on computer infrastructure (server hardware and software).

English Summary

Facts

ABS filed a complaint against the companies AMPNI and EY Greece for alleged violations of Article 33 GDPR. According to the complainant, people related to the defendants entered ABS's data room without authorisation and illegally copied to mobile data carriers the entire digital content of the server, which contains digital documents, e-mails and other electronic communications of ABS's employees with third parties, as well as of third parties' employees. These people then created a clone server. In addition, 11 other complaints were filed before the HDPA by data subjects in relation to this incident.

Dispute

The DPA had to assess whether both defendants had violated the obligation to notify personal data breaches to the supervisory authority.

Holding

The HDPA ordered AMPNI, as the data controller in this case, to bring the processing operations at stake into compliance with the GDPR within three months of receipt of the decision, as provided for under Article 58(2)(d) GDPR. The company must take all necessary measures for internal compliance and accountability according to Article 5(1) GDPR, Article 5(2) GDPR and Article 6(1) GDPR. Since the company had totally ignored its compliance with these provisions, the HDPA issued a fine of EUR 150,000 according to Article 58(2)(i) GDPR and Article 83(5)(a) GDPR.

English Machine Translation of the Decision

There is no available machine translated decision. Please refer to the Greek original decision for details.