Introduction
Call centres constitute critical infrastructure for modern commercial activity, enabling customer service, retention campaigns, and new customer acquisition across all sectors. However, their operation in Greece presents one of the most complex and strictly regulated areas of data protection compliance. The Hellenic Data Protection Authority (HDPA) has issued dozens of decisions examining telemarketing activities, imposing fines ranging from €5,000 to €150,000 and revealing systemic inadequacies in the manner in which controllers (call centre clients) and processors (call centres) handle personal data in this context.
The risks are well documented: unauthorised calls to subscribers registered in “Article 11” registries, inadequate controller oversight of processor call centres, deficient consent mechanisms in online forms, and failures to respect data subjects’ rights of objection. For energy providers, telecommunications operators, and any business utilising call centres, whether in-house or outsourced, the compliance framework requires meticulous attention to lawful bases, transparency, technical security, contractual arrangements, and continuous monitoring mechanisms.
This article provides an analysis of the legal framework governing call centre operations in Greece, grounded in recent enforcement decisions of the HDPA. The analysis is organised around three core risk axes: lawfulness of processing, technical compliance and security, and governance with allocation of responsibility between controllers and processors.
1. The Legal Framework: GDPR, Law 4624/2019 and Article 11 of Law 3471/2006
Call centre operations are governed by a dual regime combining the horizontal application of the GDPR with specific rules for electronic communications. Article 3 paragraph 2 of Law 3471/2006, as in force, clarifies that the GDPR applies to any matter relating to the provision of electronic communications services not specifically regulated by that law.
The cornerstone provision is Article 11 paragraph 2 of Law 3471/2006, which establishes an opt-out system. Unsolicited communications with human intervention (calls) for the purposes of direct commercial promotion of products or services and for any kind of advertising purposes are not permitted if the subscriber has declared to the provider of the publicly available service that they do not generally wish to receive such calls. The provider is obliged to register these declarations free of charge in a special subscriber register, which is available to any interested party.
Critically, advertisers conducting telephone promotion with human intervention must obtain updated copies of the Article 11 registries of Law 3471/2006 from all providers and must ensure they hold the subscriber declarations made up to thirty days before the call is placed. In practice this means that the consolidated opt-out file a dialer works from can never be older than thirty days.
The telephone number constitutes personal data capable of indirectly identifying its holder, and its processing falls fully within the scope of the GDPR.
2. Lawful Bases: Distinguishing Customer Service from Telemarketing
The lawful basis of processing depends critically on the nature and purpose of the call.
2.1. Telemarketing to “Cold Lists”
For calls based on a “cold list” (telephone numbers generated automatically from random numbering ranges), the lawful basis, read together with Article 11 paragraphs 1 and 2 of Law 3471/2006, may be Article 6(1)(f) GDPR (legitimate interests), provided that numbers registered in the Article 11 Registry are not called and that the principles of Article 5 GDPR and the other GDPR requirements are met, in particular transparency and the rights of the called data subjects.
The legitimate interest must be genuine and the balancing transparent. In Authority decisions, energy providers have invoked their commercial interest in customer acquisition, but this remains conditional upon strict compliance with the Article 11 opt-out mechanisms.
2.2. Calls to Current or Former Customers
Calls to current customers for service purposes (e.g., follow-up on a customer-initiated request) may be lawful as “solicited communication,” provided the customer has previously contacted the service department, on condition that the return call is made within a reasonable time frame.
However, the HDPA has strictly limited the scope of marketing to former customers. Where an energy provider called former customers to conduct satisfaction surveys and investigate reasons for departure, relying on legitimate interests under Article 6(1)(f) GDPR, the HDPA held that after termination of the customer relationship, in order to be entitled to use the data for service research, the company must prove it has a superior legitimate interest so that a lawful basis other than consent can apply. A call to a customer who has already departed cannot be considered lawful, as it does not appear that the former customer was informed of the further retention of their data for this purpose (violation of the transparency principle of Article 5(1)(a) GDPR) while the controller did not document the lawful basis used (violation of Article 6(1) GDPR).
Practical example: A telecommunications provider maintains a database of subscribers who switched to competitors. It wishes to call them to understand their dissatisfaction. Unless it can prove (i) that subscribers were informed during the contractual relationship that their data would be retained for this specific purpose after departure, and (ii) that a genuine legitimate interest exists, such calls violate Articles 5(1)(a), 6(1) and 6(4) GDPR.
2.3. Data Collected via Online Forms
Where call centres collect telephone numbers via online forms, consent under Articles 6(1)(a) and 7 GDPR constitutes the appropriate basis. The HDPA has identified endemic inadequacies in this practice.
For the collection of telephone numbers via declaration in a website form to meet the requirements of valid consent, the controller must be able to prove that the specific data subject who is a subscriber or at least user of the telephone number consented to the processing operation (in this case a telephone call from an official partner for promotion of offers), i.e., that it was they and not some third party who entered their telephone number on the website.
The HDPA has emphasised that consent cannot be considered provided with full awareness where the data subject is referred to the data protection information notice (usually titled “Privacy Policy”), which contains different information from that already received via the screenshots of the interest expression form, nor can it be considered specific and granular when it includes the separate matter of data processing by social media for the purpose of displaying advertisements.
Practical example: A call centre created a website featuring an energy company’s logo and the phrase “official partner,” with a form stating “we will contact you at no charge to you.” The form requested only name and telephone. According to the HDPA, each website user reasonably understands that an official partner of the energy company will contact them by telephone to provide information about its offers, and reasonably expects to be called shortly after entering their details and not two months later. Furthermore, the data subject does not expect to be called for the promotion of other companies’ products and services since no possibility is provided for granting separate consent with a clear affirmative action for receiving promotional telephone calls for those companies, nor are the required details identifying those companies provided.
3. Transparency Obligations and Information Requirements
Article 14 GDPR governs transparency where personal data is not obtained directly from the data subject—the typical scenario of “cold calls.”
During the call itself, agents must provide certain minimum information: the agent’s name, the company they are calling from, and that they are calling on behalf of the controller. The calling number must not be concealed.
However, HDPA decisions reveal that many call centres fail to provide adequate information about data subjects’ rights. The scripts do not include information about the possibility of exercising the rights of access and objection, and in certain cases where the called party is a subscriber of another provider, the script tells the subscriber that they must contact their provider to register in the Article 11 Registry, rather than that they may object directly to the caller and, in addition, may register with their provider.
Practical example: A telecom provider’s script states: “To stop these calls you must contact your provider and register under Article 11.” This is inadequate. The correct wording should state: “You have the right to object to future calls from us by telling us now, and you can also register in your provider’s Article 11 registry to be excluded from calls by all advertisers.”
4. Consent Requirements: Specificity, Granularity and Proof
Where consent is invoked, Greek supervisory practice requires strict compliance with Articles 4(11) and 7 GDPR. In cases of consent, the controller must be able to prove that the data subject consented to the processing operation. This requirement has proven fatal for numerous call campaigns based on online forms.
The HDPA strictly applies EDPB Guidelines 05/2020 on consent. Consent does not meet the requirements of clear, specific and informed consent where it concerns receiving promotional telephone calls both for promoting the products and services of a specific company and from “any third party” operating inter alia in the telecommunications and/or energy sector (electricity, natural gas), because the phrase “any third party” does not identify the data recipients and the consent is not clear as the wording gives the data subject the impression that the company promotes its own products and services while it promotes the products and services of companies with which it contracts.
Furthermore, in cases where the requested consent will be used by multiple (joint) controllers or if data will be transferred or processed by other controllers wishing to rely on the initial consent, all these organisations must be named. Processors need not be named within consent requirements, although, to ensure compliance with Articles 13 and 14 GDPR, controllers should provide a complete list of recipients or categories of recipients, including processors.
Practical example: A form states: “I consent to receive calls from Company X and its partners in the energy and telecommunications sector.” This is invalid. The form must state: “I consent to receive calls from Company X” (with a separate checkbox) and “I consent to receive calls from [list: Company Y, Company Z]” (with another separate checkbox).
5. Data Security: Article 32 GDPR and Systemic Failures
Article 32 GDPR obligations apply to both controllers and processors, and the HDPA has apportioned liability accordingly.
5.1. Failures to Exclude Article 11 Registry Numbers: Rejection of Technical Defences
The most common violation concerns technical or organisational failures to exclude telephone numbers registered in Article 11 registries from calling lists.
In Decision 43/2025, the processor PREMIUM argued that, because of the large volume of data, individual records might fail to be entered when the internet connection had technical problems (mainly slow speeds that momentarily interrupt the upload), and that the technician performing the upload could not notice this because it was neither a total failure nor the loss of a large volume of data that would produce a system indication.
The HDPA categorically rejected the claim of partial non-upload of data due to low connection speed, holding, based on technically documented analysis, that the data transfer protocols used incorporate reliability mechanisms that preclude silent loss or corruption of data portions. Packet loss triggers retransmission mechanisms, not the creation of incomplete or partial files. Consequently, the invocation of momentary technical malfunctions cannot justify the failure to implement Article 32 GDPR security measures.
On the measures side, the Authority concluded that where instability or disconnections are detected on one of the available network routes, an appropriate measure under Article 32 GDPR is automatic routing of critical and large-volume uploads via the most reliable connection available to the processor. Accordingly, a violation of Article 32 GDPR by PREMIUM was established, as it did not take appropriate security measures during execution of the processing and seven unlawful promotional telephone calls were made to subscribers registered in the Article 11 Registry, with concealment of the calling number.
5.2. Manual Calls and Human Error
Controllers and processors frequently invoke “human error” for manual calls to Article 11 registry numbers. The HDPA does not accept this argument without exhaustive documentation. In cases where calls were characterised as “manual”, call centres reported that the calls were made by the assigned employee by hand rather than through the company’s dialer, which would have excluded the number immediately. Given that employees are also expected to check the Article 11 Registry when placing manual calls, the strong presumption is that the employee mistyped the number they intended to call and thereby inadvertently called a registered number.
While isolated errors may attract lesser sanctions, the HDPA emphasises that the technical and organisational measures that the controller and processor must take to ensure an appropriate level of security against risks, while not always able to prevent every possible personal data security breach incident, nevertheless require, after any failure of these measures, assessment and evaluation of their effectiveness as an essential element for maintaining processing security. Consequently, the primary obligation is recording of the incident, so that it is documented and the controller’s compliance with Article 5 GDPR principles is proven, as required based on the accountability principle, and also in accordance with Article 33 GDPR.
Practical example: A call centre employee makes five “manual” calls to opt-out numbers, claiming typographical errors. Without systemic controls preventing manual calling of restricted numbers before it occurs, this constitutes an Article 32 violation. The processor must implement technical barriers—e.g., mandatory automatic checking of each manually entered number against the opt-out database before the call can be placed.
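The following is an added example, not code from the HDPA decisions or from any of the companies named, of the pre-dial gate the practical example calls for. It imports each provider’s Article 11 export with a record-count and SHA-256 check against a manifest, which is the application-level control that actually catches a truncated import (the transport retransmission the HDPA relied on in Decision 43/2025 rules out silent loss on the wire, but not a client that stops writing early), refuses to dial while any provider snapshot is older than the thirty-day window in Article 11, and blocks numbers found either in the consolidated registry or in the controller’s own objections registry (the Article 21 registry discussed under scripts in section 6). The manifest format, the E.164 storage form, the provider names and the sample numbers are assumptions.

```python
"""Pre-dial gate for outbound telemarketing calls (added example, see the lead-in)."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

# Article 11 par. 2 of Law 3471/2006: the advertiser must hold the declarations made up to
# thirty days before the call, so a provider snapshot older than that is unusable.
MAX_REGISTRY_AGE = timedelta(days=30)


class RegistryIntegrityError(Exception):
    """An imported provider export does not match the manifest that came with it."""


def normalize_msisdn(raw: str) -> str:
    """Normalise a Greek subscriber number to E.164 (+30 followed by ten digits).
    Accepts '210 123 4567', '0030 2101234567' and '+30 2101234567'."""
    digits = re.sub(r"\D", "", raw)
    if digits.startswith("0030"):
        digits = digits[4:]
    elif digits.startswith("30") and len(digits) == 12:
        digits = digits[2:]
    if len(digits) != 10 or digits[0] not in "26":
        raise ValueError(f"not a Greek subscriber number: {raw!r}")
    return "+30" + digits


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass
class RegistrySnapshot:
    provider: str
    as_of: date          # date the provider produced the export
    numbers: set[str]


def load_provider_export(provider: str, export_text: str, as_of: date,
                         expected_count: int, expected_sha256: str) -> RegistrySnapshot:
    """Import one provider's export (assumed: one number per line) and refuse a short or
    altered file. The manifest is assumed to carry a record count and a SHA-256; comparing
    against it end to end is what detects an import that stopped early."""
    lines = [ln for ln in export_text.splitlines() if ln.strip()]
    digest = sha256_hex(export_text)
    if len(lines) != expected_count or digest != expected_sha256:
        raise RegistryIntegrityError(
            f"{provider}: received {len(lines)} records, sha256 {digest[:12]}; "
            f"manifest says {expected_count} records, sha256 {expected_sha256[:12]}")
    return RegistrySnapshot(provider, as_of, {normalize_msisdn(ln) for ln in lines})


def export_is_intact(provider, export_text, as_of, expected_count, expected_sha256) -> bool:
    """True when the export loads cleanly, False when the manifest check fails."""
    try:
        load_provider_export(provider, export_text, as_of, expected_count, expected_sha256)
        return True
    except RegistryIntegrityError:
        return False


@dataclass
class DialGate:
    """Run for every number before the call is placed, whether it came from the dialer's
    list or was typed in by an agent for a manual call."""
    snapshots: list[RegistrySnapshot]
    objections: set[str] = field(default_factory=set)   # controller's Article 21 registry

    def check(self, raw_number: str, today: date) -> tuple[bool, str]:
        """Return (allowed, reason). A stale snapshot blocks everything, because a list
        that may be missing recent declarations cannot prove the number is clear."""
        number = normalize_msisdn(raw_number)
        for snap in self.snapshots:
            if today - snap.as_of > MAX_REGISTRY_AGE:
                return False, f"BLOCK_STALE_REGISTRY:{snap.provider}"
        if number in self.objections:
            return False, "BLOCK_OBJECTION_REGISTRY"
        for snap in self.snapshots:
            if number in snap.numbers:
                return False, f"BLOCK_ARTICLE11:{snap.provider}"
        return True, "ALLOW"


# Constructed sample exports and dates (not real registry data).
SAMPLE_EXPORT_A = "2101234567\n2109876543\n6941112222\n"
SAMPLE_EXPORT_B = "+30 2105550000\n0030 6955550001\n"
DEMO_TODAY = date(2025, 3, 15)
DEMO_LATER = date(2025, 3, 25)   # ProviderB's snapshot is 35 days old by then


def build_demo_gate() -> DialGate:
    """Two provider snapshots (manifests computed here from the sample text) plus one
    objection recorded by the controller."""
    gate = DialGate(snapshots=[
        load_provider_export("ProviderA", SAMPLE_EXPORT_A, DEMO_TODAY - timedelta(days=10),
                             3, sha256_hex(SAMPLE_EXPORT_A)),
        load_provider_export("ProviderB", SAMPLE_EXPORT_B, DEMO_TODAY - timedelta(days=25),
                             2, sha256_hex(SAMPLE_EXPORT_B)),
    ])
    gate.objections.add(normalize_msisdn("210 777 0000"))
    return gate


if __name__ == "__main__":
    gate = build_demo_gate()
    for number in ["210 123 4567", "0030 6955550001", "2107770000", "2100000001"]:
        print(number, gate.check(number, DEMO_TODAY))
    print("truncated import detected:", not export_is_intact(
        "ProviderA", SAMPLE_EXPORT_A[:-11], DEMO_TODAY, 3, sha256_hex(SAMPLE_EXPORT_A)))
```

The gate is deliberately fail-closed: a stale provider snapshot blocks every call rather than only the numbers in that snapshot, since the whole point of the thirty-day rule is that recent declarations may be missing from an old copy. Wiring the same `check` into both the dialer and the manual-call screen is what removes the “typing error” defence discussed above.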
5.3. Consolidation of Article 11 Registries
Controllers must obtain and consolidate registries from all providers. The HDPA found that the controller does not verify the procedure followed by each partner call centre for consolidating individual provider registries into the unified Article 11 Registry. The controller’s checks are conducted via declarations by the call centre itself in corresponding questionnaire responses without verifying the relevant procedures and conducting sample checks in maintained files. The controller did not submit to the Authority written procedures of processors or sub-processors for consolidating the opt-out Registry.
A further systemic inadequacy: the telephone numbers used by partner call centres are not included in the respective contracts. These telephone numbers are notified to the controller via signed statutory declarations by the legal representatives of the partner call centres. The statutory declarations submitted to the Authority were dated two to four years after the dates of conclusion of the respective contracts. This obstructs effective complaint investigation and demonstrates inadequate oversight.
5.4. Call Traceability and Obligation to Maintain Call Detail Records
The accountability principle and Article 32 GDPR security obligations require controllers and processors to ensure complete traceability of every telephone call. This obligation is not merely technical—it is fundamental for proving compliance and investigating complaints.
Both the controller and partner companies must maintain the necessary data (call detail records—CDRs) for investigating every complaint for a period of one year. These records capture technical elements of a telephone communication, without conversation content, and must include at minimum the calling telephone number, called telephone number, date and time of call, duration, and unique campaign or controller instruction identifier.
The traceability obligation extends to three dimensions. First, telephone numbers used for making calls must be notified to the controller, and partner call centres must inform the controller immediately and no later than within 24 hours whenever a new number is added or removed, accurately recording the date and time when a telephone number is added or removed. Second, each campaign must be mapped to a specific processor and specific written controller instruction. Third, the controller must have the capability, within a reasonable time from complaint submission, to identify which processor made the call, from which number, for which campaign, and under which documented instruction.
The Authority has repeatedly encountered situations where complainants alleged they received promotional telephone calls, but the controller responded to the Authority (according to responses from respective partner call centre companies) that complainants’ telephone numbers were not called by any partner call centre and furthermore that the numbers from which these calls were made do not belong to any partner call centre. Such traceability failures constitute not merely individual deficiencies but fundamental governance failures constituting Article 32 GDPR violations.
Practical example: A controller receives a complaint about a call on 15 March 2025 at 14:32 from number 2111234567. Within 48 hours, it must be able to identify: the call was made by processor XYZ Call Centre, within the Spring2025_Energy campaign, pursuant to written instruction dated 1 March 2025, by a processor employee. Without this capability, the controller does not satisfy the accountability principle and cannot prove the lawfulness of its activity.
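An added example, not taken from the decisions or from any named company, of the record-keeping behind that practical example: a CDR store that keeps the minimum fields listed above, purges records after the one-year retention, tracks which calling numbers each processor has declared and when they were added or removed, and resolves a complaint to processor, calling number, campaign and written instruction. It also says what the absence of a record means: no CDR from an undeclared number points to an undeclared line or a third party, while no CDR from a declared number points to an incomplete processor log. The tolerance window for the complainant’s reported time, the status names and the sample records are assumptions.

```python
"""CDR store with complaint traceability (added example, see the lead-in)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class CDR:
    """One outbound call: the minimum fields from section 5.4, no conversation content."""
    calling: str           # number the call was placed from, E.164
    called: str            # number dialled, E.164
    started: datetime
    duration_s: int
    campaign_id: str
    processor: str
    instruction_ref: str   # the written controller instruction the campaign runs under


@dataclass(frozen=True)
class NumberAssignment:
    """A calling number a processor has notified to the controller, with add/remove times."""
    processor: str
    number: str
    added: datetime
    removed: Optional[datetime] = None   # None: still in use


@dataclass
class TraceabilityStore:
    cdrs: list[CDR] = field(default_factory=list)
    assignments: list[NumberAssignment] = field(default_factory=list)
    retention: timedelta = timedelta(days=365)

    def record(self, cdr: CDR) -> None:
        self.cdrs.append(cdr)

    def purge_expired(self, now: datetime) -> int:
        """Drop CDRs older than the one-year retention; returns how many were dropped."""
        keep = [c for c in self.cdrs if now - c.started <= self.retention]
        dropped = len(self.cdrs) - len(keep)
        self.cdrs = keep
        return dropped

    def owner_of_number(self, number: str, at: datetime) -> Optional[str]:
        """Processor that had declared `number` as a calling number at time `at`."""
        for a in self.assignments:
            if a.number == number and a.added <= at and (a.removed is None or at < a.removed):
                return a.processor
        return None

    def trace_complaint(self, called: str, calling: Optional[str], reported: datetime,
                        tolerance: timedelta = timedelta(minutes=5)) -> dict:
        """Answer which processor, from which number, for which campaign, under which
        instruction. Complainants rarely report the exact second, so matches within
        `tolerance` are accepted (assumed window)."""
        matches = [c for c in self.cdrs
                   if c.called == called
                   and abs(c.started - reported) <= tolerance
                   and (calling is None or c.calling == calling)]
        owner = self.owner_of_number(calling, reported) if calling else None
        if len(matches) == 1:
            m = matches[0]
            return {"status": "TRACED", "processor": m.processor, "calling": m.calling,
                    "campaign_id": m.campaign_id, "instruction_ref": m.instruction_ref,
                    "declared_owner": owner}
        if len(matches) > 1:
            return {"status": "AMBIGUOUS", "candidates": matches, "declared_owner": owner}
        if calling is None:
            return {"status": "NO_CDR", "declared_owner": None}
        if owner is None:
            # Nobody declared this calling number: an undeclared line at a processor,
            # or a third party calling in the controller's name. Escalate, do not close.
            return {"status": "NO_CDR_UNDECLARED_NUMBER", "declared_owner": None}
        # The number is declared but the processor has no record: its log is incomplete.
        return {"status": "NO_CDR_DECLARED_NUMBER", "declared_owner": owner}


# Constructed sample data (not from any decision).
DEMO_COMPLAINT_TIME = datetime(2025, 3, 15, 14, 32)
DEMO_PURGE_TIME = datetime(2026, 3, 20)


def build_demo_store() -> TraceabilityStore:
    store = TraceabilityStore()
    store.assignments.append(NumberAssignment("XYZ Call Centre", "+302111234567",
                                              added=datetime(2025, 2, 1, 9, 0)))
    store.assignments.append(NumberAssignment("XYZ Call Centre", "+302111234568",
                                              added=datetime(2024, 6, 1, 9, 0),
                                              removed=datetime(2025, 1, 31, 18, 0)))
    store.record(CDR("+302111234567", "+306900000001", datetime(2025, 3, 15, 14, 31, 40),
                     95, "Spring2025_Energy", "XYZ Call Centre", "INSTR-2025-03-01"))
    store.record(CDR("+302111234567", "+306900000002", datetime(2025, 3, 15, 14, 40, 5),
                     30, "Spring2025_Energy", "XYZ Call Centre", "INSTR-2025-03-01"))
    return store


if __name__ == "__main__":
    store = build_demo_store()
    print(store.trace_complaint("+306900000001", "+302111234567", DEMO_COMPLAINT_TIME))
    print(store.trace_complaint("+306900000003", "+302118880000", DEMO_COMPLAINT_TIME))
    print(store.trace_complaint("+306900000003", "+302111234568", DEMO_COMPLAINT_TIME))
```

Note the retired number +302111234568: because the assignment carries a removal time, a complaint about a call from it after 31 January 2025 is classified as coming from an undeclared number, which is exactly the case the Authority describes where “the numbers from which these calls were made do not belong to any partner call centre”.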
6. Use of Scripts and Objection Recording Mechanisms
Controllers must provide call centres with detailed scripts to ensure compliance with transparency and consent rules.
HDPA decisions reference provision of scripts from controllers to processors. Communication scripts were submitted for calls for the purpose of commercial promotion of products/services and for sales confirmation calls.
Scripts must include the controller’s and processor’s identity where relevant, clear statement of promotional purpose, information on how to exercise objection rights immediately, and an objection recording mechanism that generates proof such as a unique reference number or call recording timestamp.
The controller’s obligation is to provide appropriate tools, principles and guidelines to prevent unlawful calls. This includes maintaining a special Objections Registry of those who have exercised a specific objection to receiving telephone calls (based on Article 21 GDPR). This registry must be updated daily and transmitted to all processors regularly.
7. Call Recording: Lawful Basis, Retention and Access
While none of the examined decisions focuses exclusively on call recording, the lawful basis principle applies. Where call centres record conversations, the lawful basis depends on purpose: for quality assurance and training, legitimate interests under Article 6(1)(f) GDPR may suffice, provided the balancing is documented and data subjects are informed according to Article 14 GDPR. For proof of sales contracts, performance of contract under Article 6(1)(b) GDPR or compliance with legal obligation constitute appropriate bases.
HDPA decisions reference the telecommunications providers’ obligation to retain call detail records for one year. Call centres should align retention with this standard and document their retention policy in the Article 30 records of processing activities.
Practical example: A call centre records all sales calls. It must inform data subjects during the call with a statement such as “This call is recorded for quality and training purposes and for contract verification,” retain recordings for twelve months, and implement access controls ensuring only authorised personnel such as the quality team, legal department, and Data Protection Officer can access recordings.
8. Controller-Processor Relationships: Roles, Responsibilities and Contractual Requirements
Correct determination of controller and processor roles is fundamental and frequently contested.
8.1. The Legal Test
Article 4(7) GDPR defines the controller as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data. The processor is defined in Article 4(8) GDPR as the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
The HDPA has consistently held that call centres operating on behalf of advertisers are processors, not independent controllers, where the advertiser determines the purpose and essential means. From case file evidence it emerges that the controller, via contract, assigns to partner call centres the conduct of promotional telephone calls for promoting its own products and services. Through contracts, written guidelines and other instructions provided to these partner call centre companies, the principal establishes a series of specifications determining the framework of each partner’s activities. Accordingly, the principal fully determines the processing objective, hence its purpose, while also determining the basic characteristics for processing means.
8.2. When Processors Become Controllers: The ICOMM Case
Notably, Article 28(10) GDPR provides that if the processor determines the purposes and means of processing in violation of the Regulation, the processor shall be considered a controller in respect of that processing.
The HDPA has applied this provision to attribute liability to processors exceeding their mandate. In cases where a processor violates obligations imposed by contract and processes data beyond or in violation of controller instructions, a violation of Article 29 GDPR by the processor arises.
In Decision 43/2025, the HDPA examined a call centre (ICOMM) that created its own websites for lead collection. According to the website’s terms of use and privacy policy, ICOMM processes the collected personal data (name, telephone and email) for direct commercial promotion and advertising of products/services provided by itself, by third parties (legal persons) operating in the telecommunications and/or energy sectors, or by HERON. Although the website contains HERON elements and ICOMM processes the collected data for HERON’s promotional purposes, HERON responded to the Authority that the controller for data collected via the website is ICOMM and that it neither knows of nor has control over that specific processing.
The HDPA held that ICOMM violated Article 29 GDPR for complaints numbered 32, 33 and 34 as it exceeded HERON’s instructions and acted as controller under Article 28(10) GDPR. This finding underscores a critical compliance risk: a processor creating its own lead generation infrastructure—even nominally “for” the controller’s benefit—becomes controller for that processing and bears independent liability.
8.3. Contractual Obligations Under Article 28(3)
Article 28(3) GDPR provides that processing by a processor shall be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller and setting out the subject matter and duration of processing, the nature and purpose of processing, the type of personal data and categories of data subjects, and the controller’s obligations and rights. The contract must specifically provide that the processor processes personal data only on documented controller instructions and takes all measures required under Article 32 GDPR.
Article 29 GDPR provides that the processor and any person acting under controller or processor authority who has access to personal data shall process such data only on controller instructions, unless required to do so by Union or Member State law.
The HDPA has found that call centres frequently fail to act solely on documented instructions, particularly regarding use of online forms outside the controller’s knowledge, transfer of data to sub-processors without authorisation, and creation of “bundled consent” for multiple controllers.
8.4. Chain of Accountability: Sub-Processors
According to Article 28(4) GDPR, the initial processor remains fully liable to the controller for performance of the other processor’s obligations.
In Decision 43/2025, the HDPA held that ICOMM was liable for calls made by its sub-processor GALLANT. ICOMM bears responsibility for telephone calls in complaints numbered 26 and 27, made by its subcontractor GALLANT during their contractual relationship, to persons registered in the Article 11 Registry as, according to Article 28(4) GDPR, the initial processor remains fully liable to the controller for fulfilment of the other processor’s obligations.
Controllers must ensure they obtain not only processor lists but also sub-processor lists, and verify that written sub-processing agreements exist meeting Article 28 requirements.
9. The Obligation of Active Processor Oversight
The HDPA has imposed strict obligations on controllers to actively oversee processor call centres.
9.1. Why Questionnaires Are Insufficient
It is established that the controller’s oversight procedure regarding telephone calls from partner call centres is deficient, while investigation of complaints submitted to the Authority does not include thorough examination of causes leading to unlawful calls. The controller, following each examined complaint received from the Authority from 2018, asked partner call centres to respond whether they made each disputed telephone call. The controller forwarded partner call centres’ responses to the Authority, whether positive or negative, without proceeding to substantive control and investigation measures of these responses.
Reliance solely on processor declarations is insufficient. The controller, within its responsibility as controller and fulfilment of the accountability principle, bears the obligation to oversee processors in an appropriate and suitable manner, especially for matters addressed systematically. The controller must not be satisfied with assurances received from each processor but must identify the source of each error immediately upon its detection and take appropriate corrective measures.
9.2. Mandatory Annual Call Log Audits: HDPA Order
The HDPA has specified particular audit methodologies. Such an audit, consisting of automated cross-checking of telephone numbers included in the consolidated Article 11 Registry with numbers included in each partner’s outbound call log files (which the latter is obliged to maintain for one year), taking into account the current state of technology, is simple to implement and can be repeated periodically on an adequate call sample, in a time period not exceeding one year without disrupting partner call centre operations. Indeed, conducting precisely this type of audit was proposed, yet not followed by the controller despite complaint submissions to the Authority, in every audit report conducted at partner call centres in years 2020-2022.
In Decision 44/2025, the HDPA issued a direct order: The Authority, based on Article 58(2)(d) GDPR, orders that within six months of notification, the energy provider design an audit procedure for Call Centre companies, which shall include, at least once annually, full or sample-based audit of a large number of outbound calls from each partner company, and notify the Authority following implementation of this procedure.
Practical example: An energy company contracts with three call centres. It conducts annual “remote audits” based on questionnaires but never cross-checks actual call logs against Article 11 registries. Following HDPA complaint investigation, it is ordered to implement quarterly sample audits comparing at least 10,000 calls per processor against the consolidated Article 11 file, with findings reported to the controller’s DPO and the HDPA.
9.3. Organisational Measures and Governance Frameworks
Contemporary HDPA supervisory practice has shifted emphasis from punishing individual call failures to establishing systemic governance failures. Merely having formal procedures no longer suffices; proof that they are implemented, monitored and systematically reviewed is required.
Taking into account the nature, scope, context and purposes of processing, as well as risks of varying likelihood and severity for rights and freedoms of natural persons, the controller implements appropriate technical and organisational measures to ensure and be able to demonstrate that processing is performed in accordance with the Regulation. These measures are reviewed and updated when necessary.
In the call centre context, the required organisational measures exceed the mere existence of policies and include establishing a clear accountability chain from senior management to agent, maintaining an updated record of the processing activities performed by each processor, and designating a specific executive as compliance owner for each processor.
The Authority accepts that the controller has appropriate guidelines and procedures regarding conducting telephone calls for product and service promotion, which it has communicated to its partner call centres. Moreover, it conducted eleven (11) remote audits of organisational and technical measures via questionnaires at partner call centres in 2020-2022 and four (4) in 2023, submitting relevant audit reports to the Authority. However, audits must not be limited to organisational and technical matters but must include audits of calls actually made over a satisfactory time period.
Further, where complaint numbers increase or systemic problem indicators exist, periodic on-site audits at processor premises are required. A procedure for notifying the processor in cases of proven complaints, including those forwarded by the HDPA, is fundamental for identifying any internal procedure failures and making appropriate revisions.
In one case, the controller proceeded to an on-site technical re-audit conducted via direct sample audit of telephone numbers to which the processor company made calls within the time period during which complaints occurred. Based on this sample audit and related investigation, it was established that 43% of these calls were made to numbers registered in the Article 11 Registry. This finding led to termination of cooperation, demonstrating that substantive audits are not only legally necessary but operationally critical.
10. The Burden of Proof: Inability to Document as Violation
The accountability principle of Article 5(2) GDPR shifts the burden of proof to the controller and processor. It is not enough to claim compliance; they must be able to prove it.
The controller bears responsibility and must be able to demonstrate compliance with paragraph 1 (“accountability”). Taking into account the nature, scope, context and purposes of processing, as well as risks of varying likelihood and severity for rights and freedoms of natural persons, the controller implements appropriate technical and organisational measures to ensure and be able to demonstrate that processing is performed in accordance with the Regulation.
In the call centre context, inability to prove call lawfulness does not exempt from liability—on the contrary, it confirms inadequacy of security measures and governance.
The Authority has repeatedly encountered cases where controllers claim they cannot investigate complaints because processors deny making calls. These controller claims are not compatible with GDPR obligations. The controller, within its responsibility as controller and fulfilment of the accountability principle, bears the obligation to oversee processors in an appropriate and suitable manner. The controller must not be satisfied with assurances received from each processor.
Further, the Authority has held that the controller’s claim that outbound telephone calls from partner call centres to subscribers registered in the Article 11 Registry match the number of complaints submitted to the Authority cannot be considered accurate as it is based on estimation, not actual measurement. Proof of such a claim consists of providing the Authority with results arising from cross-checking each partner call centre’s outbound calls with the consolidated Article 11 Registry during the period calls were made, accompanied by documentary evidence such as relevant call detail record entries, consolidated provider registries etc., to measure the actual number of calls to telephone numbers registered in that Registry, given that the controller bears responsibility for documenting claims made.
Inability to prove connects directly to Article 24 GDPR on controller responsibility. Where the controller has not established mechanisms enabling it to know—and prove—which processor made which calls, when and under which instruction, it has failed in its fundamental obligation to take appropriate measures. Such failure does not exempt from liability—on the contrary, it confirms it.
Practical example: An energy provider claims “the violation rate is only 0.4% of total calls, so our system works.” Without submitting actual call log cross-checking against Article 11 registries, the claim is rejected as unproven. The Authority requires not estimation but verifiable measurement.
11. Cross-Border Transfers and Data Protection Impact Assessments
While the examined HDPA decisions do not extensively address cross-border transfers, any call centre using cloud platforms hosted outside the European Economic Area (dialler logs, call recordings and CRM exports stored there are transfers), or engaging processors in third countries, must comply with GDPR Chapter V. Controllers should check whether an adequacy decision exists for the importing country and, if not, rely on appropriate safeguards such as standard contractual clauses, preceded by a transfer impact assessment as required after the Schrems II judgment, with supplementary measures where that assessment shows they are needed.
While routine call centre operations will not always trigger the Article 35 DPIA obligation, best practice is to conduct a DPIA where a campaign involves large-scale processing combined with profiling or automated decision-making producing legal or similarly significant effects (such as algorithmic lead scoring that excludes individuals), or where new technologies such as AI-driven predictive dialling are introduced; the HDPA's list of processing operations requiring a DPIA under Article 35(4) should also be consulted.
12. Article 11 Registry: Multiple Consequences of Violation
The opt-out system of Article 11(2) of Law 3471/2006 is not merely a regulatory obligation—it is an absolute prohibition with multi-layered legal consequences. Its violation exposes both controller and processor to three distinct risks: administrative sanctions, civil liability, and criminal prosecution.
12.1. HDPA Administrative Sanctions
As analysed, the HDPA imposes administrative fines based on Article 58 GDPR and Article 13 of Law 3471/2006, ranging from €5,000 to €150,000 depending on severity, systematicity of violation, turnover, and aggravating or mitigating factors. These sanctions can be combined with corrective orders such as deletion of unlawfully collected data, obligation to implement specific audit procedures within six months, and public naming of the company.
12.2. Civil Liability: Compensation and Monetary Satisfaction
Parallel to administrative sanctions, Article 14 of Law 3471/2006 establishes a special civil liability regime. Any natural or legal person who, in violation of this law, causes pecuniary damage is obliged to provide full compensation. If moral damage is caused, they are obliged to provide monetary satisfaction.
Critically, monetary satisfaction for moral damage for violation of this law is set at a minimum of ten thousand euros (€10,000), unless the claimant requests a smaller amount. Monetary satisfaction is awarded independently of claimed compensation for pecuniary damage. This means a subscriber who received a single unlawful call can claim at least €10,000 as monetary satisfaction, in addition to any compensation for pecuniary damage.
Furthermore, these claims are adjudicated independently of whether the HDPA or the Authority for Ensuring Secrecy of Communications has issued a decision establishing unlawfulness or criminal prosecution has been initiated. Consequently, the interested party can seek court relief via interim measures or final judgment without requiring a prior administrative decision.
12.3. Criminal Sanctions: Imprisonment and Penalties
Article 15 of Law 3471/2006 criminalises specific violations. Anyone who, in violation of this law, uses, collects, stores, obtains knowledge of, removes, alters, destroys, transmits, communicates, discloses personal data of subscribers or users, or makes it accessible to unauthorised persons or permits such persons to obtain knowledge of such data or exploits it in any manner, is punished with imprisonment of at least one (1) year and monetary penalty of at least ten thousand euros (€10,000) up to one hundred thousand euros (€100,000), if the act is not punished more severely by other provisions.
Criminal liability is aggravated where intent exists. If the perpetrator of these acts intended to procure for themselves or another unlawful pecuniary benefit or to harm a third party, imprisonment up to ten (10) years and monetary penalty of at least fifteen thousand euros (€15,000) up to one hundred fifty thousand euros (€150,000) is imposed. Even in cases of negligence, imprisonment up to eighteen (18) months and monetary penalty up to ten thousand euros (€10,000) is imposed.
Notably, a controller and any representative who does not comply with HDPA acts imposing administrative sanctions of temporary licence revocation, final licence revocation, and file destruction or processing cessation and related data destruction, is punished with imprisonment of at least two (2) years and monetary penalty of at least twelve thousand euros (€12,000) up to one hundred twenty thousand euros (€120,000). This makes non-compliance with an HDPA administrative decision an autonomous criminal offence.
12.4. Cumulative Exposure: Real Cost Example
Multi-layered legal liability means the real cost of a violation can far exceed the administrative fine.
Practical example: A call centre makes 100 calls to subscribers registered in the Article 11 registry. Ten file HDPA complaints. Five file lawsuits. One files criminal charges.
Total Exposure:
- HDPA administrative fine: €50,000 (average/case)
- Civil lawsuits: 5 × €10,000 (minimum) = €50,000
- Criminal prosecution: Possible imprisonment + €10,000-€100,000 penalty
- Legal defence costs: €30,000-€80,000
- Reputational damage: Public naming in HDPA decisions
Total financial cost: €140,000-€280,000 (plus potential criminal conviction)
This demonstrates that the administrative fine constitutes only part of the total non-compliance cost.
12.5. Special Liability of Telecommunications Providers
Recipients of unsolicited communication have the right to claim compensation for any pecuniary damage or monetary satisfaction for moral damage from a publicly available electronic communications service provider that negligently violated the obligation to take appropriate measures for preventing unsolicited communication. The provider is not obliged to compensate and take measures to prevent future violations if it proves it was not negligent.
This provision imposes special liability on telecommunications providers maintaining Article 11 registries, creating incentives for proper maintenance and registry availability to advertisers.
13. Enforcement Trends: Fines, Reprimands and Corrective Orders
HDPA sanctioning practice reveals a calibrated approach.
13.1. Fine Levels
For processor PREMIUM, a €15,000 fine was imposed for Article 32 GDPR violation. For processor ICOMM, total fines of €35,000 were imposed: €5,000 for Article 32 violation, €10,000 for Article 29 violation, and €20,000 for Article 5(1)(a) violation. For controller HERON, a €115,000 fine was imposed for Article 32 violation concerning inadequate processor oversight.
In the telecommunications sector, fines were significantly higher. For WIND, OTE, Vodafone and Cosmote, €150,000 fines were imposed on each for violations of Article 11 of Law 3471/2006 and Article 10 of Law 2472/1997 (now read as GDPR violations).
13.2. Mitigating and Aggravating Factors
The HDPA considers as aggravating factors, inter alia, that call centres have as their core business activity the conduct of promotional telephone calls, thus they must know and fully respect the relevant regulatory framework. Furthermore, the fact that no substantive audit actions were taken by the controller although it received complaints over successive years constitutes an aggravating factor.
13.3. Corrective Orders
Beyond fines, the HDPA issues detailed compliance orders. Based on Article 58(2)(f) GDPR, the Authority ordered that the declarations and other personal data obtained via the websites at issue in complaints 30, 32, 33 and 34, for which ICOMM was controller and which were retained for product and service promotion purposes, be deleted as unlawfully collected, and that the Authority be notified of the deletion.
14. Practical Compliance Guidelines
For in-house legal teams and professionals advising call centre operators, the following guidelines are essential:
- Conduct role determination analysis. Draft a clear memorandum documenting whether your organisation is controller or processor (or both, for different activities). Apply the factual, purposive test from EDPB Guidelines 07/2020.
- If you are a controller using processors: Execute Article 28(3) contracts with detailed instructions including approved scripts, approved numbering ranges, and express prohibition of independent lead generation. Obtain monthly written reports of telephone number lists used by the processor. Implement, at least once annually, full or sample audit of a large number of outbound calls from each processor, as required by the HDPA. Maintain documentation of all instructions given to processors via email, written instructions, and updated scripts.
- If you are a call centre (processor): Never determine purposes or means beyond the controller’s documented instructions. If you create your own websites or lead sources, you become controller for that activity with full GDPR liability. Implement automated technical checks ensuring manual calls are also checked against Article 11 and objection registries before being placed. Establish procedures ensuring network line problems do not lead to partial non-loading of Article 11 data. Develop dual internet lines and route critical data via the most reliable connection. Notify the controller immediately of any data breach, including systematic calls to Article 11 numbers due to technical failure.
- Consent mechanisms: Obtain consent only via methods allowing reliable proof that the specific individual (not a third party) consented. Provide separate, granular consent for each controller. Never use “bundled” consent for “Company X and its partners.” Ensure the consent request is distinct, in understandable and easily accessible form, using clear and plain language. Information important for making fully informed decisions about whether to provide consent must not be hidden in general terms and conditions.
- Objection rights: Implement a simple, real-time objection mechanism during every call. Record the objection via call recording timestamp or unique reference number. Consolidate all objections (from calls, emails, complaints) in a central “do not call” file, updated daily and transmitted to all processors. Respect objections permanently unless the data subject provides new, specific, documented consent.
- Maintain Article 30 records: Document each distinct processing activity (cold calls, warm lists, service callback returns, market research). Identify the lawful basis for each. Do not reuse data collected for one purpose (e.g., customer service) for another (e.g., marketing) without a new lawful basis and transparency.
- Training and awareness: In one examined case, the processor documented two presentations during 2023 to inform and raise awareness among its staff regarding data protection legislation, continuing into 2024, and the Authority took this into account. Document all training sessions. Ensure call centre handlers understand objection rights and the mandatory information to be provided during calls.
- Build proof capability. The accountability principle is not theoretical—it is procedural. Errors such as calls placed to registered numbers because a registry file failed to load must themselves be recorded, and may also constitute personal data breaches notifiable under Article 33 GDPR. Controllers and processors must build systems enabling proof of every call's lawfulness: for cold list calls, proof that the number was not in the Article 11 registry on the call date via a timestamped registry snapshot; for consent-based calls, proof of specific consent via a stored form or recorded oral consent with a unique identifier; for "solicited" calls, proof of the request, such as an inbound call recorded in the CRM or an email request.
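The cross-check the Authority demands in section 10 (outbound calls measured against the consolidated registry for the period in question, not estimated) and the fail-closed pre-dial check, central objection list and timestamped registry snapshot listed above can be put into one small piece of tooling. The following Python is an added illustration, not code from the HDPA, from any cited decision or from any call centre; the registry file format (whitespace-separated numbers per provider), the CDR line format (`call_date,dialled_number`), the provider names and every subscriber number are constructed for the example.

```python
# Added example: pre-dial gate plus CDR cross-check audit for Article 11 compliance.
# Not HDPA or call-centre code; registry/CDR formats and all numbers are constructed.
import hashlib
import re
from dataclasses import dataclass
from datetime import date


def normalise(number: str) -> str:
    """Canonical Greek E.164 form (+30 + 10 digits); registry files and CDRs rarely agree."""
    digits = re.sub(r"\D", "", number)
    if digits.startswith("0030"):
        digits = digits[4:]
    elif digits.startswith("30") and len(digits) == 12:
        digits = digits[2:]
    if len(digits) != 10:
        raise ValueError(f"not a 10-digit Greek subscriber number: {number!r}")
    return "+30" + digits


@dataclass(frozen=True)
class RegistrySnapshot:
    """Dated, hashed union of provider Article 11 files and the controller's objection list.
    The digest identifies which version a call was checked against (the proof the page asks for)."""
    valid_on: date
    numbers: frozenset
    complete: bool   # False if any provider file failed to load
    digest: str


def load_snapshot(valid_on: date, provider_files: dict, objections: list) -> RegistrySnapshot:
    """provider_files maps provider name -> file text, or None if the file was not received
    (e.g. a network fault). A missing file marks the snapshot incomplete so the gate fails closed."""
    numbers, complete, raw = set(), True, []
    for provider, content in sorted(provider_files.items()):
        if content is None:
            complete = False
            continue
        raw.append(f"{provider}\n{content}")
        numbers.update(normalise(n) for n in content.split())
    numbers.update(normalise(n) for n in objections)   # consolidated "do not call" entries
    digest = hashlib.sha256("\n".join(raw).encode()).hexdigest()
    return RegistrySnapshot(valid_on, frozenset(numbers), complete, digest)


def may_dial(number: str, snap: RegistrySnapshot, today: date) -> tuple:
    """Returns (allowed, reason). Any doubt about the registry blocks the call."""
    if not snap.complete:
        return False, "registry snapshot incomplete: a provider file did not load"
    if snap.valid_on != today:
        return False, f"registry snapshot dated {snap.valid_on}, not {today}"
    n = normalise(number)
    if n in snap.numbers:
        return False, f"{n} is registered (snapshot {snap.digest[:12]})"
    return True, f"{n} clear against snapshot {snap.digest[:12]}"


def audit_cdrs(cdr_lines: list, snapshots: dict) -> dict:
    """Measure rather than estimate: each outbound call is checked against the snapshot valid
    on the day it was placed. Calls with no usable snapshot are reported, never assumed clean."""
    total = registered = unverifiable = 0
    offending = []
    for line in cdr_lines:
        call_date_s, number = line.split(",")[:2]
        total += 1
        snap = snapshots.get(date.fromisoformat(call_date_s))
        if snap is None or not snap.complete:
            unverifiable += 1
            continue
        n = normalise(number)
        if n in snap.numbers:
            registered += 1
            offending.append((call_date_s, n))
    verified = total - unverifiable
    return {"total": total, "registered": registered, "unverifiable": unverifiable,
            "rate": registered / verified if verified else 0.0, "offending": offending}


# Constructed sample data: not real subscribers, not a real registry export.
SAMPLE_PROVIDERS = {"provider_a": "2101000001 2101000002", "provider_b": "6971000003"}
SAMPLE_OBJECTIONS = ["+30 697 100 0004"]          # objected directly to the controller
SAMPLE_CDRS = [                                   # "call_date,dialled_number"
    "2024-03-01,2101000001",      # in provider_a's file -> unlawful
    "2024-03-01,+302101000009",   # not registered -> clean
    "2024-03-01,6971000004",      # on the objection list -> unlawful
    "2024-03-02,2101000002",      # no snapshot kept for that day -> unverifiable
]


def run_example() -> dict:
    d = date(2024, 3, 1)
    snap = load_snapshot(d, SAMPLE_PROVIDERS, SAMPLE_OBJECTIONS)
    partial = load_snapshot(d, {"provider_a": "2101000001", "provider_b": None}, [])
    return {
        "gate_ok": may_dial("210 100 0009", snap, d)[0],          # True
        "gate_blocked": may_dial("2101000001", snap, d)[0],       # False: registered
        "partial_blocked": may_dial("2101000009", partial, d)[0], # False: fails closed
        "audit": audit_cdrs(SAMPLE_CDRS, {d: snap}),              # 2 of 3 verifiable calls unlawful
    }
```

In a real deployment the snapshot digest and the `may_dial` reason string would be written to each call record, so that the answer to "which registry version was this number checked against" is a lookup rather than a reconstruction. The separate `unverifiable` bucket is what turns the figure into a measurement: a call for which no dated snapshot survives cannot be reported as clean, which is exactly the gap the Authority found in the estimated 0.4% claim.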
Conclusion: From Compliance to Call Centre Governance
The evolution of HDPA supervisory practice demonstrates a fundamental shift: from punishing individual "wrong calls" to sanctioning systemic governance failures.
Decisions 43/2025 and 44/2025 do not concern companies that simply "forgot" to check a registry. They concern companies that, over successive years, received complaints without identifying systemic causes, relied on processor assurances without verification, discovered that 43% of one call centre's calls went to Article 11 registry numbers only when a sample audit of actual calls was finally conducted, and did not know which telephone numbers were used by their partners. These are not technical errors—they are governance failures.
The New Reality: Compliance as Governance
The contemporary compliance framework for call centres requires three levels of commitment.
First, vendor management as regulatory obligation. The relationship with the call centre is not merely commercial—it is regulatory responsibility. The controller’s responsibility concerns adequacy of processor oversight but also actions taken upon learning of complaints. Having a “good contract” is not enough—you must live the contract through continuous verification.
Second, auditability by design. The controller must be able to prove compliance with Article 5(1) GDPR. In the call centre context, this translates to complete call traceability, timestamped Article 11 registry snapshots, automated compliance checks, and real-time reporting capability enabling senior management to know call volumes, the rate of calls reaching registered or objecting numbers (which must be zero), the objections received, and the time taken to incorporate new registry entries and objections.
Inability to prove does not exempt—it confirms the violation. Controller claims that it lacks the capability or means to further investigate complaints are not compatible with GDPR obligations.
Third, organisational responsibility at management level. Call centre compliance is not a DPO or legal department matter—it is a matter for senior management. When a company receives dozens of complaints over successive years and continues relying on questionnaires to processors instead of conducting actual call log audits, this is not an operational issue—it is a leadership failure.
Investment Versus Cost
For a company making millions of calls annually, investment in compliance frameworks, annual automated audits, and training corresponds to a small fraction of the cost of a €115,000-€150,000 fine, reputational damage from public naming in HDPA decisions, legal defence costs, and loss of commercial contracts when clients demand compliance certifications.
The legal framework for call centres in Greece is not ambiguous. It is fully developed through legislation, regulatory guidance, and detailed enforcement. The era of “technical errors” as justification has ended. The new era requires businesses treating data protection not as compliance cost but as operational excellence and corporate governance.
For legal professionals and compliance officers, the task is clear: transform formal compliance into proven, auditable, continuous governance. The HDPA does not demand perfection—it demands accountability. And that, with the right structure, is entirely achievable.