metadata
language:
- en
license: apache-2.0
tags:
- sentence-transformers
- sentence-similarity
- feature-extraction
- generated_from_trainer
- dataset_size:1580
- loss:MatryoshkaLoss
- loss:MultipleNegativesRankingLoss
base_model: intfloat/multilingual-e5-large
widget:
- source_sentence: >-
What is the Data Protection Officer's responsibility with respect to the
data protection impact assessment?
sentences:
- >-
This Regulation is without prejudice to the application of Directive
2000/31/EC of the European Parliament and of the Council (2), in
particular of the liability rules of intermediary service providers in
Articles 12 to 15 of that Directive. That Directive seeks to contribute
to the proper functioning of the internal market by ensuring the free
movement of information society services between Member States.
- >-
Court (Civil/Criminal): Criminal
Provisions: Article 42 paragraphs 1, 2, 3, and 7 of Law 4557/2018
Time of commission of the act:
Outcome (not guilty, guilty):
Reasoning: Obligation of the payment service provider, such as banks, to
inform their contracting customer after receiving a relevant order for a
payment to be made on their behalf. Content of the above notification at
the stage of receiving the payment order and during its execution. Terms
of liability for the provider regarding compensation for non-execution,
erroneous, or delayed execution of payment transactions. In particular,
in the case of an unauthorized or erroneous payment, the user is
required to notify the provider within a specified timeframe as soon as
they become aware of the corresponding transaction. The provisions of
Law 4357/2018 establish mandatory legal regulations in favor of users of
payment services and cannot be contractually modified to their
detriment, but only to their benefit. Defenses available to payment
service providers to relieve them of liability. Burden of proof
distribution between the parties. This responsibility of banks may also
stem from Law 2251/1994, as they provide services to the public and are
considered suppliers. Conditions for supplier liability under the
aforementioned legislation. Distribution of the burden of proof between
the litigants to demonstrate liability for compensation under Law
2251/1994. Terms of concurrency between contractual and tort liability
for compensation. The court partially accepts the lawsuit.
Facts: On 01/09/2021, an unknown perpetrator sent an email to her from
the electronic address “...............”, in which they stated that for
security reasons she needed to confirm her account with the bank .......
Not realizing that it was a scam, she followed the attached hyperlink,
entered her personal information, resulting in an unknown perpetrator
intercepting her online banking credentials and making a transfer
totaling 7,000.00 euros to account number ................ of the bank
.........
C) The beneficiary of the aforementioned account is ......... born on
16/05/1995 in the Municipality of ........., residing at ..............,
with ID number .................... issued on 02/10/2009 by T.A
.............. and tax number ............. from the tax office
...................
D) The criminal proceeds reportedly arising from the above criminal
activity amount to a total of seven thousand euros (7,000.00€).
Following the above, serious suspicions arise that the aforementioned
criminal proceeds transferred to the aforementioned bank account were
unlawfully appropriated by her and subsequently mixed with other legally
held assets, which she used in her overall economic activities, aiming
to launder them, thus concealing their true origin and making it
impossible for them to be seized. Therefore, there are reasonable
suspicions that the aforementioned individual committed not only the
primary offense but also the criminal act of “Money Laundering” (Article
2 §1 a, d of Law 4557/2018, in conjunction with Article 4 subparagraph z
of the same law as it stands, as well as Article 39 paragraph 1
subparagraphs a & c of the same Law 4557/2018). Because there are
serious suspicions that the bank account numbered .......... maintained
at the bank ....................., whose beneficiary is ..... (Tax ID
....................), contains part of the monetary amount from the
aforementioned criminal activity that was placed behind banking secrecy
to conceal its true origin and ultimately to launder it. Because, in
this case, part of the criminal proceeds has been found while the
remainder has not been found in its entirety, there is a lawful reason
and an urgent case for prohibiting the sale or any other transfer of the
following assets, given that they are subject to seizure and forfeiture
according to Articles 40 and 42 of Law 4557/2018 as they currently
stand.
- >-
1.The data protection officer shall have at least the following tasks:
(a) to inform and advise the controller or the processor and the
employees who carry out processing of their obligations pursuant to this
Regulation and to other Union or Member State data protection
provisions; (b) to monitor compliance with this Regulation, with other
Union or Member State data protection provisions and with the policies
of the controller or processor in relation to the protection of personal
data, including the assignment of responsibilities, awareness-raising
and training of staff involved in processing operations, and the related
audits; (c) to provide advice where requested as regards the data
protection impact assessment and monitor its performance pursuant to
Article 35; (d) to cooperate with the supervisory authority; (e) to
act as the contact point for the supervisory authority on issues
relating to processing, including the prior consultation referred to in
Article 36, and to consult, where appropriate, with regard to any other
matter.
2.The data protection officer shall in the performance of his or her
tasks have due regard to the risk associated with processing operations,
taking into account the nature, scope, context and purposes of
processing. Section 5 Codes of conduct and certification
- source_sentence: What type of cases fall under the jurisdiction of the Court of Appeal?
sentences:
- >
Failure to notify the Authority of file establishment or permit changes
is punished by up to three years’ imprisonment and a fine of one to five
million Drachmas.
Maintaining a file without a permit or violating permit terms is
punished by at least one year’s imprisonment and a fine of one to five
million Drachmas.
Unauthorized file interconnection or without permit is punished by up to
three years’ imprisonment and a fine of one to five million Drachmas.
Unlawful interference with personal data is punished by imprisonment and
a fine; for sensitive data, at least one year’s imprisonment and a fine
of one to ten million Drachmas.
Controllers who fail to comply with Authority decisions or violate data
transfer rules face at least two years’ imprisonment and a fine of one
to five million Drachmas.
If acts were committed for unlawful benefit or to cause harm, punishment
is up to ten years’ imprisonment and a fine of two to ten million
Drachmas.
If acts jeopardize democratic governance or national security,
punishment is confinement in a penitentiary and a fine of five to ten
million Drachmas.
Acts committed due to negligence result in at least three months’
imprisonment and a fine.
If the Controller is not a natural person, the responsible party is the
representative or head of the organization with administrative or
managerial duties.
Authorized members of the Authority may carry out preliminary
investigations even without Prosecutor’s order for certain offenses.
The Authority's President must notify the Public Prosecutor of any
offenses under investigation, forwarding all relevant evidence.
Preliminary investigations must conclude within two months of charges,
and trial must begin within three months of completion.
Continuation of proceedings is allowed only once and for extremely
important reasons, with adjournment not exceeding two months.
Felonies under this law fall under the jurisdiction of the Court of
Appeal.
- >-
1.The Board shall act independently when performing its tasks or
exercising its powers pursuant to Articles 70 and 71
2.Without prejudice to requests by the Commission referred to in point
(b) of Article 70(1) and in Article 70(2), the Board shall, in the
performance of its tasks or the exercise of its powers, neither seek nor
take instructions from anybody.
- >-
An attacker intercepts communication between a victim and a trusted
entity, often using email spoofing. The goal is to eavesdrop or modify
communication to trick the user into disclosing sensitive data.
Scenario:
- A spoofed email (e.g., [email protected]) is used to redirect
users to fraudulent websites or request unauthorized payments.
- source_sentence: What will the Board do if the draft code complies with the Regulation?
sentences:
- >-
**Court (Civil/Criminal): Civil**
**Provisions:**
**Time of commission of the act:**
**Outcome (not guilty, guilty):**
**Reasoning:** Partially accepts the lawsuit.
**Facts:** The plaintiff, who works as a lawyer, maintains a savings
account with the defendant banking corporation under account number
GR.............. Pursuant to a contract dated June 11, 2010, established
in Thessaloniki between the defendant and the plaintiff, the plaintiff
was granted access to the electronic banking system (e-banking) to
conduct banking transactions remotely. On October 10, 2020, the
plaintiff fell victim to electronic fraud through the "phishing" method,
whereby an unknown perpetrator managed to extract and transfer €3,000.00
from the plaintiff’s account to another account of the same bank.
Specifically, on that day at 6:51 a.m., the plaintiff received an email
from the sender ".........", with the address ..........., informing him
that his debit card had been suspended and that online payments and cash
withdrawals could not be made until the issue was resolved. The email
urged him to confirm his details within the next 72 hours by following a
link titled "card activation."
The plaintiff read the above email on his mobile phone around 8:00 a.m.,
and believing it came from the defendant, he followed the instructions
and accessed a website that was identical (a clone) to that of the
defendant. On this page, he was asked to enter his login credentials to
connect to the service, which he did, and he was subsequently asked to
input his debit card details for the alleged activation, which he also
provided. Then, to complete the process, a number was sent to his mobile
phone at 8:07 a.m. from the sender ........, which he entered, and two
minutes later he received a message from the same sender in English
stating that the quick access code had been activated on his mobile. A
few minutes later, at 8:18 a.m., he received an email from the defendant
informing him of the transfer of €3,000.00 from his account to account
number GR ........... held at the same bank, with the beneficiary's
details being .......... As soon as the plaintiff read this, he
immediately called the defendant's call center and canceled his debit
card, the access codes for the service ......., and locked the
application .......... At the same time, he verbally submitted a request
to dispute and cancel the contested transaction, and in a subsequent
phone call, he also canceled his credit card. On the same day, he also
sent an email to the defendant informing them in writing of the above
and requesting the cancellation of the transaction and the return of the
amount of €3,000.00 to his account, as this transfer was not made by him
but by an unknown perpetrator through electronic fraud and was not
approved by him. It should also be noted that the plaintiff, as the sole
beneficiary according to the aforementioned contract for using the
defendant's Internet Banking service, never received any update via SMS
or the VIBER application from the bank regarding the transaction details
before its completion, nor did he receive a one-time code (OTP) to
approve the contested transaction. He subsequently filed a complaint
against unknown persons at the Cyber Crime Division for the crime of
fraud. The defendant sent an email to the plaintiff on October 16, 2020,
informing him that his request had been forwarded to the appropriate
department of the bank for investigation, stating that the bank would
never send him an email or SMS asking him to enter his personal data and
that as of October 7, 2020, there was a notice posted for its customers
regarding malicious attempts to steal personal data in the "Our News"
section on ....... A month after the disputed incident, on November 10,
2020, an amount of €2,296.82 was transferred to the plaintiff's account
from the account to which the fraudulent credit had been made. The
plaintiff immediately sent an email to the defendant asking to be
informed whether this transfer was a return of part of the amount that
had been illegally withdrawn from his account and requested the return
of the remaining amount of €703.18. In its response dated January 13,
2021, the defendant confirmed that the aforementioned amount indeed came
from the account to which the fraudulent credit had been made, following
a freeze of that account initiated by the defendant during the
investigation of the incident, but refused to return the remaining
amount, claiming it bore no responsibility for the leak of the personal
codes to third parties, according to the terms of the service contract
established between them.
From the entirety of the evidence presented to the court, there is no
indication of the authenticity of the contested transaction, as the
plaintiff did not give his consent for the execution of the transfer of
the amount of €3,000.00, especially in light of the provision in Article
72 paragraph 2 of Law 4537/2018 stating that the mere use of the
Internet Banking service by the plaintiff does not necessarily
constitute sufficient evidence that the payer approved the payment
action. Specifically, it was proven that the contested transaction was
not carried out following a strong identification of the plaintiff – the
sole beneficiary of the account – and his approval, as the latter may
have entered his personal codes on the counterfeit website; however, he
was never informed, before the completion of the contested transaction,
of the amount that would be transferred from his account to a
third-party account, nor did he receive on his mobile phone, either via
SMS or through the VIBER application or any other means, the one-time
code - extra PIN for its completion, which he was required to enter to
approve the contested transaction (payment action) and thus complete his
identification, a fact that was not countered by any evidence from the
defendant. Furthermore, it is noted that the defendant's claims that it
bears no responsibility under the terms of the banking services
contract, whereby it is not liable for any damage to its customer in
cases of unauthorized use of their personal access codes to the Internet
Banking service, are to be rejected as fundamentally unfounded. This is
because the aforementioned contractual terms are invalid according to
the provision of Article 103 of Law 4537/2018, as they contradict the
provisions of Articles 71, 73, and 92 of the same Law, which provide for
the provider's universal liability and its exemption only for unusual
and unforeseen circumstances that are beyond the control of the party
invoking them and whose consequences could not have been avoided despite
all efforts to the contrary; these provisions establish mandatory law in
favor of users, as according to Article 103 of Law 4537/2018, payment
service providers are prohibited from deviating from the provisions to
the detriment of payment service users, unless the possibility of
deviation is explicitly provided and they can decide to offer only more
favorable terms to payment service users; the aforementioned contractual
terms do not constitute more favorable terms but rather disadvantageous
terms for the payment service user. In this case, however, the defendant
did not prove the authenticity of the transaction and its approval by
the plaintiff and did not invoke, nor did any unusual and unforeseen
circumstances beyond its control, the consequences of which could not
have been avoided despite all efforts to the contrary, come to light.
Therefore, the contested transaction transferring the amount of
€3,000.00 is considered, in the absence of demonstrable consent from the
plaintiff, unapproved according to the provisions of Article 64 of Law
4537/2018, and the defendant's contrary claims are rejected, especially
since the plaintiff proceeded, according to Article 71 paragraph 1 of
Law 4537/2018, without undue delay to notify the defendant regarding the
contested unapproved payment action. Consequently, the defendant is
liable for compensating the plaintiff for the positive damage he
suffered under Article 73 of Law 4537/2018 and is obliged to pay him the
requested amount of €703.18, while the plaintiff’s fault in the
occurrence of this damage cannot be established, as he entered his
personal details in an online environment that was a faithful imitation
of that of the defendant, as evidenced by the comparison of the
screenshots of the fake website and the real website provided by the
plaintiff, a fact that he could not have known while being fully
convinced that he was transacting with the defendant. Furthermore, the
defendant’s liability to compensate the plaintiff is based on the
provision of Article 8 of Law 2251/1994, which applies in this case, as
the plaintiff's damage resulted from inadequate fulfillment of its
obligations in the context of providing its services, but also on the
provision of Article 914 of the Civil Code in the sense of omission on
its part of unlawfully and culpably imposed actions. In this case, given
that during the relevant period there had been a multitude of similar
incidents of fraud against the defendant's customers, the latter, as a
service provider to the consumer public and bearing transactional
obligations of care and security towards them, displayed gross
negligence regarding the security provided for electronic transaction
services, which was compromised by the fraudulent theft of funds, as it
did not comply with all required high-security measures for executing
the contested transaction, failing to implement the strict customer
identification verification process and to check the authenticity of the
account to which the funds were sent, thus not assuming the suspicious
nature of the transaction, did not adopt comprehensive and improved
protective measures to fully protect its customers against malicious
attacks and online fraud and to prevent the infiltration of unauthorized
third parties, nor did it fulfill its obligations to inform, accurately
inform, and warn its consumers - customers, as it failed to adequately
inform them of attempts to steal their personal data through the sending
of informative emails or SMS, while merely posting in a section rather
than on a central banner (as it later did) does not constitute adequate
information such that it meets the requirement of protecting its
customers and the increased safeguarding of their interests. Although
the plaintiff acted promptly and informed the defendant on the same day
about the contested incident, the defendant did not act as promptly
regarding the investigation of the incident and the freezing of the
account that held the fraudulent credit to prevent the plaintiff's loss,
but only returned part of the funds to the plaintiff a month later. This
behavior, beyond being culpable due to gross negligence, was also
unlawful, as it would have been illegal even without the contractual
relationship, as contrary to the provisions of Law 4537/2018 and Law
2251/1994, regarding the lack of security of the services that the
consumer is legitimately entitled to expect, as well as the building of
trust that is essential in banking transactions, elements that it was
obligated to provide within the sphere of the services offered, and
contrary to the principles of good faith and commercial ethics, as
crystallized in the provision of Article 288 of the Civil Code, as well
as the general duty imposed by Article 914 of the Civil Code not to
cause harm to another culpably. This resulted not only in positive
damage to the plaintiff but also in causing him moral harm consisting of
his mental distress and the disruption, agitation, and sorrow he
experienced, for which he must be awarded financial compensation. Taking
into account all the general circumstances of the case, the extent of
the plaintiff's damage, the severity of the defendant's fault, the
mental distress suffered by the plaintiff, the insecurity he felt
regarding his deposits, the sorrow he experienced, and the stress caused
by his financial loss, which occurred during the pandemic period when
his earnings from his professional activity had significantly decreased,
as well as the financial and social situation of the parties, it is the
court's opinion that he should be granted, as financial compensation for
his moral harm, an amount of €250.00, which is deemed reasonable and
fair. Therefore, the total monetary amount that the plaintiff is
entitled to for his positive damage and financial compensation for the
moral harm suffered amounts to a total of (€703.18 + €250.00) = €953.18.
- >-
1.Where Article 3(2) applies, the controller or the processor shall
designate in writing a representative in the Union.
2.The obligation laid down in paragraph 1 of this Article shall not
apply to: (a) processing which is occasional, does not include, on a
large scale, processing of special categories of data as referred to in
Article 9(1) or processing of personal data relating to criminal
convictions and offences referred to in Article 10, and is unlikely to
result in a risk to the rights and freedoms of natural persons, taking
into account the nature, context, scope and purposes of the processing;
or (b) a public authority or body. 4.5.2016 L 119/48
3.The representative shall be established in one of the Member States
where the data subjects, whose personal data are processed in relation
to the offering of goods or services to them, or whose behaviour is
monitored, are.
4.The representative shall be mandated by the controller or processor to
be addressed in addition to or instead of the controller or the
processor by, in particular, supervisory authorities and data subjects,
on all issues related to processing, for the purposes of ensuring
compliance with this Regulation.
5.The designation of a representative by the controller or processor
shall be without prejudice to legal actions which could be initiated
against the controller or the processor themselves.
- >-
1.The Member States, the supervisory authorities, the Board and the
Commission shall encourage the drawing up of codes of conduct intended
to contribute to the proper application of this Regulation, taking
account of the specific features of the various processing sectors and
the specific needs of micro, small and medium-sized enterprises.
2.Associations and other bodies representing categories of controllers
or processors may prepare codes of conduct, or amend or extend such
codes, for the purpose of specifying the application of this Regulation,
such as with regard to: (a) fair and transparent processing; 4.5.2016 L
119/56 (b) the legitimate interests pursued by controllers in
specific contexts; (c) the collection of personal data; (d) the
pseudonymisation of personal data; (e) the information provided to the
public and to data subjects; (f) the exercise of the rights of data
subjects; (g) the information provided to, and the protection of,
children, and the manner in which the consent of the holders of parental
responsibility over children is to be obtained; (h) the measures and
procedures referred to in Articles 24 and 25 and the measures to ensure
security of processing referred to in Article 32; (i) the notification
of personal data breaches to supervisory authorities and the
communication of such personal data breaches to data subjects; (j) the
transfer of personal data to third countries or international
organisations; or (k) out-of-court proceedings and other dispute
resolution procedures for resolving disputes between controllers and
data subjects with regard to processing, without prejudice to the rights
of data subjects pursuant to Articles 77 and 79
3.In addition to adherence by controllers or processors subject to this
Regulation, codes of conduct approved pursuant to paragraph 5 of this
Article and having general validity pursuant to paragraph 9 of this
Article may also be adhered to by controllers or processors that are not
subject to this Regulation pursuant to Article 3 in order to provide
appropriate safeguards within the framework of personal data transfers
to third countries or international organisations under the terms
referred to in point (e) of Article 46(2). Such controllers or
processors shall make binding and enforceable commitments, via
contractual or other legally binding instruments, to apply those
appropriate safeguards including with regard to the rights of data
subjects.
4.A code of conduct referred to in paragraph 2 of this Article shall
contain mechanisms which enable the body referred to in Article 41(1) to
carry out the mandatory monitoring of compliance with its provisions by
the controllers or processors which undertake to apply it, without
prejudice to the tasks and powers of supervisory authorities competent
pursuant to Article 55 or 56
5.Associations and other bodies referred to in paragraph 2 of this
Article which intend to prepare a code of conduct or to amend or extend
an existing code shall submit the draft code, amendment or extension to
the supervisory authority which is competent pursuant to Article 55. The
supervisory authority shall provide an opinion on whether the draft
code, amendment or extension complies with this Regulation and shall
approve that draft code, amendment or extension if it finds that it
provides sufficient appropriate safeguards.
6.Where the draft code, or amendment or extension is approved in
accordance with paragraph 5, and where the code of conduct concerned
does not relate to processing activities in several Member States, the
supervisory authority shall register and publish the code.
7.Where a draft code of conduct relates to processing activities in
several Member States, the supervisory authority which is competent
pursuant to Article 55 shall, before approving the draft code, amendment
or extension, submit it in the procedure referred to in Article 63 to
the Board which shall provide an opinion on whether the draft code,
amendment or extension complies with this Regulation or, in the
situation referred to in paragraph 3 of this Article, provides
appropriate safeguards.
8.Where the opinion referred to in paragraph 7 confirms that the draft
code, amendment or extension complies with this Regulation, or, in the
situation referred to in paragraph 3, provides appropriate safeguards,
the Board shall submit its opinion to the Commission.
9.The Commission may, by way of implementing acts, decide that the
approved code of conduct, amendment or extension submitted to it
pursuant to paragraph 8 of this Article have general validity within the
Union. Those implementing acts shall be adopted in accordance with the
examination procedure set out in Article 93(2)
10.The Commission shall ensure appropriate publicity for the approved
codes which have been decided as having general validity in accordance
with paragraph
11.The Board shall collate all approved codes of conduct, amendments and
extensions in a register and shall make them publicly available by way
of appropriate means.
- source_sentence: >-
What does Union or Member State law determine and specify for further
processing in certain cases?
sentences:
- >-
Any processing of personal data should be lawful and fair. It should be
transparent to natural persons that personal data concerning them are
collected, used, consulted or otherwise processed and to what extent the
personal data are or will be processed. The principle of transparency
requires that any information and communication relating to the
processing of those personal data be easily accessible and easy to
understand, and that clear and plain language be used. That principle
concerns, in particular, information to the data subjects on the
identity of the controller and the purposes of the processing and
further information to ensure fair and transparent processing in respect
of the natural persons concerned and their right to obtain confirmation
and communication of personal data concerning them which are being
processed. Natural persons should be made aware of risks, rules,
safeguards and rights in relation to the processing of personal data and
how to exercise their rights in relation to such processing. In
particular, the specific purposes for which personal data are processed
should be explicit and legitimate and determined at the time of the
collection of the personal data. The personal data should be adequate,
relevant and limited to what is necessary for the purposes for which
they are processed. This requires, in particular, ensuring that the
period for which the personal data are stored is limited to a strict
minimum. Personal data should be processed only if the purpose of the
processing could not reasonably be fulfilled by other means. In order to
ensure that the personal data are not kept longer than necessary, time
limits should be established by the controller for erasure or for a
periodic review. Every reasonable step should be taken to ensure that
personal data which are inaccurate are rectified or deleted. Personal
data should be processed in a manner that ensures appropriate security
and confidentiality of the personal data, including for preventing
unauthorised access to or use of personal data and the equipment used
for the processing.
- >-
Where a controller or a processor not established in the Union is
processing personal data of data subjects who are in the Union whose
processing activities are related to the offering of goods or services,
irrespective of whether a payment of the data subject is required, to
such data subjects in the Union, or to the monitoring of their behaviour
as far as their behaviour takes place within the Union, the controller
or the processor should designate a representative, unless the
processing is occasional, does not include processing, on a large scale,
of special categories of personal data or the processing of personal
data relating to criminal convictions and offences, and is unlikely to
result in a risk to the rights and freedoms of natural persons, taking
into account the 4.5.2016 L 119/15 Official Journal of the European
Union EN nature, context, scope and purposes of the processing or if
the controller is a public authority or body. The representative should
act on behalf of the controller or the processor and may be addressed by
any supervisory authority. The representative should be explicitly
designated by a written mandate of the controller or of the processor to
act on its behalf with regard to its obligations under this Regulation.
The designation of such a representative does not affect the
responsibility or liability of the controller or of the processor under
this Regulation. Such a representative should perform its tasks
according to the mandate received from the controller or processor,
including cooperating with the competent supervisory authorities with
regard to any action taken to ensure compliance with this Regulation.
The designated representative should be subject to enforcement
proceedings in the event of non-compliance by the controller or
processor.
- >-
The processing of personal data for purposes other than those for which
the personal data were initially collected should be allowed only where
the processing is compatible with the purposes for which the personal
data were initially collected. In such a case, no legal basis separate
from that which allowed the collection of the personal data is required.
If the processing is necessary for the performance of a task carried out
in the public interest or in the exercise of official authority vested
in the controller, Union or Member State law may determine and specify
the tasks and purposes for which the further processing should be
regarded as compatible and lawful. Further processing for archiving
purposes in the public interest, scientific or historical research
purposes or statistical purposes should be considered to be compatible
lawful processing operations. The legal basis provided by Union or
Member State law for the processing of personal data may also provide a
legal basis for further processing. In order to ascertain whether a
purpose of further processing is compatible with the purpose for which
the personal data are initially collected, the controller, after having
met all the requirements for the lawfulness of the original processing,
should take into account, inter alia: any link between those purposes
and the purposes of the intended further processing; the context in
which the personal data have been collected, in particular the
reasonable expectations of data subjects based on their relationship
with the controller as to their 4.5.2016 L 119/9 Official Journal of the
European Union EN further use; the nature of the personal data; the
consequences of the intended further processing for data subjects; and
the existence of appropriate safeguards in both the original and
intended further processing operations. Where the data subject has given
consent or the processing is based on Union or Member State law which
constitutes a necessary and proportionate measure in a democratic
society to safeguard, in particular, important objectives of general
public interest, the controller should be allowed to further process the
personal data irrespective of the compatibility of the purposes. In any
case, the application of the principles set out in this Regulation and
in particular the information of the data subject on those other
purposes and on his or her rights including the right to object, should
be ensured. Indicating possible criminal acts or threats to public
security by the controller and transmitting the relevant personal data
in individual cases or in several cases relating to the same criminal
act or threats to public security to a competent authority should be
regarded as being in the legitimate interest pursued by the controller.
However, such transmission in the legitimate interest of the controller
or further processing of personal data should be prohibited if the
processing is not compatible with a legal, professional or other binding
obligation of secrecy.
- source_sentence: >-
How long is the period that can be added due to the complexity of the
subject-matter?
sentences:
- >-
Each supervisory authority not acting as the lead supervisory authority
should be competent to handle local cases where the controller or
processor is established in more than one Member State, but the subject
matter of the specific processing concerns only processing carried out
in a single Member State and involves only data subjects in that single
Member State, for example, where the subject matter concerns the
processing of employees' personal data in the specific employment
context of a Member State. In such cases, the supervisory authority
should inform the lead supervisory authority without delay about the
matter. After being informed, the lead supervisory authority should
decide, whether it will handle the case pursuant to the provision on
cooperation between the lead supervisory authority and other supervisory
authorities concerned (‘one-stop-shop mechanism’), or whether the
supervisory authority which informed it should handle the case at local
level. When deciding whether it will handle the case, the lead
supervisory authority should take into account whether there is an
establishment of the controller or processor in the Member State of the
supervisory authority which informed it in order to ensure effective
enforcement of a decision vis-à-vis the controller or processor. Where
the lead supervisory authority decides to handle the case, the
supervisory authority which informed it should have the 4.5.2016 L
119/23 Official Journal of the European Union EN possibility to submit
a draft for a decision, of which the lead supervisory authority should
take utmost account when preparing its draft decision in that
one-stop-shop mechanism.
- >-
1.In order to ensure the correct and consistent application of this
Regulation in individual cases, the Board shall adopt a binding decision
in the following cases: (a) where, in a case referred to in Article
60(4), a supervisory authority concerned has raised a relevant and
reasoned objection to a draft decision of the lead authority or the lead
authority has rejected such an objection as being not relevant or
reasoned. The binding decision shall concern all the matters which are
the subject of the relevant and reasoned objection, in particular
whether there is an infringement of this Regulation; 4.5.2016 L 119/74
(b) where there are conflicting views on which of the supervisory
authorities concerned is competent for the main establishment; (c)
where a competent supervisory authority does not request the opinion of
the Board in the cases referred to in Article 64(1), or does not follow
the opinion of the Board issued under Article 64. In that case, any
supervisory authority concerned or the Commission may communicate the
matter to the Board.
2.The decision referred to in paragraph 1 shall be adopted within one
month from the referral of the subject-matter by a two-thirds majority
of the members of the Board. That period may be extended by a further
month on account of the complexity of the subject-matter. The decision
referred to in paragraph 1 shall be reasoned and addressed to the lead
supervisory authority and all the supervisory authorities concerned and
binding on them.
3.Where the Board has been unable to adopt a decision within the periods
referred to in paragraph 2, it shall adopt its decision within two weeks
following the expiration of the second month referred to in paragraph 2
by a simple majority of the members of the Board. Where the members of
the Board are split, the decision shall by adopted by the vote of its
Chair.
4.The supervisory authorities concerned shall not adopt a decision on
the subject matter submitted to the Board under paragraph 1 during the
periods referred to in paragraphs 2 and 3
5.The Chair of the Board shall notify, without undue delay, the decision
referred to in paragraph 1 to the supervisory authorities concerned. It
shall inform the Commission thereof. The decision shall be published on
the website of the Board without delay after the supervisory authority
has notified the final decision referred to in paragraph 6
6.The lead supervisory authority or, as the case may be, the supervisory
authority with which the complaint has been lodged shall adopt its final
decision on the basis of the decision referred to in paragraph 1 of this
Article, without undue delay and at the latest by one month after the
Board has notified its decision. The lead supervisory authority or, as
the case may be, the supervisory authority with which the complaint has
been lodged, shall inform the Board of the date when its final decision
is notified respectively to the controller or the processor and to the
data subject. The final decision of the supervisory authorities
concerned shall be adopted under the terms of Article 60(7), (8) and
(9). The final decision shall refer to the decision referred to in
paragraph 1 of this Article and shall specify that the decision referred
to in that paragraph will be published on the website of the Board in
accordance with paragraph 5 of this Article. The final decision shall
attach the decision referred to in paragraph 1 of this Article.
- >-
**Court (Civil/Criminal): Civil**
**Provisions:**
**Time of commission of the act:**
**Outcome (not guilty, guilty):**
**Reasoning:** Partially accepts the lawsuit.
**Facts:** The plaintiff, who works as a lawyer, maintains a savings
account with the defendant banking corporation under account number
GR.............. Pursuant to a contract dated June 11, 2010, established
in Thessaloniki between the defendant and the plaintiff, the plaintiff
was granted access to the electronic banking system (e-banking) to
conduct banking transactions remotely. On October 10, 2020, the
plaintiff fell victim to electronic fraud through the "phishing" method,
whereby an unknown perpetrator managed to extract and transfer €3,000.00
from the plaintiff’s account to another account of the same bank.
Specifically, on that day at 6:51 a.m., the plaintiff received an email
from the sender ".........", with the address ..........., informing him
that his debit card had been suspended and that online payments and cash
withdrawals could not be made until the issue was resolved. The email
urged him to confirm his details within the next 72 hours by following a
link titled "card activation."
The plaintiff read the above email on his mobile phone around 8:00 a.m.,
and believing it came from the defendant, he followed the instructions
and accessed a website that was identical (a clone) to that of the
defendant. On this page, he was asked to enter his login credentials to
connect to the service, which he did, and he was subsequently asked to
input his debit card details for the alleged activation, which he also
provided. Then, to complete the process, a number was sent to his mobile
phone at 8:07 a.m. from the sender ........, which he entered, and two
minutes later he received a message from the same sender in English
stating that the quick access code had been activated on his mobile. A
few minutes later, at 8:18 a.m., he received an email from the defendant
informing him of the transfer of €3,000.00 from his account to account
number GR ........... held at the same bank, with the beneficiary's
details being .......... As soon as the plaintiff read this, he
immediately called the defendant's call center and canceled his debit
card, the access codes for the service ......., and locked the
application .......... At the same time, he verbally submitted a request
to dispute and cancel the contested transaction, and in a subsequent
phone call, he also canceled his credit card. On the same day, he also
sent an email to the defendant informing them in writing of the above
and requesting the cancellation of the transaction and the return of the
amount of €3,000.00 to his account, as this transfer was not made by him
but by an unknown perpetrator through electronic fraud and was not
approved by him. It should also be noted that the plaintiff, as the sole
beneficiary according to the aforementioned contract for using the
defendant's Internet Banking service, never received any update via SMS
or the VIBER application from the bank regarding the transaction details
before its completion, nor did he receive a one-time code (OTP) to
approve the contested transaction. He subsequently filed a complaint
against unknown persons at the Cyber Crime Division for the crime of
fraud. The defendant sent an email to the plaintiff on October 16, 2020,
informing him that his request had been forwarded to the appropriate
department of the bank for investigation, stating that the bank would
never send him an email or SMS asking him to enter his personal data and
that as of October 7, 2020, there was a notice posted for its customers
regarding malicious attempts to steal personal data in the "Our News"
section on ....... A month after the disputed incident, on November 10,
2020, an amount of €2,296.82 was transferred to the plaintiff's account
from the account to which the fraudulent credit had been made. The
plaintiff immediately sent an email to the defendant asking to be
informed whether this transfer was a return of part of the amount that
had been illegally withdrawn from his account and requested the return
of the remaining amount of €703.18. In its response dated January 13,
2021, the defendant confirmed that the aforementioned amount indeed came
from the account to which the fraudulent credit had been made, following
a freeze of that account initiated by the defendant during the
investigation of the incident, but refused to return the remaining
amount, claiming it bore no responsibility for the leak of the personal
codes to third parties, according to the terms of the service contract
established between them.
From the entirety of the evidence presented to the court, there is no
indication of the authenticity of the contested transaction, as the
plaintiff did not give his consent for the execution of the transfer of
the amount of €3,000.00, especially in light of the provision in Article
72 paragraph 2 of Law 4537/2018 stating that the mere use of the
Internet Banking service by the plaintiff does not necessarily
constitute sufficient evidence that the payer approved the payment
action. Specifically, it was proven that the contested transaction was
not carried out following a strong identification of the plaintiff – the
sole beneficiary of the account – and his approval, as the latter may
have entered his personal codes on the counterfeit website; however, he
was never informed, before the completion of the contested transaction,
of the amount that would be transferred from his account to a
third-party account, nor did he receive on his mobile phone, either via
SMS or through the VIBER application or any other means, the one-time
code - extra PIN for its completion, which he was required to enter to
approve the contested transaction (payment action) and thus complete his
identification, a fact that was not countered by any evidence from the
defendant. Furthermore, it is noted that the defendant's claims that it
bears no responsibility under the terms of the banking services
contract, whereby it is not liable for any damage to its customer in
cases of unauthorized use of their personal access codes to the Internet
Banking service, are to be rejected as fundamentally unfounded. This is
because the aforementioned contractual terms are invalid according to
the provision of Article 103 of Law 4537/2018, as they contradict the
provisions of Articles 71, 73, and 92 of the same Law, which provide for
the provider's universal liability and its exemption only for unusual
and unforeseen circumstances that are beyond the control of the party
invoking them and whose consequences could not have been avoided despite
all efforts to the contrary; these provisions establish mandatory law in
favor of users, as according to Article 103 of Law 4537/2018, payment
service providers are prohibited from deviating from the provisions to
the detriment of payment service users, unless the possibility of
deviation is explicitly provided and they can decide to offer only more
favorable terms to payment service users; the aforementioned contractual
terms do not constitute more favorable terms but rather disadvantageous
terms for the payment service user. In this case, however, the defendant
did not prove the authenticity of the transaction and its approval by
the plaintiff and did not invoke, nor did any unusual and unforeseen
circumstances beyond its control, the consequences of which could not
have been avoided despite all efforts to the contrary, come to light.
Therefore, the contested transaction transferring the amount of
€3,000.00 is considered, in the absence of demonstrable consent from the
plaintiff, unapproved according to the provisions of Article 64 of Law
4537/2018, and the defendant's contrary claims are rejected, especially
since the plaintiff proceeded, according to Article 71 paragraph 1 of
Law 4537/2018, without undue delay to notify the defendant regarding the
contested unapproved payment action. Consequently, the defendant is
liable for compensating the plaintiff for the positive damage he
suffered under Article 73 of Law 4537/2018 and is obliged to pay him the
requested amount of €703.18, while the plaintiff’s fault in the
occurrence of this damage cannot be established, as he entered his
personal details in an online environment that was a faithful imitation
of that of the defendant, as evidenced by the comparison of the
screenshots of the fake website and the real website provided by the
plaintiff, a fact that he could not have known while being fully
convinced that he was transacting with the defendant. Furthermore, the
defendant’s liability to compensate the plaintiff is based on the
provision of Article 8 of Law 2251/1994, which applies in this case, as
the plaintiff's damage resulted from inadequate fulfillment of its
obligations in the context of providing its services, but also on the
provision of Article 914 of the Civil Code in the sense of omission on
its part of unlawfully and culpably imposed actions. In this case, given
that during the relevant period there had been a multitude of similar
incidents of fraud against the defendant's customers, the latter, as a
service provider to the consumer public and bearing transactional
obligations of care and security towards them, displayed gross
negligence regarding the security provided for electronic transaction
services, which was compromised by the fraudulent theft of funds, as it
did not comply with all required high-security measures for executing
the contested transaction, failing to implement the strict customer
identification verification process and to check the authenticity of the
account to which the funds were sent, thus not assuming the suspicious
nature of the transaction, did not adopt comprehensive and improved
protective measures to fully protect its customers against malicious
attacks and online fraud and to prevent the infiltration of unauthorized
third parties, nor did it fulfill its obligations to inform, accurately
inform, and warn its consumers - customers, as it failed to adequately
inform them of attempts to steal their personal data through the sending
of informative emails or SMS, while merely posting in a section rather
than on a central banner (as it later did) does not constitute adequate
information such that it meets the requirement of protecting its
customers and the increased safeguarding of their interests. Although
the plaintiff acted promptly and informed the defendant on the same day
about the contested incident, the defendant did not act as promptly
regarding the investigation of the incident and the freezing of the
account that held the fraudulent credit to prevent the plaintiff's loss,
but only returned part of the funds to the plaintiff a month later. This
behavior, beyond being culpable due to gross negligence, was also
unlawful, as it would have been illegal even without the contractual
relationship, as contrary to the provisions of Law 4537/2018 and Law
2251/1994, regarding the lack of security of the services that the
consumer is legitimately entitled to expect, as well as the building of
trust that is essential in banking transactions, elements that it was
obligated to provide within the sphere of the services offered, and
contrary to the principles of good faith and commercial ethics, as
crystallized in the provision of Article 288 of the Civil Code, as well
as the general duty imposed by Article 914 of the Civil Code not to
cause harm to another culpably. This resulted not only in positive
damage to the plaintiff but also in causing him moral harm consisting of
his mental distress and the disruption, agitation, and sorrow he
experienced, for which he must be awarded financial compensation. Taking
into account all the general circumstances of the case, the extent of
the plaintiff's damage, the severity of the defendant's fault, the
mental distress suffered by the plaintiff, the insecurity he felt
regarding his deposits, the sorrow he experienced, and the stress caused
by his financial loss, which occurred during the pandemic period when
his earnings from his professional activity had significantly decreased,
as well as the financial and social situation of the parties, it is the
court's opinion that he should be granted, as financial compensation for
his moral harm, an amount of €250.00, which is deemed reasonable and
fair. Therefore, the total monetary amount that the plaintiff is
entitled to for his positive damage and financial compensation for the
moral harm suffered amounts to a total of (€703.18 + €250.00) = €953.18.
pipeline_tag: sentence-similarity
library_name: sentence-transformers
metrics:
- cosine_accuracy@1
- cosine_accuracy@3
- cosine_accuracy@5
- cosine_accuracy@10
- cosine_precision@1
- cosine_precision@3
- cosine_precision@5
- cosine_precision@10
- cosine_recall@1
- cosine_recall@3
- cosine_recall@5
- cosine_recall@10
- cosine_ndcg@10
- cosine_mrr@10
- cosine_map@100
model-index:
- name: ModernBERT Embed base Legal Matryoshka
results:
- task:
type: information-retrieval
name: Information Retrieval
dataset:
name: dim 1024
type: dim_1024
metrics:
- type: cosine_accuracy@1
value: 0.4797979797979798
name: Cosine Accuracy@1
- type: cosine_accuracy@3
value: 0.51010101010101
name: Cosine Accuracy@3
- type: cosine_accuracy@5
value: 0.5429292929292929
name: Cosine Accuracy@5
- type: cosine_accuracy@10
value: 0.5833333333333334
name: Cosine Accuracy@10
- type: cosine_precision@1
value: 0.4797979797979798
name: Cosine Precision@1
- type: cosine_precision@3
value: 0.4629629629629629
name: Cosine Precision@3
- type: cosine_precision@5
value: 0.43434343434343436
name: Cosine Precision@5
- type: cosine_precision@10
value: 0.38333333333333336
name: Cosine Precision@10
- type: cosine_recall@1
value: 0.09271934379235842
name: Cosine Recall@1
- type: cosine_recall@3
value: 0.22890301595826673
name: Cosine Recall@3
- type: cosine_recall@5
value: 0.30770266682067887
name: Cosine Recall@5
- type: cosine_recall@10
value: 0.42662183717190455
name: Cosine Recall@10
- type: cosine_ndcg@10
value: 0.529259904757641
name: Cosine Ndcg@10
- type: cosine_mrr@10
value: 0.5031174843674843
name: Cosine Mrr@10
- type: cosine_map@100
value: 0.5844516299609221
name: Cosine Map@100
- task:
type: information-retrieval
name: Information Retrieval
dataset:
name: dim 768
type: dim_768
metrics:
- type: cosine_accuracy@1
value: 0.48484848484848486
name: Cosine Accuracy@1
- type: cosine_accuracy@3
value: 0.51010101010101
name: Cosine Accuracy@3
- type: cosine_accuracy@5
value: 0.5404040404040404
name: Cosine Accuracy@5
- type: cosine_accuracy@10
value: 0.5883838383838383
name: Cosine Accuracy@10
- type: cosine_precision@1
value: 0.48484848484848486
name: Cosine Precision@1
- type: cosine_precision@3
value: 0.4663299663299663
name: Cosine Precision@3
- type: cosine_precision@5
value: 0.4348484848484848
name: Cosine Precision@5
- type: cosine_precision@10
value: 0.3843434343434343
name: Cosine Precision@10
- type: cosine_recall@1
value: 0.09341409451649786
name: Cosine Recall@1
- type: cosine_recall@3
value: 0.23140373783594786
name: Cosine Recall@3
- type: cosine_recall@5
value: 0.3102853774167123
name: Cosine Recall@5
- type: cosine_recall@10
value: 0.4291149067692061
name: Cosine Recall@10
- type: cosine_ndcg@10
value: 0.5319032784063994
name: Cosine Ndcg@10
- type: cosine_mrr@10
value: 0.5069965528298861
name: Cosine Mrr@10
- type: cosine_map@100
value: 0.5864306183343692
name: Cosine Map@100
- task:
type: information-retrieval
name: Information Retrieval
dataset:
name: dim 512
type: dim_512
metrics:
- type: cosine_accuracy@1
value: 0.48737373737373735
name: Cosine Accuracy@1
- type: cosine_accuracy@3
value: 0.5126262626262627
name: Cosine Accuracy@3
- type: cosine_accuracy@5
value: 0.5353535353535354
name: Cosine Accuracy@5
- type: cosine_accuracy@10
value: 0.5757575757575758
name: Cosine Accuracy@10
- type: cosine_precision@1
value: 0.48737373737373735
name: Cosine Precision@1
- type: cosine_precision@3
value: 0.46801346801346805
name: Cosine Precision@3
- type: cosine_precision@5
value: 0.43383838383838386
name: Cosine Precision@5
- type: cosine_precision@10
value: 0.37676767676767675
name: Cosine Precision@10
- type: cosine_recall@1
value: 0.09438996523668676
name: Cosine Recall@1
- type: cosine_recall@3
value: 0.23367899309415768
name: Cosine Recall@3
- type: cosine_recall@5
value: 0.3122762821348897
name: Cosine Recall@5
- type: cosine_recall@10
value: 0.42416411438420315
name: Cosine Recall@10
- type: cosine_ndcg@10
value: 0.5282814575705473
name: Cosine Ndcg@10
- type: cosine_mrr@10
value: 0.5069694965528299
name: Cosine Mrr@10
- type: cosine_map@100
value: 0.5821878424069403
name: Cosine Map@100
- task:
type: information-retrieval
name: Information Retrieval
dataset:
name: dim 256
type: dim_256
metrics:
- type: cosine_accuracy@1
value: 0.4797979797979798
name: Cosine Accuracy@1
- type: cosine_accuracy@3
value: 0.5075757575757576
name: Cosine Accuracy@3
- type: cosine_accuracy@5
value: 0.5404040404040404
name: Cosine Accuracy@5
- type: cosine_accuracy@10
value: 0.5883838383838383
name: Cosine Accuracy@10
- type: cosine_precision@1
value: 0.4797979797979798
name: Cosine Precision@1
- type: cosine_precision@3
value: 0.4621212121212121
name: Cosine Precision@3
- type: cosine_precision@5
value: 0.43787878787878787
name: Cosine Precision@5
- type: cosine_precision@10
value: 0.39116161616161615
name: Cosine Precision@10
- type: cosine_recall@1
value: 0.08857199193466242
name: Cosine Recall@1
- type: cosine_recall@3
value: 0.21584461750459863
name: Cosine Recall@3
- type: cosine_recall@5
value: 0.29454518732444884
name: Cosine Recall@5
- type: cosine_recall@10
value: 0.42024722570256184
name: Cosine Recall@10
- type: cosine_ndcg@10
value: 0.5298808669679341
name: Cosine Ndcg@10
- type: cosine_mrr@10
value: 0.5031255010421677
name: Cosine Mrr@10
- type: cosine_map@100
value: 0.5755487788695127
name: Cosine Map@100
- task:
type: information-retrieval
name: Information Retrieval
dataset:
name: dim 128
type: dim_128
metrics:
- type: cosine_accuracy@1
value: 0.4797979797979798
name: Cosine Accuracy@1
- type: cosine_accuracy@3
value: 0.49747474747474746
name: Cosine Accuracy@3
- type: cosine_accuracy@5
value: 0.5328282828282829
name: Cosine Accuracy@5
- type: cosine_accuracy@10
value: 0.5732323232323232
name: Cosine Accuracy@10
- type: cosine_precision@1
value: 0.4797979797979798
name: Cosine Precision@1
- type: cosine_precision@3
value: 0.4595959595959596
name: Cosine Precision@3
- type: cosine_precision@5
value: 0.4318181818181818
name: Cosine Precision@5
- type: cosine_precision@10
value: 0.379040404040404
name: Cosine Precision@10
- type: cosine_recall@1
value: 0.09010758907534054
name: Cosine Recall@1
- type: cosine_recall@3
value: 0.21971985202181332
name: Cosine Recall@3
- type: cosine_recall@5
value: 0.2980257365606146
name: Cosine Recall@5
- type: cosine_recall@10
value: 0.4067610155477257
name: Cosine Recall@10
- type: cosine_ndcg@10
value: 0.5199447549733692
name: Cosine Ndcg@10
- type: cosine_mrr@10
value: 0.4993797097963763
name: Cosine Mrr@10
- type: cosine_map@100
value: 0.5701028277766129
name: Cosine Map@100
- task:
type: information-retrieval
name: Information Retrieval
dataset:
name: dim 64
type: dim_64
metrics:
- type: cosine_accuracy@1
value: 0.44191919191919193
name: Cosine Accuracy@1
- type: cosine_accuracy@3
value: 0.4671717171717172
name: Cosine Accuracy@3
- type: cosine_accuracy@5
value: 0.5075757575757576
name: Cosine Accuracy@5
- type: cosine_accuracy@10
value: 0.5631313131313131
name: Cosine Accuracy@10
- type: cosine_precision@1
value: 0.44191919191919193
name: Cosine Precision@1
- type: cosine_precision@3
value: 0.4250841750841751
name: Cosine Precision@3
- type: cosine_precision@5
value: 0.4005050505050505
name: Cosine Precision@5
- type: cosine_precision@10
value: 0.35883838383838385
name: Cosine Precision@10
- type: cosine_recall@1
value: 0.08339662290909679
name: Cosine Recall@1
- type: cosine_recall@3
value: 0.20785390082314062
name: Cosine Recall@3
- type: cosine_recall@5
value: 0.28372514997771076
name: Cosine Recall@5
- type: cosine_recall@10
value: 0.3958739587184769
name: Cosine Recall@10
- type: cosine_ndcg@10
value: 0.4937920439707365
name: Cosine Ndcg@10
- type: cosine_mrr@10
value: 0.4664391935225268
name: Cosine Mrr@10
- type: cosine_map@100
value: 0.5456891304539262
name: Cosine Map@100
Then you can load this model and run inference.
