Dalnave - data subject – €10,000 Fine (Greece, 2023)

On 1 March 2021 the data subject filed a complaint with the DPA, for the fact that they had received unsolicited communication via email, and in particular the commercial promotion of digital advertising services, without having any prior relation with the controller. The data subject further stated that in response to their question regarding how their data became available to the controller, they received the generic answer that these had been collected through market research. After the DPA had made numerous attempts to contact the controller without response, they issued decision no. 23/2023, where: * According to Article 58 (2)(b) GDPR they reprimanded the controller. * According to Article 58(1)(a) GDPR they instructed the controller to immediately reply to the filed complaint. * Informed the controller that in case of non-compliance, they will impose an administrative fine according to Article 83 GDPR. The DPA held that: According to [https://search.et.gr/el/fek/?fekId=334206 Article 11 (1) Act 3471/2006] (Protection of personal data & privacy in electronic communications) the making of unsolicited communications by any means of electronic communication, [...] for any kind of advertising purposes, shall be permitted only if the subscriber has given his or her express prior consent. As the e-mail account to which the unsolicited promotion e-mail was sent, did not correspond to a natural person but to a legal person the GDPR is not applicable. However [https://search.et.gr/el/fek/?fekId=334206 Article 11 (7) Act 3471/2006] (Protection of personal data & privacy in electronic communications) also applies to legal persons. For the above reasons and because the controller did not implement the aforementioned decision no. 23/2023, the DPA imposed on the controller a total fine of €10,000 for the violation of [https://search.et.gr/el/fek/?fekId=334206 Article 11 (1) Act 3471/2006] (Protection of personal data & privacy in electronic communications).