The Hellenic Regulator Imposed Fines on Telecommunications Provider for infringing Privacy-byDesign and Accuracy Privacy Principles
TOPICS: Data Protection, Data Subject Rights, Privacy by Design, GPDR, Greece, Europe
The Hellenic Data Protection Authority ("Hellenic DPA") imposed two administrative fines OTE") after
receiving complaints from telephone subscribers of OTE.
The first fine was issued after the Hellenic DPA received a complaint from subscribers who received unsolicited calls from third party companies for the promotion of products and services, notwithstanding the fact that the subscribers were registered to the OTE's donot-call register. The Hellenic DPA investigation demonstrated that the subscribers in question submitted a portability request to transfer their subscription to another provider. As a result, OTE deleted their entries from the do-not-call register. When the subscribers cancelled their portability requests, their entries were not updated properly. Although they were re-instated to the do-not-call internal lists of OTE, their numbers were not included in the lists sent to the advertisers.
The Hellenic DPA found the incident infringed Articles 5(1) (principle of accuracy) and 25 (data protection by design) of the General Data Protection Regulation ("GDPR"), as it affected a large number of subscribers. As a result, the Hellenic DPA issued an
Another fine was imposed on OTE when the Hellenic DPA received complaints from the recipients of advertising messages by OTE. The recipients claimed that they could not unsubscribe from the service. During the course of examination, the Hellenic DPA found that, from 2013 onwards, the unsubscribe link in the advertising messages sent by OTE did not work due to a technical error. As a result, recipients who used the link were not removed from the list and kept receiving advertising materials.
OTE, which did not have the appropriate measures to detect such technical error, subsequently removed approximately 8,000 persons from the list of recipients, who could not previously unsubscribe due to the technical error. The Hellenic DPA fined OTE wit to processing for direct marketing purposes) and Article 25 of the GDPR.
These cases demonstrate the importance of practically implementing data protection related procedures and tools with respect to all handling of personal data. We will be happy to advise our clients on the related implications.
This update was published as part of our Technology & Regulation monthly client update. To read more about HFN's Technology & Regulation Department, click here.