Imposition of fines and order to comply following a leak of expats’ personal data file by Greek Data Protection Authority

The Greek Supervisory Authority for Data Protection imposed on the Greek Ministry of the Interior an administrative fine totalling EUR 400,000 and on a Member of European Parliament an administrative fine totalling EUR 40,000 for infringements of GDPR.

The Hellenic Data Protection Authority received a large number of complaints regarding unsolicited political communication via e-mail sent on 1/3/2024 and entitled "100 days before the European elections", by Member of European Parliament Anna-Michelle Asimakopoulou. Following this, the Authority investigated the case ex officio, immediately exercising its powers of investigation and auditing the bodies involved.

Following a series of on-the-spot audits and the receipt of evidence and data in the context of the audit, it was found that a file containing personal data of all registered Greek expatriate voters for the June 2023 elections, for which the Hellenic Ministry of the Interior is the controller, and for which the legislation in force does not provide for any case of its transmission to recipients outside the Ministry, was transferred outside the Ministry. That file contained, in addition to the known details of the electoral roll, the email addresses and telephone numbers of expatriate voters abroad, which are excluded from being provided to the recipients of copies of the electoral roll.

This file was created on 8 June 2023 for internal use within the Ministry of Interior in relation to the electoral process. It is concluded that the leak of this file occurred between 8 and 23 June 2023, as it was proved that on 23 June 2023 the file was provided to Nikos Theodoropoulos, the then Secretary of Greek Expatriates of the New Democracy political party, by a sender whose identity and capacity have not been determined to date, in order, according to his claims, to use it for the analysis of the election results.

On 20 January 2024, this file was sent to Ms Asimakopoulou by Mr Theodoropoulos. Ms Asimakopoulou then processed the file from the Ministry of the Interior in order to send an e-mail to all the voters contained therein. Ms Asimakopoulou’s email did not include the information required by Article 14 of the GDPR to inform its recipients, in particular of the source of their personal data.

As far as the Ministry of Interior is concerned, the leak of a file intended exclusively for internal use is an incident of violation of the confidentiality of personal data and therefore a personal data breach. The audit carried out by the Hellenic DPA at the Ministry of Interior identified shortcomings in the procedures and applicable data protection policies, deficiencies in the investigation of the incident as well as unsubstantiated announcements of the circumstances of the incident. Finally, deficiencies and inaccuracies were found in the content of the relevant records of processing activities kept.

As regards Ms Asimakopoulou, the Authority found that the collection of personal data of expatriate voters, including electronic contact details, and their use to send a political communication message was in breach of the basic principle of lawfulness, objectivity and transparency of the processing, as it was in breach of a number of provisions of electoral law and moreover could not be reasonably expected by the data subjects (expatriate voters).

The Authority imposed on the Ministry of the Interior, as the controller, an administrative fine totalling EUR 400,000 for infringements of Articles 5, 25, 30, 32 and 33 of the GDPR and instructed it to take action regarding the compliance of the measures and procedures followed with the GDPR, within a specific timeframe.

The Authority notes that the infringements identified are not related to the voting process. The Authority imposed on Anna-Michelle Asimakopoulou, as controller, an administrative fine totalling EUR 40,000 for infringements of Articles 5, 6 and 14 of the GDPR and ordered the deletion of such data.

As regards the New Democracy political party and Mr Theodoropoulos, the Authority postponed the adoption of a decision, since the latter, after hearing and submitting pleadings, submitted an affidavit as to the manner in which the electoral rolls were received, as a new crucial element, the content of which shows the need to investigate further the allegations made therein. (source: dpa.gr / photo: freepik.com)
