HDPA (Greece) - 2/2023

From GDPRhub
Revision as of 13:46, 1 February 2023 by Lr (talk | contribs) (rearranging first para)
HDPA - 2/2023
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 31 GDPR
Article 58(1) GDPR
Article 83(4) GDPR
Article 13 of National Law 4624/2019
Article 15 of National Law 4624/2019
Article 66 of National Law 4624/2019
Type: Complaint
Outcome: Upheld
Started: 20.12.2022
Decided: 13.01.2023
Published: 13.01.2023
Fine: 50.000 EUR
Parties: n/a
National Case Number/Name: 2/2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: Anastasia Tsermenidou

The Greek DPA (HDPA) imposed a fine of €50,000 on Intellexa S.A for failing to cooperate with an investigation into their alleged installation of monitoring software on data subject's devices without their knowledge.

English Summary


The controller in this case is Intellexa S.A (Intellexa), a software company which provides technology and intelligence to law enforcement agencies. An individual, "A", provided to the HDPA a copy of a petition they filed with the Prosecutor of the Supreme Court concerning the alleged attempted interception of their mobile phone with 'Predator' surveillance software. In addition, numerous press reports were published linking Intellexa to the aforementioned software, and to the installation of monitoring software on users' mobile telephone devices without their knowledge.

Following these developments, the HDPA conducted an "own-volition" investigation, undertaking an on-site audit of Intellexa premises on 3 October 2022. Prior to the audit, the HDPA sent Intellexa a document containing the details of the investigation and requesting further information. Despite multiple telephone assurances from the company's lawyers to auditors that their request would be met, the company did not submit any information. During the audit, the company's three-story building was found to be completely empty and without any functional network infrastructure or information system. Through a discussion with the representatives of the company, the audit team requested specific information on the data processed, the auditees took notes and assured them that they would provide this promptly.

On 4 October 2022, Intellexa submitted a request to the HDPA to be provided with the audit questions in writing, claiming that it was impossible to draft effective and accurate responses to notes taken during the audit, due to the complexity and highly technical nature of the isssue. On 6 October 2022, the HDPA sent the company a written request containing 24 questions, asking for as much information as possible, and specific documentation, as soon as possible. On 21 October 2022, the HDPA received an email from Intellexa claiming their employees have been subject to "haasasment" by journalists following the audit, and informing the authority that they intend to submit responses the following week. The HDPA responded to this email on 24 October 2022, stating that they expect full and substantiatied replies to their questions as soon as possible.

Intellexa S.A did not reply to the HDPA's enquiries, they were subsequently invited to attend a hearing on 29 November 2022 to verify their compliance with the requirements of Article 31 GDPR. On 18 November 2022, the company sent a response to the auditor's questions. It was noted that, in response to some of the questions, Intellexa did not provide the information requested by the authority; information which was, according to the HDPA, undoubtedly in the company's possession.

At the hearing Intellexa's lawyers argued that, despite their "justified reservations", the company tried to respond to the questions asked "to the fullest extent possible" in cooperation with "various investigations launched simultaneously by several different Greek authorities". In their submissions, they asserted that the Greek authorities ought to act in a more "coordinated and consistent" manner.


The HDPA found that Intellexa S.A, has, by choice, breached its obligation to cooperate with the supervisory authority under Article 31 GDPR. In doing so, they found that the company has unduly delayed its response to the investigation, and failed to provide information which was indisputably in its possession.

The HDPA did not accept the controller's assertions that they had responded in a reasonable period of time. Furthermore, in asserting that the Greek authorities should act in a "coordinated and consistent" manner, the company had disregarded the independence of the DPA and the rules governing the effective performance of its obligations in the context of its statutory objective of the protection of personal data.

Pursuant to Articles 58(2)GPDR and 83 GDPR, the authority unanimously considered that the conditions for imposing an administrative fine on Intellexa SA had been fulfilled. In doing so, they took into account the serious nature and gravity of the infringement, and imposed a fine of €50,000. Additionally, the HDPA issued an order instructing the company to deliver the relevant information immediately.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

The Authority carried out an administrative audit on Intellexa SA. investigating cases of the installation of tracking software on users' mobile terminal devices, with the aim of tracking them without their knowledge, as well as the subsequent collection and processing of their personal data collected by such software. As the company was excessively late in responding to the Authority's questions and did not provide specific information that was requested and is in its possession, the Authority imposed a fine of 50,000 euros and ordered that specific information be delivered to it immediately.