By its decision No. 52/2021, the Hellenic DPA apportioned liability between a data controller and a data processor, imposing a fine of €30,000 on the latter for failure to adopt appropriate technical and organizational measures (violation of Articles 32(2) and 32(4) of the GDPR in conjunction with Article 28(3c) of the GDPR). By contrast, only a reprimand was imposed on the data controller, after the DPA examined the level of data protection compliance of each party. The data processor was a private company acting under the instructions and on behalf of another private company (the data controller) for the performance of telephone calls to data subjects, who were also included in the register of Article 11 of Law 3471/2006.
Read the full text of the decision (in Greek) here