HDPA (Greece) - 13/2024

From GDPRhub
Revision as of 10:46, 7 April 2024 by E tsimpida
HDPA - 13/2024
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(a) GDPR
Article 12 GDPR
Article 13 GDPR
Article 14 GDPR
Article 22 GDPR
Article 24 GDPR
Article 25(1) GDPR
Article 28 GDPR
Article 30 GDPR
Article 31 GDPR
Article 35 GDPR
Article 37 GDPR
Article 38 GDPR
Article 39 GDPR
Article 55 GDPR
Article 83 GDPR
Type: Investigation
Outcome: Violation Found
Started: 02.03.2022
Decided: 17.10.2023
Published: 02.04.2024
Fine: 175,000 EUR
Parties: Ministry of Migration and Asylum
National Case Number/Name: 13/2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: Greek DPA (in EL)
Initial Contributor: Evangelia Tsimpida

In a particularly important decision with a very interesting rationale, the Greek Data Protection Authority found that the Ministry of Migration and Asylum had failed to comply with a number of provisions of the GDPR and imposed an administrative fine of 175,000 euros and ordered the Ministry to comply with its obligations under the GDPR within three months.

English Summary

Facts

At the end of 2021, the DPA became aware of the Greek government's decision regarding the development and deployment of the Centaurus Programme by the Ministry of Migration and Asylum to control the reception and accommodation facilities for third country nationals on the Aegean islands. At the same time it received requests for an investigation and opinion from the LIBE Committee of the European Parliament, as well as from civil society organisations, concerning the "Centaurus" and "Hyperion" systems. The "Centaurus" project is reportedly an integrated digital system for the management of electronic and physical security around and within the facilities of the Closed Controlled Accommodation Centres for third country nationals on the islands of Lesvos, Chios, Samos, Leros and Kos, using cameras and Artificial Intelligence (AI) behavioural analytics algorithms, and is to be managed by the Ministry. The "Centaurus" programme includes, inter alia, the use of a CCTV system and unmanned aerial vehicles (drones), by which personal data, at least image data, will be processed. The "Hyperion" programme is described as an integrated entry/exit control system on the premises of the above-mentioned structures, with the purpose of controlling the entry and exit of the residents and of certified members of NGOs through the processing of personal data, in particular biometric data.

On 3/2/2022 the DPA asked the Ministry (data controller) to provide explanations on the programmes, in particular regarding a) the legal basis (statutory provision and/or law) of the intended processing, b) the other elements of such processing (such as the data retention period, information of data subjects, etc.), and c) whether a data protection impact assessment of the processing had been carried out. On 13/9/2022 the DPA requested additional information because of ambiguities in the Ministry's answers, and further clarifications were requested on 7/3/2023.

The Ministry argued that:
- the legal basis is the performance of a task carried out in the public interest or in the exercise of official authority (Article 6(1)(e) GDPR);
- for the processing of special categories of (biometric) data (fingerprints), the legal basis is substantial public interest (Article 9(2)(g) GDPR);
- prior to the development of the Centaurus programme, alternative protection measures, such as fencing of the property and patrols, were not effective in dealing with illegal activities, such as incidents of theft, assault and vandalism;
- no record of activities has been kept, and access to the subjects' data is restricted to authorised police users;
- no other biometric data file is kept by the Ministry, other than that processed through the Hyperion system, and no personal data is processed by the Hyperion and Centaurus programmes in order to extract special categories of personal data;
- regarding consent, the data subjects, upon entering the accommodation facility, fill in a personal data recording form of the Ministry in which they give consent to the processing of their data;
- a Data Protection Impact Assessment has been carried out, which has been partially updated.

Holding

The Greek DPA assessed the above information and the memos and documents submitted and took into account the following:
- With regard to the legal basis for processing, there is ambiguity, as it is not clear whether and in which cases other legal bases may apply in parallel to the processing of data carried out by the "Hyperion" and "Centaurus" systems; it was also noted that in the Ministry's documents, before clarifications were requested, it had invoked legitimate interest and consent as legal bases. The DPA found a violation of the principle of lawfulness under Article 5(1)(a) GDPR.
- The information provided to the data subjects was considered inadequate, as it was clear from the file that the data subjects did not understand Greek or English, so the information did not comply with the requirement to provide it in "a concise, transparent, intelligible and easily accessible form, using clear and plain language". The DPA found a violation of Articles 12, 13 and 14 GDPR.
- In the absence of the required information, it does not appear that data processing agreements have been concluded between the Ministry and the data processors. The DPA found a violation of Article 28 GDPR.
- The record of processing activities was not completed prior to the start of the programmes. The DPA found a violation of Article 30 GDPR.
- The Data Protection Impact Assessments are limited and fragmented, and a comprehensive and systematic assessment of the impact of the planned processing operations on the protection of personal data was not carried out prior to the start of each processing operation. The DPA found a violation of Article 35(1) to (3) GDPR.
- The interconnections of the systems with other systems were not explained and the potential risks were not assessed.
- The Ministry failed to comply with the principle of accountability, by not providing complete, accurate and clear information adequately documenting the lawfulness of the operations carried out within the above systems that involve the processing of personal data. The DPA found a violation of Article 31 GDPR.

The Greek DPA: A) found that the failure to carry out a comprehensive, holistic and coherent Data Protection Impact Assessment from the beginning and by default before the procurement and implementation of the Centaurus and Hyperion systems constituted a violation of Articles 25 and 35 of the GDPR. It imposed a fine of EUR 100,000 for this violation. B) found that the submission to it of pleadings and accompanying documents containing vague, incomplete, confusing and contradictory information constitutes a violation of Article 31 GDPR. For that violation, it imposed a fine of EUR 75,000. C) instructed the Ministry of Migration and Asylum, as data controller, to take all necessary steps to comply with the data controller's obligations as described in the decision within a period of three (3) months.

Comment

This particular decision of the DPA is of great importance, both for the reasoning developed and for the amount of the fine, which is the highest ever imposed by the Greek DPA on a public body. Furthermore, it is important to underline that it aims to protect data subjects who, by definition, are in a vulnerable position, mainly asylum seekers who face difficulties in defending their rights.

Following the decision, the Ministry issued a clarifying press release in which it stressed that "the authority did not take into account that these were systems that had been partially received and piloted in some accommodation facilities and not in the whole, which made it necessary to carry out individual data protection impact assessments and not an overall one, since the processing of personal data could not be assessed before the systems were operational".

There is therefore a very interesting disagreement between the DPA's and the Ministry's views on data protection impact assessments. The DPA clearly states that the data protection impact assessments should in any case be comprehensive, holistic and coherent, whereas the Ministry insists that this was not possible given the conditions in which the systems were developed.


English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Summary
The Authority, after receiving knowledge about the development and implementation of the "Centaurus" and "Hyperion" Programs by the Ministry of Immigration and Asylum in facilities of the Closed Controlled Structures Centers and Reception and Identification Centers for citizens of third countries, proceeded to a thorough check of the integrated digital electronic and physical security management system "Centaurus" and the integrated entry-exit control system with a reader combined with a fingerprint (i.e. processing biometric data) "Hyperion" in the facilities of the above-mentioned guest structures, as well as of employees and certified members of non-governmental organizations. The Authority found deficient cooperation on the part of the Ministry of Immigration and Asylum as the Controller and further considered that the required Data Protection Impact Assessments carried out by the Ministry were materially incomplete and limited in scope, and that serious omissions remain regarding the Ministry's compliance with specific provisions of the GDPR regarding the implementation of the disputed systems. For these reasons, it imposed an administrative monetary fine on the Ministry of Immigration and Asylum for the violations found in relation to the cooperation with the Authority and the Impact Assessments and at the same time sent the Ministry a compliance order within three months regarding its GDPR obligations.