HDPA (Greece) - 36/2021

From GDPRhub
HDPA (Greece) - 1947/26-08-2021
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(2) GDPR
Article 12(2) GDPR
Article 15 GDPR
Article 83 GDPR
Type: Complaint
Outcome: Upheld
Decided: 26.08.2021
Fine: 40.000 EUR
National Bank of Greece S.A.
National Case Number/Name: 1947/26-08-2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: Hellenic Data Protection Authority (in EL)
Initial Contributor: Stergios

The Greek DPA (HDPA) investigated a complaint against two data controllers that failed to comply with a consumer's access request in the context of the sale of a product which had been returned. It fined each controller €20,000 for failing to comply with the right of access.

English Summary


The complainant had bought a product from a seller (Controller A). It was agreed that the price of the product would not been paid in full at the time of the sale, but rather via several installments. Shortly thereafter, the Complainant decided to return the product. Despite this return, the Complainant realized that he was still being charged every month on his credit card. he therefore contacted Controller A in writing (via the Facebook Messenger App) and asked the latter to notify the bank (Controller B) of the need to cancel his credit card installments. Controller A however did not notify Controller B. The Complainant therefore attempted to directly contact Controller B with the same request. Controller B never answered him.

The Complainant then requested Controller A to provide him with a copy of the correspondence it had with Controller B with respect to the installments. Controller A however refused to grant him access to this information on the basis of that the communication that had taken place with the bank constituted an internal communication with "no possibility of disclosure".

In this context, the Complainant decided to file a complaint with the Greek DPA (the HDPA)


The HDPA held that Controller A and B should have responded positively to the request of the Complainant in accordance with Article 12(2) GDPR and Article 15 GDPR. The HDPA imposed an administrative fine of EUR 20,000 on each Controller for failure to comply with the the right of access.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.