HDPA (Greece) - 36/2021
| HDPA (Greece) - 1947/26-08-2021 | |
|---|---|
 | |
| Authority: | HDPA (Greece) |
| Jurisdiction: | Greece |
| Relevant Law: | Article 5(2) GDPR Article 12(2) GDPR Article 15 GDPR Article 83 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 26.08.2021 |
| Published: | |
| Fine: | 40.000 EUR |
| Parties: | KOTSOVOLOS S.A National Bank of Greece S.A. |
| National Case Number/Name: | 1947/26-08-2021 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Greek |
| Original Source: | Hellenic Data Protection Authority (in EL) |
| Initial Contributor: | Stergios |
The Greek DPA (HDPA) investigated a complaint against two data controllers that failed to comply with a consumer's access request in the context of the sale of a product which had been returned. It fined each controller €20,000 for failing to comply with the right of access.
English Summary
Facts
The complainant had bought a product from a seller (Controller A). It was agreed that the price of the product would not been paid in full at the time of the sale, but rather via several installments. Shortly thereafter, the Complainant decided to return the product. Despite this return, the Complainant realized that he was still being charged every month on his credit card. he therefore contacted Controller A in writing (via the Facebook Messenger App) and asked the latter to notify the bank (Controller B) of the need to cancel his credit card installments. Controller A however did not notify Controller B. The Complainant therefore attempted to directly contact Controller B with the same request. Controller B never answered him.
The Complainant then requested Controller A to provide him with a copy of the correspondence it had with Controller B with respect to the installments. Controller A however refused to grant him access to this information on the basis of that the communication that had taken place with the bank constituted an internal communication with "no possibility of disclosure".
In this context, the Complainant decided to file a complaint with the Greek DPA (the HDPA)
Holding
The HDPA held that Controller A and B should have responded positively to the request of the Complainant in accordance with Article 12(2) GDPR and Article 15 GDPR. The HDPA imposed an administrative fine of EUR 20,000 on each Controller for failure to comply with the the right of access.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
