REPORTS
Data Protection Authority: Intelligence Agency EYP unlawfully leaked personal data of employees
On 31 October 2024, the Data Protection Authority (DPA) published two decisions (1, 2) relating to two complaints (1, 2) by employees of the National Intelligence Service (EYP) regarding the leakage of their personal data in violation of Article 5(1) of the Greek Data Protection Act and Article 13 of the General Data Protection Regulation (GDPR).
According to the decisions, the DPA found that on 15 December 2021, EYP sent a document to the Hellenic Police (ELAS), the Minister and the Deputy Minister of Citizen Protection, which included the names of the complainants, their branch and category, as well as the subject of their studies due to their imminent transfer to the other governmental departments in question.
This document was sent just one day before Law 4873/2021 came into effect (Government Gazette Α’/248/16.12.2021), a fact that is crucial for the complaints under consideration. Article 74 of Law 4873/2021 provided for the transfer of EYP personnel to the Ministry of Citizen Protection and the Hellenic Police, and would therefore form a legal basis for the disclosure of such personal data to the recipients in question, from the following day onwards.
However, due to the fact that this personal data was transmitted one day before the law came into effect, the transmission was determined to be unlawful and in violation of the principles of legality, objectivity and transparency, as enshrined in Article 5 (1) of the GDPR, according to which personal data must be processed lawfully and fairly and in a transparent manner in relation to the data subject (‘lawfulness, objectivity and transparency’), a condition which was not met in this case, since at the time of the transfer of the data of the two complainants there was no legal basis for that transfer.
In each case, the DPA imposed an administrative fine of EUR 5,000 in total, namely EUR 4,000 for the violation of Article 5(1) of the Greek Data Protection Act and EUR 1 000 for the violation of Article 13 of the General Data Protection Regulation (GDPR).
Under the rule of law, state authorities are required to apply national legislation to protect the personal data of their staff and citizens, and to ensure their lawful administrative functioning.
However, it follows from the abovementioned decisions that in the present case the intelligence service violated Article 5 (1) of the Greek Data Protection Act and Article13 of the General Data Protection Regulation (GDPR), by unlawfully leaking the personal data of two of its employees.
Bank Account number: 1100 0232 0016 560
IBAN: GR56 0140 1100 1100 0232 0016 560
BIC: CRBAGRAA
In a time where the very foundations of democracy are gradually being eroded by the rise of extreme nationalism, alt-right movements, the spread of disinformation and corporate capture, the efforts of organisations such as Vouliwatch are more relevant than ever.
We rely on the generosity of each and every one of you to continue with our efforts for more transparency and accounta
By financially supporting Vouliwatch you support our litigation strategy, our campaigns for transparency and accountability in the political system, the development of new civic tech tools, our research projects and last but not least our impartial and accurate
