{"id":1484,"date":"2025-03-28T14:13:02","date_gmt":"2025-03-28T12:13:02","guid":{"rendered":"https:\/\/sgklegal.gr\/?p=1484"},"modified":"2025-03-28T15:44:56","modified_gmt":"2025-03-28T13:44:56","slug":"decision-1-2025-hdpa-a-win-for-our-law-office","status":"publish","type":"post","link":"https:\/\/sgklegal.gr\/en\/decision-1-2025-hdpa-a-win-for-our-law-office\/","title":{"rendered":"Decision 1\/2025 HDPA &#8211; A win for our Law Office"},"content":{"rendered":"<p>By decision no. 1\/2025, the Hellenic Data Protection Authority (hereinafter the &#8220;HDPA&#8221;) imposed a fine of \u20ac220,000 on the National Bank (hereinafter the &#8220;Bank&#8221;) for violation of the provisions of Regulation (EU) 2016\/679 (hereinafter the &#8220;GDPR&#8221;). The Law Office &#8220;Stergios Konstantinou &amp; Associates &#8211; SGK Legal&#8221; represented one of the complainants.<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>What happened?<\/strong><\/span><\/p>\n<p>The HDPA acted on a combined total of 7 complaints of violation of the right of access in the years 2021 to 2022 and in early 2023, while conducting an ex-officio audit of the Bank&#8217;s compliance procedures from the implementation of the GDPR until the date of the examination of the case.<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Legal provisions<\/strong><\/span><\/p>\n<p>The relevant provisions were Articles 12, 15 and 25 of the GDPR.<\/p>\n<p>In particular:<\/p>\n<ul>\n<li>Article 15 para. 
1 and 3 GDPR provide that every natural person has the right to obtain a copy of the personal data relating to him or her which are processed by a Data Controller (right of access).<\/li>\n<li>Under Article 12 GDPR, every controller should facilitate the exercise of the rights of data subjects and in principle process their requests within one month of receipt of the request.<\/li>\n<li>Finally, according to Article 25 GDPR, every controller must have in place, by design and by default, policies and procedures to enable it to process data subjects&#8217; rights, such as the right of access, in a timely and correct manner.<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>In relation to the case at hand<\/strong><\/span><\/p>\n<p>The HDPA dealt with a total of 7 complaints for violation of the right of access in the years 2021 to 2022 and in early 2023. At the same time, it conducted an ex officio audit of the Bank&#8217;s compliance procedures from the implementation of the GDPR until the date of the examination of the case.<\/p>\n<p>In particular, the HDPA found that the procedures followed by the Bank in handling access requests were ineffective, and therefore led to the late and partial fulfillment of the subjects&#8217; requests. 
Furthermore, the Bank failed to take appropriate technical and organisational measures.<\/p>\n<p>In its reasoning, the HDPA considered that factors such as the volume and nature of the personal data processed by the Bank, the large number of access requests it receives due to its field of activity and the potential risks of any delay in satisfying the subjects&#8217; requests are appropriate as parameters for the design and updating of the relevant compliance procedures.<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Conclusion<\/strong><\/span><\/p>\n<p>In its Decision 1\/2025, the HDPA notes that:<\/p>\n<ul>\n<li>Data Controllers should have policies and procedures in place for processing requests,<\/li>\n<li>These policies and procedures should be accessible to all the Data Controller&#8217;s staff in order for the latter to be timely in processing requests. In this context, it is particularly useful to provide regular training of staff on these policies and procedures.<\/li>\n<li>Finally, it is very important that the Data Controller reviews and updates the technical and organisational measures taken on the basis of the feedback received from the affected data subjects and\/or the staff handling these requests.<\/li>\n<\/ul>\n<p>Decision 1\/2025 again makes it clear that compliance with the requirements of the EU and national regulatory framework on data protection should not be limited to the mere drafting of texts, which can be found in a drawer or in a digital folder. 
On the contrary, it is a dynamic process, which must be constantly updated both in the light of legislative developments and of the challenges that arise in the implementation of this framework.<\/p>\n<p>For the Law Firm &#8220;Stergios Konstantinou &amp; Partners &#8211; SGK Legal&#8221;<\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"301\"><strong>Stergios Konstantinou<\/strong><\/p>\n<p>Attorney at Law, Advanced LLM (IP &amp; ICT Law)<\/p>\n<p>CIPP\/E, CIPM, FIP<\/td>\n<td width=\"301\"><strong>Eva Pitsi<\/strong><\/p>\n<p>Trainee Lawyer, LLM<\/p>\n<p>&nbsp;<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>By decision no. 1\/2025, the Hellenic Data Protection Authority (hereinafter the &#8220;HDPA&#8221;) imposed a fine of \u20ac220,000 on the National Bank (hereinafter the &#8220;Bank&#8221;) for violation of the provisions of Regulation (EU) 2016\/679 (hereinafter the &#8220;GDPR&#8221;). The Law Office &#8220;Stergios Konstantinou &amp; Associates &#8211; SGK Legal&#8221; represented one of the complainants. What happened? 
The HDPA [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":1482,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[158,159,156,111,157],"class_list":["post-1484","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-en","tag-access-right","tag-data-protection-en","tag-decision","tag-gdpr-en","tag-hdpa"],"_links":{"self":[{"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/posts\/1484","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/comments?post=1484"}],"version-history":[{"count":1,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/posts\/1484\/revisions"}],"predecessor-version":[{"id":1485,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/posts\/1484\/revisions\/1485"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/media\/1482"}],"wp:attachment":[{"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/media?parent=1484"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/categories?post=1484"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/tags?post=1484"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}