HDPA Imposes EUR 20 Million Fine on AI Company
August 2022, KG Law Firm
In Decision 35/2022, the Greek data watchdog, the Hellenic Data Protection Authority (“the Authority”), imposed a EUR 20 million fine on a US-based software company for its web scraping techniques and the functioning of its automated facial recognition system.
The Authority’s investigation was instigated by a complaint concerning the AI company’s failure to respond to a data subject’s access request.
The company’s activities fell under the scope of the General Data Protection Regulation (GDPR) given the latter’s extra-territorial applicability to processing activities that are related to the rendering of services to individuals in the EU (Article 3(2) of the GDPR). The findings revealed that the company unlawfully processed the personal data it collected, including biometric data: it conducted automated decision-making although the relevant legal prerequisites were lacking, it lacked an appropriate legal basis, and it failed to provide any information to the data subjects.
The Authority concluded that the company does not comply with the principles of legality and transparency as enshrined in Articles 5(1)(a), 6, and 9 of the GDPR, as well as the obligations arising therefrom in Articles 12, 14, 15 and 27 of the GDPR.
In particular, the company’s infringements were held to be the following:
- Failure to designate a representative in the territory of the European Union pursuant to Article 27 of the GDPR.
- Failure to provide an appropriate legal basis pursuant to Articles 6 and 9 of the GDPR.
- Failure to provide the data subject with the information necessary to ensure fair and transparent processing pursuant to Articles 5(1)(a) and 14 of the GDPR.
- Failure to take action on the data subject’s request concerning the right of access pursuant to Articles 12 and 15 of the GDPR.
Therefore, the Authority imposed a ban on any further collection and processing of personal data concerning persons in the territory of Greece and ordered the erasure of such data already collected. This decision forms part of a series of decisions issued by other national Data Protection Authorities, including those in the UK, Italy, and France.