Mizuno Online Store – €5,000 Fine (Greece, 2022)

In a previous decision (hub: [https://gdprhub.eu/index.php?title=HDPA_(Greece)_-_13/2021 13/2021]), the Greek DPA imposed a fine of €20.000 on a company that sells sports clothing (the controller). The controller failed to comply with a data subject's erasure request (Article 17 GDPR) and kept on sending them unwanted marketing-SMS despite their opt-out (Article 21(1) GDPR). The DPA held that the controller also violated Article 25(2) GDPR. In the case at hand, the controller requested the decision to be annulled. The controller submitted new evidence about the steps that were taken to remove the data subject from its contact list. The controller argued that all necessary procedures were in order and that it has done everything that could be reasonably required to handle the data subject's requests. The controller explained that the conduct for which the company had been fined was due to an isolated error. The controller further stated that the DPA violated (1) the principle of proportionality and (2) the criteria for the imposition and assessment of fines for violations of the GDPR by imposing a €20.000 fine. After considering the new evidence provided by the controller, the DPA found the following two mitigating circumstances pursuant to Article 83(2)(a) GDPR. First of all, the DPA agreed that the violation seemed to be caused by the controller's negligence (an isolated error) and not malicious intent. Second, the controller appeared to have implemented and followed the appropriate procedures to ensure the correct handling of the right to object (Article 21 GDPR) and the right to erasure (Article 17 GDPR) of data subjects. Therefore the controller was not found in breach of Article 25(2) GDPR. The DPA partially revoked its previous decision n. 13/2021, but confirmed its judgement that Article 17, Article 21(1) and Article 12(3) GDPR were violated. Therefore the DPA reduced the fine from €20.000 to €5.000.