Thodoris Chondrogiannos
GDPR Violation by the Ministry of Migration and Asylum
27 • 04 • 2024

On 2 April 2024, the Hellenic Data Protection Authority (DPA) imposed two administrative fines totaling €175,000 on the Ministry of Migration and Asylum for violations of the General Data Protection Regulation (GDPR) in connection with the implementation of the Centaur and Hyperion security programs in Closed Controlled Structures (CCCs) and Reception and Identification Centres (RICs) for refugees, asylum seekers, and migrants.

On 2 April 2024, the Hellenic Data Protection Authority (DPA) issued a decision finding that the Ministry of Migration and Asylum had violated multiple provisions of the General Data Protection Regulation (GDPR) in connection with the implementation of the Centaur program (for managing electronic and physical security in Closed Controlled Structures and Reception and Identification Centres) and the Hyperion program (for monitoring entry and exit in these facilities). The DPA imposed two administrative fines totaling €175,000 on the Ministry.

Let’s examine in detail the GDPR provisions that were violated and the fines imposed, in accordance with the DPA’s authority as outlined in Article 58(2)(h) of the GDPR, which empowers supervisory authorities to impose administrative fines pursuant to Article 83, depending on the circumstances of each individual case.

Failure to Conduct a DPIA from the Design Stage

As part of its investigation, the Hellenic Data Protection Authority (DPA) found that the absence of a comprehensive, integrated, and coherent Data Protection Impact Assessment (DPIA), carried out from the design stage and by default, prior to the procurement and implementation of the ‘Centaur’ and ‘Hyperion’ systems, constitutes a violation of Articles 25 and 35 of the GDPR. These provisions establish the principles of “data protection by design and by default” (Article 25) and the requirement for a “data protection impact assessment” (Article 35). For this violation, the DPA imposed an administrative fine of €100,000 on the Ministry.

Article 31 of the GDPR, concerning “cooperation with the supervisory authority” (in this case, the Hellenic Data Protection Authority), provides that “the controller and the processor and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks.”

For this violation, the DPA imposed an administrative fine of €75,000.

In addition to the fines, the DPA gave the Ministry a three-month deadline to bring its data processing practices into full compliance with the GDPR, pursuant to Article 58(2)(d).

It is worth noting that since December 2021, the DPA had received inquiries from the LIBE Committee of the European Parliament regarding surveillance technologies at the borders. In February 2022, civil society organizations—including the Hellenic League for Human Rights, HIAS Greece, and Homo Digitalis—formally requested an investigation into the procurement and installation of the Centaur and Hyperion systems. In July 2022, the UNHCR office in Greece also sent a letter to the DPA expressing concerns.

Where is the problem with the rule of law?

Under the rule of law, public authorities are required to fully comply with EU and national legislation on the protection of personal data during lawful processing. However, the DPA’s investigation documented that the Ministry of Migration and Asylum violated Articles 25, 35, and 31 of the GDPR in the implementation of the Centaur and Hyperion security programs in CCCs and RICs.
