Party A (anonymized) – Complaint Upheld (Greece, 2021)

Complaint Upheld
Hellenic Data Protection Authority21 September 2021Greece
final
Complaint Upheld

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

A Greek politician sent a press release via email to someone without their consent, and the email addresses were visible to all recipients. The Greek Data Protection Authority warned the politician to use the BCC field for emails to protect privacy. This case highlights the importance of using proper email practices to avoid privacy issues.

What happened

A member of the Hellenic Parliament sent an email with visible addresses to multiple recipients without consent.

Who was affected

Individuals whose email addresses were exposed in the mass email.

What the authority found

The Greek Data Protection Authority warned the politician to use the BCC field for mass emails to comply with GDPR's security requirements.

Why this matters

This case serves as a reminder for anyone sending mass emails to use the BCC field to protect recipients' privacy and comply with data protection laws.

GDPR Articles Cited

Art. 32 GDPR
Art. 5(1)(d) GDPR
Art. 5(1)(f) GDPR

Entities Involved

Party A (anonymized)
Party B, Member of the Hellenic Parliament (anonymized)
Greece enforcementHellenic Data Protection Authority actionsAll Party A (anonymized) actions
Full Legal Summary
Detailed

The data subject complained to the Greek DPA (the HDPA) about having received a press release via email by a member of the Hellenic Parliament (the latter being considered the data controller in the context of this decision), without the data subject's consent. Furthermore, the data subject's email address was visible to other recipients (the "To" field was used instead of BCC). The HDPA issued a warning towards the data controller, recommending the use of the BCC field in order for mass email communication to remain compliant with Article 32 GDPR. No other measures were deemed necessary, because of the data controller's stance that the inclusion of the subject's email was made by mistake (more particularly, the controller had wrongly thought the data subject was a journalist, and that the data processing would thus be in accordance to Article 6(1)(f) GDPR), and because the controller took corrective measures by removing the data subject's personal details from the mailing list.

Outcome

Complaint Upheld

A data subject complaint that was upheld by the DPA.

Related Enforcement Actions (0)

No other enforcement actions found for Party A (anonymized) in GR

This is the only recorded action for this entity in this jurisdiction.

Details

Decision Date

21 September 2021

Authority

Hellenic Data Protection Authority

GDPRhub ID

gdprhub-4086

Sources

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Party A (anonymized) - Greece (2021). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: