ZENITH – €30,000 Fine (Greece, 2021)

Seventeen individuals submitted complaints before the Hellenic DPA (HDPA) against gas supplier company ZENITH (controller) for unlawful processing of personal data for purely marketing purposes. Zenith signed a contract with One Way Private Company (processor) which undertook the processing of the controller's customers' personal data for marketing purposes. The processor used an automated mechanism randomly selecting telephone numbers from a list of customer contact details in order to contact individuals for marketing purposes. Some customers had previously clearly waived their consent for the controller to have their contact details. The telephone numbers of these individuals were supposed to be precluded from this list. However, due to a mistake by one of the processor's employees, many of these customers were not excluded from the list and consequently received calls from the processor for marketing purposes. After reviewing the facts of the case, the HDPA first stated that the telephone number of an individual constitutes "personal data" under Article 4(1) GDPR because it makes a person identifiable. Moreover, the HDPA held that ZENITH, who transferred the contact details of its customers to the processor based on a contract signed between them in order for the latter to conduct calls for marketing purposes, must be considered as a "controller" under Article 4(7) GDPR and the latter company as a "processor" under Article 4(8) GDPR. Furthermore, the HDPA stated that both the controller and the processor companies were in breach of GDPR provisions. Specifically, the processor failed to implement appropriate technical and organisational measures for ensuring an appropriate level of security under Article 32(2) GDPR since it was their employee who made the relevant mistake. On the other hand, the controller was responsible for offering the appropriate tools and guidelines in order to prevent unlawful calls from being conducted and for supervising the processo