Infinity Pack – Complaint Upheld (Greece, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Hellenic Data Protection Authority found that Infinity Pack sent promotional emails to a pharmacist without a clear source for the email address. This matters because businesses must know where they get personal data and have a legal reason to use it.
What happened
Infinity Pack sent promotional emails to a pharmacist without knowing how they obtained the email address.
Who was affected
A pharmacist who received promotional emails at an email address used only for public body communications.
What the authority found
The Hellenic DPA decided that Infinity Pack couldn't prove how they got the email address, violating GDPR's requirement for lawful and transparent data processing.
Why this matters
This case highlights the importance of businesses keeping track of where they get personal data and ensuring they have a legal basis for using it. Companies should review their data collection practices to avoid similar issues.
GDPR Articles Cited
The data subject, a pharmacist, received several emails advertising pharmaceutical products from the company Infinity Pack, the controller. The data subject filed a complaint with the Hellenic DPA, claiming that they had agreed to receive promotional content at some personal email addresses. However, they stated that they never had any commercial relationship with the controller through that other specific email, which was used exclusively for communications with public bodies. The DPA notified the controller asking for clarifications on how it became aware of that specific email address. The controller responded that it could not determine the source of the information, but admitted that its representatives travel to many regions in Greece and collect 'market information' such as business cards and contact details of potential clients. Although the data subject withdrew the claim during the course of the procedure, the Hellenic DPA decided to continue with ex officio investigations. The DPA highlighted that Article 5(1) GDPR establishes that personal data must be processed lawfully, fairly and in a transparent manner, while also being collected for specified, explicit and legitimate purposes. Moreover, Article 5(2) provides that the controller is responsible for demonstrating compliance with these obligations. The DPA then reffered to the Greek national law. It clarified that, although the law authorizes controllers to send advertising messages to emails legally obtained in the context of their commercial transactions, even without prior consent, it requires that an easy way to object the data processing be made available. In the case under analysis, the DPA held that the controller was not able to demonstrate the source of the data and, therefore, cannot claim that they were obtained in the context of its commercial activities. Similarly, the controller did not demonstrate that it had obtained the consent of the data subject. For these reasons, DPA found a viol
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Infinity Pack in GR
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Infinity Pack - Greece (2022). Retrieved from cookiefines.eu
Last updated: