The Hellenic Data Protection Authority issued a decision in which it did not impose a fine but issued a reprimand to the complainant, who sent an email to the data subject although the data subject had not given consent and, furthermore, does not have the status of a journalist, to whom the email was addressed.
The Hellenic Data Protection Authority does not focus on whether the data subject had given consent, as the sending of the email can be based on the complainant’s legitimate interest. Instead, its reasoning focuses on the point that the complainant should have taken appropriate organizational measures when sending the email, such as the use of “hidden notification” (blind carbon copy, BCC) or the sending of individual messages, if possible, as the number of recipients was very high. Given that the complainant indicated that the data subject’s email address was included in the email in question by mistake, the Authority further considered that there were no appropriate measures in place to ensure the principle of accuracy, as the complainant should have checked beforehand whether the address corresponded to a journalist.
It is therefore not enough for a data controller to legitimize the processing of the personal data in question, by obtaining consent or relying on another legal basis, in order to be considered GDPR compliant. It is equally important that all the principles laid down by the GDPR are adhered to and, in addition, that the data controller takes organizational measures consisting of both the formulation of appropriate procedures and the reflection of these in its policies and notifications, both internally and to third parties.
For the full text of the decision (in Greek) click here