HDPA (Greece) - 13/2024

From GDPRhub

Latest revision as of 16:01, 10 April 2024

HDPA - 13/2024
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(a) GDPR
Article 12 GDPR
Article 13 GDPR
Article 14 GDPR
Article 22 GDPR
Article 24 GDPR
Article 25(1) GDPR
Article 28 GDPR
Article 30 GDPR
Article 31 GDPR
Article 35 GDPR
Article 37 GDPR
Article 38 GDPR
Article 39 GDPR
Article 55 GDPR
Article 83 GDPR
Type: Investigation
Outcome: Violation Found
Started: 02.03.2022
Decided: 17.10.2023
Published: 02.04.2024
Fine: 175,000 EUR
Parties: Ministry of Migration and Asylum
National Case Number/Name: 13/2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: Greek DPA (in EL), https://www.dpa.gr/el/enimerwtiko/prakseisArxis/aytepaggelti-ereyna-gia-tin-anaptyxi-kai-egkatastasi-ton-programmaton
Initial Contributor: Evangelia Tsimpida

The DPA fined the Ministry of Migration and Asylum € 175,000 for several GDPR violations in its surveillance of migrants in asylum facilities, including the unlawful processing of biometric data.

English Summary

Facts

At the end of 2021, the Hellenic DPA (HDPA) became aware of the development and deployment by the Ministry of Migration and Asylum (the controller) of the "Centaurus" and "Hyperion" programmes in the Closed Controlled Accommodation Centres for third country nationals on the Aegean islands (Lesvos, Chios, Samos, Leros and Kos). The HDPA also received requests for an investigation and opinion from the LIBE Committee of the European Parliament, as well as from civil society organisations, on the use of these systems in the asylum facilities.

The Centaurus project is reportedly an integrated digital system for the management of electronic and physical security around and within the facilities. The controller uses CCTV systems, artificial intelligence behavioural analytics (AI) algorithms and unmanned aerial vehicles (drones) to process images and personal data. The Hyperion programme is described as an integrated entry/exit control system, with the purpose of monitoring the entry and exit of the guests and certified members of NGOs through the processing of personal data, in particular biometric data.

In response to the HDPA's request for explanations of the programmes and their data processing, the controller stated that the legal basis for the Centaurus project's video surveillance was the performance of a task carried out in the public interest or in the exercise of official authority pursuant to Article 6(1)(e) GDPR. It argued that prior alternative protection measures, such as fencing of the property and patrols, had not been as effective as video surveillance in dealing with illegal activities. With regard to drone surveillance, the controller stated that drones are only used in cases of emergency, such as fire or unrest. It claimed that the retention period for Centaurus system data is 15 days unless an incident is detected, in which case the data is kept for up to 1-3 months, and that access to data subjects' data is restricted to authorised police users; if copies of footage need to be provided, persons are blurred so as to minimise data. Data subjects were informed by notifications and warning signs on the CCTV systems. Further, anti-malware software, passwords, system maintenance and software-level security policies were cited as security measures.

In the case of the Hyperion programme, the controller appears to have argued that biometric data was not used to identify data subjects, while nonetheless citing Article 6(1)(e) GDPR as the legal basis for such processing should it occur. Where any processing of special categories of data (namely fingerprints and other biometric data) occurred for identification purposes, the controller cited Article 9(2)(b), (c), (g) and (j) GDPR as its legal basis. In a later communication, it clarified that its primary legal basis in this regard was substantial public interest pursuant to Article 9(2)(g) GDPR. Regarding consent, data subjects entering the accommodation facility were prompted to fill out a personal data recording form which included a consent request. Finally, the controller noted that a partial Data Protection Impact Assessment had been carried out for both the Centaurus and Hyperion programmes.

The controller also claimed that neither programme processed personal data in a way that extracted special categories of data; as a result, it took the view that Article 9 GDPR did not apply.

Holding

The HDPA imposed a fine of € 175,000, concluding that the controller had violated Articles 5(1)(a), 6(1), 12, 13, 14, 15(e), 25, 30, 35 and 58(1)(e) GDPR.

First, the HDPA considered it ambiguous which legal bases applied, and in which cases, to the processing of data carried out by the 'Hyperion' and 'Centaurus' systems. In particular, the HDPA noted that Article 6(1)(f) GDPR is expressly excluded for processing carried out by public authorities in the performance of their tasks. It also observed that no legal basis had been specified for each category of data subjects (workers, vulnerable groups, minors, NGO workers, etc.). With regard to the data processed, the HDPA found no evidence supporting the controller's claim that special categories of data were not processed. It considered that the Centaurus system's surveillance could process data revealing religious beliefs, racial or ethnic origin, or other special categories of data. It thus found that the controller should have articulated an appropriate legal basis for such processing under Article 9 GDPR.

Second, the HDPA found a violation of the principle of lawfulness under Article 5(1)(a) GDPR. It also found that the information provided to the data subjects was inadequate, as it was clear from the file that the data subjects did not understand Greek or English. The information therefore did not meet the transparency requirements, in violation of Articles 12, 13 and 14 GDPR.

Third, the HDPA considered the controller's lack of cooperation. In particular, it noted that the controller failed to submit the data protection contracts it had concluded with data processors, claiming they were confidential. As a result, the HDPA found a violation of Articles 15(e) and 58(1)(e) GDPR, which permit supervisory authorities to obtain all information necessary for the performance of their tasks. The vague, incomplete, confusing and contradictory information provided also resulted in a violation of Article 31 GDPR.

Fourth, the HDPA noted the controller's failure to complete the record of processing activities prior to the start of the programmes. Accordingly, it found a violation of Article 30(1) GDPR.

Fifth, as the controller itself acknowledged, the data protection impact assessments were limited and were not carried out prior to the start of each processing operation. The HDPA thus found a violation of Article 35(1), (2) and (3) GDPR. It also found that the failure to carry out a comprehensive and coherent data protection impact assessment by default and prior to processing violated Article 25(1) and (2) GDPR concerning data protection by design and by default.

Finally, the HDPA noted that the interconnections of the systems with other government data systems were not explained and the associated risks were not assessed. This failure to comply with the principle of accountability, by not providing complete, accurate and clear information and not adequately documenting the lawfulness of processing, constituted a violation of Article 31 GDPR.

The Greek DPA imposed a fine of € 175,000 for these violations and instructed the controller to bring its processing into compliance within 3 months.

Comment

This particular decision of the DPA is of great importance, both for the reasoning developed and for the amount of the fine, which is the highest ever imposed by the Greek DPA on a public body. Furthermore, the processing in this case concerns data subjects who, by definition, are in a vulnerable position: namely, asylum seekers who face difficulties in defending their rights.

Following the decision, the Ministry of Migration and Asylum issued a clarifying press release in which it stressed that "the authority did not take into account that these were systems that had been partially received and piloted in some accommodation facilities and not in the whole, which made it necessary to carry out individual data protection impact assessments and not an overall one, since the processing of personal data could not be assessed before the systems were operational".

There is therefore an interesting disagreement between the DPA's and the Ministry's views on data protection impact assessments. The DPA clearly states that the data protection impact assessments should in any case be comprehensive, holistic and coherent, whereas the Ministry insists that this was not possible given the conditions in which the systems were developed.

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Summary

The Authority, after receiving knowledge about the development and implementation of the "Centaurus" and "Hyperion" Programs by the Ministry of Immigration and Asylum in facilities of the Closed Controlled Structures Centers and Reception and Identification Centers for citizens of third countries, proceeded to a thorough check of the integrated digital electronic and physical security management system ("Centaurus") and the integrated entry-exit control system with a reader combined with a fingerprint (i.e. processing biometric data) ("Hyperion") in the facilities of the above-mentioned structures, covering guests as well as employees and certified members of non-governmental organizations. The Authority found deficient cooperation on the part of the Ministry of Immigration and Asylum as the Controller and further considered that the required Data Protection Impact Assessments carried out by the Ministry were materially incomplete and limited in scope, and that serious omissions remain regarding the Ministry's compliance with specific provisions of the GDPR in the implementation of the disputed systems. For these reasons, it imposed an administrative monetary fine on the Ministry of Immigration and Asylum for the violations found in relation to the cooperation with the Authority and the Impact Assessments and at the same time sent the Ministry a compliance order, to be fulfilled within three months, regarding its GDPR obligations.
The Authority, after receiving knowledge about the development and implementation of the "Centaur" and "Uperion" Programs by the Ministry of Immigration and Asylum in facilities of the Closed Controlled Structures Centers and Reception and Identification Centers for citizens of third countries, proceeded to a thorough check of the integrated digital electronic and physical security management system - "Kentauros" and the integrated entry-exit control system with a reader combined with a fingerprint (i.e. processing biometric data) - "Upperion" in the facilities of the above-mentioned guest structures as well as employees and certified members of non-governmental organizations organizations. The Authority found deficient cooperation on the part of the Ministry of Immigration and Asylum as the Controller and further considered that the required Data Protection Impact Assessments carried out by the Ministry were materially incomplete and limited in scope, and that serious omissions remain regarding with the Ministry's compliance with specific provisions of the GDPR regarding the implementation of the disputed systems. For these reasons, it imposed an administrative monetary fine on the Ministry of Immigration and Asylum for the violations found in relation to the cooperation with the Authority and the Impact Assessments and at the same time sent the Ministry a compliance order within three months regarding its GDPR obligations.