Thodoris Chondrogiannos
Violation of the GDPR by the Ministry for Citizen Protection
30 • 09 • 2024

On September 23, 2024, the Hellenic Data Protection Authority (DPA) imposed two administrative fines totaling €150,000 on the Ministry for Citizen Protection for violating multiple provisions of the General Data Protection Regulation (GDPR) concerning the issuance of new citizen ID cards.

On September 23, 2024, the DPA published a decision in which it found that the Ministry for Citizen Protection had violated provisions of the GDPR in connection with the issue of new citizen identity cards. As part of its decision, the DPA imposed two administrative fines totaling €150,000 on the Ministry.

Let’s examine in detail the GDPR provisions that were violated by the Ministry, as well as the administrative fines imposed, pursuant to the DPA’s powers under Article 58(2) of the GDPR (“Each supervisory authority shall have all of the following corrective powers: to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case”).

The Hellenic Data Protection Authority (DPA) imposed a fine of €50,000 for violating Article 13 (“Information to be provided where personal data is collected from the data subject”) and Article 14 (“Information to be provided where personal data has not been obtained from the data subject”) of the GDPR. The fine was issued due to shortcomings in informing data subjects about the processing of their personal data—specifically, “due to the prolonged lack of communication with citizens, as well as inaccurate information contained in the public notice, which was belatedly published on the data controller’s website (i.e., the Ministry for Citizen Protection),” according to the wording of the Authority’s decision.

Article 35 of the GDPR provides that, “1. Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. 2. A single assessment may address a set of similar processing operations that present similar high risks.”

In addition to the fines, the Data Protection Authority (DPA) imposed a six-month deadline on the Ministry for Citizen Protection to remedy the deficiencies in the issuance process of the new identity cards and to fully comply with the applicable personal data protection legislation.

The Authority concluded that although the validity of the identity cards—issued under the current legal framework as described above—is not in question, the Ministry has an obligation to update and codify the legal framework regarding the data fields included in the new type of Greek citizen ID cards and the issuance process. This is necessary in order to uniformly regulate issues that arose, on the one hand, from the repeal of relevant provisions and, on the other hand, from the simultaneous application of different legal texts—both during the issuance of the old IDs and the issuance of the new ones—while also taking into account the specific matters analyzed in the DPA’s decision.

Where is the problem with the rule of law?

Under the rule of law, public authorities are obliged to fully comply with EU and national legislation regarding the protection of citizens’ personal data during lawful processing procedures.

However, the investigation conducted by the DPA showed that the Ministry for Citizen Protection violated numerous provisions of the GDPR (Articles 13, 14, and 35(1)) concerning the issuance of new identity cards for citizens.
