The Hellenic Data Protection Authority (“Authority”) issued two decisions on 7 October 2019, imposing two administrative fines of 200,000 euros each on the Hellenic Telecommunications Provider, “OTE”.

According to the decisions, the following violations were identified:

  1. breach of the principle of accuracy (Art. 5 (1) c GDPR) and of the principle of data protection by design (Art. 25 GDPR) when processing personal data of subscribers (Decision 31/2019); and
  2. failure to satisfy the right to object (Art. 21 (3) GDPR) and breach of the principle of data protection by design when processing personal data of subscribers (Decision 34/2019).

1. A few words about data protection by design and default

Data protection by design

Data protection by design emphasizes the need to proactively consider the data protection requirements of the GDPR from the design phase and throughout prototyping and field testing.

Recital 78 of the GDPR summarizes the essence of the concept of data protection by design well. It states: “When developing, designing, selecting and using applications, services and products […] producers of the products [and] services […] should be encouraged to take into account the right to data protection when developing and designing such products [and] services […] and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations.”

Data protection by design therefore requires producers to create their products or services in such a way that the later use of the product or service complies with the requirements of the GDPR, so that controllers and processors can fulfill their obligations under the GDPR.

Data protection by default

Besides data protection by design, the GDPR explicitly regulates the concept of data protection by default in Art. 25 para. 2. Data protection by default is already implicitly demanded by the GDPR through the application of the principles of “purpose limitation” and “data minimization”. In essence, and unlike data protection by design, data protection by default requires that the product or service is offered in such a way that no privacy-intrusive settings are activated by default.

The basic idea behind this concept is that users who are less experienced with the technology will by default benefit from factory settings that enhance the data protection rights of the user.

2. HDPA Decisions

Decision 31/2019[1]

The Authority received several complaints from OTE subscribers who had received unsolicited calls from third parties for marketing purposes, although they were registered in OTE’s Do-not-call register according to Art. 11 of the Greek Law 3471/2006.

In particular, the Authority’s investigation found that the subscribers in question had made a portability request for the transfer of their subscription to another provider. In this context, OTE deleted their personal data from the Do-not-call register. However, when the same individuals canceled their portability request, no proper process for canceling their deletion from the register had been implemented. As a result, the subscribers were visible in OTE’s internal customer register, but their phone numbers were not included in the register that OTE was forwarding to the marketing companies, because of a faulty interface between the systems.

Although the Authority found that this violation was not intentional, the incident affected a large number of individuals for a specific time period. The Authority therefore imposed a fine of 200,000 € for violations of Art. 5 (1) c and Art. 25 GDPR, taking into account the conditions laid down in Article 83 (2) of the GDPR. The fine was calculated based on the total annual turnover of OTE in 2018 on a group level.

Decision 34/2019[2]

As in the abovementioned Decision, the Authority received complaints from individuals who were not able to unsubscribe from receiving marketing email communications.

The Authority’s investigations found that, from 2013 onwards, the “unsubscribe” button that OTE had implemented did not function properly. Moreover, OTE had not implemented any organizational measure, e.g. a procedure, to identify when the data subject’s right to object could not be satisfied. As a consequence, OTE removed from its list approximately 8000 individuals who had unsuccessfully attempted to unsubscribe.

The Authority imposed another fine of 200,000 € for violations of Art. 21 (3) and Art. 25 GDPR, taking into account the conditions laid down in Article 83 (2) of the GDPR. The fine was calculated based on the total annual turnover of OTE in 2018 on a group level.

3. Conclusion

The fine imposed by the HDPA was the second fine in a row for Art. 25 GDPR violations. The first fine for data protection by design failures in Europe was issued on 4 July 2019 by the Romanian data protection authority (130,000 €).[3] This shows the importance of considering data protection at the early stage of designing a system or a process.

Furthermore, on a side note, it seems that many of the fines issued by data protection authorities around the EU are triggered by complaints from data subjects who receive unsolicited marketing communications. With the ePrivacy Regulation looming on the horizon, it is high time to address the challenges in existing marketing processes.

 

[1] HDPA Press release, Athens 7-10-2019, Reference number: Γ/ΕΞ/6739.

[2] HDPA Press release, Athens 7-10-2019, Reference number: Γ/ΕΞ/6739.

[3] For more information, please follow the link to the press release by the Romanian data protection authority: https://www.dataprotection.ro/index.jsp?page=Comunicat_Amenda_Unicredit&lang=en