Vodafone – ΠΑΝΑΦΟΝ Ανώνυμη Ελληνική Εταιρεία Τηλεπικοινωνιών – €30,000 Fine (Greece, 2026)

€30,000Hellenic Data Protection Authority11 February 2026Greece
final
ePrivacy
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Vodafone was fined €30,000 for not properly handling a customer's requests for access to recorded phone calls. The company failed to provide all requested recordings and misled the customer about her rights. This ruling shows that companies must be transparent and responsive to customer requests regarding their personal data.

What happened

Vodafone did not fully comply with a customer's requests for access to her recorded phone calls.

Who was affected

A customer who requested access to her recorded phone calls related to a technical issue she reported.

What the authority found

The Hellenic Data Protection Authority found that Vodafone obstructed the customer's right to access her data and imposed a fine for this violation.

Why this matters

This case emphasizes the need for companies to improve their processes for handling customer data requests. Businesses should train staff to ensure compliance with data access rights.

GDPR Articles Cited

AI-verified

Art. 15(GDPR)
Art. 18(GDPR)
Art. 12(1) GDPR
Art. 12(2) GDPR
Art. 12(3) GDPR
Art. 12(4) GDPR
View original scraped data
Art. 12(GDPR)
Art. 15(GDPR)
Art. 18(GDPR)

Original data from scraper before AI verification against source document.

Source verified 4 April 2026
articles corrected
Greece enforcementHellenic Data Protection Authority actionsAll Vodafone – ΠΑΝΑΦΟΝ Ανώνυμη Ελληνική Εταιρεία Τηλεπικοινωνιών actions
Full Legal Summary
Detailed

A data subject filed a complaint against Vodafone – Panafon S.A., a telecommunications provider (the controller), with the Greek Data Protection Authority (HDPA). She had submitted three access requests seeking all recorded phone calls concerning a technical fault she had reported. The first two requests were rejected by the controller as vague, and the third request was only partially satisfied; some recordings were provided, but not all requested calls, and the controller did not inform her within one month about deficiencies in her request or the reasons for not fully complying. The data subject also alleged that the controller obstructed the exercise of the right of access to the recorded conversations in question, resulting in some of them being deleted because the prescribed retention period had expired, a risk which, as alleged, had been pointed out to the controller. In particular, she requested restriction of processing to prevent deletion of recordings after the one-year retention period, but the controller did not properly address this request. Furthermore, the controller provided misleading information through a representative regarding the manner of exercising or satisfying customers' right of access to recorded conversations concerning them. The HPDA upheld the complaint and imposed an administrative fine of €30,000. It also ordered the controller to adopt appropriate technical and organizational measures and improve staff training, with proof of compliance within six months. Specifically, it held that the controller violated Article 12(1), (2), (3), and (4) GDPR, because it failed to inform the data subject within one month of the deficiencies in the application, effectively prevented the exercise of the right and provided contradictory information, amounts to lack of transparency. Moreover, it argued that the controller breached Article 15 GDPR by failing to provide full access to all requested recorded conversations and Article 18 GDPR by not

Violations (2)

Unclear Cookie Information
high

The cookie banner or cookie policy provides vague, incomplete, or unclear information about what cookies are used and why.

Art. 12, 13 GDPR

Misleading Banner Messaging
critical

The cookie banner uses misleading language to trick or pressure users into accepting cookies (dark patterns).

Art. 7 GDPR

Related Enforcement Actions (0)

No other enforcement actions found for Vodafone – ΠΑΝΑΦΟΝ Ανώνυμη Ελληνική Εταιρεία Τηλεπικοινωνιών in GR

This is the only recorded action for this entity in this jurisdiction.

Similar Cases

Enforcement actions with similar violations

ANSPDCP

2025 · Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal

CNIL

2019 · Court of Justice of the European Union

Details

Fine Date

11 February 2026

Authority

Hellenic Data Protection Authority

Fine Amount

€30,000

GDPRhub ID

gdprhub-9831

Sources

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Vodafone – ΠΑΝΑΦΟΝ Ανώνυμη Ελληνική Εταιρεία Τηλεπικοινωνιών - Greece (2026). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: