"A" โ Complaint Upheld (Greece, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Hellenic Data Protection Authority upheld a complaint against the Athens Medical Association for improperly collecting Covid-19 vaccination certificates from its members. This ruling matters because it emphasizes the need for organizations to follow proper data retention practices. Medical associations must ensure they handle sensitive information correctly to avoid future issues.
What happened
The Hellenic DPA upheld a complaint regarding the Athens Medical Association's collection of Covid-19 vaccination certificates.
Who was affected
Members of the Athens Medical Association were affected by the improper collection of their vaccination certificates.
What the authority found
The Hellenic DPA ruled that while the collection was lawful, the Athens Medical Association retained the certificates longer than allowed by data protection rules.
Why this matters
This case highlights the importance of adhering to data retention policies. Organizations should regularly review their data handling practices to ensure compliance with privacy laws.
GDPR Articles Cited
National Law Articles
Entities Involved
On 12 January 2022, a doctor and member of the Board of the Athens Medical Association (AMA) submitted a complaint to the Hellenic DPA (HDPA) against the Athens Medical Association. The complaint alleged the illegal collection of the AMA members' Covid-19 vaccination certificates. The AMA had requested its members who managed private practices to electronically send their Covid-19 vaccination certificates and upload them to an electronic platform created by the Athens Medical Association. In their complaint to the HDPA, the data subject requested the HDPA to prohibit the AMA from collecting members' Covid-19 vaccination certificates or, in any event, if the collection was deemed lawful, to order the AMA bring their processing into compliance with the GDPR. The HDPA contacted the AMA and requested more information from them about their vaccination certificate collection. The AMA replied that the collection was carried out under Articles 6(1)(e) and 9(1)(i) GDPR, in line with Article 206 of Law No. 4820/2021 which prescribed the mandatory vaccination of staff employed in health care. The AMA stated that the purpose of the processing was to allow it to fulfil its duties in inspecting the compliance of health care institutions and professionals under its responsibility. The HDPA held that the processing carried out by the AMA was lawful for the purposes of Articles 5(1)(a) , 6(1)(e) and 9(2)(i) GDPR, but that the AMA had retained the certificates beyond the retention period prescribed by Article 5(1)(e) GDPR. Firstly, in relation to Articles 5(1)(a) , 6(1)(e) and 9(2)(i) GDPR the HDPA took into account Article 206 of Law No. 4820/2021. It held that Article 206 of Law No. 4820/2021 fulfilled the requirements of Article 6(3)(b) GDPR, as it provided for the overriding public interest of protecting public health workers against the Covid-19 virus. Secondly, in relation to the transparency requirements under Article 5(1)(a) GDPR, the HDPA held that the platform used by t
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for "A" in GR
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. "A" - Greece (2023). Retrieved from cookiefines.eu
Last updated: