One Way Private Company – Violation Found (Greece, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Hellenic Data Protection Authority (HDPA) examined numerous complaints lodged by telephone subscribers (the data subjects) who received unsolicited marketing calls promoting products and services of ZENITH, a gas supply company acting as the controller. The calls were carried out either directly by the controller or by external call centers acting on its behalf as data processors, including One Way Private Company, Sigma & Kappa Import S.A., and Revma Plus Retail S.A. Many of the data subjects were registered in the opt-out registry under Article 11 of Law 3471/2006 (https://www.dpa.gr/sites/default/files/2019-10/law_3471_06en.pdf), indicating that they did not wish to receive marketing calls. Despite this, they were contacted.

The processors attributed these calls to human error, manual dialing mistakes, technical or systemic failures, or the use of random digit dialing systems. In certain cases, the controller argued that calls to former customers were made for market research or customer satisfaction purposes and relied on legitimate interest as the legal basis for processing. The controller claimed that it had adopted extensive compliance measures, including data processing agreements, audits of call centers, data protection impact assessments, staff training, and internal policies. Nevertheless, repeated violations were identified, particularly in relation to one processor, leading the controller to terminate its cooperation with that processor.

The HDPA therefore examined whether the controller and its processors complied with national law on privacy in electronic communications (https://www.dpa.gr/sites/default/files/2019-10/law_3471_06en.pdf), as well as the relevant provisions of the GDPR. The HDPA held that the controller violated Article 32 GDPR by failing to implement and effectively apply appropriate technical and organizational measures to supervise and control its processors. In particular, the controller failed to promptly investigate complaint
GDPR Articles Cited
National Law Articles
Entities Involved
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Cite as: Cookie Fines. One Way Private Company - Greece (2025). Retrieved from cookiefines.eu