In a series of recent rulings, the Hellenic Data Protection Authority (HDPA) has taken decisive actions to enforce data protection regulations, shedding light on critical issues surrounding the lawful processing of personal information.
The decisions analyzed below constitute an attempt to examine the data protection landscape in Greece and the decisive role played by the HDPA in safeguarding the rights of individuals in the digital era.

1. The principles of lawfulness, fairness, and transparency
The HDPA imposed fines on a company for improperly monitoring its employees without a valid legal basis. The HDPA pointed out that relying on consent can be problematic due to the inherent power imbalance in the employer-employee dynamic, where the employee might feel pressured to consent under the threat of negative consequences. The HDPA also examined the use of contracts as a legal basis, stressing the need for specialization in terms of continuous monitoring of video and audio data. Additionally, it was highlighted that legitimate interest as a legal basis required clear evidence of necessity and suitability in the processing. The lack of a distinct legal basis not only created confusion but also deprived the employee of crucial information about their data processing rights, violating transparency and accountability principles.

2. Automated processing
The HDPA imposed fines on a US-based company engaged in automated processing of publicly available personal data, such as photos and metadata of individuals within the EU, to analyze their preferences and behaviors. This practice raised concerns as it was considered to constitute ‘profiling’. The concerns focused mainly on the fact that the company violated the principles of legality: there was neither a legal basis for profiling nor adequate information to data subjects about such processing. The HDPA rejected the use of legitimate interests as a legal basis, emphasizing the absence of a relationship between the subjects and the company, along with the data subjects’ lack of reasonable expectation regarding the processing of their online photos.

3. Unsolicited marketing emails
The HDPA has issued a series of decisions imposing fines against companies for sending unsolicited marketing emails to the email addresses of legal entities without prior consent or an established commercial relationship. The HDPA clarified that, to comply with the regulations for electronic communications, a sender must either obtain prior consent or send promotional messages within the context of an existing business relationship. The HDPA stated that these standards apply uniformly to both natural and legal persons.

4. Right to object/erasure
The HDPA has imposed fines against multiple companies for violating a data subject’s right to object to unsolicited marketing messages and for delays in complying with the right to erasure of processed personal data. The HDPA emphasized the responsibility of the data controllers to facilitate the exercise of these rights promptly and effectively, highlighting that data subjects are not obliged to follow specific procedures. Such decisions serve as a reminder of the proactive measures companies should take to uphold privacy rights, particularly in the realm of online activities.

In conclusion, as technology continues to shape the way businesses operate, these decisions underline the importance of compliance in the rapidly evolving digital landscape. This serves as a pivotal moment for companies to reassess their data protection strategies alongside their business strategies, making privacy and GDPR compliance a core focus of their operations.

The Editorial Team