"Α" – €1,400 Fine (Greece, 2024)

In 2019, the data subject asked their former lawyer (the controller) to return documents related to legal matters. Despite multiple requests, including an SMS in November 2019 and an email in April 2020, the controller failed to respond. The data subject continued pressing for the return of the documents through extrajudicial notices in September 2020 and June 2021, yet received no response. Afterwards, the data subject submitted a complaint to the Hellenic Data Protection Authority (HDPA) in December 2022, alleging that the controller had violated their data access rights under GDPR. The HDPA initiated an investigation, requesting written clarifications from the controller. However, the controller did not respond to the HDPA properly. The HDPA once again requested clarifications from the controller, reminding them of the obligation to cooperate with the supervisory authority, as derived from Article 31 GDPR. Subsequently, the HDPA requested more details and documents from the data subject. The HDPA scheduled a hearing during which the data subject emphasised that their right to access personal data had been violated by the controller's failure to return documents. Moreover, they mentioned that the controller had never denied having the documents and was required to delete them upon the revocation of consent. On the other hand, the controller claimed that the documents were either no longer retained or accessible through other means in their office. The controller also stated that the documents in question were already available from other sources, such as public records or court files, and that the request was therefore unnecessary. First, the HDPA held that the controller had violated Article 15 GDPR, by ignoring the data subject's access requests and withholding the requested documentation. Additionally, the HDPA found that the obligation to grant to the data subject access to their personal file should have been satisfied pursuant to the national law, [http