The Hellenic Data Protection Authority (hereinafter the “HDPA” or the “Authority”) imposed a fine of \u20ac22,000 on an insurance company (NN Hellas – \u20ac20,000) and a cooperating dental company (MEDIADENT IKE – \u20ac2,000) for:<\/p>\n
The complainant held an insurance policy with NN Hellas that included the “Dental Care” dental care program. For the service of policyholders, NN Hellas had a partnership with MEDIADENT company, which managed the program’s call center.<\/p>\n
During telephone calls, policyholders were informed through a pre-recorded message that “for your safety and quality service, the call is being recorded,” while the service was presented as “Dental Care of NN HELLAS.”<\/p>\n
On December 14, 2023, the policyholder submitted an access request via email to both companies, requesting transcripts of his telephone conversations that had taken place from July 24, 2023, to December 14, 2023, accurately specifying the date and time of each call.<\/p>\n
Despite repeated communications (15\/12\/23, 20\/12\/23, 22\/12\/23, 27\/12\/23), neither company satisfied his request. NN Hellas referred the policyholder to MEDIADENT, while the latter completely ignored the request, although it had initially stated that it would provide the recordings.<\/p>\n
The complainant’s recorded telephone conversations constitute his personal data, according to Regulation 2016\/679 (General Data Protection Regulation \u2013 GDPR), to which he, as a data subject, has the right to gain access, according to the provisions of Article 15 GDPR.<\/p>\n
Specifically, according to the provisions of Article 15 paragraphs 1 and 3 GDPR:<\/p>\n
“1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data […] The controller shall provide a copy of the personal data undergoing processing […].”<\/p>\n
Furthermore, according to Article 12 paragraph 2 of the GDPR, the controller shall facilitate the exercise of data subject rights provided for in Articles 15 to 22 of the GDPR, while according to Article 12 paragraph 3 GDPR, the controller shall provide the data subject with information on action taken on a request under Articles 15 to 22 without undue delay and in any event within one month of receipt of the request.<\/p>\n
The HDPA emphasized that the principle of accountability regarding transparency does not apply only at the point of data collection, but throughout the entire lifecycle of processing. Consequently, the rules that impose clear and transparent information also govern any response by the controller to a related access request.<\/p>\n
In this context, the proper and timely satisfaction of the right of access constitutes a critical element for the transparency of processing and is directly connected to the principles of personal data protection.<\/p>\n
One of the central issues of the case concerned determining the data controller for recording telephone calls. NN Hellas initially argued that MEDIADENT was the “processor,” while later changed position arguing that MEDIADENT was the “controller.”<\/p>\n
The HDPA, examining the private agreement between the companies from 2015, found that:<\/p>\n
Therefore, NN Hellas acts as Data Controller and bears responsibility for processing the request, with the assistance of the Processor (MEDIADENT).<\/p>\n
Despite the contract between the companies, the agreement and exact relationship were not transparent to the data subjects, who recognized only their contracting party NN Hellas as the controller. This emerged from:<\/p>\n
In this case, the HDPA imposed on NN Hellas an order to satisfy the Article 15 GDPR right of access of the complainant, providing the requested files within ten (10) days, and imposed an administrative fine of \u20ac20,000 for violation of his right of access.<\/p>\n
For determining the fine, it took into account:<\/p>\n
MEDIADENT was imposed a fine of \u20ac2,000 for violating the obligation to cooperate with the supervisory authority (Article 31 GDPR), as it:<\/p>\n
There are numerous organizations that proceed with recording telephone conversations, and most utilize external partners. The decision under examination confirms that particular attention should be given to the following (indicatively):<\/p>\n
In case a document is transmitted from a supervisory authority, it is very important to:<\/p>\n
For the best possible safeguarding of an organization, communication with a professional who will undertake the organization’s representation is recommended.<\/p>\n
Decision 32\/2025 of the HDPA constitutes an important reminder of the obligations arising from the GDPR. The right of access is not optional but a fundamental right of every subject, and its non-satisfaction entails serious sanctions.<\/p>\n
This decision also emphasizes the importance of transparency in business relationships and the need for clear information to subjects regarding the roles of involved companies. When a business appears to customers as the main controller, it cannot subsequently disclaim responsibility for satisfying their rights.<\/p>\n
Finally, the case underlines that non-cooperation with the supervisory authority constitutes an independent violation that is strictly punished, regardless of the business size.<\/p>\n
Businesses are called upon to review their procedures and ensure full compliance with GDPR obligations, in order to avoid similar sanctions and protect data subjects’ rights.<\/p>\n
Our Law Office contributes to shaping compliance policies and procedures with existing legislation and makes specific recommendations for timely and effective handling of subject requests.<\/p>\n
On behalf of the \u00abStergios Konstantinou & Associates <\/strong><\/p>\n – SGKLegal\u00bb<\/strong> Law Office<\/strong><\/p>\n Lawyer \u2013 Advanced LLM (IP & ICT Law)<\/p>\n CIPP\/E, CIPM, FIP<\/td>\n Trainee Lawyer, LLM<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":" The Hellenic Data Protection Authority (hereinafter the “HDPA” or the “Authority”) imposed a fine of \u20ac22,000 on an insurance company (NN Hellas – \u20ac20,000) and a cooperating dental company (MEDIADENT IKE – \u20ac2,000) for: Refusal to satisfy the right of access to recorded telephone calls, Improper cooperation with the HDPA, Lack of transparency in determining […]<\/p>\n","protected":false},"author":4,"featured_media":1789,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[645,643,647,641,644,649,639,648,640,637,377,654,638,651,650,653,652,642,646,179],"class_list":["post-1787","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-en","tag-article-15-gdpr","tag-call-center-compliance","tag-controller-vs-processor","tag-data-protection-fines-greece","tag-data-subject-access-request","tag-data-transparency-gdpr","tag-decision-32-2025-hdpa","tag-gdpr-compliance-greece","tag-gdpr-fines","tag-gdpr-greece","tag-gdpr-legal-advice","tag-gdpr-penalties","tag-hellenic-dpa-decision","tag-mediadent-fine","tag-nn-hellas-fine","tag-non-cooperation-supervisory-authority","tag-personal-data-greece","tag-recorded-phone-calls-gdpr","tag-right-of-access-gdpr","tag-sgk-legal-en"],"_links":{"self":[{"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/posts\/1787","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/comments?post=1787"}],"version-history":[{"count":2,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/posts\/1787\/revisions"}],"predecessor-version":[{"id":1791,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/posts\/1787\/revisions\/1791"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/media\/1789"}],"wp:attachment":[{"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/media?parent=1787"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/categories?post=1787"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/tags?post=1787"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n\n
\n Stergios Konstantinou<\/strong><\/p>\n Eva Pitsi<\/strong><\/p>\n