HDPA (Greece) - 8/2026
Greece's HDPA fines energy provider and bank €110,000 over disputed direct debit mandates.
Summary
The Hellenic Data Protection Authority (HDPA) has fined an energy provider, ZENITH SA, €100,000 and PIRAEUS BANK €10,000 for mishandling a customer's direct debit mandates. Both entities failed to properly respond to the customer's access requests and breached the accuracy principle under GDPR. The energy provider was also found to have failed in its control over its processor.
Full text
Help HDPA (Greece) - 8/2026: Difference between revisions From GDPRhub Jump to:navigation, search VisualWikitext Latest revision as of 13:03, 10 July 2026 view source Ds (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators159 edits Tag: submission [1.0] (No difference) Latest revision as of 13:03, 10 July 2026 HDPA - 8/2026 Authority: HDPA (Greece) Jurisdiction: Greece Relevant Law: Article 5(1)(d) GDPR Article 12(1) GDPR Article 12(3) GDPR Article 15(1) GDPR Article 28(1) GDPR Type: Complaint Outcome: Upheld Started: 22.10.2023 Decided: 05.06.2026 Published: Fine: 110,000 EUR Parties: ZENITH SA (ΖΕΝΙΘ ΑΕ) PIRAEUS BANK (ΤΡΑΠΕΖΑ ΠΕΙΡΑΙΩΣ) National Case Number/Name: 8/2026 European Case Law Identifier: n/a Appeal: n/a Original Language(s): Greek Original Source: HDPA (in EL) Initial Contributor: ds The DPA fined an energy provider €100,000 and a bank €10,000 over a customer’s disputed direct debit mandates. Both controllers failed to properly respond to his access requests and breached the accuracy principle, while the energy provider also failed to control its processor. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts On 27 May 2020, a data subject entered into an electricity supply contract by telephone with the Greek energy provider ZENITH (controller A) for three service connections. The contract was concluded through controller A’s processor, Sigma and Kappa Import S.A. During the call, the data subject provided his bank account number (IBAN), at least for the purpose of paying one of the services by direct debit. On 4 June 2020, during a subsequent phone call with the processor, the data subject stated that he did not want the other two services to be paid by direct debit. When the relevant contract documents were later sent to him for signature, he signed only one of the three direct debit mandate forms. However, the data subject subsequently noticed that all three electricity bills were being paid by direct debit. On 13 August 2020, he contacted controller A to complain about the matter. Controller A replied on 2 September 2020 that two additional direct debit mandates had been activated inadvertently because its processor had failed to take the necessary steps. The data subject then repeatedly requested copies of the signed direct debit mandates, but claimed that controller A did not properly respond to those requests. The data subject also contacted his bank, Piraeus Bank (controller B), since the disputed payments were being made from his bank account. He argued that he had never authorised the two additional direct debit payments and made an access request on 16 February 2023, requesting copies of the direct debit mandates and information concerning their activation. Controller B replied that it acted only as an intermediary in the execution of payments and had a merely administrative role in the process. It did not provide copies of the mandates or access to the relevant electronic records held in its systems. On 22 October 2023, the data subject lodged two separate complaints with the Greek DPA (HDPA) against controller A and controller B, arguing that both controllers had infringed his right of access. Controller A argued that it had investigated the issue after the data subject’s initial complaint and had contacted its processor. According to controller A, the processor had reviewed the recorded telephone conversation and confirmed that the data subject had initially agreed to the activation of direct debit mandates for all three services, but later clarified that he wanted the mandate to apply only to one service. Controller A acknowledged that only one of the three mandate forms had been signed, but maintained that the data subject had not clearly revoked his earlier consent regarding the other two mandates. It also argued that, after being informed of the situation and the available cancellation options, the data subject did not cancel the mandates and only returned to the matter two years later, when the relevant call recording was no longer available. Controller A further maintained that it had already responded to the data subject in a timely and sufficiently detailed manner on 2 September 2020. Controller A also stated that it had concluded an agreement with its processor on 1 May 2019, under which the processor had to transfer the recorded call files to it, without keeping or copying them, and then delete the data from its own records. Controller A noted that, under its own retention policy, such data should be retained for five years after the end of the customer’s contract. However, it explained that, in practice, the processor operated the telephone recording system and had direct control over the recorded files. For this reason, the agreement was amended on 1 August 2021 to reflect the actual setup, expressly providing that the recorded calls were retained in a specific log file maintained by the processor. Since a long period of time had passed and the matter was considered closed, the processor had deleted the data subject’s recorded call. Controller B argued that it had not violated the data subject’s right of access. It stated that it had informed him that it had received, via the interbank payment system, electronic files from controller A containing the details of the three direct debit mandates. It also argued that it had described the information it held and explained how the SEPA Direct Debit system works. According to controller B, it could not provide copies of the signed mandates because it did not receive or retain the original written mandates. It further argued that it had neither the factual nor the regulatory ability to verify or modify the content of the direct debit mandates received from controller A. Holding Regarding controller A, the DPA found that when the data subject first challenged the activation of the direct debit mandates, the recorded call of 27 May 2020 was still available. Controller A therefore could and should have obtained direct access to the recording in order to verify its content and respond to the data subject on the basis of its own assessment, instead of merely relying on the processor’s review. The DPA also noted that, in its response of 2 September 2020, controller A had presented the relevant facts as established, accepted responsibility, and apologised to the data subject for the distress. The DPA held that, by 2 September 2020, controller A was already aware that the registration of direct debit mandates for two of the three services had been made inadvertently and did not reflect the data subject’s actual intention. As the controller, it should therefore have taken the necessary steps to correct the inaccurate data it held about him. According to the DPA, it instead continued to retain the inaccurate data and shifted the burden of correction to the data subject by asking him to take additional steps to cancel mandates which he had not validly given. The DPA also noted that the data subject’s objections could essentially be treated as rectification requests under Article 16 GDPR. It therefore found that controller A had violated the accuracy principle under Article 5(1)(d) GDPR and imposed a fine of €25,000. The DPA further noted that controller A responded to the data subject’s access request only after five months and merely referred him back to its previous communication of 2 September 2020. It stated that it did not provide accurate and complete information, in particular regarding the fact that it no longer held the signed mandate form relating to the data subject or the recorded telephone conversation. The DPA therefore held that controller A had violated Article 12(3) GDPR, as well as Article 15(1) GDPR read together with Article 12(1) GDPR, and imposed a further fine of €25,000. Finally, the DPA found that the processor had not fo