Elpedison – €168,709 Fine (Greece, 2024)

€168,709 | Hellenic Data Protection Authority | 28 February 2024 | Greece
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The Hellenic Data Protection Authority (HDPA) undertook an investigation following numerous complaints regarding unsolicited spam calls originating from companies acting as call centres (hereinafter "processor") on behalf of ELPEDISON A.E. (hereinafter "controller"), aimed at promoting the controller's products and services. In Greece, individuals have the option to register under Article 11 of Greek Law 3471/2006 (hereinafter "register-list") to opt out of unsolicited communications.

During the investigation, the HDPA rejected complaints that did not meet validity criteria. The remaining 40 potentially valid complaints were divided into four categories.

Category A: six complaints where the controller acknowledged a violation might have occurred.

Category B: three complaints where the controller disputed the occurrence of a violation.

Category C: twenty-nine complaints where the controller claimed to have fulfilled its obligation but the processor failed. Therefore, in addition to the controller, the investigation was extended to include five processors. These processors included BEFON (3 complaints), Call Experts (11 complaints), Televise (1 complaint), Zitatel (8 complaints), and Plegma Net (7 complaints).

Category D: two complaints that were still under investigation at the time.

The controller had failed in many cases to provide a correct, up-to-date register-list on time, pointing out the complex process that involves receiving the register-list from various providers, which it then needs to combine and send to the processors. The processor pointed out that delays in the register-list update were due to the 11 million phone numbers that required reformatting before they could be imported and the long time required to upload them into the relevant systems. Both the controller and its processors blamed human and systemic errors, claiming they were isolated incidents and not intentional. The Hellenic DPA found that the controller had breached Article 11 of Gre

GDPR Articles Cited

AI-verified

Art. 32 GDPR
Art. 5(1)(a) GDPR

National Law Articles

AI-identified

Art. 11 Greek Law 3471/2006

Entities Involved

Elpedison (controller): €127,709
Call Experts (processor): €10,000
Zitatel (processor): €11,000
Plegma Net (processor): €20,000

Source verified 6 March 2026 (articles corrected; national law identified; amount discrepancy; entity split needed)

Related Enforcement Actions (0)

No other enforcement actions found for Elpedison in GR

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date: 28 February 2024
Authority: Hellenic Data Protection Authority
Fine Amount: €168,709
GDPRhub ID: gdprhub-7830

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Elpedison - Greece (2024). Retrieved from cookiefines.eu
