Greek Oil Company Responsible for Data Leak

26 Apr 2019
The Greek Data Protection Authority ascertained that Hellenic Petroleum processed sensitive information without any legal basis and that no adequate and appropriate measures were taken to prevent the data leak online.
 
On April 8, 2019 the Hellenic Data Protection Authority (HDPA) published its decision to fine Hellenic Petroleum €30,000. The fine was imposed for two main reasons. First, the company processed sensitive personal data without the data subjects' authorisation or any other lawful basis. Second, these personal data appeared online, and thus the oil company had not taken the appropriate measures to prevent their publication. These violations took place under the previous national data protection law that predated the GDPR (Law 2472/1997), under which the maximum fine was €150,000.

More specifically, Hellenic Petroleum had commissioned the marketing company ONE TEAM to conduct a review that included personal data (e.g. full names) and sensitive personal data (e.g. political convictions or trade union memberships). This review appeared online and was accessible to anyone. However, when the HDPA raised the issue with the oil company, the company claimed that the review undertaken by ONE TEAM should not have contained personal data and should not have appeared online. On that account, the data collection and its publication online were done without the oil company's authorisation.

After investigating the case, the HDPA found that Hellenic Petroleum was the data controller and thus responsible for the sensitive data collection, since the contractual agreement between the two companies provided that ONE TEAM had to collect sensitive data in order to conduct the review on behalf of the oil company. Under Article 10 §3 of national Law 2472/1997, data collection and data processing must rest on a lawful basis. In this case, the data were processed illegally because no authorisation had been sought. Moreover, the HDPA ascertained that appropriate security measures to prevent the data leak online had not been taken.

After taking into consideration the nature and severity of these two violations, the HDPA decided to impose on the company a fine of €30,000 in total, consisting of €20,000 for the illegal processing and €10,000 for failing to take appropriate security measures to prevent the data leak.