GREEK DPA ISSUES EUR 30,000 FINE


Hellenic Petroleum S.A. was fined €30,000 by the Greek Data Protection Authority on 8 April 2019 for the unlawful processing of personal data and for failing to implement appropriate data security measures in accordance with the General Data Protection Regulation (GDPR).

The fine was issued for two key violations: €10,000 for not implementing appropriate data security measures, and €20,000 for the unlawful processing of personal data. The fine could have reached as high as €300,000.

Hellenic Petroleum S.A. had engaged a third party to conduct a study on its behalf. The results of the study were published online and included sensitive personal data, including political opinions, trade union membership and participation in various associations.

The Greek Data Protection Authority's findings clearly identified Hellenic Petroleum S.A. as the data controller and the third party as the data processor; as such, Hellenic Petroleum S.A. was responsible for the third party's processing of the personal data found in its possession.

The Greek Data Protection Authority concluded that the processing of sensitive data took place without a legal basis and outside the bounds permitted by the GDPR. Furthermore, the Greek Data Protection Authority held Hellenic Petroleum S.A. directly responsible for failing to implement the appropriate technical and organizational measures for the protection of the personal data it controlled.

The decision was delivered by Konstantinos Menoudakos (President of the Greek Data Protection Authority) and Irene Papageorgopoulou (Secretary of the Greek Data Protection Authority).

Summarizing the findings delivered by the Greek Data Protection Authority, Hellenic Petroleum S.A. failed to comply on the following points:

    1. unlawful processing of personal data
    2. failing to implement the appropriate data security measures
    3. failing to implement the appropriate technical measures
    4. failing to implement the appropriate organizational measures
    5. failing to process sensitive personal data with a legal basis (legitimate interest)
    6. failing to process sensitive personal data within the permitted regulations of the GDPR

EMIN HASIC – INTERNATIONAL DATA PROTECTION AUDITOR