The Hellenic Data Protection Authority (DPA) recently imposed a €75,000 fine on a Greek company, Tiresias SA, for violating Law 2472/1997 (the Greek Data Protection Act) by (i) not lawfully amending the purpose of its processing activities, (ii) failing to notify the DPA and (iii) failing to inform the data subjects accordingly.
Tiresias SA (the Company), acting as data controller, initially operated a system for checking the creditworthiness of individuals and business entities. It then expanded its operations by developing a financial health system that distributed data for marketing purposes to third parties, such as banks or credit assessment companies.
(I) PURPOSE OF THE PROCESSING
According to art. 4 of the Greek Data Protection Act, "in order to be lawfully processed, personal data must be collected fairly and lawfully for specific, explicit and legitimate purposes and fairly and lawfully processed in view of such purposes". Recital 28 of the EU Data Protection Directive mentions that, for the personal data to be fairly and lawfully processed, the purposes of the processing must be explicit and legitimate and must be determined at the time of collection of the data (emphasis added).
In a nutshell, the objective of data processing must be clear for data subjects before their personal data is collected.
It appeared that the Company had obtained the data subjects' consent for the collection of their personal data, but the data subjects were not made aware that their personal data would be shared with third parties for marketing purposes.
(II) FAILURE TO NOTIFY THE DPA
A controller needs to notify the DPA of the establishment or operation of a file, or of the commencement of data processing, as per art. 6 of the Greek Data Protection Act. The Company notified the DPA of its processing activities with a significant delay, six months after it had started processing the data, and the DPA ruled that the notification was not timely.
(III) FAILURE TO INFORM THE DATA SUBJECTS – INFORMATION OF THE DATA SUBJECTS VIA THE RECIPIENTS OF THE DATA
The Company did not inform the data subjects about the basic elements of its processing activities, as required by art. 11 of the Greek Data Protection Act, according to which the controller must inform the data subject about the purposes of the processing at the stage at which the data is collected. Art. 11 also requires that the data subject be informed that his/her data will be disclosed to third parties before the data is actually communicated to them.
Notwithstanding the provisions of the law, the Company in practice shifted its obligation to inform the data subjects to the recipient of the data (acting as a data processor), which provided the information to the data subjects in its contracts as well as in all relevant printed materials.
The DPA ruled that informing the data subjects through the recipient of the data did not make it clear that the recipient was acting on behalf of the controller. It therefore considered that the controller had not respected the principle of transparency, according to which the data subject must be informed of the identity of the controller as well as of any of its representatives.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.