Thodoris Chondrogiannos
Violation of the GDPR by Hellenic Post
20 • 03 • 2024

On 28 February 2024, the Hellenic Data Protection Authority (DPA) imposed an administrative fine of €2,995,140 against Hellenic Post (ELTA) for serious violations of provisions of the General Data Protection Regulation (GDPR), which the independent authority found following a cyber attack against ELTA and the leakage of the personal data of its customers, employees and partners on the dark web.

On 28 February 2024, the independent Data Protection Authority (DPA) published a decision in which it found that the Hellenic Post (ELTA), which is part of the Growthfund, or the National Fund of Greece, the asset manager of a major portfolio of state-owned enterprises, committed serious breaches of the provisions of the General Data Protection Regulation (GDPR).

The DPA thus imposed an administrative fine of EUR 2,995,140 against ELTA, in accordance with its competence deriving from Article 58(2) of the GDPR (‘Each supervisory authority shall have all of the following corrective powers: […] (i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case.’).

The independent authority took up the case following a cyber attack against ELTA and the leakage of the personal data of its customers, employees and partners on the dark web.

The DPA’s investigation found that ELTA did not have sufficient technical security measures in place and that its security policies were not being applied correctly, in violation of Article 32 GDPR. The authority also noted that access to the data was not sufficiently restricted and that the disabling of security mechanisms was neither detected nor prevented.

On the basis of the above findings, the DPA concluded that ELTA infringed Articles 5(1) and 32 of the GDPR. Article 5(1) provides that: “Personal data shall be: (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”

Article 32 of the GDPR provides that: “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including…(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;”

Article 32(2) goes on to detail that, “In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.”

The DPA characterized the violations as “severe” given the wide range of people affected (approximately five million customers, employees, and partners of ELTA), the extent of the damage, the failures to implement security policies, the categories of personal data affected (e.g., financial data), and the lack of measures to limit the posting of the data online.

Where is the problem with the rule of law?

Under the rule of law, public authorities must strictly comply with EU and national legislation on the protection of citizens’ personal data in their data processing procedures.

However, an investigation by the independent Data Protection Authority (DPA) has in this case documented that the Hellenic Post (ELTA), which is part of the public Growthfund, the asset manager of a major portfolio of state-owned enterprises, committed serious breaches of provisions of the General Data Protection Regulation (Articles 5(1) and 32 of the GDPR).
