Greek DPA Fines the Country’s Largest Technology Company EUR 400,000 for GDPR Violations

On October 7, 2019, the European Data Protection Board announced that the Greek (Hellenic) Data Protection Authority (DPA) imposed fines in the total amount of EUR 400,000 on the Hellenic Telecommunications Organization (“OTE”), the largest technology company in Greece, for violating several GDPR provisions, including an obligation to ensure that privacy issues are considered at the design phase of the company’s systems and processes and throughout their life cycle (data protection by design principle).

The investigation conducted by the DPA revealed that when OTE’s telephone subscribers submitted portability requests for the transfer of their subscription to another provider, OTE deleted their entries from the do-not-call registry, a list of phone numbers of consumers who do not want to receive telemarketing calls.  However, when those subscribers canceled their portability requests, OTE had no internal procedure to also cancel their removal from the registry.  Although the subscribers were listed as “do not call” registrants in the company’s internal system, their telephone numbers were not included in the registry sent by OTE to advertisers, as the two systems did not have the same content due to an interconnection error.  As a result, the affected subscribers received unsolicited calls from third-party advertisers. The DPA found that this incident violated the obligations imposed on OTE by the GDPR Article 25 (data protection by design) and Article 5 (1)(c) (principle of accuracy).

In addition, the DPA received complaints that the recipients of advertising messages from OTE that they were not able to unsubscribe from the advertisements.  The investigation revealed that beginning in 2013, due to a technical error, whenever recipients of advertising messages clicked on the “unsubscribe” link, their data was not removed the list of recipients.  Furthermore, OTE did not have a defined organizational procedure that would have detected that the data subject’s right to object was not satisfied.  The DPA found that this infringement, which affected around 8,000 individuals, violated Article 25, as well as Article 21(3) (right to object to the processing for direct marketing purposes) of the GDPR.

The fine imposed by the Hellenic DPA was the second fine imposed for an infringement on data protection by design requirements under Article 25 and underscores the importance of considering privacy compliance issues when designing and maintaining company’s systems and processes.

As businesses are faced with mounting compliance costs, selecting the right provider to facilitate GDPR compliance is crucial. Clarip’s enterprise privacy software is built to help your company navigate the GDPR.

Ask Clarip today how we can solve your biggest compliance pain points, Call Clarip at 1-888-252-5653