HDPA (Greece) - 2/2020: Difference between revisions

From GDPRhub
(Created page with "{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;" ! colspan="2" |HDPA - 2/2020 |- | colspan="2" style="padding: 20px; background-color:#ffffff" |File:...")
 
No edit summary
Line 41: Line 41:
|}
|}


The HDPA imposed a EUR 5,000 fine on the biggest electric power company in Greece because it did not respond to data subject's right to access. The HDPA highlighted that even when the data controller does not keep any record of the data subject's personal data, it should notify the data subject of its inability to respond to the access request.
The HDPA imposed a EUR 5,000 fine on the biggest electric power company in Greece because it did not respond to data subject's right to access. The HDPA highlighted that even when the data controller does not keep any record of the data subject's personal data, it should notify the data subject of its inability to respond to the access request according to [[Article 12 GDPR#4|Article 12(4) GDPR]].


==English Summary==
==English Summary==

Revision as of 18:31, 18 March 2020

HDPA - 2/2020
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 12(4) GDPR

Article 15(3) GDPR

Type: Complaint
Outcome: Upheld
Decided: 21. 2. 2020
Published: n/a
Fine: EUR 5,000
Parties: Hellenic Public Power Corporation S.A. (ΔΕΗ Α.Ε.)
National Case Number: 2/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language:

Greek

Original Source: HDPA (GR)

The HDPA imposed a EUR 5,000 fine on the biggest electric power company in Greece because it did not respond to data subject's right to access. The HDPA highlighted that even when the data controller does not keep any record of the data subject's personal data, it should notify the data subject of its inability to respond to the access request according to Article 12(4) GDPR.

English Summary

Facts

The complainant exercised their right of access asking the DPO of the Hellenic Public Power Corporation SA to provide them copy of any correspondence from 2015 until the present, but they did not receive any response. The HDPA asked the company to clarify its position.

Holding

The HDPA stressed that the fulfillment of the right to information and access does not require the data subject to prove any legitimate interest; this interest is inherent in the right to access, so that transparency and legitimacy of processing can be assured. Similarly, there is no requirement for the data subject to invoke any particular reasons why they want to exercise their right to access.

The HDPA emphasised that, following the case law of the Greek Council of State, even in the case that the data controller does not keep any record of the data subject's personal data, it will still have the obligation to reply pursuant to Article 12(4) GDPR.

The HPDA found that after one month from the receipt of the data subject's complaint, the company as data controller did not notify the data subject of its inability to promptly respond to their request. Thus, the HDPA imposed a fine of EUR 5,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

This is an available machine translated decision. Please refer to the Greek original decision for details.