One Way Private Company – Violation Found (Greece, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
One Way Private Company was found to have made unsolicited marketing calls despite many people opting out. The Hellenic Data Protection Authority determined that the company did not supervise its processes well enough to prevent these calls. This is important because it shows that companies must ensure their marketing practices respect people's choices.
What happened
One Way Private Company made marketing calls to people who had opted out of receiving such communications.
Who was affected
Telephone subscribers who had registered to not receive marketing calls were affected.
What the authority found
The authority ruled that the company violated Article 32 of GDPR by failing to implement adequate measures to control its marketing practices.
Why this matters
This finding emphasizes that companies must actively manage their marketing processes to comply with privacy laws. It sets a precedent for accountability in direct marketing practices.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
Entities Involved
The Hellenic Data Protection Authority (HDPA) examined numerous complaints lodged by telephone subscribers (the data subjects) who received unsolicited marketing calls promoting products and services of ZENITH, a gas supply company acting as the controller. The calls were carried out either directly by the controller or by external call centers acting on its behalf as data processors, including One Way Private Company, Sigma & Kappa Import S.A., and Revma Plus Retail S.A. Many of the data subjects were registered in the opt-out registry under [https://www.dpa.gr/sites/default/files/2019-10/law_3471_06en.pdf Article 11 of Law 3471/2006], indicating that they did not wish to receive marketing calls. Despite this, they were contacted. The processors attributed these calls to human error, manual dialing mistakes, technical or systemic failures, or the use of random digit dialing systems. In certain cases, the controller argued that calls to former customers were made for market research or customer satisfaction purposes and relied on legitimate interest as the legal basis for processing. The controller claimed that it had adopted extensive compliance measures, including data processing agreements, audits of call centers, data protection impact assessments, staff training, and internal policies. Nevertheless, repeated violations were identified, particularly in relation to one processor, leading the controller to terminate its cooperation with that processor. The HDPA therefore examined whether the controller and its processors complied with [https://www.dpa.gr/sites/default/files/2019-10/law_3471_06en.pdf national law on privacy in electronic communications], as well as the relevant provisions of the GDPR. The HDPA held that the controller violated Article 32 GDPR by failing to implement and effectively apply appropriate technical and organizational measures to supervise and control its processors. In particular, the controller failed to promptly investigate complaint
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (1)
Other enforcement actions involving One Way Private Company in GR
Details
About this data
Cite as: Cookie Fines. One Way Private Company - Greece (2025). Retrieved from cookiefines.eu
Last updated: