NN Hellas – €20,000 Fine (Greece, 2025)

The data subject had taken out insurance from NN Hellas, an insurance company (controller) which included the ‘Dental Care NN Hellas’ coverage plan. The provider of the dental services under his insurance contract was MEDIADENT, a dental clinic. In 2023, NN cancelled its dental care program. The data subject, in order to prove that his treatment was not completed yet, requested access to the recorded phone calls between him and Dental Care NN Hellas call center made in 2023, via email. NN Hellas did not provide him this data. The data subject lodged a complaint with the DPA (HDPA) claiming that NN Hellas failed to satisfy his access request. NN Hellas claimed that it had already responded to the data subject that the call center storing the recorded telephone communications belonged to Mediadent and NN Hellas did not have access to the data. It further claimed that Mediadent was the controller of personal data regarding the recording of phone calls since the purpose of this processing was the provision of dental services by Mediadent. According to NN Hellas, the latter was a controller only for the processing of its clients’ data in the context of the execution of the insurance contract between them and had no involvement in any other processing carried out by the respective health care provider. Mediadent, did not provide clarifications to the DPA, did not formally appear to the hearing and did not file a submission. For NN Hellas: The DPA, after examining the terms in the contractual agreement and the privacy policy between NN Hellas and Mediadent, came to the conclusion that NN Hellas determined the purpose and means of processing regarding the recording of telephone calls by the call centre managed by MEDIADENT. In particular, NN Hellas set clear and specific operating instructions for the call centre, ordered the possibility to record, transcribe and send calls in a compatible file format to NN Hellas and stipulated that Mediadent would send monthly