National Bank of Greece – €20,000 Fine (Greece, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The National Bank of Greece was fined EUR 20,000 after it issued replacement contactless debit and credit cards whose chip stored a history of recent transactions, readable by a device held close to the card, without informing customers or obtaining their consent for that storage. The case matters because it shows that a controller must tell data subjects about every processing operation a product performs, and must give them a real choice over any processing that is not necessary for the service itself.
What happened
The bank replaced all customers' debit and credit cards with contactless cards whose chip stored the last 10 transactions (date, amount and currency, according to the bank) without informing customers of this storage or letting them refuse the replacement.
Who was affected
Customers of the National Bank of Greece whose cards were replaced were affected.
What the authority found
The Hellenic Data Protection Authority found that storing the transaction history was not necessary for contactless payments, so it could only be based on the customer's consent, and that the bank had failed to inform customers about this processing, breaching the GDPR's requirements on consent and transparency.
Why this matters
The ruling shows that a controller cannot bundle optional data processing into a product that customers cannot refuse: processing that is not necessary for the service needs the data subject's consent, must be disabled by default, and must be disclosed so that customers can object to it.
GDPR Articles Cited
Original scraped data
Data from the scraper before AI verification against the source document.
The National Bank of Greece (the controller) replaced all debit/credit cards of its customers (data subjects) with new ones capable of contactless transactions. Data subjects could not refuse the replacement. The new cards embedded a chip that stored information on the last 10 transactions. According to the controller, this information included only the date, the amount and the currency of each transaction. Third parties could gain unauthorised access to this data by placing a "reading" device (e.g. a smartphone with malicious software installed) close to the card. According to the card manufacturer (Mastercard), this feature was not necessary for carrying out contactless payments; adding it was the controller's choice, and the controller also determined the range of data collected. However, the controller did not inform the data subjects about these processing operations.

After a data subject's complaint in 2015, the Greek DPA issued a warning in Decision 48/2018 (https://www.dpa.gr/sites/default/files/2019-10/48_2018anonym.pdf). The DPA held that, since the collection performed by the chip was not necessary for carrying out contactless payments, the processing could only be based on the data subject's consent. The DPA therefore ordered the controller to inform the data subjects who already possessed the cards in question, and had not granted their consent, about the storage of the transaction history. The information could be delivered by any appropriate means (such as email, postal notice, or a message through the e-banking account). This would give the data subjects the opportunity to object to the processing (Article 21 GDPR). In case of an objection, the controller had to deactivate the collection of the transaction history or issue a new card without this feature. For cards issued in the future, the feature had to be deactivated by default and could be activated only on the basis of the data subject's consent. On 15 No
Related Enforcement Actions (2)
Other enforcement actions involving National Bank of Greece in GR
Details
Fine Date: 14 July 2022
Authority: Hellenic Data Protection Authority
Fine Amount: €20,000
GDPRhub ID: gdprhub-5400
Cite as: Cookie Fines. National Bank of Greece - Greece (2022). Retrieved from cookiefines.eu