On 2 April 2024, the Hellenic Data Protection Authority (DPA) issued a decision finding that the Ministry of Migration and Asylum had violated multiple provisions of the General Data Protection Regulation (GDPR) in connection with the implementation of the Centaur program (for managing electronic and physical security in Closed Controlled Structures and Reception and Identification Centres) and the Hyperion program (for monitoring entry and exit in these facilities). The DPA imposed two administrative fines totaling €175,000 on the Ministry.
Let’s examine in detail the GDPR provisions that were violated and the fines imposed, in accordance with the DPA’s authority as outlined in Article 58(2)(h) of the GDPR, which empowers supervisory authorities to impose administrative fines pursuant to Article 83, depending on the circumstances of each individual case.
Failure to Conduct a DPIA from the Design Stage
As part of its investigation, the Hellenic Data Protection Authority (DPA) found that the absence of a comprehensive, integrated, and coherent Data Protection Impact Assessment (DPIA), carried out from the design stage and by default, prior to the procurement and implementation of the ‘Centaur’ and ‘Hyperion’ systems, constitutes a violation of Articles 25 and 35 of the GDPR. These provisions establish the principles of “data protection by design and by default” (Article 25) and the requirement for a “data protection impact assessment” (Article 35). For this violation, the DPA imposed an administrative fine of €100,000 on the Ministry.
Failure to Cooperate with the Supervisory Authority
The DPA further found that the Ministry submitted memos and accompanying documents containing vague, incomplete, confusing, and contradictory information; failed to submit to the Authority the contracts with data processors containing clauses on the processing of personal data in the context of the ‘Centaur’ and ‘Hyperion’ systems in accordance with Article 28 of the GDPR; failed to provide clarifications regarding the processing carried out via the ‘Centaur’ system—particularly its automated functions—and the interconnection between the ‘Centaur’ and ‘Hyperion’ systems with other public sector systems, neglecting to provide the requested information; and failed to submit contracts which the Ministry, according to its claims, had concluded with the Data Protection Officer.” These actions were found to constitute a violation of Article 31 of the GDPR.
Article 31 of the GDPR, concerning “cooperation with the supervisory authority” (in this case, the Hellenic Data Protection Authority), provides that “the controller and the processor and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks.”
For this violation, the DPA imposed an administrative fine of €75,000
In addition to the fines, the DPA gave the Ministry a three-month deadline to bring its data processing practices into full compliance with the GDPR, pursuant to Article 58(2)(d).
It is worth noting that since December 2021, the DPA had received inquiries from the LIBE Committee of the European Parliament regarding surveillance technologies at the borders. In February 2022, civil society organizations—including the Hellenic League for Human Rights, HIAS Greece, and Homo Digitalis—formally requested an investigation into the procurement and installation of the Centaur and Hyperion systems. In July 2022, the UNHCR office in Greece also sent a letter to the DPA expressing concerns.
Under the rule of law, public authorities are required to fully comply with EU and national legislation on the protection of personal data during lawful processing. However, the DPA’s investigation documented that the Ministry of Migration and Asylum violated Articles 25, 35, and 31 of the GDPR in the implementation of the Centaur and Hyperion security programs in CCCs and RICs.
Bank Account number: 1100 0232 0016 560
IBAN: GR56 0140 1100 1100 0232 0016 560
BIC: CRBAGRAA
In a time where the very foundations of democracy are gradually being eroded by the rise of extreme nationalism, alt-right movements, the spread of disinformation and corporate capture, the efforts of organisations such as Vouliwatch are more relevant than ever.
We rely on the generosity of each and every one of you to continue with our efforts for more transparency and accounta
By financially supporting Vouliwatch you support our litigation strategy, our campaigns for transparency and accountability in the political system, the development of new civic tech tools, our research projects and last but not least our impartial and accurate