Greek Oil Company Responsible for Data Leak

26 Apr 2019
The Greek Data Protection Authority found that Hellenic Petroleum processed sensitive personal data without any legal basis and had not taken adequate and appropriate measures to prevent those data from leaking online.
 
On April 8, 2019 the Hellenic Data Protection Authority (HDPA) published its decision to fine Hellenic Petroleum €30,000. The fine was imposed for two main reasons. First, the company processed sensitive personal data without the Data Subjects' consent or any other lawful basis. Second, these personal data appeared online, showing that the oil company had not taken appropriate measures to prevent their publication. The violations took place under the national data protection law that preceded the GDPR (Law 2472/1997), under which the maximum fine was €150,000.

More specifically, Hellenic Petroleum had commissioned the marketing company ONE TEAM to conduct a review that included personal data (e.g. full names) and sensitive personal data (e.g. political convictions or trade union membership). This review appeared online and was accessible to anyone. When the HDPA raised the issue with the oil company, it claimed that the review undertaken by ONE TEAM should neither have contained personal data nor have appeared online, and that the data collection and its online publication had therefore been done without the oil company's authorisation.

After investigating the case, the HDPA found that Hellenic Petroleum was the Data Controller, and thus responsible for the collection of the sensitive data, because the contractual agreement between the two companies required ONE TEAM to collect sensitive data in order to conduct the review on the oil company's behalf. The collection and processing of personal data must rest on a lawful basis; here the data were processed unlawfully, since no consent had been sought. Moreover, the HDPA found that the appropriate security measures required of the controller under Article 10 §3 of Law 2472/1997 to prevent the data from leaking online had not been taken.

Taking into account the nature and severity of these two violations, the HDPA decided to impose on the company a fine of €30,000 in total, consisting of €20,000 for the unlawful processing and €10,000 for failing to take appropriate security measures to prevent the data leak.