The Data Protection News

Wednesday, March 18, 2009

Five lawsuits against the Greek DPA



While the Greek Administrative Code clearly states that all citizens' cases must be dealt with within a deadline of 50 days, the Greek Data Protection Authority consistently fails to comply with this legal obligation.

According to an evaluation report on the effectiveness of the DPA for the year 2008, the DPA issued a decision in less than 50 days in only one case.

Today, the Data&Protection information society legal services initiated legal proceedings against the Greek DPA, lodging five lawsuits with the Administrative Court of First Instance. The lawsuits concern five cases that have been pending, almost untouched by the persons in charge, since July 2007, October 2007, June 2008, September 2008 and December 2008.

The Greek data protection legislation provides for a minimum compensation of 5,869,41 EUR for each violation. 

The Data&Protection information society legal services deals with cases on intellectual property, data protection, access to documents and freedom of expression. 


Evaluation report for the Greek DPA


The Data&Protection information society legal services published on January 209 an Effectiveness Evaluation Report on the activities of the Greek Data Protection Authority in 2008.



The paper consists of six parts on the following criteria: 

(a) respect of the deadlines,

(b) consistency of decisions,

(c) constitutionality control and direct application of European/international legislation,

(d) own-initiative inquiries,

(e) proportionality of sanctions

(f) raising awareness policy 


You may download the Report here (English) (Greek).

Conclusions of the Report:

In 2008, the Greek Data Protection Authority did not satisfy the expectations for a new institution with 10 years of experience, because:

(a) it did not react as rapidly as the legislation and the information society demand of an alternative dispute resolution mechanism,

(b) its decisions were inconsistent and did not meet the legal certainty standard,

(c) its control on constitutionality and conformity with European law was satisfactory, but should also extend to opinions and consultations on legislative proposals,

(d) its own-initiative activities were oriented to sanctions and not to a more proactive approach, 

(e) there were serious inconsistencies in its sanctions policy, 

(f) its communication policy is restricted to the publication of the Annual Report and the President's press conferences.





Tuesday, November 06, 2007

Greek DPA: Robinson’s list does not cover e-marketing activities


With its recent Decision Nr. 57/2007, the Greek DPA dealt with a direct marketing case (phone calls to individuals) concerning the lack of prior consent.

According to the general data protection law (L.2472/1997 = Dir.95/46), any person who does not wish his personal data to be processed for direct marketing purposes may subscribe to a “Robinson’s list” (the “article 13” registry). Nevertheless, according to the sectoral e-privacy law (L.3471/2006 = Dir.2002/58), e-marketing controllers or processors may not rely on the “article 13” registry alone, since, with the exception of e-mail messages, the data subject must have previously given unambiguous consent.


Therefore, the DPA decided that:

- the traditional Robinson’s list does not apply to direct marketing telephone calls,

- the company that assigns the campaign phone calls to “independent co-operators” is responsible as a “controller”, since it defines the means and purposes of the data processing, while the “co-operators” are responsible as “controllers”.

The DPA correctly warns the company to ask for prior consent but, at the same time, does not provide the interested parties with practical guidelines on implementing the legal requirements for prior consent. One solution may be a prior communication with the data subject to inquire about his wishes. Needless to say, this practice introduces a vicious circle.

Another, perhaps more traditional, way may be a statement made when data subjects contact the company for a commercial purpose. They may then fill in a form, giving or refusing their consent. The target group may thus be limited to the persons who have already contacted the company, but why not? A wider audience may get the message from the public commercial campaigns: direct marketing is a much more effective tool for the rest, the special audience that really wishes to get the direct message.

It would be better for the Greek DPA, when handling cases on issues that have not presented a remarkable rate of creativity, to consult the experts on best practices. In this case, the DPA could have asked “FEDMA”, which is an expert trade union recognized by the WP 29, for relevant material.
