
HDPA (Greece) - 1/2025

From GDPRhub
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 12(2) GDPR
Article 15 GDPR
Article 25(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 09.01.2025
Published: 08.03.2025
Fine: 200,000 EUR
Parties: National Bank of Greece
National Case Number/Name: 1/2025
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: tjk

In an ex officio procedure, the DPA investigated the National Bank of Greece's procedures for responding to access requests under Article 15 GDPR. The DPA found that responses were systematically delayed and improperly handled, and fined the controller €200,000 for violating Article 12(2) in conjunction with Article 25(1) GDPR, plus €20,000 for one individual violation of Article 15 GDPR.

English Summary

Facts

The DPA received numerous complaints against the National Bank of Greece (the controller) concerning violations of the right of access under Article 15 GDPR, either because requests were not satisfied at all or because they were satisfied only after long delays. The DPA therefore investigated, ex officio, the procedures the controller follows for handling such access requests.

In one instance the DPA found that the controller had, in litigation between it and a data subject, relied on recorded conversations that the data subject had earlier requested under Article 15 GDPR and still had not received when the procedural deadline for submissions passed, leaving the data subject in an unfavourable evidentiary position.

In the other cases, the DPA found that the controller responded only after two to seven months, in some instances only partially or only after the DPA had intervened.

The controller stated that electronic fraud cases had increased in recent years, which had led to a rapid rise in the corresponding requests. According to the controller, it made every possible effort to serve its customers and to exhaust every avenue for recovering their funds; however, the proper and complete investigation of such incidents often proves time-consuming, as it requires a thorough search of the controller's files and systems, the cooperation of all units involved, an evaluation of the actual incidents and communication with the other parties involved (e.g. the beneficiary's bank). The controller also invoked its teleworking arrangements, because of which its staff could not access the requested information in some cases.

Holding

The DPA found that the procedures followed by the controller for handling access requests were ineffective.

The DPA held that, despite known complaints and known difficulties in meeting the deadlines set by Article 12 GDPR, the controller only began to document its relevant procedures after the DPA had opened its investigation.

In the DPA's view, this showed that the controller had handled access requests in an impermissible manner, given the volume and nature of the personal data it processes, the large number of access requests it should have expected to receive, and the risks that delayed access creates for data subjects (for example, being unable to prove that a transaction was fraudulent).

The DPA emphasised that the unusually large number of access requests the controller had begun to receive was a factor it should have taken into account, under Article 25(1) GDPR, when designing and updating its procedures from the moment the increase was detected, so that the procedures responded to the new situation, including the working arrangements of its employees.

Specifically, the controller should have assessed its weaknesses at three points: first when the increase in access requests following the outbreak of electronic fraud was observed, then when customer complaints intensified, and in any event when the DPA began its ex officio audit of its procedures. The DPA found that, despite the controller's assurances, its policies were theoretical texts not applied in practice.

Given this, the DPA found a violation of Article 12(2) GDPR in conjunction with Article 25(1) GDPR. In setting the amount of the fine under Article 83 GDPR, the DPA considered:

  • the large number of affected data subjects, potentially the controller's entire customer base as well as third-party natural persons;
  • the long duration of the infringement, which covers the whole period since the GDPR entered into force;
  • that the infringement concerns the controller's main activities and that the controller had previously been sanctioned for infringements of the right of access;
  • that the controller disregarded the correct and timely satisfaction of access rights for a long period and formulated relevant policies only after the DPA's audit.

Thus, the DPA imposed an administrative fine of €200,000 for the established violation of Articles 12(2) and 25(1) GDPR.

With regard to the case in which the controller used the requested data against the data subject in court before responding to the access request, the DPA considered it necessary to impose an effective, proportionate and dissuasive administrative fine under Article 83 GDPR, given the heightened gravity of that violation. It therefore imposed a separate administrative fine of €20,000 for the violation of Article 15(1) and (3) GDPR in that instance.

Comment

Interestingly, the DPA rules in this decision on several individual complaints within the framework of a decision that follows an ex officio investigation. This raises the question of what the consequences would be if, for example, one of the complainants or the controller were to challenge the DPA's assessment of an individual case within this single decision.


English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Athens, 9-1-2025 No. Prot.: 119 DECISION 1/2025 
The Personal Data Protection Authority, upon invitation of the President, convened a meeting via videoconference on 30-07-2024, in order to examine the case referred to in the history of this case. The meeting was attended by the President of the Authority, Konstantinos Menudakos, the regular members Charalambos Anthopoulos, Spyridon Vlachopoulos, Christos Kalloniatis, Konstantinos Lambrinoudakis, the alternate member Nikolaos Faldamis in replacement of the regular member Aikaterini Iliadou, who, although legally invited in writing, did not attend due to impediment, and the regular member Grigorios Tsolias as rapporteur. Present, without the right to vote, were Haris Symeonidou, expert scientist-auditor, as assistant rapporteur and Irini Papageorgopoulou, employee of the Administrative Affairs Department of the Authority, as secretary. 
The Authority took into account the following: 
The Authority has received a significant number of complaints against the National Bank concerning the violation of the right of access of data subjects under Article 15 GDPR, due to non-satisfaction of, or a long delay in satisfying, this right. Specifically, the following complaints have been submitted to the Authority since the beginning of 2022, and their examination has raised the issues listed below:
[Footer of the original: 1-3 Kifissias Avenue, 11523 Athens, T: 210 6475 600, E: contact@dpa.gr, www.dpa.gr]
1. Complaint A (Γ/ΕΙΣ/183/11-01-2022)
Following an incident of electronic fraud, in which, on 31/08/2021, an unknown perpetrator modified the transaction profile information of the complainant's Aston electronic account (i-bank) at the National Bank and subsequently transferred an amount of € … from the complainant's bank account to third parties, the complainant submitted an application to NBG branch P on 08/09/2021, requesting, among other things, copies of his telephone conversations with the Bank's call centre recorded from 03/09/2021. In addition, on 20/09/2021, the complainant requested by e-mail a copy of his application-contract for the use of electronic banking services as well as a copy of all the activity on his i-bank account for the period from 20/08/2021 to 08/09/2021. Then, on 24/10/2021, by a new e-mail, the complainant requested that the Bank provide him with all available information regarding the recorded transactions and connections through his i-bank account, as well as copies of his telephone conversations with a representative of the Bank from 22/10/2021; in the same message he requested that his personal data as reflected in his "Financial Transaction Profile" be corrected to the information included therein before 31/08/2021.
According to the complaint, the Bank provided the complainant with a copy of his contract on 3/11/2021, only after the complainant had served it with a lawsuit on this matter. In the context of investigating the complaint, the Authority notified it to the Bank on 14/4/2022, requesting it to present its views within 15 days. In its response G/ΕΙΙΣ/7313/24-05-2022, the National Bank stated that the complainant's request for the recorded telephone conversations was ultimately satisfied on 19/4/2022, attributing the delay to the fact that "by mistake the specific request was not forwarded to the competent Department of the Bank from the outset, and on the other hand that the creation of the CD in question is a task that requires access by appropriately authorized personnel to specific infrastructures of the Bank, access that was not possible on a daily basis due to teleworking arrangements". The above access request was therefore satisfied 7 months after its submission, and only after the data subject had filed a lawsuit and submitted a complaint to the Authority. With his document G/ΕΙΣ/11379/28-10-2022, the complainant notified the Authority of decision no. … of the Single-Member Court of First Instance P, which upheld his claim of 11/10/2021 against the National Bank for compensation, including for violation of his right of access to his personal data (Article 15(3) GDPR), as complained of, and awarded him one thousand euros (€1,000) in compensation for moral damage.
Subsequently, the complainant, with his supplementary document G/ΕΙΣ/11967/22-11-2022, clarified that he insists on his complaint, because, as he states: "the bank not only did not satisfy my right of access to my conversations, but also invoked my conversations and used their content to counter the action I brought against it, referring to them in fragments, without at the same time granting me access to them, a fact from which it follows in my opinion that the violation of my right of access to my conversations was not due to workload, lack of staff and generally some negligent behaviour, but occurred in view of our litigation over the violation of my i-bank and the loss of all the money I had deposited with the bank, exploiting in an impermissible manner the advantageous position of the bank as controller of personal data, against me. The fact that decision no. ... of the Court of First Instance vindicates me at first instance is not a reason to withdraw my report; moreover, the bank has already appealed against the said court decision, which was scheduled to be heard in December 2023. It should be noted that at the time I requested access to my conversations I was in a hurry, as I had lost all the money I had deposited with the bank and I urgently needed to exercise my legal rights. In the end, I exercised my rights in the best way I could, without however having access to my conversations, and at the time the bank claims to have satisfied my right, namely on 19.04.2022, the deadline for filing even an addition to the lawsuit I had filed had already passed; therefore I had already suffered irreparable damage, while it is obvious that any attempt at recovery was made following the notification of the Personal Data Protection Authority to the Bank regarding my complaint dated 14.04.2022 with no. prot. 910".
With the same document, the complainant claims that his request dated 24/10/2021 for access to the i-bank connections and transactions and to the detailed transaction statement for August and September 2021 (request with number ...) was not satisfied.
2. Complaint B (Γ/ΕΙΣ/8265/24-06-2022)
Following an incident of fraud against the complainant B on 15/02/2022, which resulted in the unlawful withdrawal of a sum of money (totalling … euros) from her account, the complainant, as soon as she became aware of the fraud and while the transfer was in progress, repeatedly contacted the National Bank's call centre, reporting the fact and requesting that measures be taken to prevent the fraud and freeze the sums of money, while in each call she was informed that the conversation was being recorded. Subsequently, and with a view to exercising her rights, on 16/02/2022 the complainant requested a written copy of the above conversations, and she later served the Bank with the extrajudicial statement, invitation and protest of 21/03/2022, with which, among other things, she requested again to be granted "an electronic storage medium of the recorded conversations she had from her personal phone ... and her husband's phone ..., [...] with the call center and the competent services of the Bank at your contact numbers 210 4848484 and 210 7727440, on 15.02.2022 and from 13:58 p.m. to 19:20 p.m." With the National Bank's response letter dated 20/04/2022, the complainant was informed, among other things, that the said request for the recorded conversations was being processed. The Authority notified the Bank of the above complaint with the document G/ΕΣΕ/2336/22-09-2022, requesting its views on the complaints.
According to the Bank's response document G/ΕΙΣ/11135/29-10-2022, the complainant's requests for the recorded conversations were satisfied by sending a copy (CD) to branch S, which serves the complainant, by internal correspondence on 14/6/2022, and the complainant, after being informed of this, received the CD in writing on 5/7/2022 (i.e. 4.5 months after the submission of the request). The reason for the delay, according to the National Bank, is that "it was not possible to provide the copy of the conversations more quickly, on the one hand due to the large number of relevant requests received by the Bank, and on the other hand that the creation of the CD in question is a task that requires access by appropriately authorized personnel to specific infrastructures of the Bank, which access was not possible daily due to the teleworking arrangements". In her supplementary document G/EIS/12066/25-11-2022, the complainant states that she insists on her complaint and does not accept that her request has been satisfied, because, as she states, "the bank did not respect the deadlines provided by law for providing me with my recorded conversations, which caused me material and moral damage, anger and disappointment, given that [it] thus delayed the exercise of my claims for compensation for my damage due to the illegal debiting of my bank accounts with unauthorized transactions."
3. Complaint C (Γ/ΕΙΣ/10200/18-09-2022) 
Following the rejection of a request to dispute a transaction carried out with his card in February 2022, and after submitting related complaints, the complainant submitted an electronic request by e-mail on 9/7/2022 for access to information regarding the Bank's actions, including any correspondence with the business concerned by the transaction. According to the complainant's supplementary document Γ/ΕΙΣ/10409/25-09-2022, his request was satisfied on 23/09/2022, after 74 days. The Authority, with its document G/ΕΣΕ/3298/15-12-2022, requested the Bank's views on the reported incidents and in particular on the reasons why it did not respond to the complainant's request within the deadline provided for in Article 12(3) GDPR and did not inform him accordingly, in accordance with Article 12(4) GDPR. With its document G/ΕΙΣ/12869/29-12-2022, the Bank claimed that, "given the communications that had taken place with the customer and that the clarifying questions he raised with his request of 9/7/2022 concerned the same issue, the relevant case was considered a consequence of the above correspondence and the relevant request was registered as a complaint" following the request for dispute, and that, after searching and consulting him by telephone, it ultimately sent him the requested information on 23/9/2022, including its correspondence with the company. Regarding the reason for the delay, the Bank stated that the additional time it took to provide the requested information was due solely to the extensive research required, as more than 3 months had passed since the initial request to dispute the transaction.
4. Complaint D (Γ/ΕΙΣ/10409/25-09-2022) 
In the context of the investigation of an electronic fraud incident that occurred on 17/7/2020 with the complainant D as the victim, the latter submitted on 18/3/2021, as the data subject, a request dated 16/3/2021 for access to the recorded calls he had made to the Bank from 16/07/2020 until the date of the request, as well as to information on any recipients of his data. As is apparent from the e-mail messages between the complainant's attorney and the competent employee of the National Bank attached to the complaint, the above request was submitted to branch T on 18/3/2021 and forwarded to the competent services of the Bank the following day, on 19/3/2021. According to the complaint, the request was partially satisfied on 10/8/2021, namely by providing the complainant's recorded call, while he was given no information regarding the reason for the delay and was not provided with the requested detailed information regarding the recipients of his data. The Authority, with its document G/ΕΣΕ/3299/15-12-2022, communicated the complaint to the Bank, requesting its views. In its response G/ΕΙΙΣ/484/23-01-2023, the Bank stated that the request of complainant D was submitted on 7/5/2021 through Branch T, with the access request dated 16/3/2021 attached, and that the Bank responded to the request with its letter dated 10/8/2021, which is also attached to the complaint. As regards the complainant's question regarding the possible disclosure of his data by the Bank to third parties, the Bank states that it informed him "that in the context of making the disputed transfer, it processed only the data necessary for the execution of the transfer". Finally, it states that the customer was provided with a copy of his recorded conversations through his cooperating Branch, and from the attachment no. 6 document it appears that the CD was received on 9/9/2021, i.e. 5 months after the submission of the request.
According to the Bank's response, the additional time needed to provide the requested information is mainly due to the fact that "creating a copy of the recorded conversations is a task that requires access by appropriately authorized personnel to specific infrastructures of the Bank, which access was not possible on a daily basis due to the special conditions prevailing during the pandemic period".
5. Complaint E (Γ/ΕΙΣ/591/25-01-2023)
Following an incident of fraud against the complainant (phishing), the complainant submitted, through an extrajudicial statement on 16/11/2022, a request for a copy of his recorded telephone conversations with the Bank. As is apparent from the Bank's opinion document no. Γ/ΕΙΣ/4133/01-6-2023, the above request was ultimately satisfied by sending the CD to the complainant's service branch on 23/2/2023 and delivering it to the complainant on 9/3/2023. Regarding the delay in satisfying the right, the Bank states the following: "With regard specifically to the time required to provide the requested information regarding the granting of copies of the recorded conversations, we must point out that this is due to the extensive research required, as well as to the fact that creating a copy of the recorded conversations is a task that requires access by appropriately authorized personnel to specific infrastructures of the Bank, which access is not possible on a daily basis due to the teleworking arrangements in force for the Bank's staff." With his supplementary document G/ΕΙΣ/3123/28-4-2023, the complainant's attorney states that the right was satisfied late, almost two months after the complaint and almost four months from the proven submission of the request, and therefore, regardless of the satisfaction of the right, he requests that the case be examined with regard to the exceeding of the deadline provided for by the GDPR.
6. Complaint F (Γ/ΕΙΣ/603/25-01-2023) 
Following an incident of fraudulent transactions of which the complainant fell victim, and after serving two out-of-court statements on the National Bank, on 6/10/2022 and 17/10/2022 respectively, the complainant submitted on 7/11/2022, by e-mail to the address dpo@nbg.gr, a request for access under Article 15 GDPR to a series of her personal data related to the fraudulent transactions. According to the complaint, the Bank had not responded to the request, while the complainant received e-mail updates that the request was being processed (on 8/11/2022, 8/11/2022, 22/11/2022, 7/12/2022 and 8/12/2022). Following notification of the complaint to the Bank with the Authority's document G/ΕΣΕ/1057/27-04-2023, the Bank, with its document G/ΕΙΣ/4173/02-06-2023, claims in response that the complainant received the recorded conversations on 19/1/2023 (without providing any documentation of this) and that on 25/1/2023 the complainant was sent information about the movements on her account. The said letter, which the Bank attaches as "enclosure 5", states the following: "Furthermore, with this letter we inform you that regarding the copy of your recorded telephone conversations with the Bank, you will be informed by telephone from your cooperating branch Y as soon as the processing of your request is completed, in order for you to come to receive it". The Bank also states that "the customer, after some communications with the Consumer Ombudsman with content similar to the above, received on 9/5/2023 an email (attachment 6) from the Bank's Contact Center regarding the resending of a copy of her conversations, while on 30/05/2023 she also received a supplementary email from the bank (attachment 7), through which the connection details were sent to her as an attachment...".
However, as appears from the documents submitted, the complainant was first informed on 9/5/2023 via e-mail that "the conversations that were identified will be given to Branch Y" (although in its response to the Authority, the Bank refers to "resending a copy of the conversations") and on 30/5/2023 she was sent the requested login information for her internet banking account and some additional clarifications. Therefore, the complainant's right of access to her recorded conversations was satisfied in May 2023, 6 months after its submission, after the aforementioned complaint was notified to the Bank by the Authority (27/4/2023) and after the Consumer Ombudsman also intervened. 
7. Complaint Z (Γ/ΕΙΣ/746/31-01-2023) 
Following a fraudulent transaction incident of which she was the victim, the complainant Z submitted on 13/12/2022, by telephone to the National Bank, a request for copies of the recorded telephone conversations she had had with the Bank's customer service on 3/12/2022 and 7/12/2022. Subsequently, according to the complaint, the complainant resubmitted the request in writing on 20/12/2022, via the Bank's electronic platform, additionally requesting the detailed movements of her account for the period from 29/11/2022 to 12/12/2022, details of the IP address used, and a copy of the confirmation document uploaded to her account on 1/12/2022. By the time of the complaint, the Bank had not responded to the request, and to her follow-up question of 18/1/2023 via the platform the complainant received the answer that her request was under processing. As emerged from the examination of the case (see the Bank's opinion document C/ΕΙΣ/4174/2-6-2023 and the complainant's supplementary document C/ΕΙΣ/8232/20-11-2023), the Bank had sent its response on 24/1/2022 to the e-mail address of the unknown perpetrator (...), who had changed the address through the complainant's e-banking settings, a fact of which the complainant had informed the Bank by telephone on 3/12/2022. Her recorded telephone conversations were sent on 1/2/2023 to branch F and were received in writing by the complainant on 10/2/2023, i.e. 3 months after the submission of the request, while for the remaining requested information the complainant received an e-mail message, at her correct e-mail address, on 10/3/2023 (4 months after the submission of the request). The Bank claims in its document that it "kept the customer fully informed about the progress of her case and responded to each request for information concerning her".
However, the complainant states that even then the National Bank intentionally failed, as she claims, to provide her with her conversation with a representative of the card department on 3 December 2022, for which she submitted a new access request for a copy, with no. …, on 15/11/2023. With her supplementary document G/ΕΙΣ/1538/26-02-2024, the complainant claims that, after being informed that her request was under investigation, on 22/12/2023 she was told that the conversations had been located and would be sent on a CD to branch F; finally, after many delays, she received it on 25/01/2024, but this time too the CD contained only one conversation, which she had already received in February 2023 and whose content she had invoked in order to explain to the Bank that she was requesting the immediately following one, which was ultimately not provided to her. The complainant therefore claims that her request has remained unsatisfied to date, whatever the Bank may claim to the contrary. With its document G/ΕΣΕ/590/16-02-2023, the Authority communicated the above supplementary document of the complainant to the National Bank in order to obtain its views. Subsequently, the National Bank, with its supplementary document G/ΕΙΣ/1940/05-03-2024, reported the following regarding the complainant's request no. …: "The Bank searched for the specific conversation with the search criterion of all the telephones related to the client, conducting a thorough check of the incoming calls originating from both her own mobile phone and the mobile phones of her husband and lawyer, however, it was not possible to find any further communication with the client on that specific day, apart from the two conversations that had already been delivered to her.
It is noted that at the end of the 2nd call (03.12.2022) the Bank representative told Z that she was going to forward the call to the card department, however no further conversation was found in the Bank's file, which indicates that the connection attempt may not have been successful. Therefore, on 22.01.2024 a new CD was sent to Branch F, which again contained the call made on 03.12.2022 with the Bank's Contact Center. According to the attached receipt, Z received the new CD on 26.01.2024." From the above it follows that, although it did not locate the requested call, the Bank did not inform the complainant of this. Instead, it copied the conversation she had already been given onto another CD, which it delivered to her without informing her that the CD did not contain the personal data she had requested. During the same period, complaint G/ΕΙΣ/7926/11-06-2022 was also submitted by H against the National Bank for violation of the right of access; it was archived (G/ΕΣΕ/3284/14-12-2022) as devoid of purpose, because the right had been satisfied before the Authority intervened. As emerged from the examination of that complaint, the request for the recorded telephone conversations was submitted on 5/5/2022 and was satisfied on 19/7/2022 (2.5 months later), since, as the Bank argued, "the investigation of similar fraud incidents is time-consuming, as it requires a thorough investigation of the Bank's files and systems, cooperation of all areas involved, evaluation of the facts and decision-making on the possibility of compensating the customer, while a corresponding in-depth investigation was also required in the case of the complainant." It is noted, finally, that in the context of another case (Complaint G/ΕΙΣ/6381/04-10-2021), the Authority sent the Bank the document G/ΕΣΕ/306/07-02-2023, which states the following: "from the investigation of the complaint, it emerged that the complainant's right of access to her personal data, exercised on 9/2/2021 and 20/3/2021, was satisfied with a delay of several months, specifically partly in July and partly in September 2021. With your response document dated 16-12-2022 to the Authority (above, under 3), you clarified that the delay in satisfying the complainant's right is due to the fact that her request was submitted at the beginning of 2021, when the Bank was operating under a strict health protocol due to the measures against the Covid-19 pandemic, making it difficult to carry out tasks such as the extraction of voice files from the Bank's systems, which required the physical presence of its authorized personnel in special secure storage areas, while incidentally the two CDs initially provided to the complainant did not include her conversations with the Fraud Prevention Department, an omission which was discovered after she sent her out-of-court statement of 22/6/2021. We remind you of the obligation of the Data Controller, on the one hand, to ensure access to the personal data of data subjects without undue delay in the context of the exercise of the right under Article 15 GDPR, and on the other hand, to comply with its obligation under Article 12(3) GDPR, according to which "the controller shall provide the data subject with information on the action taken upon a request pursuant to Articles 15 to 22 without delay and in any event within one month of receipt of the request". From the facts and the relevant documents provided, it appears that you did not respond, as mentioned above, to the complainant within the time limit provided for in Article 12(3) GDPR.
Therefore, and taking into account the clarifications provided above, we draw your attention to the fact that you must process and satisfy the relevant requests of data subjects within the time limits provided for in Article 12(3) GDPR, ensuring that appropriate organizational and technical measures are taken and reviewing those measures where necessary". Given that the above complaint has already been examined by the Authority, it is not re-examined in the context of the present case; however, the factual incidents identified during its examination are taken into account in assessing the overall operation of the Bank with regard to the manner in which it responds to access and information requests and the technical and organizational measures it has adopted. Following the above, and given that the aforementioned complaints reveal the improper application by the National Bank of the GDPR provisions concerning the satisfaction of the right of access, the Authority sent the document G/ΕΣΕ/294/06-02-2023 to the Bank, with the aim of investigating ex officio the procedures followed by it and examining the possible need to exercise corrective powers in accordance with Article 58(2) GDPR. This document requested the Bank to clarify whether it has a written Policy or Procedure for Managing Data Subject Access Rights under the GDPR and, if so, to provide the Authority with that Policy as well as the relevant Instructions given to its staff. Furthermore, the Bank was asked to clarify a) whether, in its opinion, in the cases of the above complaints (under nos. 1-4 and in the case of complaint G/EIS/7926/11-06-2022, which was archived) this Policy and the relevant instructions to employees were complied with, and b) whether, following the complaints, it had taken any action to review the procedures or update the relevant instructions.
Since it had not received any response to the above document, the Authority sent its reminder document G/ΕΣΕ/2774/02-11-2023 to the Bank, with which it requested the above information again, this time also with regard to the newer complaints (no. 5-7) that had been submitted to the Authority in the meantime. National Bank responded to the above documents with its response under prot. no. G/ΕΙΣ/543/23-01-2024, in which it states the following and presents and invokes the following attached documents:
- Since May 2018, the Bank has adopted the Personal Data Management Policy of the Bank and the Group (Appendix 1), and it has also issued service circular series B’ 85/24.05.2018 on the subject of “Start of implementation of the new framework regarding the protection of Natural Persons with regard to the processing of personal data (General Data Protection Regulation – GDPR)”, with which it informed the staff about the implementation of the GDPR and provided guidance on the Bank’s compliance with the institutional framework (Appendix 2).
- At the same time, an internal Procedure has been drawn up by the competent Unit regarding the Management of GDPR Customer Requests (Appendix 3), which describes in detail the Bank's actions in the context of processing data subjects' requests to exercise their rights in accordance with the provisions of the GDPR. The Bank has also designed a mandatory training seminar entitled "Protection of Individuals from the Processing of Personal Data", with the aim of presenting the institutional framework, familiarizing staff with it and informing them of developments, as well as the seminar "GDPR - From Regulation to Practice", which aimed at understanding the rights of data subjects arising from the GDPR. The Bank notes that the above texts and seminars are dynamic in nature and are updated or supplemented appropriately, without specifying when the above seminars were designed or clarifying whether they have already been carried out and for what percentage of the staff.
- Regarding the management of the cases referred to in the Authority's document G/ΕΣΕ/2774/02-11-2023, the Bank first states that the relevant cases concerned customers who had fallen victim to electronic fraud, that their requests mainly concerned the contestation of fraudulent transactions and the cancellation of transfers, and that in addition the customers requested further information, such as information on the identity of the persons to whom their money ended up or a copy of their previous recorded conversations with the Bank. For this reason, these customers contacted either their cooperating Branch or the Bank's call center, and the relevant cases were forwarded for investigation to the Units that handle actions related to the dispute of transactions. Only one customer contacted the mailbox dpo@nbg.gr, and only after having previously submitted a request to dispute transactions, which had been answered, as well as two out-of-court protests.
The Bank claims that it has made every effort to respond to customers' requests in a timely manner; however, it should be taken into account that in recent years there has been a significant increase in electronic fraud incidents, which has led to an exponential increase in the relevant requests, and that the investigation of this type of case requires a lot of time, since it requires the cooperation of many Units within the Bank and usually also communication with third-party Banks in the management of transaction dispute requests. The Bank emphasizes that during the relevant investigation it often communicates with customers in order to inform them of the progress of its actions or to request additional information and clarifications, while it also notes that the provision of copies of recorded conversations requires access by appropriately authorized personnel to specific infrastructures, access that is not possible on a daily basis due to the teleworking arrangements in force for the Bank's staff.
- Finally, the Bank emphasizes that instructions have been given to the staff for the faster processing of the relevant requests, for continuous communication with customers during the investigation and for informing them in detail of the reasons why a request cannot be processed within a month where it is determined that further investigation is required. It states that the work of comprehensively recording the Bank's procedures in a standardized format is now underway, providing detailed and clear information regarding the procedures that must be applied by the individual Units of the Bank, including the "Management of GDPR Rights Exercise Requests" process, which describes in detail all the steps applied when a request to exercise GDPR rights is submitted and which the Bank presents as Appendix 4.
Following the above, the Authority, with its summons G/ΕΣΕ/762/04-03-2024, summoned National Bank to a hearing before the Plenary Session of the Authority on 19/3/2024, in order to present its views on the case. At the meeting of 19/3/2024, the Bank submitted a request for adjournment, which was accepted, and the case was adjourned to the meeting of 26/3/2024. At the meeting of 26/3/2024, the following were present on behalf of National Bank: Θ and Ι, Compliance Managers of Business Regulation and Customer Conduct; Κ, Head of Customer Conduct; Λ, Head of Compliance and Quality Assurance; Μ, Head of the Payments and Digital Services Compliance Sub-Department. In addition, Ν, Data Protection Officer (DPO) of National Bank, and Ξ, Deputy DPO, were present to provide clarifications. The representatives of the Bank developed its allegations regarding the above cases and answered the relevant questions of the Chairman and the members of the Authority. At the end of the meeting, National Bank was given a deadline and subsequently submitted the memorandum G/ΕΙΣ/3486/15-04-2024 within that deadline. Both orally during the meeting and subsequently in its memorandum, the Bank argued the following: Regarding the Authority's document prot. no. G/ΕΣΕ/294/06-02-2023, which had been sent to the address contact.center@nbg.gr, it stated that the document did not reach the Bank because the said address has not been monitored since 8/6/2022, and that the Bank's failure to respond to it is therefore not due to negligence or indifference on its part. With regard to the Policies and Procedures followed, the Bank presents as Appendix 2 the Personal Data Management Policy, which has been in force since May 2018 and was updated in May 2022. The text of the Policy refers to the principles of the GDPR and the relevant obligations of the Bank as Data Controller.
On behalf of the Bank, the role of the DPO in monitoring compliance and in identifying relevant issues is emphasized, and the allocation of relevant responsibilities per organizational unit of the Bank is analyzed. Furthermore, the Bank states that it has issued service circular B’ 85/24.05.2018 on the subject of “Start of implementation of the new framework regarding the protection of natural persons with regard to the processing of personal data (General Data Protection Regulation – GDPR)”, which it presents as Appendix 3, with which it informed its staff about the implementation of the GDPR and provided guidance on the Bank’s compliance, including instructions for the management of customer requests for the exercise of their rights arising from the GDPR and for their registration in the Bank’s systems. Furthermore, the Bank states that in December 2023 the “Management of GDPR Rights Exercise Requests” procedure was established (Appendix 4), which describes in detail the steps followed after the submission of a relevant request by a Customer: in accordance with this procedure, the relevant requests are forwarded to the Bank’s DPO Office and are processed by this Office in cooperation with the competent Units, as the case may be. Exceptionally, and for reasons of immediacy, the rights to rectification of personal data and to object to the sending of promotional material, when exercised in a Branch, are completed and responded to by the Branch itself. Regarding access requests, the Bank states that for certain requests that present common characteristics, such as the provision of detailed account statements and copies of recorded conversations, it has already provided, since the entry into force of the GDPR, guidelines to the competent Units receiving the requests for their immediate settlement and completion. Indicative responses are provided as Appendix 5-A and the act of appointment of the DPO and Deputy DPO as Appendix 5-B.
In addition, the Bank states that it has designed the mandatory training seminar "Protection of the Individual from the Processing of Personal Data", addressed to its staff, with special sections relating to issues of exercising the rights of data subjects, providing indicative screens as Appendix 6. It is noted that the update date shown on these is 13/12/2022. Regarding the individual complaints, National Bank first notes that most of the cases under examination concern customers who had fallen victim to electronic fraud and whose requests mainly concerned the contestation of fraudulent transactions and the cancellation of transfers, while in addition the customers requested further information, such as copies of their recorded conversations with the Bank. As the Bank’s representatives stated during the hearing, in recent years there has been an increase in electronic fraud cases, which has led to a rapid increase in the corresponding requests. According to the Bank, every possible effort was made to serve its customers, seeking to exhaust every margin for the recovery of their money; however, the proper and complete investigation of these incidents often proves to be time-consuming, as it requires a thorough search of the Bank's files and systems, cooperation of all involved areas, evaluation of the actual incidents and communication with the other parties involved (e.g. the beneficiary's bank). With regard to the specific cases, the Bank also noted the following (listed in order of submission of the complaints, as above):
1. A: The Bank reiterates the facts of the case, noting that the request for a copy of the complainant's telephone conversations with the Bank was submitted through his cooperating Branch on 8/9/2021 and that the relevant copy was available at his cooperating Branch on 19/4/2022, a fact of which the customer was informed by telephone and subsequently in writing by the Bank's letter dated 3/6/2022. It also states that the complainant's email dated 24/10/2021 requesting further clarification was answered by the same letter of the Bank dated 3/6/2022. At the same time, with its memorandum, National Bank presents the Proposals submitted by both sides in the context of the complainant's action before the Single-Member Court of First Instance P, as requested by the Authority during the hearing (Exhibits 10-C and 10-D). It is noted that pp. 6 and 7 of the Bank's Proposals dated 20/1/2022 refer to the content of the complainant's telephone conversation of 3/9/2021 with representatives of the Bank, while on p. 8 of the complainant's Proposals dated 3/2/2022 it is stated that "the opposing party has to date never responded to the requests of the first of us for copies of his conversations...". In its memorandum, National Bank does not respond to the complainant's claim that in this way he found himself in a less favorable evidentiary position and suffered procedural harm.
2. B: The Bank reiterates the facts of the case by submitting its response dated 20/4/2022 to the complainant and the letter dated 14/6/2022 providing the recorded conversations, which had initially been requested on 16/2/2022 through a Branch, on 2/3/2022 in writing and on 20/3/2022 by out-of-court statement.
3. C: The Bank presents three letters to the complainant regarding his transaction dispute request and the related complaints, submitted after that request and before the access request (Exhibits 8-A, 8-B and 8-C), while with regard to the access request in question, submitted on 11/7/2022, it states that after searching for the information and consulting with the customer by telephone, it sent him the requested information on 23/9/2022 (Exhibit 8-D).
4. D: The Bank reiterates the facts by presenting the complainant's related requests, from which it emerges that his request of 7/5/2021 was satisfied on 9/9/2021 by provision of the requested copy.
5. Q: The Bank reiterates the facts by submitting its response letter dated 20/2/2023 to the complainant, in which he was informed that his request dated 16/11/2022 was being processed, and states that the request was satisfied on 9/3/2023 by provision of the requested copy.
6. F: The Bank reiterates the facts of the case, presenting the information letters that it sent, following the request of 3/10/2022 and the complainant's out-of-court statements of 5/10/2022 and 17/10/2022, informing her that her case was being processed, the receipt of 19/1/2023 for the complainant's recorded conversations (Exhibit 13-C), as well as the final message of 30/5/2023 with which the requested information was sent to her.
7. G: The Bank reiterates the facts of the case, presenting again the answers it provided to the complainant. It is noted that the answers presented as Ex. 11-B (dated 24/12/2022) and 11-D (dated 24/01/2023) were sent by e-mail to the address of the unknown perpetrator (…), who had made the relevant change through the complainant's e-banking settings. The Bank did not provide any explanation as to why the complainant was not informed that the specific requested call (of 3/12/2022) had not been located.
The Bank points out that in the above cases the customers chose to contact either their cooperating Branch or the call center, having as their primary concern the dispute of the transactions. In this context, the relevant cases were forwarded for investigation and further handling to the Bank's Units responsible for the relevant actions (investigation of the factual incidents in cooperation with other Bank Units, communication with third-party Banks, etc.). Only one customer contacted the mailbox dpo@nbg.gr, and she did so after having previously submitted a request to dispute transactions, which had been answered, as well as two (2) out-of-court complaints. Subsequently, and due to the non-satisfaction of the request to dispute transactions, the customers requested copies of their telephone communications or other data from the Bank. As National Bank claims, it made every effort to respond to customers' requests in a timely manner, which it states was achieved to a large extent, as in three of the above cases the maximum time period was respected, while in three there was a small deviation (approximately 10 days). As for the additional time required to provide the information requested in the above cases, the Bank claims that it is mainly due to:
- the number of relevant requests, which are showing a rapid increase due to the outbreak of electronic fraud;
- the extensive research required to investigate the relevant incidents;
- the fact that the creation of copies of recorded telephone calls requires access by appropriately authorized personnel to specific infrastructures of the Bank, which was not feasible on a daily basis due to the teleworking arrangements.
Furthermore, the Bank points out that in the cases of the complaints in question it took all the measures foreseen by its policies to prevent fraud, without this always being possible due to factors beyond its sphere of influence, emphasizing, however, that throughout the investigation of the complainants' cases it informed them of their progress and responded to their requests for information concerning them. Additionally, the Bank states that its compliance with the current legislative framework for the protection of personal data has been its main concern over time and that in this context it constantly reviews its internal procedures, constantly provides instructions to its staff for the faster processing of requests, has reinforced with staff the Units responsible for receiving and handling relevant requests, and has upgraded its internal systems and applications so that transaction dispute requests can be submitted directly through the internet and mobile banking applications. Finally, it states that in light of the review of the cases in question it intends to review its internal procedures regarding the management of access requests, taking into account developments at European level (such as the EDPB Guidelines 1/2022), and that targeted information will be re-launched in its competent Units.
The Authority, after examining the elements of the file and after hearing the rapporteur and the clarifications from the assistant rapporteur, and after thorough discussion,
HAS DECIDED IN ACCORDANCE WITH THE LAW
1.
It follows from the provisions of Articles 51 and 55 of the General Data Protection Regulation (Regulation (EU) 2016/679, hereinafter GDPR) and Article 9 of Law 4624/2019 (Government Gazette A 137) that the Authority has the competence to supervise the implementation of the provisions of the GDPR, of that law and of other regulations concerning the protection of individuals with regard to the processing of personal data. In particular, from the provisions of Article 57(1)(f) GDPR and Article 13(1)(g) of Law 4624/2019 it follows that the Authority has the competence to deal with the above complaints for violation of the right of access to personal data, while from the provisions of Article 57(1)(a) and (h) GDPR and Article 13(1)(h) of Law 4624/2019 it follows that the Authority has the competence to investigate ex officio the compliance of National Bank with the provisions of Articles 24(1), 12 and 15 GDPR and to exercise, respectively, the powers granted to it by Article 58 GDPR and Article 15 of Law 4624/2019.
2. Article 5(1) GDPR sets out the principles that must govern processing. According to Article 5(1)(a) GDPR, “1. Personal data shall be: (a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’); […]”. Furthermore, in accordance with the principle of accountability expressly set out in the second paragraph of the same Article, the controller “shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’)”. This principle entails the obligation of the controller to be able to demonstrate compliance with the principles of Article 5(1).
3. In accordance with the provisions of Article 15(1) and (3) GDPR: “1.
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data […]. 3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.” The correct and timely satisfaction of the right of access of data subjects is a crucial element for the transparency of processing. As pointed out in the EDPB Guidelines 1/2022 on the right of access[1], this right should not be considered in isolation, as it is closely linked to other provisions of the Regulation, in particular to the principles of personal data protection, including the lawfulness and fairness of processing, the transparency obligation of the controller, and to the other rights of the data subject provided for in Chapter III of the GDPR[2]. Furthermore, it is irrelevant for what purpose the data subject exercises the right of access. As the Authority has held, the GDPR does not impose conditions for its exercise, which is linked to the ability of the data subject to be aware of the processing and to verify its lawfulness (see Recital 63 GDPR, Authority decision 1/2022), but is not limited to this purpose, as the CJEU recently confirmed (see judgment C-307/22, §§29-52)[3]. Thus, the data subject is not required to state the reasons for which he or she wishes to exercise the right of access (see also Authority decisions 36/2021, 2/2020 and 16/2017, paragraph 3)[4]. The same is also noted in the aforementioned EDPB Guidelines 1/2022 on the right of access (see in particular §13: “…the aim of the right of access is not suitable to be analysed as a precondition for the exercise of the right of access by the controller as part of its assessment of access requests. Thus, controllers should not assess ‘why’ the data subject is requesting access, but only ‘what’ the data subject is requesting”).

[1] “Guidelines 01/2022 on data subject rights - Right of access”, Version 2.0, adopted on 28 March 2023, available on the EDPB website: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022-data-subject-rights-right-access_en
[2] “The right of access should not be seen in isolation as it is closely linked with other provisions of the GDPR, in particular with data protection principles including the fairness and lawfulness of processing, the controller´s transparency obligation and with other data subject rights provided for in Chapter III of the GDPR” (Guidelines 01/2022, §7).
[3] https://curia.europa.eu/juris/document/document.jsf;jsessionid=D5412AE4E56E4284050A2374E1AB30A5?text=&docid=279125&pageIndex=0&doclang=EL&mode=lst&dir=&occ=first&part=1&cid=560840
[4] See in particular §38 of the above-mentioned CJEU judgment in case C-307/22: “It must be noted that neither the wording of Article 12(5) nor the wording of Article 15(1) and (3) of the GDPR make the provision of the first copy of the personal data free of charge subject to the data subject invoking a reason justifying his request. Therefore, those provisions do not enable the controller to require the reasons for submitting the request for access from the data subject.”

4. Furthermore, according to the WP29 Guidelines on transparency (WP260 rev.01), when informing data subjects under Articles 13-14 GDPR, the information provided should be specific and definitive: “The use of linguistic qualifiers such as ‘may’, ‘certain’, ‘often’ and ‘likely’ should also be avoided. Where data controllers choose to use vague language, they should be able, in accordance with the principle of accountability, to demonstrate why the use of such language could not be avoided and why it does not undermine the fairness of the processing” (§13). This rule should also govern the information that data subjects receive in response to an access request under Article 15 GDPR, since, as noted, “The principle of accountability with regard to transparency applies not only at the point of collection of personal data, but also throughout the life cycle of the processing, regardless of the information provided or the communication made” (§29). With regard to the information of data subjects under Articles 13-14 GDPR, specifically as regards the recipients of the data, the following is recommended: “The names of the recipients of the personal data or the categories of recipients must be provided. In accordance with the principle of fairness, controllers must provide the most relevant information for the data subjects regarding the recipients. In practice, this will generally be the names of the recipients, so that data subjects know exactly who is in possession of their personal data. If controllers choose to provide categories of recipients, the information should be as specific as possible and indicate the type of recipient (i.e. with reference to the activities carried out), the sector, the sub-sector and the location of the recipients” (see table, pp. 49-50, WP260 rev.01). See also EDPB Guidelines 1/2022 on the right of access, §115, and the example cited therein: “…already under Article 13/14 GDPR the information on recipients or categories of recipients should be as specific as possible in order to comply with the principles of transparency and fairness. The controller should name the actual recipients unless it is only possible to indicate the category of recipients. In any case, it is sometimes not yet possible to name the actual recipients at the time of providing information in accordance with Articles 13 and 14 GDPR, but only at a later stage, for example, when an access request is submitted.”[5] Accordingly, where the data subject exercises his right of access with regard to the recipients at a time subsequent to the initial information, i.e. at a time when the transmission of his data to specific recipients has already taken place, the controller[6] should name these specific recipients, so that the data subject is in a position, if he so wishes, to exercise further rights vis-à-vis them.

[5] the controller shall provide the data subject with the information he/she needs to provide, in accordance with Article 13/14 GDPR, regarding
[6] CJEU judgment in case C-154/21, delivered on 12-01-2023.

5. Furthermore, according to Article 12(2) GDPR, “The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. (…)”, while paragraph 3 of the same Article sets the deadline for responding to access requests at one month, as a rule: “The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.” According to Recital 59 of the Regulation, “Modalities should be provided for facilitating the exercise of the data subject's rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests.”
6. According to Article 24(1) and (2) GDPR, “1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary. 2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.” On this basis, it is clear that it is important to establish appropriate procedures and policies that ensure the timely and effective handling of requests from data subjects to exercise their rights under the GDPR, in particular for controllers which, because of their field of activity, systematically process personal data on a large scale and for a variety of different purposes. Where, due to the nature of the processing, the data subject may suffer harm from a delay in the satisfaction of his or her rights, this must be taken into particular account when drawing up the relevant policies and procedures, as Article 24(1) GDPR explicitly requires.
Moreover, according to Article 25(1) GDPR, “Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects”. At the same time, the effectiveness of the measures taken should be regularly reviewed on the basis of the feedback received from the affected data subjects and, where appropriate, the relevant procedures and policies of the controller should be restructured accordingly, e.g. by retraining existing staff or by recruiting additional staff where necessary, so as to ensure in each case that the above objectives of the General Regulation are fulfilled for the benefit of data subjects[7]. As, moreover, stated in the above EDPB Guidelines (1/2022), the possibility of extending the response deadline by two months should not be abused. If controllers are frequently forced to extend that deadline, this could be an indication that their general practices regarding the handling of requests to exercise rights under the GDPR need to be modified and improved. Under no circumstances should the internal arrangements implemented by the controller, such as the teleworking arrangements of its employees, have the effect of undermining the protection of the rights of data subjects.

[7] See also EDPB Guidelines 1/2022 (ibid.), §42: “Therefore, the controllers should be proactively ready to handle the requests for access to personal data. This means that the controller should be prepared to receive the request, assess it properly (this assessment is the subject of this section of the guidelines) and provide an appropriate reply without undue delay to the requesting person. The way the controllers will prepare themselves for the exercise of access requests should be adequate and proportionate and depend on the nature, scope, context and purposes of processing as well as the risks to the rights and freedoms of natural persons, in accordance with Art. 24 GDPR. Depending on the particular circumstances, the controllers may, for example, be required to implement an appropriate procedure, the implementation of which should guarantee the security of the data without hindering the exercise of the data subject's rights.” And: “Under certain circumstances the controller can extend the time to respond to a request of access by two further months if necessary, taking into account the complexity and number of the requests. It should be emphasized that this possibility is an exemption from the general rule and should not be overused. If controllers often find themselves forced to extend the time limit, it could be an indication of need to further develop their general procedures to handle requests.” (Guidelines 01/2022, §162).

7. In this case, from the examination of all the elements of the files of the above cases and following the hearing procedure, the following is established: In view of the implementation of the GDPR, in May 2018 National Bank adopted the Personal Data Management Policy, which was updated in May 2022. This Policy includes a description of the Bank's personal data processing activities, the allocation of responsibilities, reference to the Bank's obligations and staff training. The text of the Policy refers to the principles of the GDPR and to the relevant obligations of the Bank as Controller. Furthermore, the Bank issued service circular B’ 85/24.05.2018 entitled “Start of implementation of the new framework regarding the protection of natural persons with regard to the processing of personal data (General Data Protection Regulation – GDPR)” (Appendix 3 of the memorandum), with which it informed its personnel about the implementation of the GDPR and provided guidance on the Bank’s compliance, including instructions for the management of customer requests for the exercise of their rights arising from the GDPR and for their registration in the special system created for this purpose (GDPR Request Management System). In addition, according to the Bank, a mandatory training seminar "Protection of the Individual from the Processing of Personal Data" has been designed for its staff, with special sections relating to the exercise of data subjects' rights (see the relevant screenshots as Appendix 6). These documents state "update date: 13/12/2022", while the Bank did not specify whether all or part of its staff attended these seminars and at what point in time. During the years 2021-2022 and at the beginning of 2023, several complaints by data subjects against National Bank for violation of the right of access to their personal data were submitted to the Authority. In some cases, in which the right was satisfied with a delay but before any intervention by the Authority, the relevant cases were filed as having become devoid of purpose.
By decision 36/2021, a fine of 20,000 euros was imposed on the Bank for violation of Article 15 GDPR, while in another case, after it was established that the delay was due to the measures to address the Covid-19 pandemic and the related restrictions on the Bank's operation in 2021, the document G/ΕΣΕ/306/07-02-2023 was sent (see above, p. 12), with which the Authority drew the Bank's attention to the fact that it must comply with its obligations arising from Articles 12 par. 3 and 15 GDPR, ensuring that appropriate organisational and technical measures are taken and reviewing these measures, where necessary.

8. With regard to the seven (7) cases examined here in particular, the following emerged:

1. A: The data requested by the complainant were partially provided (his contracts) after the service of the lawsuit, while the recorded conversations he requested were provided to him 7 months after the submission of the request. Particular account should be taken of the existence of a legal dispute between the complainant and the Bank, in the context of which the Bank used the complainant's personal data, which he had previously requested and which had not been provided to him even after the expiry of the deadline for addition-rebuttal, with the result that, due to the delay in satisfying the request, the latter found himself in a less favourable evidentiary position and suffered procedural damage. In its memorandum, National Bank did not respond to the complainant's claim that in this way he found himself in a less favourable evidentiary position and suffered procedural harm. Orally during the hearing, the representatives of National Bank denied that this delay was deliberate on its part, while they stated that the delay was due to the fact that the request was initially forwarded to the wrong department. Nevertheless, in order to protect the procedural interests of National Bank, it was possible to have timely access to the relevant data in order to use them in court. Therefore, a violation of Article 15 GDPR in conjunction with Article 12 par. 3 and 4 GDPR is established.

2. B: The complainant's right of access was satisfied before the notification of the complaint by the Authority, but after 4.5 months and after the resubmission, in writing and by extrajudicial declaration, one month after the initial submission of the request by the complainant, who claims that this delay caused her moral damage and delayed her exercise of her claims for compensation for the damage from the unauthorised transactions. Moreover, the teleworking of employees and the increase in requests due to the outbreak of electronic fraud invoked by the Bank do not constitute a reason for lifting its obligations arising from Article 12 of the GDPR; rather, as has already been pointed out to the Bank in the document referred to in the previous paragraph, it must itself take the necessary measures to comply with the requirements of the GDPR. Therefore, a violation of Article 12 par. 3 and 4 GDPR is established.

3. C: The request was satisfied within 74 days of its submission. A violation of Article 12 par. 3 and 4 GDPR is established regarding the notification of the complainant of the reasons for the delay and the need for an extension, as the request was initially "registered as a complaint", which was due to incomplete procedures, technical and organisational measures and insufficient training of employees that led to the inability to recognise a request from a data subject as an access request.

4. D: The request was partially satisfied 5 months after its exercise (granting a recorded call), and as a reason for the delay the Bank invokes the teleworking of its employees. However, this claim does not constitute a reason for lifting its obligations arising from Article 12 of the GDPR; rather, as has already been pointed out to the Bank in the document referred to in the previous paragraph, it must itself take the necessary measures for its compliance with the requirements of the GDPR. Furthermore, in response to the question regarding the exact recipients of the complainant's data, the Bank did not provide clear and specific information, but simply stated that "in the context of carrying out the disputed transfer, it processed only the data necessary for the execution of the transfer" (see paragraph 4 above). Therefore, a violation of Article 15 is found with regard to the failure to provide information on the recipients, and of Article 12, paragraphs 3 and 4 of the GDPR.

5. Q: The request was satisfied 4 months after its exercise and 2 months after the submission of the complaint, without relevant information. The Bank invokes the teleworking of its employees as a reason, but this claim does not constitute a reason for lifting its obligations arising from Article 12 of the GDPR; rather, as has already been pointed out to the Bank in the document referred to in the previous paragraph, it must itself take the necessary measures to comply with the requirements of the GDPR. Therefore, a violation of Article 12 par. 3 and 4 of the GDPR is established.

6. F: The request was satisfied 6 months after its exercise, 1 month after the notification of the complaint by the Authority to the Bank and after the intervention of the Consumer Ombudsman, without relevant information to the complainant beyond the standard messages that the request is under processing, and without the Bank citing a specific reason for the delay. Therefore, a violation of Article 12 par. 3 and 4 GDPR is established.

7. G: The right was partially satisfied, with a delay (4 months after its submission). Regarding a specific recorded call that was requested, the right was not satisfied. After submitting a new request specifically regarding this call, although the Bank was unable to locate it, it did not inform the complainant about it. Instead, it re-recorded her already granted conversation on another CD, which it delivered to her, without informing her that the CD did not contain her requested personal data. The responses provided as Appendix 11-B (dated 24/12/2022) and 11-D (dated 24/01/2023) were sent via e-mail to the address of the unknown perpetrator (…), who had made the relevant change through the complainant’s e-banking settings. The Bank did not provide any explanation regarding the complainant’s lack of information about the fact that a specific requested call (dated 3/12/2022) had not been located. Therefore, a violation of Article 15 GDPR and Article 12 par. 3 and 4 GDPR is established.

Furthermore, although the Bank claims that “throughout the investigation of the complainants’ cases, it informed them about the progress of their requests”, it did not appear that it specifically provided the information required by Article 12, paragraph 4 of the GDPR to the complainants; rather, it is established that it simply sent a standard message stating that the request is under processing. Therefore, the Authority finds in the above-mentioned 7 cases a violation by National Bank, as controller, of Article 12, paragraphs 3 and 4 of the GDPR, in combination, in the cases under items 1, 4 and 7, with Article 15 of the GDPR, as explained above.

9. Furthermore, based on the above, it appears that the procedures followed by the Bank for handling access requests were ineffective: In 3 of the cases examined, the Bank invoked the teleworking arrangements of its employees, due to which their access to the infrastructures in which the records of recorded conversations are kept was not possible; in some cases the Bank stated that the requests were not transmitted correctly and in a timely manner to the appropriate departments, as they were submitted in the context of transaction dispute incidents; while it also invoked as an argument the large increase in relevant requests in recent times.
Furthermore, according to the memorandum of the National Bank, in December 2023 the procedure “Management of Requests for the Exercise of GDPR Rights” was drawn up (Appendix 4). This procedure appears to have been drawn up after the complaints under consideration were submitted and after the Authority sent a new document, G/ΕΣΕ/294/06-02-2023, in November 2023, for the ex officio control of its procedures. Furthermore, although the Bank emphasises the theoretically very important role of the DPO in monitoring compliance and in identifying relevant issues, it did not emerge that the DPO has made specific proposals or advice for the handling of the cases under consideration, nor any contribution by the DPO in the context of recording the procedures and updating the Bank's policies. The fact that, despite the existence of the above complaints and the finding that in all these cases the GDPR deadlines were not met, the Bank was mobilised to record its relevant procedures only after the two documents from the Authority drawing its attention to the issue and calling on it to demonstrate its compliance with Article 12 par. 2 and Article 24 par. 1 and 2 of the GDPR, demonstrates that from the implementation of the GDPR until the date of examination of the case during the Authority's meeting, the Bank had not complied with them, in a manner that was impermissible given the volume and nature of the personal data it processes, the multiple access requests it is expected to receive due to its field of activity and the possible risks from the delay in satisfying the right of access, which is very likely to result in financial consequences for the subjects (inability to prove in the context of disputing fraudulent transactions, inability to investigate fraud, etc.).

The Bank still does not seem to have identified specific causes for its failure to comply, but in its memorandum of 12/4/2024 it refers vaguely to a future review of its procedures: for example, it states that it has reinforced the Units responsible for receiving and handling relevant requests with staff, without specifying what the incorrect handling in the above cases is due to, e.g. whether the cause was the lack of sufficient staff or the lack of understanding of the existing staff or some other reason. Furthermore, it states that “in light of a review of these cases, it intends to review its internal procedures regarding the management of access requests, taking into account developments at European level (such as the EDPB Guidelines 1/2022) and targeted information will be re-launched in its competent Units”. However, the fact that, as a data controller, the Bank began to receive an unusually large number of access requests is a factor that should have been taken into account when designing and updating its relevant procedures from the time this increase was detected, ensuring that it responded to this new condition, taking into account the employment status of its employees. Specifically, in the context of ongoing compliance with the GDPR, the Bank should have already assessed its weaknesses, initially when the ("exponential", as it states) increase in access requests was observed as a consequence of the outbreak of electronic fraud, subsequently when the complaints of its customers intensified, and in any case when the Authority proceeded to an ex officio audit of its procedures from the year 2023. On the contrary, the facts show that the Bank's Policies are theoretical texts that are not applied in practice, despite its assurances to the contrary.
Given the above, in the context of the ex officio control of the procedures of the Bank complained about, a violation of Article 12, paragraph 2 of the GDPR in conjunction with Article 25, paragraph 1 of the GDPR is found.

10. Based on the above, the Authority considers that it is appropriate to exercise its corrective powers under Article 58, paragraph 2 of the GDPR in relation to the violations found.

i. With regard to the complaint referred to in point 1 of paragraph 8 of this decision, the Authority considers that, based on the circumstances established, it is necessary to impose, in application of the provision of Article 58, paragraph 2, sub-paragraph i’ of the GDPR, an effective, proportionate and dissuasive administrative fine, pursuant to Article 83 of the GDPR, as referred to in the operative part of this decision. For the purpose of calculating the fine, the criteria set out in Article 83 par. 2 of the GDPR and par. 5 sub. b’ of the same article, which is applicable to the case, were taken into account and, in particular, the fact that while the complainant had not been provided with the personal data requested by him (recorded telephone calls), they were used by the Bank in the context of the dispute between them.

ii. With regard to the complaints referred to in points 2-7 of paragraph 8 of this Decision, the Authority considers that, with regard to the established violations of the GDPR, it is appropriate to address a reprimand to National Bank, in accordance with Article 58 par. 2 sub. b’ of the GDPR, and not an administrative fine, given that the facts of these cases are assessed independently below regarding the Bank’s general compliance with the obligations arising from Articles 12 and 15 of the GDPR, in the context of a separate audit case.

iii. With regard to the established violation of Article 12 par. 2 GDPR in conjunction with Article 25 par. 1 GDPR, the Authority considers that, based on the circumstances established, an effective, proportionate and dissuasive administrative fine should be imposed pursuant to the provision of Article 58 par. 2 sub. i’ of the GDPR, pursuant to Article 83 of the GDPR. For the measurement of the fine, the Authority took into account the criteria set out in Article 83 par. 2 of the GDPR, paragraphs 4 sub. a) and 5 sub. b) of the same article that are applicable to the present case, the Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679 issued on 03-10-2017 by the Article 29 Working Party (WP253) and the Guidelines 04/2022 of the European Data Protection Board on the calculation of administrative fines under the General Regulation, as well as the actual facts of the case under consideration, in particular the criteria and special circumstances listed below:

- The large number of affected subjects, i.e. potentially the entire customer base of the Bank, as well as third-party natural persons.
- The long duration of the infringement, since it is established that it concerns the period since the entry into force of the GDPR (25/5/2018).
- The fact that the infringement concerns the main activities of the controller.
- The fact that the Bank has been previously sanctioned for infringement of the right of access.[9]
- The fact that the Bank ignored the correct and timely satisfaction of access rights for a long period of time, citing the current conditions due to the pandemic, and proceeded to formulate relevant policies only after the relevant audit by the Authority, while referring to a future review of its procedures.
- That the turnover (gross turnover) of the Bank for the last financial year (2023) amounted to approximately 2.6 billion euros.[10]

FOR THESE REASONS THE AUTHORITY

A. Imposes on National Bank of Greece S.A., as controller, based on Article 58, paragraph 2, subparagraph θ’ of the GDPR, an administrative fine of twenty thousand (20,000€) euros, for the established violation of the right of access of complainant A under Article 15 par. 1 and 3 GDPR, in accordance with what is mentioned in point i. of paragraph 10 above.

B. Addresses to National Bank of Greece S.A., as controller, based on Article 58 par. 2 sub. b’ of the GDPR, a reprimand, for the established violations of Article 12 par. 3 and 4 GDPR in combination with Article 15 GDPR, in the cases of the complaints mentioned in point ii. of paragraph 10 above.

C. Imposes on National Bank of Greece S.A., as controller, based on Article 58 par. 2 sub. i’ of the GDPR, an administrative fine of two hundred thousand (200,000€) euros, for the established violation of Articles 12 par. 2 and 25 par. 1 GDPR, in accordance with what is mentioned in point iii. of paragraph 10 above.

The President: Konstantinos Menoudakos
The Secretary: Irini Papageorgopoulou

[9] See Decision 36/2021 of the Authority, published on its website.
[10] See the Bank's Annual Financial Report for the year 2023, available at the link https://www.nbg.gr/-/jssmedia/Files/Group/enhmerwsh-ependutwn/Annual_Financial_Reports/Annual-Financial-Report-2023-GR.pdf