Hellenic SA: imposition of a fine and order to comply following a leak of expats’ personal data file

13 September 2024

Background information

  • Date of final decision: 27 May 2024
  • National case
  • Legal Reference(s): GDPR: Article 5.1.a: Principle of lawfulness, fairness and transparency; GDPR: Article 6.1.f: Processing based on legitimate interest; GDPR: Article 14: Information to be provided where personal data have not been obtained from the data subject; GDPR: Article 25.1: Data protection by design; GDPR: Article 30: Records of processing activities; GDPR: Article 32: Security of processing; GDPR: Article 33: Notification of a personal data breach
  • Controllers: Hellenic Ministry of the Interior, and a second controller; potential controllers: New Democracy political party, and a second potential controller
  • Decision: Infringement of the GDPR, administrative fine
  • Key words: Non-compliance with technical and organisational measures, unauthorised access, unlawful processing, political advertising, data breach.

 

Summary of the Decision

 

Origin of the case 

The Hellenic Supervisory Authority (SA) received a large number of complaints about unsolicited political communication sent via e-mail on 1/3/2024 by one of the controllers, on an initiative related to the European elections. Following this, the Hellenic SA investigated the case, immediately exercising its powers of investigation and auditing the bodies involved.

 

Key Findings

Following a series of on-the-spot audits and the receipt of evidence and data, it was found that a file containing personal data of all registered expatriate voters for the June 2024 elections was transferred outside the Ministry. The Ministry of the Interior is the controller for this file, and the legislation in force does not provide for any case of transmission to recipients outside the Ministry. In addition to the known details of the electoral roll, the file contained the email addresses and telephone numbers of Greek expatriate voters, which are excluded from being provided to the recipients of copies of the electoral roll. The file was sent to the second of the potential controllers by a sender whose identity and capacity have not been determined to date, allegedly for use in the analysis of the election results.

 

Decision

The Hellenic SA imposed on the Ministry of the Interior, in its capacity as controller, an administrative fine of 400 000€ for infringements of Articles 5, 25, 30, 32 and 33 of the GDPR and instructed it to bring its measures and procedures into compliance with the GDPR within a specific timeframe. The Hellenic SA noted that the infringements identified are not related to the voting process.

The Hellenic SA imposed on the other controller an administrative fine of 40 000€ for infringements of Articles 5, 6 and 14 of the GDPR and ordered the deletion of the unlawfully processed data.

As regards the New Democracy political party and the other potential controller involved, the Hellenic SA postponed the adoption of a decision because it considered that the case needed further investigation.

 

For further information: