Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Greece: HDPA fines MEP and Ministry of Interior €440,000 for personal data leaks

On May 27, 2024, the Hellenic Data Protection Authority (HDPA) announced that it had published its Decision No. 16/2024 as issued on May 27, 2024, in which it imposed an administrative fine of €40,000 on MEP Anna Michelle Asimakopoulou and €400,000 on the Ministry of Interior for General Data Protection Regulation (GDPR) violations, following an investigation into complaints regarding unsolicited political communication.

Background to the HDPA's decision

The HDPA noted that it received a large number of complaints regarding unsolicited political communication via email from the MEP. Following an investigation, the HDPA established that a file with personal data of all registered foreign voters for the June 2023 elections, for which the Ministry of Interior is responsible for processing, was leaked outside of the Ministry. The file contained personal data, such as email addresses and contact telephone numbers of foreign voters, which is usually excluded from the provision of copies of electoral rolls to the beneficiaries. Subsequently, the MEP, who received the leaked data, processed the file in order to send an email to all the voters contained in it.

Findings of the HDPA

The HDPA found that the collection of personal data of emigrant voters, including electronic communication details and their use for sending a political communication message, was in violation of the basic principles of legality, objectivity, and transparency of processing. More specifically, the HDPA found the MEP in violation of Articles 5(1)(a), 6(1), and 14 of the GDPR, and the Ministry in violation of Articles 5(1)(f), 25(1), 30, 32, and 33(3)-33(5) of the GDPR.

Outcomes

In light of the above, the HDPA imposed a fine of €40,000 on the MEP and ordered the MEP, as a data controller, to delete all data of foreign voters. Furthermore, the HDPA fined the Ministry €400,000 and ordered the Ministry, as a data controller, to, among other things:

  • record approved policies and check and review the procedures and measures that apply regarding the protection of personal data during the processing of voters' personal data;
  • within three months of this decision, draw up relevant timetables for training, implementation, and updating of the above, alongside notifying the HDPA of the completion of such activities; and
  • provide and implement specific measures to avoid, detect, and investigate personal data breach incidents.

You can read the press release here and the decision here, both only available in Greek.