Greece: HDPA fines Aegean Marine Petroleum €150,000 for GDPR violation
The Hellenic data protection authority ('HDPA') published, on 22 January 2020, its decision ('the Decision') issued, on 19 December 2019, to fine Aegean Marine Petroleum Network Inc €150,000 for violating Articles 5(1) and (2), and 6(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In particular, the HDPA found that companies outside the Aegean Marine Petroleum group had obtained access to its servers, which contained personal data, and copied the servers' content. Furthermore, HDPA noted that Aegean Marine Petroleum failed to take the necessary technical measures to secure the processing of large volumes of data stored in the servers.
In addition, the HDPA highlighted that Aegean Marine Petroleum did not keep the relevant software separate from the personal data stored in the server, which led to the unlawful copying of the content of the server. Moreover, the HDPA emphasised that Aegean Marine Petroleum had not informed the data subjects about the processing of their personal data contained in the servers. Lastly, the HDPA requested Aegean Marine Petroleum to take the necessary security measures to comply with Articles 5 and 6 of the GDPR.