KOTSOVOLOS S.A – €40,000 Fine (Greece, 2021)

The complainant had bought a product from a seller (Controller A). It was agreed that the price of the product would not been paid in full at the time of the sale, but rather via several installments. Shortly thereafter, the Complainant decided to return the product. Despite this return, the Complainant realized that he was still being charged every month on his credit card. he therefore contacted Controller A in writing (via the Facebook Messenger App) and asked the latter to notify the bank (Controller B) of the need to cancel his credit card installments. Controller A however did not notify Controller B. The Complainant therefore attempted to directly contact Controller B with the same request. Controller B never answered him. The Complainant then requested Controller A to provide him with a copy of the correspondence it had with Controller B with respect to the installments. Controller A however refused to grant him access to this information on the basis of that the communication that had taken place with the bank constituted an internal communication with "no possibility of disclosure". In this context, the Complainant decided to file a complaint with the Greek DPA (the HDPA) The HDPA held that Controller A and B should have responded positively to the request of the Complainant in accordance with Article 12(2) GDPR and Article 15 GDPR. The HDPA imposed an administrative fine of EUR 20,000 on each Controller for failure to comply with the the right of access.