Athens Urban Transport Organization (OASA) – €50,000 Fine (Greece, 2023)

€50,000 · Hellenic Data Protection Authority · 13 June 2023 · Greece
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The Athens Urban Transport Organization (OASA) was fined €50,000 for keeping passenger data longer than necessary and not properly assessing privacy risks. The Greek Data Protection Authority found that OASA's data practices didn't meet GDPR standards. This case highlights the need for companies to regularly review how long they keep personal data and ensure their privacy assessments are thorough.

What happened

OASA kept passenger data for 20 years without justification and failed to conduct a proper privacy impact assessment.

Who was affected

Passengers using the Athens public transport system whose personal data was collected and stored.

What the authority found

The Greek Data Protection Authority found OASA violated GDPR by not limiting data storage time and failing to conduct an adequate data protection impact assessment.

Why this matters

This fine emphasizes the importance of not only limiting data retention to what's necessary but also conducting thorough privacy assessments. Businesses should ensure their data practices align with GDPR to avoid penalties.

GDPR Articles Cited

Art. 5(1)(e) GDPR
Art. 25(1) GDPR
Art. 35(1) GDPR

Full Legal Summary

The Athens Public Transport Authority (OASA) established a new electronic ticketing system. The system used passengers' passport number or other official identification document, their 8-digit code (PIN), their month and year of birth, and if applicable, their category of social beneficiary (for instance, if a passenger received social welfare benefits).

In 2017, the HDPA had issued two opinions regarding the OASA's electronic ticketing system. In these opinions, the HDPA considered that the OASA, as the controller, should carry out a data protection impact assessment (DPIA) for their electronic ticketing system. On 18 November 2019, the Authority carried out an on-site inspection at OASA to determine compliance with the previously issued opinions. Following this inspection, the HDPA found remaining issues and ordered OASA to make amendments to their system.

In March 2020, the OASA made new submissions to the DPA. These included a new DPIA, their record of prior processing activities, as well as a technical report from their contracted processor, "HELLAS SMARTICKET S.A.". Following these submissions, the HDPA still considered there to be issues with OASA's systems and requested additional information from them. After receiving this information, the HDPA deemed it to be unsatisfactory, and on 25 September 2023, the DPA proceeded to issue a decision.

The DPA found that the controller had violated Article 5(1)(e) GDPR and Article 35(1) GDPR.

(a) The DPA found that the controller had breached the principle of storage limitation under Article 5(1)(e) GDPR. In the course of their investigation, the DPA found that the controller aimed to retain personal data collected from their customers for 20 years, without demonstrating why this was necessary.

(b) The DPA found that the controller had violated Article 35(1) GDPR, as their DPIA insufficiently identified the data retention purposes in relation to their records of processing. Moreover, the DPIA was unclear in ter

Related Enforcement Actions (0)

No other enforcement actions found for Athens Urban Transport Organization (OASA) in GR

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date: 13 June 2023
Authority: Hellenic Data Protection Authority
Fine Amount: €50,000
GDPRhub ID: gdprhub-6357

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Athens Urban Transport Organization (OASA) - Greece (2023). Retrieved from cookiefines.eu
