National Bank of Greece – €200,000 Fine (Greece, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Hellenic Data Protection Authority fined the National Bank of Greece €200,000 for failing to respond properly to customer requests for access to their personal data. This is important because it shows that banks must handle access requests quickly and effectively, or they could face significant penalties. Other businesses should ensure they have proper procedures in place to manage such requests.
What happened
The National Bank of Greece was fined for not responding to customer access requests in a timely manner.
Who was affected
Customers of the National Bank of Greece who requested access to their personal data.
What the authority found
The Authority found that the bank's procedures for handling access requests were ineffective and led to long delays.
Why this matters
This case emphasizes the need for companies to have efficient processes for managing personal data requests. It serves as a warning that failure to comply with GDPR can result in hefty fines.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
The DPA received numerous complaints against the Greek National Bank (the controller) concerning the violation of the right of access of data subjects under Article 15 GDPR, due to non-satisfaction or long delays. Following this, the DPA investigated, ex officio, the procedures followed by the controller for such access requests.
The DPA found that in one instance the controller had used the data subject's personal data in the context of litigation between the two parties, data which the data subject itself had previously requested and had not been granted even after the expiration of the submission-deadline, resulting in an unfavorable evidentiary position for the data subject. In other cases, the DPA found that the controller only responded after between two and seven months, sometimes only partially or after intervention of the DPA.
The controller stated that in recent years there has been an increase in electronic fraud cases, which had led to a rapid increase in corresponding requests. According to the controller, every possible effort was made to serve its customers, seeking to exhaust every margin for their recovery; however, the proper and complete investigation of these incidents often proves to be time-consuming, as it requires a thorough search of the controller's files and systems, cooperation of all involved areas, evaluation of the actual incidents and communication with the other parties involved (e.g. beneficiary's bank, etc.). The controller also invoked its teleworking arrangements, due to which its access to the requested information was not possible in some cases.
The DPA found that the procedures followed by the controller for handling access requests were ineffective. The DPA held that, despite the existence of known complaints and issues with meeting the GDPR deadlines established by Article 12(2) GDPR, the controller was mobilized to record its relevant procedures only after the DPA initiated investigations. This,
Details
Fine Date: 9 January 2025
Authority: Hellenic Data Protection Authority
Fine Amount: €200,000
GDPRhub ID: gdprhub-8992
About this data
Cite as: Cookie Fines. National Bank of Greece - Greece (2025). Retrieved from cookiefines.eu