On 27 May 2024, the Data Protection Authority (DPA) issued an extensive decision detailing its findings that New Democracy MEP Anna-Michelle Asimakopoulou and the Ministry of Interior had violated a number of provisions of the General Data Protection Regulation (GDPR) in their treatment of the personal data of expatriate voters.
Fines were thus imposed on both Ms Asimakopoulou (EUR 40,000) and the Ministry of the Interior (EUR 400,000), along with the deletion of the relevant data and the adoption of protective measures by the Ministry in order to avoid similar violations in the future.
As far as Ms Asimakopoulou is concerned, the independent authority investigated the legality of a number of her actions in processing the personal data of expatriates: the collection of their personal data, their inclusion in the MailChimp email platform and, finally, the sending of an email entitled “100 days before the European elections” on 1 March 2024.
The DPA’s investigation found that on 8 June 2023 an excel file was exported from the database of the Ministry of Interior which included contact details of expatriate voters. The export of the file from the database of the Ministry of Interior, as well as the inclusion of the email addresses, was initially legal, namely to allow Greek embassies to inform expatriate voters if they are called to service as members of electoral committees, or to inform voters about the procedure of cancellation or suspension of their registration in the special electoral list abroad, if they ultimately wished to vote in Greece (where they are registered in the main electoral list).
The DPA notes that members of the European Parliament, such as Ms Asimakopoulou, have the right to obtain copies of electoral rolls, but in accordance with the terms of article 23 of Decree 26/2012 (Government Gazette Α’57/15.3.2012), the acquisition of copies can be made through the Ministry of Interior only during the election period, upon request, and only using a specific storage medium (CD). The legislation expressly prohibits the electronic circulation of electoral rolls in any other way.
Furthermore, it is provided that Members of the European Parliament must destroy any such data within three months following the elections, According to Article 3 of Law No. 4648/2019 (Government Gazette A’ 205/16.12.2019), the copies of the foreign electoral rolls made available to the beneficiaries of Article 23 of Decree 26/2012 do not include the voters’ e-mails and contact telephone numbers. Therefore, the data provided by CD by the Ministry of Interior to political parties for the May and June 2023 elections did not include voters’ e-mails and telephone numbers. It is also noteworthy that no individual in the capacity of a candidate requested a copy of the 2023 overseas electoral rolls.
Contrary to the above legislative provisions, on 20 January 2024, Ms Asimakopoulou received the aforementioned file from the Ministry of Interior through the WhatsApp application from the Secretary of Hellenic Diaspora Affairs for the New Democracy party, Nikos Theodoropoulos, who resigned from his post after the scandal broke. The date shows that the file was sent outside the election period and not by CD storage medium, but electronically. Furthermore, the file contained the e-mails and telephone numbers of expatriates, items that are expressly excluded from the available electoral rolls.
Taking into account the legislative framework, the DPA found that Ms Asimakopoulou, as the controller of personal data in the case at hand, had violated a number of provisions of the GDPR: Article 5 (1a) in conjunction with Article 6(1) and Article 14.
In the relevant passage of its decision, the DPA notes that the collection of the personal data of expatriates, including electronic contact details, at a time outside the election period, by electronic means (WhatsApp application), constitutes unfair, non-objective and unlawful processing of data. For the same reason, further individual processing operations for the same purpose, namely the creation of a new file to be uploaded to the MailChimp service, which included the name, country and e-mail of the voters and the use of the expatriates’ e-mail address to send political communications, are also unfair and unlawful.
Moreover, this processing of the data of voters from abroad cannot be found to be based on the legal basis of overriding legitimate interest (Article 6(1)(f) of the GDPR), since, taking into account the above circumstances, the right of expatriate voters to the protection of their personal data clearly prevails over the legal interest of the MEP to communicate with them individually in order to disseminate her political actions and ideas.
Moreover, the data subjects were not provided with adequate information in accordance with the GDPR (Article 14), as to how their data was obtained, which also infringes the principle of transparency of processing. Therefore, the processing of data of expatriates carried out by Ms Asimakopoulou between 20/1/2024 and 1/3/2024 violated the fundamental principles of lawfulness, objectivity and transparency of processing, in accordance with Article 5(1) of the GDPR. On the basis of the above findings, the authority imposed a fine of 40,000 on Ms Asimakopoulou and instructed her to delete all data on overseas voters.
Regarding the violations by the Ministry of Interior, the DPA noted that the leak of its official file constitutes a personal data breach, as the file in question was intended “exclusively for internal use”. Furthermore, during its audit, the independent authority found deficiencies in the procedures and data protection policies in place, shortcomings in the investigation of the incident in question, as well as deficiencies and inaccuracies in the content of the relevant activity records kept. For these failures, which violate Articles 5, 25, 30, 32 και 33 of the GDPR, the DPA imposed a fine of EUR 400,000 on the Ministry of Interior and ordered it to comply with the GDPR and adopt measures for the protection of personal data.
Under the rule of law, public authorities and the government must comply with the law on the protection of citizens’ personal data. However, in this case, the MEP Anna-Michelle Asimakopoulou and the Ministry of Interior violated a number of provisions of the General Data Protection Regulation (Article 5 (1a) in conjunction with Articles 6 (10) and 14 of the GDPR, as well as Articles 5, 25, 30, 32 and 33 of the GDPR) concerning the treatment of the personal data of expatriate citizens.
Bank Account number: 1100 0232 0016 560
IBAN: GR56 0140 1100 1100 0232 0016 560
BIC: CRBAGRAA
In a time where the very foundations of democracy are gradually being eroded by the rise of extreme nationalism, alt-right movements, the spread of disinformation and corporate capture, the efforts of organisations such as Vouliwatch are more relevant than ever.
We rely on the generosity of each and every one of you to continue with our efforts for more transparency and accounta
By financially supporting Vouliwatch you support our litigation strategy, our campaigns for transparency and accountability in the political system, the development of new civic tech tools, our research projects and last but not least our impartial and accurate