HDPA (Greece) - 34/2023

From GDPRhub
HDPA - 34/2023
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(c) GDPR
Article 15(1) GDPR
Type: Complaint
Outcome: Upheld
Started: 09.11.2020
Decided: 10.11.2023
Published: 29.11.2023
Fine: 20000 EUR
National Case Number/Name: 34/2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: Inder-kahlon

The Hellenic DPA imposed an administrative fine of €20,000 on a leasing company. They fined them €10,000 for violating Article 5(1)(c) GDPR, and an additional €10,000 for violating Article 15(1) GDPR.

English Summary


The company Piraeus Leasing (the controller) posted an advertisement for the sale of property owned by CBP Leasing. In that advertisement there was a photo of the data subject's car parked next to the property. The property was previously owned by the data subject's father before it was seized. The data subject claimed that the license plate of his car was visible in the photograph, which allowed his social circle to become aware of the loss of his family property.

The data subject submitted a request for erasure of the personal data concerning him and an objection to processing to the controller's data protection officer ('DPO'), asking for his license plate to be removed from the advertisement. The DPO responded, stating the car's registration number was not visible, but in order to avoid any concern the photograph was removed from their website and would be retained in the company's archives as proof of the fact that the registration number of the car was not visible.

Later an acquaintance of the data subject who was a potential buyer of the property, shared emails with him revealing that the controller had shared images of the property with them, including the photo used in the advertisement, which clearly contained the data subject's car and his license plate.

After uncovering new evidence, the data subject filed a complaint on against Piraeus Leasing and another similar complaint against CBP Leasing (which was renamed to PIRAEUS FINANCIAL LEASING SINGLE MEMBER S.A.). However, since both of these companies ceased to exist, the beneficiary by formation for both companies for any pending lawsuits became PEIRAIOS LEASING M.A.E. Therefore, the Hellenic DPA considered the controller to be PEIRAIOS LEASING M.A.E., and considered both complaints together as they were filed by the same data subject against what now was the same defendant company.


The Hellenic DPA found that the data controller (PEIRAIOS LEASING M.A.E.) had processed the data subject's personal data in violation of Article 5(1)(c) GDPR and Article 15(1) GDPR.

Firstly, the DPA found a violation of Article 5(1)(c) GDPR, as the controller had retained a photograph containing the data subject's personal data, through which he could be identified. Moreover, the controller had transferred the personal data to a third party. Both of these actions were in violation of the principle of data minimisation.

Secondly, the DPA found a violation of Article 15(1) GDPR. Under this Article, the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed. In this instance, the DPA found a violation, as the controller alleged that it had already deleted the contested photograph from their website and had told the data subject that the photograph contained no personal data of his. Therefore, they falsely confirmed that no personal data of the data subject were being processed, when in actuality they were.

As such, the DPA issued a fine of €20,000 in total. €10,000 for the breach of the principle of data minimisation (Article 5(1)(c) GDPR) and €10,000 for the violation of Article 15(1) GDPR.


The unauthorised disclosure of personal data, even as basic as a car license plate, can have profound consequences, causing embarrassment, and disrupting one's peace of mind. This incident underscores the importance of safeguarding individual's privacy and the potential far-reaching impact of seemingly innocuous information.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

The Authority investigated a complaint by a natural person against a company related to the processing of a photo in which the license plate number of the complainant's car was visible and imposed a fine of €10,000 for a breach of Article 5 of the GDPR and a fine of €10,000 for a breach of Article 15 of the GDPR.