Policy, Jun 30, 2026

HDPA (Greece) - 10/2026

Greece's HDPA fines two companies €160,000 for GDPR violations related to CCTV footage.

Summary

The Hellenic Data Protection Authority (HDPA) has fined two companies, MEDE S.A. and MARKET IN S.A., a total of €160,000 for multiple GDPR violations. The violations stemmed from inadequate responses to data subject access requests concerning CCTV footage, unlawful processing, and unauthorized disclosure of personal data. Both companies were found to have delayed cooperation with the DPA during the investigation.

Full text

From GDPRhub. Latest revision as of 08:21, 30 June 2026.

HDPA - 10/2026

Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(b) GDPR; Article 5(1)(c) GDPR; Article 5(1)(a) GDPR; Article 5(2) GDPR; Article 12(1) GDPR; Article 12(2) GDPR; Article 13(1) GDPR; Article 13(3) GDPR; Article 15(1) GDPR; Article 15(3) GDPR; Article 31 GDPR; Article 37(7) GDPR
Type: Complaint
Outcome: Upheld
Started: 22.06.2023
Decided: 12.06.2026
Published:
Fine: 160,000 EUR
Parties: MEDE S.A.; MARKET IN S.A.
National Case Number/Name: 10/2026
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: ds

In a decision on two separate complaints, the DPA fined two controllers €65,000 and €95,000 respectively for failures relating to the disclosure and further use of CCTV footage, responses to access requests and compliance with multiple data-protection principles and obligations.

English Summary

Facts

A data subject submitted access requests to “MEDE S.A.”, a company operating an exhibition centre (controller A), and “MARKET IN S.A.”, a supermarket chain (controller B). He requested information concerning the collection and processing of his personal data through their respective CCTV systems. In particular, he asked for the relevant privacy notices, information on the personal data processed, the recipients of those data and copies of CCTV material disclosed to third parties. He also submitted photographs which allegedly originated from the CCTV systems of both controllers.
Both controllers initially requested further clarification. After the data subject clarified and repeated his request, they made clarifications concerning their CCTV policies and stated that they had never disclosed CCTV photographs depicting the data subject to third parties. They maintained that they could not answer the remaining questions.

The data subject then lodged separate complaints with the Greek DPA (HDPA) against both controllers. He alleged that they had inadequately responded to his access requests, unlawfully processed his personal data through their CCTV systems and unlawfully disclosed CCTV material to third parties.

Controller A claimed that its only active cameras were located at the entrance and on the ground floor of the exhibition centre and that they did not record sound. It stated that no recording had taken place on the first floor, where the data subject worked. Controller A further argued that it had lawfully used CCTV photographs in legal proceedings involving controller A, a third party and the data subject, in order to defend its legal rights. It further argued that the third party had obtained the CCTV material through the court file in those proceedings and did not receive it directly from controller A.

According to controller B, following an incident outside its premises, its security guards manually turned the cameras towards the data subject’s vehicle, printed the resulting images and delivered them to the prosecutorial authorities without the controller’s involvement. It further claimed that its cameras did not permanently record public areas. Controller B also argued that the photographs did not contain the data subject’s personal data because they only showed his vehicle.

Holding

The DPA took into account that during the investigation, both controllers responded only after repeated contact requests. It pointed out that controller B displayed particular difficulty in cooperating with the DPA, as it responded after significant delay.
The DPA also noted that both controllers had requested an extension to file further submissions but ultimately failed to submit them. The DPA found that although the data subject’s access requests had been formulated clearly, both controllers nevertheless requested additional clarification, thereby making the exercise of his right of access more difficult.

Regarding controller A, the DPA noted that it had admitted using CCTV photographs in legal proceedings. It pointed out that although the purpose of defending legal claims appeared in its privacy policy, that policy did not specifically concern CCTV processing. It further held that controller A’s CCTV signage referred only to the protection of persons and property and neither contained the information required by Article 13 GDPR nor referred data subjects to a second-level privacy notice.

The DPA concluded that controller A had disclosed the footage from its CCTV system without first informing the data subject and had processed it without ensuring that the processing was compatible with the originally specified purpose. It therefore found that the controller had infringed the principle of transparency, the principle of purpose limitation and the principle of accountability, since it failed to demonstrate its compliance with the GDPR. The DPA fined controller A €20,000 for the violations of Article 5(1)(a) GDPR, Article 5(1)(b) GDPR, Article 13(1) GDPR and Article 5(2) GDPR. In addition, it imposed a separate €20,000 fine for the infringements of Article 5(1)(b) GDPR and Article 13(3) GDPR.

Moreover, the DPA concluded that controller A did not facilitate the exercise of the data subject’s right of access, as it did not provide him with all the relevant information required under Article 15 GDPR nor provide a copy of the personal data undergoing processing. It therefore imposed a fine of €20,000 for the violations of Article 12(1) GDPR, Article 12(2) GDPR, Article 15(1) GDPR and Article 15(3) GDPR.
Finally, the DPA found that controller A appeared to have appointed a Data Protection Officer but failed to communicate its DPO’s contact details to the DPA. It subsequently fined it €5,000 for the violation of Article 37(7) GDPR.

Regarding controller B, the DPA rejected the argument that the vehicle depicted in the photographs could not constitute personal data. It clarified that a vehicle registration plate may constitute personal data where it enables the identification of the vehicle’s owner. It further rejected controller B’s argument that its security guards had acted entirely on their own initiative. The DPA stressed that controller B was responsible for ensuring that appropriate technical and organisational measures, including staff training and instructions concerning data protection, were in place to ensure compliance with the GDPR.

In addition, it pointed out that the email address that controller B had publicly indicated as a privacy contact point was misleading since it appeared not to be managed by a natural person capable of responding to requests. The DPA also noted that no notification of controller B’s DPO contact details appeared in its records, as required under Article 37(7) GDPR where a DPO has been appointed.

The DPA found that controller B had disclosed CCTV material without properly informing the data subject in advance. It imposed a €50,000 fine for infringements of the principle of transparency under Article 5(1)(a) GDPR, the information obligations under Article 13 GDPR and the accountability principle under Article 5(2) GDPR.

The DPA further found that controller B had failed to ensure that the personal data processed were relevant and limited to what was necessary for the intended purpose, therefore violating the principles of data minimisation and accountability. It fined it €20,000 for the violations of Article 5(1)(c) GDPR and Article 5(2) GDPR.
The DPA held that controller B had also failed to facilitate the data subject’s access request, as it did not provide all requested info

Entities

HDPA (vendor), CCTV (product), MEDE S.A. (vendor), MARKET IN S.A. (vendor)