Vodafone Greece – ΠΑΝΑΦΟΝ Ανώνυμη Ελληνική Εταιρεία Τηλεπικοινωνιών – €22,000 Fine (Greece, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Vodafone Greece was fined for failing to provide a former employee with access to their personal emails after they left the company. This is significant because it shows that companies must keep records and respond to access requests properly. It serves as a reminder for businesses to manage employee data responsibly.
What happened
Vodafone Greece failed to provide a former employee with access to their personal emails as requested under privacy laws.
Who was affected
The former employee of Vodafone Greece was affected by the company's failure to respond to the access request.
What the authority found
The Greek Data Protection Authority found that Vodafone did not comply with the rules regarding access requests and imposed a fine.
Why this matters
This ruling stresses the importance of maintaining employee records and responding to access requests in a timely manner, which is crucial for compliance with privacy regulations.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
Entities Involved
The data subject was a former employee of Vodafone – Panafon S.A. (the controller). The data subject had filed a lawsuit against the controller on November 2020 regarding a labour dispute between them. In that context, on 4 December 2020 the data subject had submitted an access request to the controller, under Article 15 GDPR. She aimed to access her personal data, including all emails sent from her corporate account and those in which she was listed as either the sender or the recipient. The controller had not provided the requested documents, stating that it had deleted them in 2016 within ninety days of the termination of the employment relationship and did not keep them in its records. The controller had further argued that the deletion of an employee’s email account upon their departure from the company cannot be extended to any sent messages that were scattered within and outside its organisation. On 12 January 2021 the data subject filed a complaint with the Greek DPA against the controller. The DPA issued the decision 19/2022 on this matter. The DPA reprimanded the controller for failing to notify the data subject in time about the extension of the deadline for responding to her access request. However, it did not order Vodafone to provide copies of the requested emails, finding that the data subject had not sufficiently specified which emails she sought and why they were necessary for the pending labour proceedings. On 9 February 2023, the data subject filed a request for reconsideration with the DPA, relying on new evidence. She submitted printouts of six emails which the controller had submitted to the court on 13 December 2022 during the labour proceedings, although it had previously stated that it no longer held such emails. Regarding the new submitted evidence, the controller argued that these did not originate from the data subject’s email account but from the email account of her former supervisor. The former supervisor claimed that, upon leaving the
Related Enforcement Actions (0)
No other enforcement actions found for Vodafone Greece – ΠΑΝΑΦΟΝ Ανώνυμη Ελληνική Εταιρεία Τηλεπικοινωνιών in GR
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
21 April 2026
Authority
Hellenic Data Protection Authority
Fine Amount
€22,000
GDPRhub ID
gdprhub-10028About this data
Cite as: Cookie Fines. Vodafone Greece – ΠΑΝΑΦΟΝ Ανώνυμη Ελληνική Εταιρεία Τηλεπικοινωνιών - Greece (2026). Retrieved from cookiefines.eu
Last updated: