
The Hellenic Data Protection Authority imposed a fine on a toll management company for its delay in responding to a right-of-access request that a car owner had submitted to the company.

In particular, the toll company operates a video surveillance system for the purpose of detecting infringements of non-payment of tolls. After the car owner was informed of the fine imposed on him, he exercised his right of access against the company in order to obtain the videos from the cameras and a copy of the incident book relating to the incident.

Initially, the company replied that the car crossing had been recorded by the toll station’s system, but that it could not provide data without an order from the public prosecutor, and then only with the permission of the Hellenic Data Protection Authority. After the intervention of the Hellenic Data Protection Authority, the company provided data, which however did not include visual material from the cameras. It should be noted that the Hellenic Data Protection Authority had already informed the company in 2017 that such requests constitute an exercise of the right of access and that it is obliged to comply with them.

Finally, the Hellenic Data Protection Authority imposed a fine for the delay in satisfying the right, taking into account, among other factors: a) the nature of the breach, which concerns a GDPR right, b) the fact that the data controller had been informed by the Hellenic Data Protection Authority of its obligations regarding the satisfaction of the right of access in the context of a review of a similar case, and c) the fact that the data subject was not in a position to assert his rights against the company while facing a potential future financial burden.

From decisions of the Hellenic Data Protection Authority such as this one, we understand that every company needs to take all the organizational, technical and legal measures required to be GDPR compliant. It is not enough for compliance to be merely “formal”; it must also be substantial, meaning that a company should have all necessary documents (such as a privacy policy, notices etc.) recorded and should incorporate its policies and procedures internally, so that it can respond in a timely manner to requests from data subjects exercising their rights under GDPR.
