METRO SA – €50,000 Fine (Greece, 2024)

€50,000Hellenic Data Protection Authority27 June 2024Greece
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

METRO SA was fined €50,000 because a former employee sent personal messages to a customer without permission. The company failed to respond to the customer's request to access and delete their data. This case highlights the importance of protecting customer information and responding to data requests.

What happened

A former employee sent text messages to a customer's private phone without permission.

Who was affected

The customer who had an account with METRO SA and received the unauthorized messages.

What the authority found

The Hellenic Data Protection Authority found that METRO SA did not take proper steps to protect personal data and failed to comply with the customer's request.

Why this matters

This ruling emphasizes that companies must have strong data protection measures in place and respond to customer requests. It serves as a reminder for businesses to prioritize customer privacy.

GDPR Articles Cited

AI-verified

Art. 15(GDPR)
Art. 17(GDPR)
Art. 24(GDPR)
Art. 32(GDPR)
Art. 33(GDPR)
View original scraped data
Art. 15(GDPR)
Art. 17(GDPR)
Art. 24(GDPR)
Art. 32(GDPR)
Art. 33(GDPR)

Original data from scraper before AI verification against source document.

Source verified 12 March 2026
verified correct
Greece enforcementHellenic Data Protection Authority actionsAll METRO SA actions
Full Legal Summary
Detailed

The Hellenic DPA has imposed a fine of EUR 50,000 on METRO SA. A former employee had sent text messages to the private mobile phone of a customer who had a user account in the company's online store and had placed orders that had been delivered to them by the employee a few days earlier. The customer then reported the incident to the controller and requested access to and deletion of their personal data. However, the controller did not respond to the incident, arguing that the order was in their husband's name. However, the DPA found that the controller should have complied with the request and that the controller had failed to install appropriate technical and organizational measures to protect personal data in order to avoid such an incident.

Related Enforcement Actions (0)

No other enforcement actions found for METRO SA in GR

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

27 June 2024

Authority

Hellenic Data Protection Authority

Fine Amount

€50,000

Enforcement Tracker ID

ETid-2400

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. METRO SA - Greece (2024). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: