Rhodes Municipal Transport Company – €8,000 Fine (Greece, 2021)

The Hellenic DPA has imposed a fine of EUR 8,000 on the Rhodes Municipal Transport Company. A former employee had filed a complaint against the controller with the DPA. The former employee was in a legal dispute with the controller after the latter had reported him for alleged embezzlement. Against this background, he had asked the controller to send him, for his defense in the criminal proceedings, a copy of the video recordings recorded by the bus's video surveillance system on the day on which the incident in question allegedly occurred. However, the controller had never responded to his request. The DPA considered this to be a violation of the data subject's right to information pursuant to Art. 12 (3) GDPR and Art. 15 GDPR. Furthermore, the controller had provided the data subject with a certificate about his previous employment, which, in addition to the type and duration of employment, also contained the information that he had been dismissed due to a criminal offense. The DPA considers this to be a violation of the principle of proportionality pursuant to Art. 5 (1) c) GDPR. The fine is composed proportionately of EUR 3,000 for a violation of Art. 5 (1) (c) GDPR and EUR 5,000 for a violation of Art. 12 (3) and Art. 15 GDPR.