HDPA (Greece) - 48/2023

From GDPRhub
Revision as of 14:58, 21 March 2024 by Inder-kahlon (talk | contribs) (→‎Holding)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
HDPA - 48/2023
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(a) GDPR
Article 6(1) GDPR
Article 12(3) GDPR
Article 12(4) GDPR
Article 15 GDPR
Type: Complaint
Outcome: Upheld
Started: 27.04.2022
Decided: 26.01.2024
Published: 26.02.2024
Fine: 1000 EUR
Parties: n/a
National Case Number/Name: 48/2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: Inder-kahlon

The Hellenic DPA imposed €1,000 administrative fine on an accountant for unlawfully collecting and using personal data without proper authorisation, violating Article 5(1)(a) GDPR and Article 6(1)) GDPR.

English Summary


The data subject, who lives abroad and had no contact with his deceased father, lodged a complaint against his father’s accountant for the unauthorised and unlawful processing of his personal data. The data subject discovered through the Tax Office of Athens that an income statement for the year 2020 of his father had been submitted via email by the accountant after his father’s death. The data subject complained that this tax return was submitted without their consent or knowledge and that the accountant who submitted it on behalf of the data subject used his personal data, including his full name and tax identification number, designating him as his father’s tax representative. 

The defendant argued, among other things, that he prepared and submitted the income statement to ease the burden on the data subject, as instructed by the data subject’s deceased father. The accountant further claimed that the name and VAT number of a living relative of the deceased as his representative were a requirement of the tax office, and the data was provided by the data subject’s father when he was alive. The accountant also stated that it was not possible to contact the data subject at the time of submitting the disputed income statement, as the data subject was living abroad and had no way of communicating with him. Finally, the accountant pointed out that the disputed personal details of the data subject, i.e., his name and VAT number, were shared exclusively with the tax office to which they were already known.

The data subject stated that he and his father did not maintain a relationship, as his mother had sole custody. He also mentioned that he only acquired a VAT number after receiving properties from his mother, and neither his father nor his father's accountant had knowledge of his tax affairs. Moreover, the data subject contested the existence of an authorization or mandate from his father to the accountant, citing a lack of evidence. Additionally, the data subject noted that such authorizations, if any, typically expire upon the principal's death. The accountant’s action put the data subject at risk of incurring unknown administrative or criminal liabilities. Furthermore, the data subject disputed the accountant’s claim of technological incompetence, which the accountant cited as the reason for not responding to the data subject's request. The accountant stated that the data subject’s details were disclosed due to tax authorities' requirements and that the disclosure of the data subject’s VAT number did not harm him nor benefit the accountant. Additionally, the accountant pointed out that concerns about his contract or services with the deceased may lead to civil claims, not liability for violating data laws.


The Hellenic DPA found that the accountant had processed the data subject's personal data in violation of Article 5(1)(a) GDPR, Article 6(1) GDPR, Article 12(3) GDPR, Article 12(4) GDPR and Article 15 GDPR.

As such, the DPA issued a fine of €1,000 in total:

a) Fine of €500 for violations of Article 5(1)(a) GDPR, Article 6(1) GDPR.

b) Fine of €500 for violations of Article 12(3) GDPR, Article 12(4) GDPR and Article 15 GDPR.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

The Authority ruled that the collection and use of name and VAT number by an accountant on behalf of an heir without a relevant order constitutes a violation of articles 5 par. 1 item. a) and 6 para. 1 GDPR, while also ruling that the complained data controller violated the provisions of article 15 GDPR in combination with the provisions of article 12 paras. 3, 4 GDPR, as he improperly responded to the subject's access request.

The Authority imposed by a majority a total fine of 1,000 euros on the complained controller for the above infringements.