Δ.Ε.Η. Α.Ε. (Public Power Corporation) – €28,000 Fine (Greece, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Greece's Hellenic Data Protection Authority fined the Public Power Corporation for mishandling a customer's personal data. The customer continued to receive calls about unpaid bills for properties he did not own, even after requesting that his data be erased. This case highlights the need for companies to have strong processes in place to protect customer data.
What happened
The Public Power Corporation failed to properly erase a customer's personal data related to properties he did not own.
Who was affected
The customer who received unwanted calls and notices about unpaid bills for properties that were not his.
What the authority found
The authority found that the Public Power Corporation did not implement adequate measures to ensure the customer's data was erased and protected.
Why this matters
This ruling underscores the importance of having effective data management practices. Businesses must ensure they properly handle erasure requests to avoid legal issues.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
Entities Involved
The data subject submitted a request to the controller ([https://www.dei.gr/en/ Δ.Ε.Η. Α.Ε.]) and asked for rectification and erasure of their personal data related to immovable assets that did not concern him. The confirmed the rectification and erasure of the personal data. However, from December 2020 to July 2021, the data subject continued to receive calls from law firms and collection agencies regarding outstanding bills for properties that were not his, neither owned nor rented by him. The data subject subsequently submitted another erasure request, asking for the removal of his tax number from the bills. Despite the controller's confirmation that the erasure request had been fulfilled, the data subject continued to receive harassing calls from collection agencies and law firms regarding unpaid bills. The data subject also received a payment notice from the municipality of Athens regarding the unpaid bills. The data subject lodged a complaint, stating that neither the law firms nor the municipality had notified the controller, nor the controller informed the relevant parties involved that these bills do not concern him. As per the data subject, this demonstrated a lack of appropriate technical and organisational measures on the part of the controller. The controller asserts that the issue arose from the complainant's failure to update the ownership information through the proper channels, resulting the erasure being applied only to the e-bill system. Consequently, data concerning the complainant continued to be processed by law firms and collection agencies acting on behalf of the controller to collect outstanding debts. The controller further explained that its disclosure of the complainant’s data to the municipality was done as per the Greek Law 3979/2011, in order to meet its legal obligations. The municipality which had not provided a timely response to the data subject’s request for information on the sources of data and other relevant information, stat
Related Enforcement Actions (0)
No other enforcement actions found for Δ.Ε.Η. Α.Ε. (Public Power Corporation) in GR
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
3 September 2024
Authority
Hellenic Data Protection Authority
Fine Amount
€28,000
GDPRhub ID
gdprhub-8557About this data
Cite as: Cookie Fines. Δ.Ε.Η. Α.Ε. (Public Power Corporation) - Greece (2024). Retrieved from cookiefines.eu
Last updated: