8 October 2019

The Hellenic Data Protection Authority (the “Authority” or the “Hellenic DPA”) published a press release on 7 October 2019 about their decision regarding the administrative fine on a telephone service provider.

Telephone subscribers of Hellenic Telecommunications Organization (“OTE”) reported their complaints to the Authority, and they accused OTE of receiving unrequested calls from other companies about the advertisement of products and services even though they are registered in the OTE’s do-not-call register.

After these complaints, the Hellenic DPA started an investigation and it showed that OTE deleted these subscribers’ names from the do-not-call register because they filed a portability request for transfer to another telephone service provider. On the other hand, there wasn’t any useful procedure to acknowledge the subscribers who canceled their portability requests and register them again to the do-not-call register. This situation caused by an error in two systems of OTE; international system of the providers' customer service which includes subscribers’ names and do-not-call register which includes these subscribers' phone numbers did not have the same content.

Based on these findings, the Authority decided, OTE failed to satisfy the right to object when keeping personal data of subscribers and  principles of data protection. (GDPR Article 25 and Article 5) Therefore, it imposed an administrative fine of  €200.000 on OTE.

Additionally, the Authority also received complaints from recipients of advertising messages. They accused the OTE about the incapability to unsubscribing from the list of recipients of advertising messages. After the investigation of the complaints, it appeared that since 2013, because of a technical error, the unsubscribe link did not operate functionally and removal from the list of recipients of advertising message did not conclude successfully. Consequently, the Authority stated the lack of having appropriate organizational measures and incapability of satisfying the data subject’s right to object.

Afterward, OTE removed approximately 8.0000 people from the list of recipients of advertising messages. The Authority found an infringement of the right to object to the processing for direct marketing purposes (Article 21 (3) of the GDPR) as well as Article 25 (data protection by design) of the GDPR and fined OTE €200.000.

You can find the text of the press release here.

Should you have any queries and/or remarks, please do not hesitate to contact us. 

Kind regards,

Zumbul Attorneys-at-Law