Bookstore of Hestia – €9,000 Fine (Greece, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Bookstore of Hestia was fined for accidentally revealing a writer's real identity to a large group in an email. This is significant because it shows the serious consequences of mishandling personal information, especially for individuals who wish to remain anonymous.
What happened
The bookstore disclosed a writer's real name in an email sent to 55 recipients, violating privacy rules.
Who was affected
The writer, who used a pseudonym to protect their identity, was affected by the breach.
What the authority found
The Hellenic Data Protection Authority ruled that the bookstore failed to protect special personal data and did not take necessary precautions under GDPR.
Why this matters
This case emphasizes the need for businesses to implement strong data protection measures, especially when dealing with sensitive information. Companies should ensure they have proper safeguards to prevent similar breaches.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The controller is a publishing company, Bookstore of Hestia. The data subject is a writer, contracted with the controller, who published books using a pseudonym due to his desire to hide his authorship from his immediate family and professional environment. The data subject belongs to a gender minority, the problems of which are the focus of his writing. In February 2024, the data subject received an email to his personal email address from the controller which was visible to the other recipients of the message, numbering approximately 55 people. This resulted in the disclosure of his real identity to all third parties.
The data subject lodged a complaint with the DPA (Hellenic Data Protection Authority, HDPA) alleging that the above breach resulted in the disclosure to the other recipients of the email of his personal data relating to his gender identity, which therefore constitutes a special category of personal data. He also claimed that the breach caused him shock and serious psychological problems and put his career in danger. Furthermore, the data subject stated that the controller did not take any of the actions required under the GDPR after the critical incident pursuant to Article 34 GDPR and that it failed to implement appropriate technical and organisational measures.
The controller, on the other hand, claimed that the critical email message made no mention of the data subject’s name and it did not reveal any special category personal data. In any case, according to the controller, it had legitimate interest in the processing of the data which consisted in the smooth operation of its warehouse and distribution system and eventually its financial interests.
First, the DPA held that the controller disclosed special category of personal data to third parties by revealing to the recipients of the email the data subject’s real name and pseudonym. Second, it found that the controller had not taken any technical and organisational measures to ensure an adequat
Related Enforcement Actions (0)
No other enforcement actions found for Bookstore of Hestia in GR
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
21 July 2025
Authority
Hellenic Data Protection Authority
Fine Amount
€9,000
GDPRhub ID
gdprhub-9576
Cite as: Cookie Fines. Bookstore of Hestia - Greece (2025). Retrieved from cookiefines.eu