Anonymous data subject – Complaint Upheld (Greece, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Greek Data Protection Authority found that a bus company wrongly included unnecessary information in a former employee's service certificate and failed to respond to his data access request. This case highlights the importance of data minimization and timely responses to data requests.
What happened
A bus company added unnecessary information to a service certificate and ignored a former employee's request for video footage.
Who was affected
A bus driver who was dismissed and requested access to video footage related to his dismissal.
What the authority found
The Greek DPA decided the bus company violated GDPR by including unnecessary information in a certificate and not responding to a data access request.
Why this matters
This case emphasizes the need for companies to only include necessary information in documents and to respond promptly to data access requests. It serves as a reminder to businesses to respect data minimization principles and comply with access rights under GDPR.
GDPR Articles Cited
Entities Involved
A bus driver ("X") working for the Municipal Transport Company of Rhodes ("RODA") was dismissed following a controversial incident. After having been dismissed, X asked RODA to provide him with a certificate of service. According to the applicable Greek law, such certificate should indicate the identity of the individual concerned, the type of occupation, as well as the period of employment. RODA however delivered a certificate which also included, in addition to the legally required information, the fact that X had been fired because of a criminal act. X considered that adding this information on the certificate was disproportionate and could cause him prejudice. Exercising his right to access under Article 15 GDPR, X requested RODA to provide him with a copy of the video-tape from the bus camera in order to verify what had happened on the day of the controversial incident. In accordance with Article 12(3) GDPR, RODA had the obligation to answer that request within one month upon receipt. RODA however never replied to X's request. X considered that by acting this way, RODA had infringed the GDPR. He therefore lodged a complaint with the Greek DPA. During the procedure, RODA explained that it had orally informed X of the fact that the video-tapes of the bus were systematically deleted after 7 days. X, however, denied having received that information. After considering all the facts of the case, the Greek DPA found that RODA had breached Article 5(1) GDPR (principle of data minimisation), as well as Article 12(3) and 15 GDPR (right of access by the data subject - obligation to reply within a month). In particular, the Greek DPA considered that, by adding on the certificate of service an information that was unnecessary and which could cause prejudice to the data subject, RODA had infringed the principle of data minimisation. Furthermore, by not replying to X's request to be provided with a copy of the video-tape, RODA had infringed its obligation with respect to a
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Anonymous data subject in GR
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Anonymous data subject - Greece (2021). Retrieved from cookiefines.eu
Last updated: