GDPR Fine: €20,000 for Recorded Phone Calls – Key Takeaways from HDPA Decision 32/2025

The Hellenic Data Protection Authority (hereinafter the “HDPA” or the “Authority”) imposed a fine of €22,000 on an insurance company (NN Hellas – €20,000) and a cooperating dental company (MEDIADENT IKE – €2,000) for:

  • Refusal to satisfy the right of access to recorded telephone calls,
  • Improper cooperation with the HDPA,
  • Lack of transparency in determining controller/processor roles.

1. Background

The complainant held an insurance policy with NN Hellas that included the “Dental Care” program. To serve policyholders, NN Hellas partnered with MEDIADENT, which managed the program’s call center.

During telephone calls, policyholders were informed through a pre-recorded message that “for your safety and quality service, the call is being recorded,” while the service was presented as “Dental Care of NN HELLAS.”

On December 14, 2023, the policyholder submitted an access request via email to both companies, requesting transcripts of his telephone conversations that had taken place from July 24, 2023, to December 14, 2023, accurately specifying the date and time of each call.

Despite repeated communications (15/12/23, 20/12/23, 22/12/23, 27/12/23), neither company satisfied his request. NN Hellas referred the policyholder to MEDIADENT, while the latter completely ignored the request, although it had initially stated that it would provide the recordings.

2. Legal Framework

2.1. Telephone Calls – Personal Data

The complainant’s recorded telephone conversations constitute his personal data, according to Regulation 2016/679 (General Data Protection Regulation – GDPR), to which he, as a data subject, has the right to gain access, according to the provisions of Article 15 GDPR.

2.2. Data Protection Principles & Access Request

Specifically, according to the provisions of Article 15 paragraphs 1 and 3 GDPR:

“1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data […] The controller shall provide a copy of the personal data undergoing processing […].”

Furthermore, according to Article 12 paragraph 2 of the GDPR, the controller shall facilitate the exercise of data subject rights provided for in Articles 15 to 22 of the GDPR, while according to Article 12 paragraph 3 GDPR, the controller shall provide the data subject with information on action taken on a request under Articles 15 to 22 without undue delay and in any event within one month of receipt of the request.

The HDPA emphasized that the principle of accountability regarding transparency does not apply only at the point of data collection, but throughout the entire lifecycle of processing. Consequently, the rules that impose clear and transparent information also govern any response by the controller to a related access request.

In this context, the proper and timely satisfaction of the right of access constitutes a critical element for the transparency of processing and is directly connected to the principles of personal data protection.

2.3. Roles of the Parties

One of the central issues of the case concerned determining the data controller for the recording of telephone calls. NN Hellas initially argued that MEDIADENT was the “processor,” but later changed its position, arguing that MEDIADENT was the “controller.”

The HDPA, examining the private agreement between the companies from 2015, found that:

  • METLIFE (predecessor of NN Hellas) determined the purpose and means of processing consisting of recording telephone calls
  • Set specific operational specifications for the call center
  • Specified that it should have the capability of recording and sending calls to itself
  • Determined the purpose of processing (“for customer service and quality control of provided services”).

Therefore, NN Hellas acts as Data Controller and bears responsibility for processing the request, with the assistance of the Processor (MEDIADENT).

2.4. Transparency Towards Data Subjects

Despite the contract between the companies, the agreement and exact relationship were not transparent to the data subjects, who recognized only their contracting party NN Hellas as the controller. This emerged from:

  • The fact that the telephone was answered as “Dental Care of NN HELLAS”
  • The insurance contract referred to “Provision of Dental Care within the HEALTH Network”
  • Policyholders were informed by NN Hellas about the program’s termination.

3. Imposed Sanctions

3.1. NN Hellas

In this case, the HDPA ordered NN Hellas to satisfy the complainant’s Article 15 GDPR right of access by providing the requested files within ten (10) days, and imposed an administrative fine of €20,000 for violation of his right of access.

For determining the fine, it took into account:

  • Its degree of responsibility, as it has not implemented a specific procedure for responding to data subjects’ access requests
  • The contradictory stance regarding MEDIADENT’s role
  • Indifference to proper satisfaction of the right for a long period
  • The impact of non-provision on the possibility of effective exercise of legal claims by the policyholder
  • The company’s turnover.

3.2. MEDIADENT

MEDIADENT was fined €2,000 for violating the obligation to cooperate with the supervisory authority (Article 31 GDPR), as it:

  • Did not respond to either of the two HDPA documents
  • Did not appear at the hearing on 21/5/2025
  • Processed health data of a significant number of subjects

4. Practical Advice for Public and Private Sector Organizations

There are numerous organizations that proceed with recording telephone conversations, and most utilize external partners. The decision under examination confirms that particular attention should be given to the following (indicatively):

  • Standardized Procedures:
    • For receiving and processing requests (e.g., secure provision of access to recorded conversations, appointment of responsible persons for each stage)
    • For determining the “absolutely necessary” time for keeping recorded conversations, based on the recording purpose.
  • Data Processing Agreement (DPA) Drafting, where clear instructions are given regarding personal data management and any breach requests (in cases of external partners).
  • Transparency to Callers about call recording as well as the purpose of such recording. It is noted that simple reference to purposes such as “transaction security” or “quality service” may not be deemed appropriate as they are not sufficiently specified.
  • Full Notice Provision (e.g., on the organization’s website) in line with the provisions of Articles 13/14 GDPR (e.g., retention time, recipients, source, rights, etc.), with callers referred to this information. It is noted that corresponding information should also be given to call center employees.
  • Secure Retention of Recorded Conversations
  • Thorough Staff Training

When a supervisory authority sends a document to an organization, it is very important to:

  • Comply with set deadlines
  • Provide all requested information in full, as well as other supporting evidence
  • Not ignore any hearings

For the best possible safeguarding of an organization, communication with a professional who will undertake the organization’s representation is recommended.

5. Conclusion

Decision 32/2025 of the HDPA constitutes an important reminder of the obligations arising from the GDPR. The right of access is not optional but a fundamental right of every subject, and its non-satisfaction entails serious sanctions.

This decision also emphasizes the importance of transparency in business relationships and the need for clear information to subjects regarding the roles of involved companies. When a business appears to customers as the main controller, it cannot subsequently disclaim responsibility for satisfying their rights.

Finally, the case underlines that non-cooperation with the supervisory authority constitutes an independent violation that is strictly punished, regardless of the business size.

Businesses are called upon to review their procedures and ensure full compliance with GDPR obligations, in order to avoid similar sanctions and protect data subjects’ rights.

Our Law Office contributes to shaping compliance policies and procedures with existing legislation and makes specific recommendations for timely and effective handling of subject requests.

On behalf of the «Stergios Konstantinou & Associates – SGKLegal» Law Office

Stergios Konstantinou

Lawyer – Advanced LLM (IP & ICT Law)

CIPP/E, CIPM, FIP

Eva Pitsi

Trainee Lawyer, LLM