On April 15, 2019, the Greek Data Protection Authority (“DPA”) fined Hellenic Petroleum S.A. EUR 20,000 for unlawful processing of personal data and EUR 10,000 for failing to adopt appropriate data security measures.

Hellenic Petroleum S.A. had engaged a vendor to conduct a study on its behalf. The study was exposed online, and its results, which included sensitive data such as political opinions, trade union membership and participation in associations, were publicly accessible on the Internet.

The DPA deemed Hellenic Petroleum S.A. to be the data controller and the vendor to be the data processor and, as such, Hellenic Petroleum S.A. was responsible for its vendor’s processing of the personal data. The DPA also concluded that the processing of sensitive data took place without a legal basis and absent the DPA’s permission. In addition, the DPA held Hellenic Petroleum S.A. responsible for failing to ensure appropriate technical and organizational measures had protected the data.

The decision (in Greek) applied the local data protection law in force pre-GDPR.