Policy, Jul 1, 2026

HDPA (Greece) - 10/2026

Greece's DPA fines two entities €160,000 for CCTV and data access request violations.

Summary

Greece's Data Protection Authority (DPA) has fined two organizations a total of €160,000 for multiple GDPR violations. The fines, €65,000 for an exhibition center operator and €95,000 for a supermarket chain, stem from issues related to CCTV footage disclosure, responses to data subject access requests, and adherence to data protection principles.

Full text

HDPA (Greece) - 10/2026, from GDPRhub

The DPA fined the operator of an exhibition centre and a supermarket chain €65,000 and €95,000 respectively for failures relating to the disclosure and further use of CCTV footage, responses to access requests and compliance with multiple data-protection principles and obligations.

English Summary

The DPA found that although the data subject’s access requests had been formulated clearly, both controllers nevertheless requested additional clarification, therefore making the exercise of his right of access more difficult.

Regarding controller A, the DPA noted that it had admitted using CCTV photographs in legal proceedings. It pointed out that although the purpose of defending legal claims appeared in its privacy policy, that policy did not specifically concern CCTV processing. It further held that controller A’s CCTV signage referred only to the protection of persons and property and neither contained the information required by Article 13 GDPR nor referred data subjects to a second-level privacy notice.

The DPA concluded that controller A had disclosed the footage from its CCTV system without first informing the data subject and had processed it without ensuring that the processing was compatible with the originally specified purpose. It therefore found that the controller had infringed the principle of transparency, the principle of purpose limitation and the principle of accountability, since it failed to demonstrate its compliance with the GDPR. The DPA fined controller A €20,000 for the violations of Article 5(1)(a) GDPR, Article 5(1)(b) GDPR, Article 13(1) GDPR and Article 5(2) GDPR. In addition, it imposed a separate €20,000 fine for the infringements of Article 5(1)(b) GDPR and Article 13(3) GDPR.

Moreover, the DPA concluded that controller A did not facilitate the exercise of the data subject’s right of access, as it neither provided him with all the relevant information required under Article 15 GDPR nor provided a copy of the personal data undergoing processing. It therefore imposed a fine of €20,000 for the violations of Article 12(1) GDPR, Article 12(2) GDPR, Article 15(1) GDPR and Article 15(3) GDPR.

Finally, the DPA found that controller A appeared to have appointed a Data Protection Officer but failed to communicate its DPO’s contact details to the DPA. It subsequently fined it €5,000 for the violation of Article 37(7) GDPR.

Regarding controller B, the DPA rejected the argument that the vehicle depicted in the photographs could not constitute personal data. It clarified that a vehicle registration plate may constitute personal data where it enables the identification of the vehicle’s owner. It further rejected controller B’s argument that its security guards had acted entirely on their own initiative. The DPA stressed that controller B was responsible for ensuring that appropriate technical and organisational measures, including staff training and instructions concerning data protection, were in place to ensure compliance with the GDPR. In addition, it pointed out that the email address that controller B had publicly indicated as a privacy contact point was misleading since it appeared not to be managed by a natural person capable of responding to requests. The DPA also noted that no notification of controller B’s DPO contact details appeared in its records, as required under Article 37(7) GDPR where a DPO has been appointed.

The DPA found that controller B had disclosed CCTV material without properly informing

Entities

HDPA (vendor)