HDPA (Greece) - 20/2023

From GDPRhub
HDPA - 20/2023
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 12(2) GDPR
Article 12(3) GDPR
Article 12(4) GDPR
Article 15 GDPR
Article 21 GDPR
Article 25(1) GDPR
Type: Complaint
Outcome: Upheld
Started: 14.06.2022
Decided: 29.05.2023
Published: 29.05.2023
Fine: 150.000 EUR
Parties: n/a
National Case Number/Name: 20/2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: eirini.saranti

The Hellenic DPA fined a telecommunications company a total of €150,000 for sending unsolicited advertising messages, for not responding to an access request and for not facilitating the objection to processing of personal data.

English Summary


The data subject was a client of a telecommunications services provider, the controller. Although they had expressly objected the receipt of advertising messages through the Register provided for in Article 11 of Law 3471/2004, the controller continued to send them promotional electronic messages.

The data subject submitted an access request, but the controller argued that it would be necessary for them to go to a store or send a registered letter in order to have their identity verified.

The data subject then filed a complaint with the Hellenic DPA claiming that the controller violated their data protection rights. In defense, the controller argued that there was a specific procedure described in its privacy policy for data subjects to request access to their data and this procedure had not been followed.


The Hellenic DPA acknowledged the fact that the data subject did not follow the procedure established by the controller, but stated that this was not a legitimate reason to not comply with the access request. The DPA also found that the controller made it difficult for the data subject to exercise their rights by requesting their physical presence in the store or the sending of a registered letter. Finally, the DPA held that the controller did not implement appropriate organizational and technical measures to enable the exercise of the right to object to the processing of personal data for promotional purposes, failing to comply with the requirements of the GDPR.

As such, the DPA ordered the controller to comply with the access request and issued a fine of:

a) €60,000 for the violation of Article 21(3) GDPR as the controller sent five promotional messages after the data subject had expressly objected the processing of their data for this purpose;

b) €60,000 for the violation of Articles 15(1) and 12(2), (3) and (4) as the controller did not respond to the access request and did not facilitate the exercise of the data subject's rights;

c) €30,000 for the violation of Article 25(1) GDPR as the controller did not implement organizational and technical measures to enable the data subject to exercise the right to object the processing of the personal data for promotional purposes.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

The Authority examined complaints from a subscriber of WIND, now NOVA, in which he complained about repeated receipt of e-mails for promotional purposes despite his opposition and repeated protests, as well as non-satisfaction of requests to exercise the right of access.

The Authority imposed a fine a) 60,000 euros for violation of Article 21 (3) GDPR due to the sending of five promotional messages despite the opposition and the removal of the complainant's telephone number from the Register of Article 11 Law 3471/2004 for a period of three months without to have requested it himself, b) 60,000 euros for failure to satisfy the right of access, failure to provide an answer, even if negative, and making it difficult to exercise the right of access, pretextually citing the inability to correctly identify the complainant in other ways than physical presence in the store or through by registered letter in violation of article 15 (1) cond. 12 par. 2, 3 and 4 GDPR and c) 30,000 euros for violation of Article 25 (1) GDPR because it did not in practice have the necessary procedures to ensure the right to object and stop the processing of the data for the promotional purpose.