26 Apr 2019
The Greek Data Protection Authority found that Hellenic Petroleum processed sensitive personal data without any legal basis and that no adequate and appropriate measures had been taken to prevent the data from leaking online.
On April 8, 2019 the Hellenic Data Protection Authority (HDPA) published its decision to fine Hellenic Petroleum €30,000. The fine was imposed for two main reasons. The first was that the company processed sensitive personal data without the data subjects' authorisation or any other lawful basis. The second was that these personal data appeared online, which showed that the oil company had not taken appropriate measures to prevent their publication. These violations took place under the previous national data protection law, which predates the GDPR (Law 2472/1997) and under which the maximum fine was €150,000.
More specifically, Hellenic Petroleum had commissioned the marketing company ONE TEAM to conduct a review that included personal data (e.g. full names) and sensitive personal data (e.g. political convictions or trade union memberships). This review appeared online and was accessible to anyone. However, when the HDPA raised the issue with the oil company, it claimed that the review carried out by ONE TEAM should neither have contained personal data nor have appeared online, and that the data collection and its publication online had therefore been done without the oil company's authorisation.
After investigating the case, the HDPA found that Hellenic Petroleum was the data controller, and thus responsible for the collection of the sensitive data, since the contractual agreement between the two companies provided that ONE TEAM had to collect sensitive data in order to conduct the review on behalf of the oil company. Under Article 10 §3 of National Law 2472/1997, data collection and data processing must rest on a lawful basis. In this case the data were processed unlawfully, as no authorisation had been sought. Moreover, the HDPA found that appropriate security measures to prevent the data from leaking online had not been taken.
Taking into consideration the nature and severity of these two violations, the HDPA decided to impose on the company a fine of €30,000 in total, consisting of €20,000 for the unlawful processing and €10,000 for failing to take appropriate security measures to prevent the data leak.