HDPA - 4/2020

From GDPRhub
Revision as of 08:13, 24 March 2020 by AL (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Greece |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoGR.jpg |DPA_Abbrevation=HDPA |DPA_With_Country=HDPA (Greece) |Case_Number_Name=4/2...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
HDPA - 4/2020
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(2) GDPR
Article 15(1) GDPR
Article 15(3) GDPR
Type: Complaint
Outcome: Upheld
Decided: 20.03.2020
Published: n/a
Fine: 5000 EUR
Parties: Centre for speech therapy
National Case Number/Name: 4/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: {{{Initial_Contributor}}}

The HDPA fined € 5.000 private centre for speech therapy because it did not fulfill the right of access exercised by a parent, who had the parental responsibility but not the custody, on behalf of his minor child. The controller also ignored HDPA's previous order to comply with the parent's request, thus violating Article 15(1) and (4) GDPR as well as the principle of accountability pursuant to Article 5(2) GDPR.

English Summary


The complainant requested twice via e-mail all data that the Centre as data controller held on his minor child. The controller refused to provide the data because of the complainant's ex-wife's (and mother's of his child) refusal. The controller argued that the mother had custody.

The HDPA first asked the controller to immediately fulfill the complainant's request according to Article 15(1) and (3) GDPR and inform the authority accordingly. It invoked is own case law, according to which any parent who has parental responsibility of the child may have the right of access according to Article 15, even if they don't have custody, unless there is a specific court decisions ordering otherwise e.g. prohibition of communication with the child. The controller did not comply and it did not notify the HDPA of any decision it took with this regard.


May a data controller refuse to fulfill the right of access without any response of a parent who exercise it on behalf of their minor child, if this parent has parental responsibility but not custody?


The HDPA, as had initially decided, found that the controller should have fulfilled the complainant's right of access or should have justified its refusal to do so -especially after the HDPA's initial order. Thus, it found that the controller had violated Article 15 (1) and (3) as well as the principle of accountability as provided for in Article 5(2) GDPR.


Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.