Greece: HDPA fines METRO €50,000 for data subject rights and breach notification obligation failures
On June 27, 2024, the Hellenic Data Protection Authority (HDPA) announced the publication of its Decision No. 17/2024, issued on the same date, in which it imposed an administrative fine of €50,000 on METRO S.A. for violations of the General Data Protection Regulation (GDPR), following a complaint.
Background to the decision
The HDPA noted that the complainant, who maintained a user account on METRO's online store, received an SMS on their personal mobile phone from a former employee of METRO who had delivered orders placed by the complainant a few days earlier. The complainant reported the incident to METRO, exercising their rights of access to their personal data and deletion of such data.
Findings of the HDPA
The HDPA found METRO in violation of its obligations under Articles 24, 32, and 33 of the GDPR, as it did not investigate the incident according to its relevant policy and did not notify the HDPA of the incident. METRO also did not review and update the technical and organizational measures it applies to avoid a similar incident in the future.
In addition, the HDPA found METRO in violation of Articles 15 and 17 of the GDPR for not responding to the complainant's access and deletion requests, with METRO stating that the complainant was not the data subject, as the details mentioned in the order were those of their husband. Nonetheless, the HDPA found that METRO should have responded to the request by requesting the additional information necessary to confirm the identity of the data subject.
Outcomes
In light of the above, the HDPA imposed a total administrative fine of €50,000 on METRO.
You can read the press release here and the decision here, both only available in Greek.