Vodafone – €40,000 Fine (Greece, 2023)

€40,000 | Hellenic Data Protection Authority | 20 February 2023 | Greece
final
ePrivacy
Fine

Vodafone faced another €40,000 fine for mishandling a user's request for call recordings, sending the wrong recordings instead. This case is significant because it shows that companies must ensure they are providing the correct personal data when requested. Businesses should have strong processes in place to handle data access requests accurately.

What happened

Vodafone sent a user recordings of another person's calls instead of their own when they requested access.

Who was affected

The user who made the request for their own call recordings from Vodafone.

What the authority found

The Hellenic DPA found that Vodafone violated the user's right to access their personal data by providing incorrect information.

Why this matters

This ruling emphasizes the importance of accuracy in handling personal data requests and the potential consequences of errors.

GDPR Articles Cited

AI-verified

Art. 13 GDPR
Art. 15 GDPR

Entities Involved

Vodafone
Citizen
Source verified 4 April 2026
articles corrected
Full Legal Summary

The data subject made an access request to the controller, Vodafone, asking for a copy of the recordings of the conversations they had with the company's call center. However, the data subject received a CD with the recording of the conversations of another person. Concerned that their conversations were also mistakenly sent to someone else's address, the data subject contacted the controller to inform it of what had happened. Although the controller was immediately notified, it did not take any action to investigate the incident. On the contrary, it sought to transfer responsibility to the processor and suggested that the data subject contact it to return the CD. Not satisfied with this solution, the data subject filed a complaint with the Greek DPA.

The Hellenic DPA underlined that the right of access to personal data also includes the right to obtain a copy of the data being processed (Article 15(3) GDPR). It also emphasized that the exercise of this right does not need to be justified by a legitimate interest, as transparency is a condition for the effective protection of personal data.

In addition, the DPA recalled that, in accordance with Article 4(12) GDPR, 'personal data breach' means a breach of security leading to the accidental or unauthorised disclosure of personal data. When this occurs, the data subject may suffer physical, material or moral damages. For this reason, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority (Article 33 GDPR).

In the case at hand, the DPA held that the controller failed to comply with both obligations and imposed a fine of €40,000.

Violations (1)

Cookies Placed Before Consent
critical

Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.

Art. 6(1) GDPR

Details

Fine Date

20 February 2023

Authority

Hellenic Data Protection Authority

Fine Amount

€40,000

GDPRhub ID

gdprhub-5818

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Vodafone - Greece (2023). Retrieved from cookiefines.eu
