Hellenic Public Power Corporation S.A. (ΔΕΗ Α.Ε.) – €5,000 Fine (Greece, 2020)

The complainant exercised their right of access asking the DPO of the Hellenic Public Power Corporation SA to provide them copy of any correspondence from 2015 until the present, but they did not receive any response. The HDPA asked the company to clarify its position. The HDPA stressed that the fulfillment of the right to information and access does not require the data subject to prove any legitimate interest; this interest is inherent in the right to access, so that transparency and legitimacy of processing can be assured. Similarly, there is no requirement for the data subject to invoke any particular reasons why they want to exercise their right to access. The HDPA emphasised that, following the case law of the Greek Council of State, even in the case that the data controller does not keep any record of the data subject's personal data, it will still have the obligation to reply pursuant to Article 12(4) GDPR. The HPDA found that after one month from the receipt of the data subject's complaint, the company as data controller did not notify the data subject of its inability to promptly respond to their request. Thus, the HDPA imposed a fine of EUR 5,000.