Greek SA: Imposition of fine on association for transmission of sensitive data, failure to facilitate right of access and lack of cooperation with the SA

12 August 2025

Background information

  • Date of final decision: 24 June 2025
  • National case
  • Controller: Association “Shield of David”
  • Legal Reference(s):
    • GDPR: Article 5: Principles relating to processing of personal data
    • GDPR: Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject
    • GDPR: Article 13: Information to be provided where personal data is collected from the data subject
    • GDPR: Article 15: Right of access by the data subject
    • GDPR: Article 24: Responsibility of the controller
    • GDPR: Article 31: Cooperation with the Supervisory Authority
  • Decision: Infringement of the GDPR, fines imposed
  • Key words: Access request, Cooperation with the Supervisory Authority

 

Summary of the Decision

Origin of the case

A complaint was submitted to the Hellenic SA against an association for people with Autism Spectrum Disorder (“Shield of David”), which failed to satisfy the right of access exercised by the complainants, as holders of parental responsibility for their minor child.

Key Findings

The defendant association not only failed to satisfy the right of access to CCTV footage, but also transmitted sensitive personal data of the minor child to a company without prior notification and consent of the parents. More specifically, it disclosed information regarding the intervention program followed by their minor child, the medical report, and the full social history that was taken upon the child's admission to the therapeutic programme. It also disclosed a decision of the Single-Member Court of First Instance to a large number of recipients.

Decision

The Authority imposed on the association an administrative fine of EUR 3,000 for not facilitating the exercise of data subject rights, and in particular the right of access (Articles 12(2) and 15 of the GDPR), an administrative fine of EUR 3,000 for transmission of personal data without informing the data subject beforehand (Articles 13 and 24 of the GDPR), an administrative fine of EUR 3,000 for transmission of the court decision to a number of recipients (violation of Articles 5(1)(a) and 13 of the GDPR) and an administrative fine of EUR 1,000 for violating the principle of cooperation with the supervisory authority (Article 31 of the GDPR).

 

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.