HDPA (Greece) - 39/2024: Difference between revisions

From GDPRhub
m (links fixed)
mNo edit summary
 
(5 intermediate revisions by 3 users not shown)
Line 69: Line 69:
}}
}}


The DPA imposed a fine of €5,000 on the National Intelligence Service for unlawfully processing the personal data of its employe, in violation of the principles of legality, fairness, and transparency [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]].
The DPA fined the National Intelligence Service €5,000 for unlawfully transferring personal data of an employee to other authorities, thus violating the principles of lawfulness, fairness and transparency under [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]].


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The data subject, an employee of the [https://www.nis.gr/en National Intelligence Service] (the "controller"), on 9 July 2022, filed a complaint with the Hellenic DPA, for the unlawful transfer of her personal data. More specifically, she complained that the controller transferred her personal data, including her name, educational qualifications, and professional classification, to the Ministry of Citizen Protection and the Hellenic Police. The data subject asserted that she was not informed about the transfer of her personal data, which was unnecessary and in violation of [[Article 13 GDPR|Article 13 GDPR]], and further argued that the controller lacked a valid legal basis for this specific processing.
On 9 July 2022, the data subject, an employee of the [https://www.nis.gr/en National Intelligence Service] (the controller), filed a complaint with the Hellenic DPA for the unlawful transfer of her personal data. More specifically, she complained that the controller transferred her personal data, including her name, educational qualifications, and professional classification, to the Ministry of Citizen Protection and the Hellenic Police. The data subject asserted that she was not informed about the unnecessary transfer of her personal data, in violation of [[Article 13 GDPR|Article 13 GDPR]], and further argued that the controller lacked a valid legal basis for this specific processing.


On 12 April 2024, the controller responded to the Hellenic DPA, that the data transfer to the Ministry of Citizen Protection, a public body, was conducted under Article 26 of Greek Law 4624/2019, as part of fulfilling its official duties. The controller justified that this data was necessary for the adoption of the decisions on her transfer and placement in accordance with the provision of Article 74, Government Decree A΄/248/16-12-2021. Additionally, the controller argued that the complainant did not contacted or submited a complaint to the controller before filing the complaint with the Hellenic DPA, and for this reason, the Authority can choose to not investigate this complaint.
On 12 April 2024, the controller responded to the Hellenic DPA, that the data transfer to the Ministry of Citizen Protection, a public body, was conducted under Article 26 of Greek Law 4624/2019, as part of fulfilling its official duties. The controller justified that this data was necessary for the adoption of the decisions on her transfer and placement in accordance with the provision of Article 74 of Greek law 4873/2021. Additionally, the controller argued that the data subject had not contacted the controller or submitted a complaint to them before filing the complaint with the Hellenic DPA, and for this reason, the DPA could choose to not investigate this complaint.


On 1 May 2024, the complainant responded to the Hellenic DPA arguing that, data was transferred on 15 December 2021, when the relevant law had not yet came into effect, as the Greek law 4873/2021 came into force on 16 December 2022. She claimed this rendered the transfer unlawful. Additionally, she asserted that there was a lack of transparency since she was not informed about this data processing under [[Article 13 GDPR|Article 13 GDPR]]. The complainant also highlighted that some of the transferred data, such as specific educational details, were unnecessary for the stated purpose, and alleged that the data had been disclosed to unauthorised personnel, violating principles of lawfulness, transparency, data minimisation, and confidentiality.
On 1 May 2024, the data subject responded to the Hellenic DPA arguing that data was transferred on 15 December 2021, when the relevant law had not yet come into effect, as the Greek law 4873/2021 came into force on 16 December 2022. She claimed this rendered the transfer unlawful. Additionally, she asserted that there was a lack of transparency since she was not informed about this data processing under [[Article 13 GDPR|Article 13 GDPR]]. The data subject also highlighted that some of the transferred data, such as specific educational details, were unnecessary for the stated purpose, and alleged that the data had been disclosed to unauthorised personnel, violating principles of lawfulness, transparency, data minimisation, and confidentiality.


=== Holding ===
=== Holding ===
The Hellenic DPA held that for lawful processing, controllers must comply with the principles of [[Article 5 GDPR#1|Article 5(1) GDPR]], as established in the [[CJEU - C-496/17 - Deutsche Post]], the existence of a legitimate basis under Article 6 does not exempt the controller from these obligations. The transfer of the complainant's personal data occurred on 15 December 2021, before the Greek Law 4873/2021 came into effect, which was on 16 December 2021, data processing of the complaint’s data by the controller was found to be unlawful and in violation of [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]].
The Hellenic DPA held that for lawful processing, controllers must comply with the principles of [[Article 5 GDPR#1|Article 5(1) GDPR]], as established in [[CJEU - C-496/17 - Deutsche Post]]; the existence of a legitimate basis under [[Article 6 GDPR]] does not exempt the controller from these obligations. The transfer of the data subject's personal data occurred on 15 December 2021, before the Greek Law 4873/2021 came into effect, which was on 16 December 2021, data processing of the data subject’s data by the controller was found to be unlawful and in violation of [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]].


Additionally the Hellenic DPA held that the controller must not only choose the appropriate legal basis before starting the processing, but also inform the data subject of the processing in accordance with [[Article 13 GDPR#1|Article 13(1) GDPR]] and [[Article 13 GDPR#1c|Article 13(1)(c) GDPR]] of its use to the data subject. The complainant in this case was not properly informed about this data transfer, thus the controller violated the [[Article 13 GDPR|Article 13 GDPR]].  
Additionally the Hellenic DPA held that the controller not only has to choose the appropriate legal basis before starting the processing, but also inform the data subject of the processing in accordance with [[Article 13 GDPR#1c|Article 13(1)(c) GDPR]] of its use to the data subject. The data subject in this case was not properly informed, thus the controller was found to be in violation of [[Article 13 GDPR|Article 13 GDPR]].  


Lastly, regarding the controller’s argument that the Authority could choose not to examine the case because the complainant did not first submit a complaint to the controller, the Hellenic DPA held that, according to [[Article 12 GDPR|Article 12 GDPR]], a request to the data controller concerns the exercise of rights under the GDPR, not the submission of a complaint regarding a violation of provisions under the jurisdiction of the DPA.
Lastly, regarding the controller’s argument that the DPA could choose not to examine the case because the data subject did not first submit a complaint to the controller, the Hellenic DPA held that, according to [[Article 12 GDPR|Article 12 GDPR]], a request to the data controller concerns the exercise of rights under the GDPR, not the submission of a complaint regarding a violation of provisions under the jurisdiction of the DPA.


For these reasons, the Hellenic DPA imposed a total fine of €5,000 and more specifically:
For these reasons, the Hellenic DPA imposed a total fine of €5,000 and more specifically:


€4,000 for the violation of [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] and
* €4,000 for the violation of [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] and
€1,000 for the violation of [[Article 13 GDPR|Article 13 GDPR]].
* €1,000 for the violation of [[Article 13 GDPR]].


== Comment ==
== Comment ==

Latest revision as of 17:38, 3 December 2024

HDPA - 39/2024
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 12 GDPR
Article 13 GDPR
Greek Law 4624/2019
Type: Complaint
Outcome: Upheld
Started: 09.07.2022
Decided: 31.10.2024
Published: 08.11.2024
Fine: 5,000 EUR
Parties: Εθνική Υπηρεσία Πληροφοριών (National Intelligence Service)
National Case Number/Name: 39/2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: inder-kahlon

The DPA fined the National Intelligence Service €5,000 for unlawfully transferring personal data of an employee to other authorities, thus violating the principles of lawfulness, fairness and transparency under Article 5(1)(a) GDPR.

English Summary

Facts

On 9 July 2022, the data subject, an employee of the National Intelligence Service (the controller), filed a complaint with the Hellenic DPA for the unlawful transfer of her personal data. More specifically, she complained that the controller transferred her personal data, including her name, educational qualifications, and professional classification, to the Ministry of Citizen Protection and the Hellenic Police. The data subject asserted that she was not informed about the unnecessary transfer of her personal data, in violation of Article 13 GDPR, and further argued that the controller lacked a valid legal basis for this specific processing.

On 12 April 2024, the controller responded to the Hellenic DPA, that the data transfer to the Ministry of Citizen Protection, a public body, was conducted under Article 26 of Greek Law 4624/2019, as part of fulfilling its official duties. The controller justified that this data was necessary for the adoption of the decisions on her transfer and placement in accordance with the provision of Article 74 of Greek law 4873/2021. Additionally, the controller argued that the data subject had not contacted the controller or submitted a complaint to them before filing the complaint with the Hellenic DPA, and for this reason, the DPA could choose to not investigate this complaint.

On 1 May 2024, the data subject responded to the Hellenic DPA arguing that data was transferred on 15 December 2021, when the relevant law had not yet come into effect, as the Greek law 4873/2021 came into force on 16 December 2022. She claimed this rendered the transfer unlawful. Additionally, she asserted that there was a lack of transparency since she was not informed about this data processing under Article 13 GDPR. The data subject also highlighted that some of the transferred data, such as specific educational details, were unnecessary for the stated purpose, and alleged that the data had been disclosed to unauthorised personnel, violating principles of lawfulness, transparency, data minimisation, and confidentiality.

Holding

The Hellenic DPA held that for lawful processing, controllers must comply with the principles of Article 5(1) GDPR, as established in CJEU - C-496/17 - Deutsche Post; the existence of a legitimate basis under Article 6 GDPR does not exempt the controller from these obligations. The transfer of the data subject's personal data occurred on 15 December 2021, before the Greek Law 4873/2021 came into effect, which was on 16 December 2021, data processing of the data subject’s data by the controller was found to be unlawful and in violation of Article 5(1)(a) GDPR.

Additionally the Hellenic DPA held that the controller not only has to choose the appropriate legal basis before starting the processing, but also inform the data subject of the processing in accordance with Article 13(1)(c) GDPR of its use to the data subject. The data subject in this case was not properly informed, thus the controller was found to be in violation of Article 13 GDPR.

Lastly, regarding the controller’s argument that the DPA could choose not to examine the case because the data subject did not first submit a complaint to the controller, the Hellenic DPA held that, according to Article 12 GDPR, a request to the data controller concerns the exercise of rights under the GDPR, not the submission of a complaint regarding a violation of provisions under the jurisdiction of the DPA.

For these reasons, the Hellenic DPA imposed a total fine of €5,000 and more specifically:

Comment

This case highlights an important aspect of the GDPR: the data subject's right to directly approach the supervisory authority if they believe their personal data has been unlawfully processed or their data privacy rights have been violated, without first exercising their rights with the controller.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Athens, 31-10-2024 No. Prot.: 2990 DECISION 39/2024 (Plenary) The Personal Data Protection Authority convened, at the invitation of the President, in an extraordinary meeting on 23-07-2024, in order to examine the case referred to in the present history. The President of the Authority Konstantinos Menudakos, regular members Spyridon Vlachopoulos, as rapporteur, Grigorios Tsolias, Konstantinos Lambrinoudakis, Christos Kalloniatis and Aikaterini Iliadou were present via teleconference. At the meeting, without the right to vote, Eleni Kapralou, special legal scientist, as assistant rapporteur, and Irini Papageorgopoulou, an employee of the Department of Administrative Affairs, as secretary, attended the meeting, by order of the President. The Authority took into account the following: With the no. first C/EIS/8670/09-07-2022 her complaint to the Authority and the documents attached to it, A (hereinafter "complainant"), who served in the National Intelligence Service (hereinafter "Complainant"), complains to the latter for the illegal leakage of personal data concerning her, and specifically that with the no. first ... (...) EYP document was forwarded to the Minister of Citizen Protection, the Deputy Minister of Citizen Protection and the leader of EL.AS. situations with the personnel of the service that served in ... and in ..., where she also belonged, and in particular situations that contained her name, her university education, the category/branch she belonged to (university education ...), as well as the cognitive the subject (bachelor's degree..., master's degree...). 1 Ave. Kifissias 1-3, 11523 Athens T: 210 6475 600 E: contact@dpa.gr www.dpa.gr The Authority, in the context of examining the above complaint, sent to the EYP the ref.prot.G/EXE/939/22- 03-2024 document to provide opinions. Subsequently, the EYP responded to the above document, with reference no. first C/EIS/3447/12-04-2024 her document, and in particular she claimed: 1) That the EYP after the passing of L. 4873/2021 and the signature by the President of the Republic of the order to be published in the Government Gazette on 15-12-2021, forwarded to the Minister of Citizen Protection, the Deputy Minister of Citizen Protection and the Leader of ELAS, document no. employee of the EYP (...). The names of the employees, their category, their branch, their grade, as well as the degrees they held, information necessary for the issuance of their reclassification and placement decisions in accordance with the provisions of article 74, were stated in said statements. Official Gazette Α΄/248/16-12-2021, 2) That the transmission in question took place from the EYP to the Ministry of Protection of A citizen, who is a public body, under the terms of article 26 of Law 4624/2019, i.e. in the context of the execution of the duties of the EYP, but also of the conditions defined in article 24 of the aforementioned Law, in view of the imminent transfer of the complainant and the need to check her data by ELAS, before the administrative act of the transfer is completed her. And the data that was transmitted was accurate and transmitted securely to the competent administrative bodies for the issuance of the related post-transfer administrative acts, 3) That the transmission was made only one day after the passing and one day before the entry into force of the Law. 4873/2021 and should be examined in the context of the cooperation and preparatory work of the public services, which is a constant practice between the services, when similar provisions of the Law are to be applied. After all, the transmission in question would take place anyway on 16-12-2021, the date of entry into force of the above Law, 4) The data transmitted was judged to be absolutely necessary for the purpose of its transmission, was accurate and transmitted safely to the competent authorities bodies, and finally, 5) that there was no "leakage of personal data" of any kind and that the transmission in question was legal, it was done with the aim of issuance of the administrative acts of the transfer and was already known to the complainant from the year of its submission to the Greek Parliament for voting, as it had received significant publicity. In continuation of the above, the Authority called with the no. first C/EX/1177/17-04-2024 and C/EX/1178/17-04-2024 calls her, A and EYP respectively to a hearing, via teleconference on 04-23-2024, in order to present their views on the case. During the meeting of 23-04-2024 of the Plenary of the Authority they were present via teleconference the complainant after her lawyer Georgiou Stamatiadis, the witness B, who, however, was not asked any questions in the context of the said hearing, and on behalf of the complainant C, Legal Adviser of EYP, D, Head of the Directorate of Administrative Support and Human Resources and E, Responsible EYP Data Protection. During the hearing, the parties developed their views and then, they were given a deadline and filed within the deadline, while the complainant no. first C/EIS/3996/01-05-2024 memorandum, and the complained against no. first C/EIS/4009/01-05-2024 memorandum. In particular, the complainant with no. first C/EIS/3996/01-05-2024 her memorandum claims: 1) That on 12-15-2021, the date of transmission of her personal data, Article 74 of Law 4873/2021 which provided for the mandatory transfer of the civilian staff of the Greek Police who served in ... to the central and regional Services of the Hellenic Police. The effective date of L. 4873/2021 was December 16, 2021, therefore there was no legal basis for the transmission of the personal data of EYP employees on 12-15-2021, refuting the relevant claims of EYP that the transmission in question took place on the one hand in full compliance with Service in a provision of the Law, on the other hand that it was done for the specified, expressly provided for by a provision of the Law purpose, 2) That in the Greek legal order, a law means the formal, i.e. act of a legislative body, by which a rule of law is established. Bills and proposed laws that have been passed become laws of the state upon their issuance and publication by the president of the Republic (articles 42 par. 1 and 35 par. 1 F), i.e. their publication in the Government Gazette is required as a component element of their prestige, 3) That according to the provisions of articles 14 and 17 of 3N. 3649/2008, the administrative documents related to the internal operation of the EYP, as well as those referring to the service status of its staff, are confidential, 4) That the information transmitted constitutes personal data and is confidential, therefore their processing is only permitted when specifically provided for by a provision of the Law, and further only if the subject has given his consent, having previously been informed in an appropriate manner and clear, about the data and the purpose of the processing, the identity of the controller, the recipient of the data and the existence of the right of access, 5) That in violation of article 36 of Law 4624/2019 the specific data processing was not carried out by specially authorized employees, whose names were informed to the E.Y.P., nor was the further transmission of the above personal data carried out after approval by the E.Y.P., 6) That the data processing which is carried out by a public authority, must meet the legality requirements of Article 6 GDPR, 7) That in order for personal data nature to be subject to legal processing, according to the GDPR, the conditions of application and observance of the principles of article 5 par.1 GDPR must be cumulatively met, 8) That the EYP transmitted, among others, the information "...", without this being necessary, given that the classification of its political staff in category and branch, depending on whether they have a university degree or not and finally 9) that in violation of the provision of article 5 par. 1 pc. f) GDPR regarding the obligation to observe the principle of data integrity and confidentiality, unauthorized persons became aware of the data (Article 32 GDPR). Furthermore, it refutes as vague and inaccurate the claim of EYP that the transfer in question took place in accordance with the provisions of article 26 par. 1 N. 4624/2019, claiming that the complainant does not mention exactly which of the conditions set by article 24 par. 1 of N. 4624/2019, to which article 26 par. 1 of N. 4624/2019, is met in this case. The EYP argued in its memorandum: 1) That the complainant did not address the EYP as a data controller and for this reason the Authority may not consider the complaint in question, 2) That the EYP never received an independent document 4 of A's complaint, despite the no. first C/EIS/8670/9-7-2022 complaint, the subject of which was "Leakage of personal data", with attachments no. first ... document from the EYP and statement extract with the complainant's name, category, branch, degree and her master's degree, from which only hypothetical conclusions could be drawn as to the real reason for her complaint and for this reason the Authority should not consider the complaint in question, 3) That for the implementation of the transfer in question they were transmitted securely, i.e. in a sealed envelope, to the Ministry of Protection of the Citizen, the data that were absolutely necessary for the purpose of transmission, namely only name, category, branch, degree and qualifications of the complainant (see also article 7 P.D 1/2017), 4) That in this case a transfer of personal data took place from a public body to another public body under the terms of article 26 par. 1N.4624/2019, or web framework of the performance of the body's duties that transmits, but also the need to bring the details of the complainant to the attention of the Hellenic Police, in order to complete the administrative procedure of the complainant's reassignment pursuant to the provisions of article 74 of Law 4873/2021 (A΄248). Namely, there was no leakage of personal data, as none of the principles of Article 5 of the GDPR were violated, given that the transfer was lawful and legitimate, and the data were absolutely necessary for the purpose of the transfer, 5) That if it were to be assumed that there was a breach of personal data legislation, its duration was limited (only a few hours), as there was a technical failure on the part of the National Printing Office, although the latter assured about the publication of the Law on 15-12-2021, and it is not due to fraud by the EYP, since the transfer in question was made in order to speed up the administrative process of the transfer, 6) That the transfer of personal data between public bodies in this case case, it concerns one and the same purpose, i.e. the official status of the employee, because the reassignment, although simultaneously involves dismissal from the institution of origin and "quasi-appointment" by the receiving body of the employee, aims at the continuation of his 5 civil servant status, as it previously existed in the body of origin, and finally, 7) That with regard to the violation of article 36 of Law.  4624/2019, the provision of this Law also governs the Hellenic Police, under whose authority the complainant's personal data was obtained. From the grammatical interpretation of the provision, it can be deduced that the Greek Police itself had the obligation to inform the EYP about its specially authorized employees who processed the personal data in question. Since until the issuance of the deed of her transfer by the competent body, the complainant was understood as an employee of the EYP, the Hellenic Police was obliged under the provision of article 36 of Law 4624/2019 to inform the EYP about the names of its specially authorized employees who processed the personal data of the complainant. The Authority, after examining all the elements of the file and those discussed in the 23-04-2024 meeting, after hearing the rapporteur and the clarifications from the assistant rapporteur, who was present without the right to vote after a thorough discussion, THINKS IN ACCORDANCE WITH THE LAW 1. Because, in accordance with the provisions of articles 51 and 55 of the General Data Protection Regulation (EE) 2016/679 (hereinafter, GDPR) and article 9 of Law. 4624/2019 (Government Gazette A 137), the Authority has the authority to supervise the implementation of the provisions of the GDPR, this Law and other regulations concerning the protection of the individual from the processing of personal data. In particular, from the provisions of articles 57 par. 1 pc. f of the GDPR and 13 par. 1 pc. g' of N. 4624/2019 it follows that the Authority has the authority to deal with the complaint in question against the EYP, as it concerns disclosure by transmission of data included in a filing system within the meaning of article 4 par. 2 and 6 of the GDPR, therefore for processing subject to the regulatory scope of articles 2 par. 1 of the GDPR and 2 of N. 4624/2019. 2. Because, in particular, according to article 4 par. 1 of the GDPR "personal data is any information relating to an identified or 6identifiable natural person ("data subject"); an identifiable natural person is one whose identity can be ascertained, directly or indirectly, in particular by reference to an identity identifier, such as a name, an identity number, location data, an online identity identifier or one or more factors that attribute to the physical, physiological, genetic, psychological, economic, cultural or social identity of the natural person in question". 3. Because, further according to article 4 par. 2 GDPR processing of personal data is "any act or series of acts carried out with or without the use of automated means, on personal data or sets of personal data, such as the collection, registration, organization, structuring, storage, adaptation or alteration, retrieval, information retrieval, use, disclosure by transmission, dissemination or any other form of making available, association or combination, limitation, deletion or destruction'. 4. Because, in article 4 para. 7 GDPR as a data controller is defined as "the natural or legal person, public authority, agency or other entity that, alone or jointly with others, determines the purposes and manner of processing personal data; when the purposes and manner of of such processing are determined by Union law or the law of a Member State, the controller or the specific criteria for his appointment may be provided for by Union law or the law of a Member State". 5. Because, in article 5 par. 1 of the GDPR sets out the principles that must govern a processing, and in particular: "1. Personal data: a) are processed lawfully and legitimately in a transparent manner in relation to the data subject ("legality, objectivity and transparency") (...)". 6. Because, further, in accordance with the principle of accountability introduced by the second paragraph of the same above article, it is expressly defined that the data controller "bears the responsibility and is able to demonstrate compliance with paragraph 1 ("accountability" )". This principle, which is a cornerstone of the GDPR, implies the obligation of the data controller to be able to demonstrate compliance and, for this purpose, to legally check and document 7a processing carried out in accordance with the legal bases provided by the GDPR and national data protection law. 7. Because, in particular, in order for a processing act to be considered lawful (and in accordance with article 5 par. 1 GDPR) it is required that one of the legal reasons for processing provided for in article 6 par. 1 (items a-f) GDPR, i.e. "1. The processing is lawful only if and as long as at least one of the following conditions applies: a) the data subject has consented to the processing of his personal data for one or more specific purposes, b) the processing is necessary for the performance of a contract for which the subject of the data is a contracting party or to take measures at the request of the data subject before entering into a contract, c) the processing is necessary to comply with legal obligation of the controller, d) the processing is necessary to safeguard a vital interest of the data subject or another natural person, e) the processing is necessary for the fulfillment of a task performed in the public interest or in the exercise of a public authority assigned to the controller, f) the processing is necessary for the purposes of the legal interests pursued by the controller or a third party, unless against these interests overriding the interest or fundamental rights and freedoms of the data subject that require the protection of personal data, in particular if the data subject is a child. Item f) of the first paragraph does not apply to the processing carried out by public authorities in the exercise of their duties". 8. Because in order for personal data to be legally processed, i.e. processed in accordance with the requirements of the GDPR, the conditions for applying and observing the principles of article 5 par. 1 GDPR, as also appears from the decision of the Court of Justice of the European Union (CJEU) of 16-01-2019 in case C496/2017 Deutsche Post 1 AG v. HauptzollamtKoln. The existence of a legal basis (Article 6 GDPR) does not 1 "57. However, any processing of personal data must be in accordance, on the one hand, with the principles that must be observed in terms of data quality, which exempts the controller from the obligation to comply with the principles (Article 5 para. 1 GDPR) with regard to legality, necessity and proportionality as well as the principle of minimization . In the event that any of the principles provided for in article 5 par.1 GDPR is violated, the processing in question is considered illegal (subject to the provisions of the GDPR) and the examination of the conditions for applying the legal bases of article 6 GDPR is omitted. Thus, the violation of the principles of article 5 GDPR is an unlawful collection and processing of personal data is not cured by existence legal purpose of financial basis. In addition, the CJEU with its decision of 01-10-2015 in the context of the case C-201/14 (Smaranda Bara) considered as a condition for the legitimate and legal processing of personal data the information of the subject of the data before the 3 processing of these. In particular, the controller, in the context of the observance of the principle of legitimate or fair processing of personal data, must inform the data subject that 4 he is going to process his data in a legal and transparent manner and be in a position at any time to prove his compliance with these principles (principle of accountability according to article 5 par. 2 in combination with articles 24 par. 1 and 32 GDPR). 9. Because further, the recognition and selection of the appropriate legal basis from those provided for in article 6 par. 1 GDPR is closely related to the principle of fair or fair processing as well as to the principle of purpose limitation, and the controller must not only choose the appropriate legal basis before starting the processing, but also inform according to art. 13 par. 1 pc. c GDPR for the use of the data subject, as well as Article 6 of Directive 95/46 or Article 5 of Regulation 2016/679 and, on the one hand, to the basic principles of legal data processing listed in Article 7 of of this directive or Article 6 of this regulation (cf. decisions of 20 May 2003, ÖsterreichischerRundfunk etc., C- 465/00, C-138/01 and C-139/01, EU:C:2003:294, paragraph 65, and of 13 May 2014, GoogleSpain and Google, C-131/12, EU:C:2014: 317, paragraph 71)'. 2See Decision 26/2019 APD, sc. 5. Cf. Decision 38/2004 APD, and 12/2022 APD. 3 ECJ, C-201/14, Smaranda Bara and others v. Casa Naţională de Asigurări de Sănătate etc., 1 October 4015, in particular sc. 34 See related DEEC496/17 op. par. 59 and DEEC-201/14 of 01-10-2015 par. 31-35 and in particular34 as well as relevant reference to Decision 26/2019 APD, sc. 5. 5See in this regard Decisions APD 26/2019, sc. 6 and APD 43/2019, sc. 5. 9choice of each legal basis exerts a legal influence on the application of the rights of the subjects. 6 In particular, the choice of the legal basis for the processing of personal data must take place before the start of the processing, and the controller is obliged based on the principle of accountability (see article 5 par. 2 in conjunction with articles 24 and 32 GDPR) to choose the appropriate legal basis out of those provided by article 6 par.1 GDPR, as well as to be able to demonstrate compliance with the principles of article 5 par. 1 GDPR, including of course the documentation on the basis of which it arrived at the relevant legal basis. In addition, with the GDPR, a new compliance model was adopted, the central axis of which is the above-mentioned principle of accountability, in the context of which the controller is obliged to plan, implement and generally take the necessary measures and policies, in order to process the data to be in accordance with the relevant legislative provisions. In addition, the data controller is burdened with the further duty to prove himself and at all times his compliance with the principles of article 5 par. 1 GDPR. It is no coincidence that the GDPR includes accountability (already mentioned above article 5 para. 2 GDPR) in the regulation of the principles ( article 5 par.1 GDPR) that govern the processing, giving it the function of a monitoring mechanism, essentially reversing the "burden of proof" regarding the legality of the processing (and in general the observance of the principles of article 5 par. 1 GDPR), transferring it to the processor, so that he bears the burden of invoking and proof of the 7 legality of the processing.  10. Because the principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information that is 6See Guidelines 2/2019 of the European Data Protection Board "on the processing of personal data under Article 6 (1) (b) GDPR in the context of the provision of online services to data subjects" pp. 4-67 par. 1, 12, 17-20 as well as Decision APD 26/2019, sc. 6. 7 See in this regard Decisions APD 26/2019, sc. 7 and APD 43/2019, sc. 6. 10necessary to ensure fair and transparent processing, taking into account the specific circumstances and the context in which the processing of personal data takes place. If the personal data is permitted to be disclosed to another recipient, the data subject should be informed when the personal data is first disclosed to the recipient. Where the controller intends to process the personal data for a purpose other than that for which it was collected, the controller should provide the data subject, prior to such further processing, with information about that purpose and other necessary information (App. Thoughts 60-61 GDPR). Specifically, in accordance with paragraphs 1 and 2 of article 13 of the GDPR, when personal data have been collected from the data subject, the data controller provides the data subject with the information referred to in these paragraphs, and in paragraphs 3 and 4 of of the same article states that "When the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject, prior to said further processing, with information on for this purpose and any other necessary information", as mentioned in paragraph 2. 4. Paragraphs 1, 2 and 3 do not apply, when and as long as the data subject already has the information". According to the following, the data controller has an obligation to inform the data subject, in the sense that this obligation does not depend on a request from the data subject, but instead the data controller must comply with it proactively, regardless of whether the data subject will express an interest in the update. 8 11. Because according to article 1 par. 1 of Law 3649/2008 "The National Information Service (NIS) is an independent public political service and is subject to 8 Handbook on European legislation for the protection of personal data data, Organization of Fundamental Rights of the EU and Council of Europe, ed. 2018, 2019, p. 258 11 to the Minister of the Interior, who is responsible for determining the action of the E.Y.P. in the context of the national priorities of the government policy, subject to article 5 par. 3 of Law 2292/1995". Furthermore, according to article 5 par. 3 of Presidential Decree 81/2019 "The National Intelligence Service which was established by article 1 of the n.d. 2421/1953 and was renamed and organized by Law 1645/1986 and Law 3649/2008 (A 39) is transferred, as a set of powers, positions, and personnel, to the Prime Minister". 12. Because further, with article 74 of Law 4873/2021 (Government Gazette A΄/248/16-12-2021): Regulation of personnel issues of the National Intelligence Service (NISS) "1. The staff who serve in Sub-Directorate C` of Directorate B` Information Collection and Analysis (D.SY.A.P-B) of the sub-para. a' of para. a' of par. 1 of article 1 of the p.d. 1/2017 (A' 2) and at the offices of the Regional Support Units of the Sub-Directorate of Sub-Division B of par. 1 of article 1 of the same presidential decree as specified in the Internal Regulation and the attached Table of Composition and Distribution of the Staff of the Greek Police, is transferred to Central or Regional Services of the Hellenic Police and in particular to those that exercise public and of state security, by way of derogation from any general or special provision, with the same employment relationship, in recommended personal positions of civil personnel, which are abolished in any way by the departure of the employees who hold them. 2. The personnel of par. 1 are transferred to organizational structures of the Hellenic Police provided for in its Regulations, according to their qualifications - specialties that correspond to the same category/educational level to which they belong, based on their formal qualifications and in accordance with the provisions of p.d. 50/2001 (A` 39) with the same rank and salary scale that he held in the Service of origin. For the transfer of staff, a decision of the Minister of Citizen Protection is issued, which is not published in the Government Gazette in accordance with par. 5 of article 17 of Law 3649/2008 (A`39). For the placement of personnel in the Hellenic 12 Police Services, a decision is issued by the Chief of the Hellenic Police, taking into account the declarations of preference by regional unit. 3. The personnel transferred according to par. 1 and 2 are paid by the Hellenic Police. In the event that the transferred personnel receive lower monthly salaries compared to the monthly salaries of the Service of origin, the difference is kept as personal in accordance with par. 4 of article 27 of Law 4354/2015 (A' 176). The above personnel keep the pension and insurance status they had until the date of transfer". 4. The required credits for the total payroll of the transferred staff for the current year 2021, as well as for the year 2022 are transferred from the E.Y.P. to the Greek Police". 13. Because, according to paragraph 1 of article 24 of Law 4624/2019: "1. The processing of personal data by public bodies for a purpose other than that for which they were collected is permitted when this processing is necessary for the fulfillment of the tasks assigned to them and if it is: a) necessary to check the information provided by the subject of the data, because there are reasonable indications that this information is incorrect; b) necessary to prevent risks to national security, national defense or public safety or to secure tax and customs revenues; c) necessary for the prosecution of criminal offences; d) necessary to prevent serious damage to the rights of another person; e) necessary for the production of official statistics. (…)". Furthermore, article 26 of the same above Law provides the following: "1. The transmission of personal data from a public body to a public body is permitted, as long as it is necessary for the performance of the tasks of the transmitting body or of the third party to whom the data is transmitted and if the conditions are met that allow the processing in accordance with article 24. The third party to which the data is transmitted processes it only for the purpose for which it was transmitted. Processing for other purposes is permitted only if the conditions of article 24 are met. 2. Public bodies are allowed to transmit personal data to 13 private bodies if: a) the transmission is necessary for the performance of the body's duties transmits and the conditions of article 24 are further met; b) the third party to whom they are transmitted has a legitimate interest in being aware of the transmission and the data subject does not have a legitimate interest in not transmitting the data concerning him; or c) the processing it is necessary for the establishment, exercise or support of legal claims, and the third party undertakes against the public carrier to which the data is transmitted that it will only process it for the purpose for which it was transmitted. Processing for other purposes is permitted if the transfer is permitted in accordance with paragraph 1 and the transferee has given consent to the transfer. (…)'. In relation to the compatibility of the above-mentioned provisions of articles 24 and 26 of Law 4624/2019 with the provisions of the GDPR, which are invoked by EYP, the Authority with no. 1/2020 Its opinion held that the GDPR does not provide authorization to the national legislator to establish new "national legal bases", but only to specify the legal bases of article 6 par.1(c) and (e) of the GDPR, under the conditions and guarantees provided by the provisions of paragraphs 2 and 4 of article 6 GDPR and that from the provision of article 6 paragraph 4 GDPR on further processing for other purposes, different from, and compatible with, the purposes of the initial collection, it follows that the national legislator is not obliged to take implementation measures for the further processing of data that the GDPR itself establishes the criteria under a) to e) of said paragraph 4. With this opinion, it was specifically accepted that, even if it were considered that the national legislator was authorized by the GDPR to establish "national legal bases" for the further processing of the data according to Article 6 para. 4 GDPR, these should constitute only specialization of the legal bases of article 6 par. 1 sec. c' and e' GDPR and to respect, among other things, the principles of legality of article 5 par. 1 GDPR. With these considerations, the Authority has given an opinion that the provisions of the above Articles 24 and 26 of the Law do not meet any of the above substantive and procedural conditions and guarantees arising from the GDPR. With the same opinion, the Authority reserves the right to examine a more specific issue related to compatibility of the provisions of Law 4624/2019 with the GDPR that 14 will arise in the context of the exercise of its powers and points out that it will not apply provisions of Law 4624/2019, which will be judged to be in conflict with the GDPR or do not find reliance on "opening-specification clauses".  14. Because, moreover, according to article 35 par. 1, sec. a' of the Constitution "No act of the President of the Republic shall be valid or executed without the countersignature of the competent Minister, who alone becomes responsible, and without its publication in the Government Gazette", while according to article 42 par. 1, sec. a' of the Constitution "The President of the Republic issues and publishes the laws that have been passed by the Parliament within one month of their passing". From these provisions emerges the basic principle, which is also based on other constitutional provisions, that for the finalization of formal laws and presidential decrees, but also of other normative administrative acts, their publication in the Government Gazette is required as a constituent element of the their prestige. With its publication in the Government Gazette, the regulation acquires legal status and can be implemented, 10 thus becoming accessible to citizens and creating a presumption of knowledge thereof. Furthermore, "act" of the President of the Republic within the meaning of article 35 par. 1 sub. 1 of the Constitution is any written act that it acts in its capacity as a state organ and constitutes an exercise of its authority according to the Constitution and the Laws. A further condition - apart from the co-signature of the competent minister or competent ministers as the case may be - in order for the acts of the President of the Republic to be valid, he recommends, in accordance with article 35 par. 1 sec. 1 of the Constitution, their publication in the Government Gazette. The publication is an external formal element, the lack of which renders the act non-existent, and the requirement of publication is reiterated, especially in relation to formal laws, by article 42 par. 1 of the Constitution. 9 See CoE 4108/1999All, paragraph 6 and CoE 1374/2022Chapter, paragraph 6 1See Ste 4105/1995 Department, paragraph 6 1515. Because for the processing in question, EYP has the status of data controller according to article 4 par. 7 GDPR in relation to the personal data of its employees, to which the complainant also belonged. The EYP's claim that the Authority has the possibility not to examine the complaint because the complainant did not previously address the EYP as a data controller is rejected, given that according to Article 12 GDPR the relevant request to the data controller concerns the exercise of a right under the GDPR and not the submission of a complaint that has as its object the violation of the provisions of competence of the APDPH. Furthermore, the EYP's claim that it never received an independent document containing the content of A's complaint but only the complaint No. C/EIS/8670/09-07-2022 on the subject of "Leakage of personal data", with attachments No. first ... document from the EYP and a statement extract with the name and surname of the complainant, the category, the branch, her degree and her postgraduate title, from which only hypothetical conclusions could be drawn as to the real reason for her complaint and for this reason the Authority should not consider the complaint in question, it is likewise rejected because the complaint in question and the documents attached to it clearly show the object of the complaint, and all the documents were communicated to the complainant with the No. prot. C/EXE/939/22-03-2024 document of the Authority. 16. Because in this case, from the study of all the elements of the case, it appears that on the date of the transmission in question, that is on 15-12-2021, the President of the Republic had signed the bill passed by the Parliament, which contained the relevant with the EYP staff transfer order, the publication of this in the Government Gazette took place one day later, namely on 16-12-2021, at which point, and only then did the relevant law acquire formal force and legal status, in accordance with the above. Therefore, on 15-12-2021 the EYP processed the personal data of the complainant, by transmitting to the Minister of Citizen Protection, the Deputy Minister of Citizen Protection and the Chief of ELAS, the no. first ... of a document, with attached the relevant statements of the staff of the EYP, which include 16 personal data of the complainant, namely her name, branch/category, grade and degree, without prior publication in the Gazette of the Government of the formal law (i.e. Law 4873/2021) related to the reassignment of EYP personnel, with the result that the legislative basis for the said reassignment is missing during the transmission in question, but also without prior notification of the complainant, as the subject of the data for this transmission. In this way, the disputed processing was carried out in violation of the principle of legality, objectivity and transparency (Article 5 par. 1, para. a' GDPR), with the result that the personal data of the complainant have been subjected to illegal and unlawful processing that took place in a non-transparent manner in relation to the subject of the data. Moreover, regardless of the Authority's reservations mentioned in meeting 13 regarding the validity of Article 26 paragraph 1 of Law 4624/2019 referred to by the EYP regarding the transfer of personal data from a public body to a public body when it is necessary for the performance of the tasks of the body that transmits or the third party to whom the data is transmitted, the said provision has not however, application in this case, and for the reason that the disputed transmission of the complainant's personal data to ELAS did not constitute the performance of the duties of the EYP, given that it had not been assigned this obligation by the legislator, at least at the time of the disputed transmission, to in relation to the complainant's transfer. Therefore, there is no need to examine the possible assistance of the conditions of article 24 par. 1 sub. the examination of the EYP's claim included in the report No. C/EIS/4009/01-05-
2024 memorandum that "a transfer of personal data took place from a public body (National Intelligence Service) to another public body (Hellenic Police) under the terms of article 26 of Law 4624/2019, i.e. in the context of the performance of its duties transmitting body, but also of the need to bring the details of the complainant to the attention of the Greek Police in order to complete the administrative procedure of her 17 transfer pursuant to the provisions of article 74 of Law 4873/2021 (A΄ 248)". Furthermore, given that the disputed processing is contrary to article 5 para. 1 point a of the GDPR, and that, according to what is set out in paragraph 8, it is cumulatively required to fulfill the conditions for the application and observance of the principles of article 5 para. 1 GDPR, in order for the personal data to fall legal processing, the examination of the fulfillment of the other principles of legal data processing based on article 5, as well as the examination of the conditions for applying the legal bases of article 6 GDPR, and the related claims put forward by the parties involved, regardless of the fact that EYP, as the data controller, does not invoke any of the limited legal bases mentioned in Article 6 GDPR and is unable to prove the legality of said data processing. 17. Because, as stated above, the data subject was not informed about the transmission of his data, and the relevant claim of the EYP that "'After all, the above disputed provision of the law which prohibited the transfer of employees of the EYP to another Public Body was already known from the time of its submission to the Greek Parliament for a vote, had received significant publicity and was discussed long before its vote (…)" is not essential, as information through the publicity invoked by the EYP that the issue in question had received, does not meet the conditions of the article 13 GDPR, according to which the information requires an action by the data controller, addressed to the data subject, which was not the case in this case. 18. Because, following these, it is established that the EYP, as the data controller, proceeded with the controversial processing of the complainant's personal data in violation of a) the principles of legality, objectivity and transparency of Article 5 para. 1 a' GDPR as it based its actions on non-existing law and b) of Article 13 of the GDPR because it did not inform the complainant, as the subject of the data, of the specific processing. 19. Because the violation of the basic principles for the processing as detailed above, entails the imposition of the administrative sanctions of article 1883 par. GDPR right of the data subjects, entails the imposition of the relevant sanctions according to article 83 par. 5 item. II of the GDPR. And according to the GDPR (Ref. Sk. 148) in order to strengthen the enforcement of the rules of this Regulation, sanctions, including administrative fines, should be imposed for the violation of this Regulation, in addition to or instead of the appropriate measures imposed by the supervisory authority in accordance with this Regulation . 20. Because the Authority, based on the above, considers that the imposition of a corrective measure is not sufficient to restore compliance with the provisions of the GDPR that have been violated and that it should, based on the circumstances established, be imposed, pursuant to the provision of article 58 par. 2 sec. i of the GDPR additional and effective, proportional and dissuasive administrative fine according to article 83 of the GDPR both to restore compliance and to sanction illegal behavior. 11 21. Because the Authority further took into account the criteria for measuring the fine defined in article 83 par. 2 of the GDPR, paragraph 5 of the same article which is applicable in this case, article 39 par. 1 and 2 of the Law.

4624/2019 concerning the imposition of administrative sanctions on its entities

public sector, and the Guidelines 4/2022 of the European

Data Protection Board for the calculation of administrative fines for

the purposes of Regulation 2016/679, which were approved on 24/5/2023,
as well as the actual data of the case under consideration and in particular:

   i) The fact that the complainant in her capacity as responsible

processing violated the provision of article 5 par. 1 sec. its first principle

legality, objectivity and transparency, i.e. it violated a fundamental principle

of the GDPR for the protection of personal data.

   ii) The fact that the observance of the principles provided by its provision

article 5 par. 1 sec. a' of the GDPR is of capital importance, primarily, h

principle of legality, so that if it is missing it becomes illegal from the beginning h

11
 See OE 29, Guidelines and the application and determination of administrative fines
for the purposes of Regulation 2016/679 WP253, p. 6

                                                                             19processing, even if the other processing principles have been observed, many

rather in this case no documentation was provided as to whether it occurs

any of the legal bases defined in article 6 GDPR. On the contrary,
complained EYP justified the processing in question simply citing

speeding up the process for official reasons.

   iii) The fact that the complainant in the absence of a legislative basis for the

disputed processing did not meet its obligation to prove the

legality of this processing, while at the same time he failed to prove that

carried out its obligation provided for in Article 13 of the GDPR to
update, as specified above.

   iv) the fact that the violation identified above is not proven to

is attributed to the fraud of the complained service, but to its negligence, because of it

citing failure of the National Printing Office, while its acceleration

transmission on the part of EYP was done for official reasons.

   v) the fact that the controller did not delay in responding
in the Authority's documents,

   vi) the fact that from the elements brought to the attention of the Authority and based on

which established the above violations of the GDPR, it does not appear that the

controller caused material damage to the disputed processing

affected person.
   22. Based on the above, the Authority unanimously decides that it should be imposed

to the person charged as data controller or referred to in the ordinance

administrative sanction, which is judged to be proportional to the gravity of the violation.


                             FOR THESE REASONS

   The Authority,

   It imposes on the complained National Intelligence Service (NIS) as

controller the effective, proportionate and dissuasive administrative

monetary fine that is appropriate in the specific case, according to

more special circumstances thereof, totaling five thousand (5,000) euros, and

specifically in the amount of four thousand (4,000) euros for the above
ascertained violation of article 5 par. 1 par. a' and in the amount of one thousand (1,000)


                                                                             20 euros for the above found violation of article 13 GDPR, such as these

above were specified, in accordance with articles 58 par. 2 item. i and 83 par. 5

item a' and b' GDPR.


             The President The Secretary





      Konstantinos Menudakos Irini Papageorgopoulou













































                                                                       21