HDPA (Greece) - 4/2023

From GDPRhub
HDPA - 4/2023
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(f) GDPR
Article 33 GDPR
Article 34 GDPR
Type: Complaint
Outcome: Upheld
Started: 18.01.2023
Decided: 02.02.2023
Published: 30.03.2023
Fine: 30.000 EUR
Parties: n/a
National Case Number/Name: 4/2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: HDPA (in EL)

The Greek DPA fined a bank €30,000 for transferring financial data of the data subject to an unauthorized third party, in violation of Articles 5(1)(a) and (f), and for failing to notify the breach in line with Articles 33 and 34 GDPR.

English Summary


The data controller, Piraeus Bank, provided data relating to a joint bank account to a third party who claimed to be the heir of one of the account holders who had died. This third party then used such data in a lawsuit against the other account holder, the data subject. The data subject filed a complaint with the DPA claiming that the transfer of their personal lacked a legal basis.

After investigating the matter, the controller acknowledged that its employee made a mistake by providing the requested information to a third party. The controller also reported having adopted all technical and organizational measures to ensure data security, which, however, is not able to prevent human error. Finally, it claimed that it was not necessary to notify the DPA and the data subject about the breach.


The DPA highlighted the principles of lawfulness, fairness and transparency established by the GDPR and reinforced the responsibility controllers regarding the security of personal data. The DPA recalled the negative impacts that data breaches can have on data subjects, including physical, material or moral damages. For this reason, these breaches must be reported to the authority within 72 hours after the data controller becomes aware of them, in accordance with article 33 GDPR. Likewise, the data subject must be notified according to Article 34 GDPR. For these reasons, the DPA not only recognized the illegality of the transfer of personal data to a third party, but also held that the controller failed to comply with the obligation to notify the breach.

Therefore, the DPA found a violation of Articles 5(1)(a) and (f) , 33 and 34 GDPR, and fined the controller €30,000.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Article 2: Material scope Article 2.2.c: Exclusively personal or domestic activity Article 3: Territorial scope Article 4.1: Personal data (definition) Article 4.1: Data subject (definition) Article 4.2: Processing (definition) Article 4.3: Restriction of processing (definition) Article 4.4 : Profiling (definition) Article 4.5 : Pseudonymization (definition) Article 4.6 : Filing system (definition) Article 4.7 : Controller (definition) Article 4.8 : Processor (definition) Article 4.9 : Recipient (definition) Article 4.10 : Third party (definition) Article 4.11 : Consent (definition) Article 4.12 : Breach of personal data (definition) Article 4.13 : Genetic data (definition) Article 4.14 : Biometric data (definition) Article 4.15 : Data concerning health (definition) Article 4.16 : Main establishment (definition) Article 4.17 : Representative (definition) Article 4.18 : Enterprise (definition) Article 4.19 : Group of enterprises (definition) Article 4.20 : Binding corporate rules (definition) Article 4.21 : Supervisory authority (definition) ) Article 4.22 : Relevant supervisory authority (definition) Article 4.23 : Cross-border processing (definition) Article 4.24 : Relevant and reasoned objection (definition) Article 4.25 : Information society service (definition) Article 4.26 : International organization (definition) Article 5.1 : Principles of data processing Article 5.1.a : Principle of legality, objectivity and transparency Article 5.1.b : Principle of purpose limitation Article 5.1.c : Principle of data minimization Article 5.1.d : Principle of accuracy Article 5.1.e : Principle of limitation of storage period Article 5.1.f : Principle of integrity and confidentiality Article 5.2 : Principle of accountability Article 6.1.a : Legal basis of consent Article 6.1.b : Legal basis of contract execution Article 6.1.c : Legal basis of compliance with a legal obligation Article 6.1 .d: Legal basis for safeguarding vital interest Article 6.1.e: Legal basis for fulfilling a public duty Article 6.1.f: Legal basis for overriding legal interest Article 6.4: Compatibility of processing for another purpose Article 7: Conditions for consent Article 8: Consent of a child for services information society Article 9.1: Special categories of personal data Article 9.2.a: Express consent Article 9.2.b: Fulfillment of labor law obligations, etc. Article 9.2.c: Protection of vital interests Article 9.2.d: Processing of data of special categories of members of an institution, organization etc. Article 9.2.e: Overt disclosure Article 9.2.g: Substantial public interest Article 9.2.f: Establishment, exercise or support of legal claims Article 9.2.h: Processing by a health professional Article 9.2.i: Public interest in the field of public health Article 9.2.i: Archiving, scientific or historical research - statistics Article 10: Processing of data of criminal convictions and offenses Article 11: Processing which does not require identity verification Article 12: Transparent information Article 12.2: Facilitation for the exercise of rights Article 12.3: Deadline for response in right Article 12.4: Deadline for informing non-action in right Article 12.5: Manifestly unfounded or excessive right requests Article 12.6: Information necessary to confirm the identity of the subject Article 13: Information during collection from the data subject Article 14: Information when the collection is not done by the data subject Article 15: Right of access Article 16: Right of correction Article 17: Right of deletion Article 18: Right to limit processing Article 19: Obligation to notify correction, deletion or restriction Article 20: Right to portability Article 21: Right of objection Article 22: Automated individual decision-making Article 23: Limitations of rights Article 24: Responsibility of the controller Article 24.2: Implementation of appropriate data protection policies Article 25.1: Data protection by design Article 25.2: Data protection by definition Article 26: Joint controllers Article 27: Representatives of managers or executors outside the EU Article 28: Processor of processing (regulations) Article 28.3: Arrangements of a contract (or other legal act) with processors Article 29: Processing under the supervision of the person in charge or the processor Article 30: Records of processing activities Article 31 - Law 4624/2019 article 66: Cooperation with the supervisory authority Article 32: Processing security Article 33: Notification of a personal data breach Article 34: Notification of a personal data breach Article 35: Impact assessment regarding data protection Article 36: Prior consultation Article 37 - Law 4624/ 2019 article 6: Definition of the data protection officer Article 38 - Law 4624/2019 article 7: Position of the data protection officer Article 39 - Law 4624/2019 article 8: Duties of the data protection officer Article 40: Codes of ethics Article 41: Monitoring of approved codes of conduct Article 42: Certification Article 43: Certification bodies Article 45: Transfers based on adequacy decision Article 46: Transfers subject to appropriate safeguards Article 47: Binding corporate rules Article 49: Derogations for special situations Article 50: International cooperation Article 55: Jurisdiction of the supervisory authority Article 56: Competence of the lead supervisory authority Article 56.2: Competence in local affairs Article 60: Cooperation between the head and interested supervisory authorities Article 61: Mutual assistance Article 62: Joint undertakings Article 63: Coherence mechanism Article 66: Urgent procedure Article 80 - n .4624/2019 article 41: Representation of data subjects Article 83: General conditions for imposing administrative fines Article 86 - n.4624/2019 article 42: Processing and public access to official documents Article 87: National identity number Article 89.1: Safeguards for purposes archiving, scientific or historical research, statistics Article 95 : Relationship with Directive 2002/58/EC