Greek SA: Imposition of fine on association for transmission of sensitive data, failure to facilitate right of access and lack of cooperation with the SA
Background information
- Date of final decision: 24 June 2025
- National case
- Controller: Association “Shield of David”
- Legal Reference(s):
- GDPR: Article 5. Principles relating to processing of personal data
- GDPR: Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject
- GDPR: Article 13: Information to be provided where personal data is collected from the data subject
- GDPR: Article 15: Right of access by the data subject
- GDPR: Article 24: Responsibility of the controller
- GDPR: Article 31 Cooperation with the Supervisory Authority
- Decision: Infringement of the GDPR, fines imposed
- Key words: Access request, Cooperation with the Supervisory Authority
Summary of the Decision
Origin of the case
A complaint was submitted to the Hellenic SA against an association for people with Αutism Spectrum Disorder (“Shield of David”), which failed to satisfy the right of access exercised by the complainants, as holders of parental responsibility for their minor child.
Key Findings
The defendant association not only did not satisfy the right of access to CCTV footage, but also transmitted sensitive personal data of the minor child to a company without prior notification and consent of the parents. More specifically, it disclosed information regarding the intervention program followed by their minor child, the medical report, and the full social history that was taken upon the child's admission to the therapeutic programme and also disclosed a decision of the Single-Member Court of First Instance to a large number of recipients.
Decision
The Authority imposed on the association an administrative fine of EUR 3,000 for not facilitating the exercise of data subject rights, and in particular the right of access (Articles 12 (2) and 15 of the GDPR), an administrative fine of EUR 3,000 for transmission of personal data without informing the data subject beforehand (Articles 13 and 24 of the GDPR), an administrative fine of EUR 3,000 for transmission of the court decision to a number of recipients (violation of Articles 5 (1) (a) and 13 of the GDPR) and an administrative fine of EUR 1,000 for violating the principle of cooperation with the supervisory authority (Article 31 of the GDPR).
- For further information: Decision: https://www.dpa.gr/el/enimerwtiko/prakseisArxis/epiboli-prostimoy-gia-mi-ikanopoiisi-dikaiomatos-prosbasis-gia-diabibasi (Greek)