Sending a letter as a personal data processing
With the no. 9/2008 , the Personal Data Protection Authority has ruled on a complaint which was brought to its attention concerning the dissemination of simple personal data by sending a letter from an insurance company to a broad circle of clients of the insurance company, in particular, the termination of the company's cooperation relationship with the complainant-insurance consultant.
In this decision, the Authority considered that the treatment in question complied with the provisions of Law 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data, referred to in the grounds of this Decision and the implementation of which is the responsibility of the Principle. However, the most crucial issue, in our view, is that, according to the Authority, the sending of a simple letter was considered to be a processing of personal data.
More specifically, the Authority has filed a complaint - an insurance consultant's complaint that the "* *" company, based in Thessaloniki, has disclosed to a wide circle of persons personal data concerning it. In particular, this company sent a large number of its customers (approximately 3,000, allegedly by the applicant) in early 2006, who were directly related to the applicant, a letter signed by the then manager of its customers, with the which informed them that it had terminated the contract, which linked it with the applicant, because he did not pay her part of the insurance premiums corresponding to the insurance policies which had been concluded through his mediation.
Regarding the crucial question whether the sending of a letter is a processing of personal data, the Authority states in a word:
Because, from the combination of the aforementioned provisions of articles 2 and 3 par. 1 of Law 2472/1997, the mission company complained of that letter with the specific content of the abovementioned recipients, constitutes an automated processing ( "spread") of simple personal data of the applicant, which held on this company records as controller . Therefore, the Authority has the competence to examine whether or not it complies with the provisions of Law 2472/1997.
A precondition for the application of Law 2472/1997 is the processing of personal data, ie information relating to a natural person. According to the law, the processing must be done either by automated methods or by non-automated methods, but the data should or should be included in a file.
In the present case, if it is a letter sent by post rather than by e-mail, we are dealing with non-automated processing. In order to subsequently apply Law 2472/1997 to non-automated processing, the data should be included in a file as mentioned above. However, it is not clear from the decision whether the personal data comes from a file, from a structured set of personal data accessible by specific criteria.
Of course, the Authority refers to automated processing, a fact that can not be inferred from the facts, because the sending of a letter is not an automated processing, but only partially automated processing could be given, since it would appear that the data contained in the letter have been inferred from other electronic data. This does not arise, nor does it substantiate the existence of a file - whether electronic or otherwise - concerning the applicant, which was kept by the insurance company.
Therefore, the Authority's argument on which the decision is based is gaps and shortcomings.
In this decision, the Authority considered that the treatment in question complied with the provisions of Law 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data, referred to in the grounds of this Decision and the implementation of which is the responsibility of the Principle. However, the most crucial issue, in our view, is that, according to the Authority, the sending of a simple letter was considered to be a processing of personal data.
More specifically, the Authority has filed a complaint - an insurance consultant's complaint that the "* *" company, based in Thessaloniki, has disclosed to a wide circle of persons personal data concerning it. In particular, this company sent a large number of its customers (approximately 3,000, allegedly by the applicant) in early 2006, who were directly related to the applicant, a letter signed by the then manager of its customers, with the which informed them that it had terminated the contract, which linked it with the applicant, because he did not pay her part of the insurance premiums corresponding to the insurance policies which had been concluded through his mediation.
Regarding the crucial question whether the sending of a letter is a processing of personal data, the Authority states in a word:
Because, from the combination of the aforementioned provisions of articles 2 and 3 par. 1 of Law 2472/1997, the mission company complained of that letter with the specific content of the abovementioned recipients, constitutes an automated processing ( "spread") of simple personal data of the applicant, which held on this company records as controller . Therefore, the Authority has the competence to examine whether or not it complies with the provisions of Law 2472/1997.
A precondition for the application of Law 2472/1997 is the processing of personal data, ie information relating to a natural person. According to the law, the processing must be done either by automated methods or by non-automated methods, but the data should or should be included in a file.
In the present case, if it is a letter sent by post rather than by e-mail, we are dealing with non-automated processing. In order to subsequently apply Law 2472/1997 to non-automated processing, the data should be included in a file as mentioned above. However, it is not clear from the decision whether the personal data comes from a file, from a structured set of personal data accessible by specific criteria.
Of course, the Authority refers to automated processing, a fact that can not be inferred from the facts, because the sending of a letter is not an automated processing, but only partially automated processing could be given, since it would appear that the data contained in the letter have been inferred from other electronic data. This does not arise, nor does it substantiate the existence of a file - whether electronic or otherwise - concerning the applicant, which was kept by the insurance company.
Therefore, the Authority's argument on which the decision is based is gaps and shortcomings.
About Jhon Petter
No comments