Thodoris Chondrogiannos 28 • 09 • 2024

GDPR Violation by the National Center for Emergency Assistance under the Ministry of Health


On September 2, 2024, the Hellenic Data Protection Authority (DPA) imposed two administrative fines totaling €30,000 on the National Center for Emergency Assistance (EKAB) for violating multiple provisions of the General Data Protection Regulation (GDPR) in handling citizens’ requests for access to their recorded phone conversations with its call center.

The Hellenic DPA determined that EKAB, which is overseen by the Ministry of Health, violated several GDPR provisions by refusing to provide two citizens with access to recordings of their emergency calls, submitted as part of a complaint regarding a delayed ambulance arrival. As a result, the DPA imposed two fines totaling €30,000.

The case involved a request made in June 2022 by the patient’s grandmother and father to access the calls they had made to the emergency number 166. EKAB denied the request, citing a board decision that such recordings are confidential and only accessible by authorities investigating criminal offenses.

On September 2, 2024, the Hellenic Data Protection Authority (DPA) issued a decision concluding that the National Center for Emergency Assistance (EKAB), which falls under the Ministry of Health, violated multiple provisions of the General Data Protection Regulation (GDPR) by refusing to provide two citizens with the recorded conversations they had with EKAB’s call center. These recordings were requested in the context of a complaint about the delayed arrival of an ambulance for a relative in need. The DPA imposed two administrative fines on EKAB totaling €30,000.

Following EKAB’s refusal to fulfill the request and the complainants’ appeal to the Data Protection Authority (DPA), the independent authority took up the case and found that, in this instance, the applicants exercised their right of access to their recorded calls to number 166 as data subjects, clearly identifying—through their requests—the phone numbers they used, as well as the date and time of each call. EKAB, acting as the data controller, failed to respond in any way to their requests for access to the recordings. It did not inform them of the reasons for its inaction, did not ask for supplementary information for identification purposes (e.g. confirmation of number ownership or other details that could confirm identification), but instead ignored the requests, characterizing them as repetitive, abusive, and ‘incomprehensible.’

Based on the above findings, the Hellenic Data Protection Authority (DPA) concluded that EKAB violated Article 15(3) of the GDPR, in conjunction with Articles 11(2), 12(4), and 12(6). According to Article 15(3), which concerns the data subject’s right of access, “The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.”

For this violation, the DPA imposed an administrative fine of €20,000 on EKAB and ordered it to provide the two complainants with copies of their recorded telephone conversations.

The DPA also determined that the information EKAB provided to data subjects at the time of the complaint did not meet the GDPR’s transparency requirements. First, it was not easily accessible to the data subjects, since the necessary information was scattered throughout EKAB’s website and not presented in a clear and understandable manner. Second, both the information on the website and the submitted ‘Personal Data Protection Policy’ were vague and unclear regarding the possibility (or impossibility) of granting access to recorded phone calls in the context of exercising the right of access.

As a result, the DPA concluded that EKAB also violated Article 13 of the GDPR, which sets out the obligation to inform data subjects in accordance with the fundamental principle of transparency (Article 5(1)(a) of the GDPR). For this second violation, the DPA imposed an additional administrative fine of €10,000.

Where is the problem with the rule of law?

Under the rule of law, public authorities are obliged to strictly comply with both EU and national legislation regarding the protection of citizens’ personal data during lawful data processing procedures.

However, the investigation conducted by the Hellenic Data Protection Authority (DPA) demonstrated that the National Center for Emergency Assistance (EKAB), under the Ministry of Health, violated multiple provisions of the General Data Protection Regulation (GDPR)—specifically, Article 15(3) in conjunction with Articles 11(2), 12(4), and 12(6), as well as Article 13 in conjunction with Article 5(1)(a).
