Alpha Bank – €10,000 Fine (Greece, 2023)

A complainant legally represented a company which had suffered electronic fraud resulting in money being transferred out of their bank account. The complainent visited the bank (the controller) to inform them about the fraud. The complainant later excercised a right of access under Article 15 GDPR to the bank (the controller) requesting access to log files in relation to the incident and video recordings (CCTV footage) of his visit to the bank. The bank failed to provide the requested copies of the data in a timely manner, and while the bank acknowledged the delay in their response to the data subject stating the request is being processed, the bank failed to provide the reasons for the delay. Additionally, the bank didn't notify the data subject about the extension to the one-month period set in Article 12(3) GDPR. On 17 May 2022, the data subject lodged a complaint before The Hellenic Data Protection Authority (HDPA) against the data controller. The bank later provided the log files, but failed to provide the video recordings, stating that video recordings were no longer available due to the expiration of the retention period of 45 Days. The Hellenic Data Protection Authority (HDPA) found that the controller had violated the data subject's right of access under Article 15 (1) GDPR and Article 15(3) GDPR. Furthermore, HDPA found that the data controller failed to fulfil its obligations under Article 5(1) and 12(3) of the GDPR. a) The HDPA found that the controller did not act in a timely manner, did not provided a reason for the delay and did not inform the data subject of an extension to the response time limit, thus violating its obligation under Article 12(3) GDPR. b) The HDPA determined that, despite receiving the Data Subject Access Request (DSAR) within the 45-day data retention period while the material was still available, the controller proceeded with the destruction of the video footage in accordance with its data retention policy without providing a c