Bookstore of Hestia – €9,000 Fine (Greece, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The controller is a publishing company, Bookstore of Hestia. The data subject is a writer, contracted with the controller, who published books under a pseudonym because he wished to hide his authorship from his immediate family and professional environment. The data subject belongs to a gender minority, whose problems are the focus of his writing. In February 2024, the data subject received an email from the controller at his personal email address, which was visible to the other recipients of the message, numbering approximately 55 people. This resulted in the disclosure of his real identity to all third parties.

The data subject lodged a complaint with the DPA (the Hellenic Data Protection Authority, HDPA), alleging that the above breach resulted in the disclosure to the other recipients of the email of his personal data relating to his gender identity, which therefore constitutes a special category of personal data. He also claimed that the breach caused him shock and serious psychological problems and put his career in danger. Furthermore, the data subject stated that the controller did not take any of the actions required under the GDPR after the critical incident pursuant to Article 34 GDPR and that it failed to implement appropriate technical and organisational measures.

The controller, on the other hand, claimed that the critical email message made no mention of the data subject’s name and did not reveal any special category personal data. In any case, according to the controller, it had a legitimate interest in the processing of the data, which consisted in the smooth operation of its warehouse and distribution system and, ultimately, its financial interests.

First, the DPA held that the controller disclosed special category personal data to third parties by revealing to the recipients of the email the data subject’s real name and pseudonym. Second, it found that the controller had not taken any technical and organisational measures to ensure an adequat
Related Enforcement Actions (0)
No other enforcement actions found for Bookstore of Hestia in GR
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
21 July 2025
Authority
Hellenic Data Protection Authority
Fine Amount
€9,000
GDPRhub ID
gdprhub-9576
Cite as: Cookie Fines. Bookstore of Hestia - Greece (2025). Retrieved from cookiefines.eu