New York College S.A. – €5,000 Fine (Greece, 2020)

Data subject complained that the private college, New York College, made targeted phone call offering their participation in seminar for unemployed people. In the call the College approached them as if it knew their status as unemployed. The data subject had requested from the data controller information on how and why their personal data was processed but did not get any satisfying response. The HDPA held that according to the principle of accountability as provided for in Article 5(2) GDPR, the college as data controller has the burden of proof as to the lawfulness of processing. The HDPA found that the controller did not provide any information to this end, violating the principle of accountability. Moreover, the processing was conducted in an opaque way with regard to both its general policy and dealing with the data subject's request in particular. The HDPA ordered the controller to bring its processing operations into compliance with the GDPR and take all necessary measures to full internal compliance and accountability as foreseen in Articles 5(1) and (2) and 6(1) GDPR. Finally, it imposed the fine of € 5.000.