The Flash Report comments on the recent Decision of the Hellenic Data Protection Authority imposing a fine of 150.000 euros for data processing taking place in a server against GDPR provisions regarding the principles governing data processing and the lawfulness of processing. More specifically, the data controller had not implemented internal policies for the proper use of corporate means of electronic communications and network, or an internal audit procedure and it had not complied with the obligation to information towards the data subjects.