HDPA (Greece) - 13/2024
| HDPA - 13/2024 | |
|---|---|
| Authority: | HDPA (Greece) |
| Jurisdiction: | Greece |
| Relevant Law: | Article 5(1)(a) GDPR, Article 12 GDPR, Article 13 GDPR, Article 14 GDPR, Article 22 GDPR, Article 24 GDPR, Article 25(1) GDPR, Article 28 GDPR, Article 30 GDPR, Article 31 GDPR, Article 35 GDPR, Article 37 GDPR, Article 38 GDPR, Article 39 GDPR, Article 55 GDPR, Article 83 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 02.03.2022 |
| Decided: | 17.10.2023 |
| Published: | 02.04.2024 |
| Fine: | 175,000 EUR |
| Parties: | Ministry of Migration and Asylum |
| National Case Number/Name: | 13/2024 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Greek |
| Original Source: | Greek DPA (in EL) |
| Initial Contributor: | Evangelia Tsimpida |
The HDPA fined the Ministry of Migration and Asylum €175,000 for several GDPR violations in its surveillance of migrants in asylum facilities, including the unlawful processing of biometric data.
English Summary
Facts
At the end of 2021, the Hellenic DPA (HDPA) became aware that the Ministry of Migration and Asylum (the controller) was developing and deploying the "Centaurus" and "Hyperion" programmes in the Closed Controlled Access Centres for third-country nationals on the Aegean islands (Lesvos, Chios, Samos, Leros and Kos). The HDPA also received requests for an investigation and an opinion on the use of these systems in the asylum facilities from the LIBE Committee of the European Parliament and from civil society organisations.
The Centaurus project is reportedly an integrated digital system for managing electronic and physical security around and within the facilities. The controller uses CCTV systems, artificial intelligence (AI) behavioural analytics algorithms and unmanned aerial vehicles (drones) to process images and personal data. The Hyperion programme is described as an integrated entry/exit control system whose purpose is to monitor the entry and exit of residents and certified NGO members through the processing of personal data, in particular biometric data.
In response to the HDPA's request for explanations of the programmes and their data processing, the controller stated that the legal basis for the Centaurus project's video surveillance was the performance of a task carried out in the public interest or in the exercise of official authority pursuant to Article 6(1)(e) GDPR. It argued that the protective measures previously in place, such as fencing of the property and patrols, were less effective than video surveillance in dealing with illegal activities. With regard to drone surveillance, the controller stated that the drones are used only in emergencies, such as fire or unrest. It claimed that Centaurus system data is retained for 15 days unless an incident is detected, in which case it is kept for one to three months, and that access to data subjects' data is restricted to authorised police users; if copies of footage need to be provided, persons are blurred so as to minimise the data disclosed. Data subjects were informed by means of notices and warning signs on the CCTV systems. Anti-malware software, passwords, system maintenance and software-level security policies were cited as security measures.
In the case of the Hyperion programme, the controller appears to have argued that biometric data was not used to identify data subjects, while nonetheless citing Article 6(1)(e) GDPR as the legal basis for such processing should it occur. Where any processing of special categories of data (namely fingerprints and other biometric data) took place for identification purposes, the controller cited Article 9(2)(b), (c), (g) and (j) GDPR as its legal basis. In a later communication, it clarified that its primary legal basis in this regard was substantial public interest pursuant to Article 9(2)(g) GDPR. Regarding consent, data subjects entering an accommodation facility were asked to fill out a personal data recording form that included a consent request. Finally, the controller noted that a partial Data Protection Impact Assessment (DPIA) had been carried out for both the Centaurus and Hyperion programmes.
The controller also claimed that neither programme processed personal data in a way that extracted special categories of data; on that basis, it took the view that Article 9 GDPR did not apply.
Holding
The HDPA imposed a fine of €175,000, concluding that the controller had violated Articles 5(1)(a), 6(1), 12, 13, 14, 15(e), 25, 30, 35 and 58(1)(e).
First, the HDPA considered it unclear which legal bases applied to the processing carried out by the Hyperion and Centaurus systems, and when. In particular, the HDPA recalled that Article 6(1) GDPR expressly excludes reliance on Article 6(1)(f) (legitimate interests) for processing carried out by public authorities in the performance of their tasks. It also observed that no legal basis had been specified per category of data subject (workers, vulnerable groups, minors, NGO workers, etc.). As to the data processed, the HDPA found no evidence supporting the controller's claim that special categories of data were not processed. It considered that surveillance by the Centaurus system could reveal religious beliefs, racial or ethnic origin, or other special categories of data, and that the controller should therefore have identified an appropriate legal basis for such processing under Article 9 GDPR.
Second, the HDPA found a violation of the principle of lawfulness, fairness and transparency under Article 5(1)(a) GDPR. The information provided to the data subjects was inadequate, since it was clear from the file that the data subjects did not understand Greek or English. The information therefore did not meet the transparency requirements of Articles 12, 13 and 14 GDPR.
Third, the HDPA considered the controller's lack of cooperation. In particular, it noted that the controller had failed to submit the data processing agreements it had concluded with its processors, claiming that they were confidential. As a result, the HDPA found a violation of Articles 15(e) and 58(1)(e) GDPR, which entitle supervisory authorities to obtain all information necessary for the performance of their tasks. The vague, incomplete, confusing and contradictory information provided also amounted to a violation of Article 31 GDPR.
Fourth, the HDPA noted the controller's failure to complete the record of processing activities before the programmes started, and accordingly found a violation of Article 30(1) GDPR.
Fifth, as the controller itself acknowledged, the data protection impact assessments were limited in scope and were not carried out before the start of each processing operation. The HDPA therefore found a violation of Article 35(1), (2) and (3) GDPR. It also found that the failure to carry out a comprehensive and coherent DPIA prior to processing violated Article 25(1) and (2) GDPR on data protection by design and by default.
Finally, the HDPA noted that the interconnections of the systems with other government data systems had not been explained, and that the risks arising from them had not been assessed. This failure to comply with the principle of accountability, by not providing complete, accurate and clear information and not adequately documenting the lawfulness of the processing, constituted a violation of Article 31 GDPR.
The HDPA imposed a fine of €175,000 for these violations and ordered the controller to bring the processing into compliance within three months.
Comment
This decision is of great importance, both for the reasoning developed and for the amount of the fine, which is the highest ever imposed by the Greek DPA on a public body. Moreover, the processing in this case concerns data subjects who are by definition in a vulnerable position: asylum seekers, who face particular difficulties in asserting their rights.
Following the decision, the Ministry of Migration and Asylum issued a clarifying press release in which it stressed that "the authority did not take into account that these were systems that had been partially received and piloted in some accommodation facilities and not in the whole, which made it necessary to carry out individual data protection impact assessments and not an overall one, since the processing of personal data could not be assessed before the systems were operational".
There is therefore a notable disagreement between the DPA and the Ministry on how data protection impact assessments should be conducted. The DPA states clearly that a DPIA must in any case be comprehensive, holistic and coherent, whereas the Ministry insists that this was not possible given the conditions under which the systems were developed and piloted.
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Summary
The Authority, after becoming aware of the development and implementation of the "Centaur" and "Uperion" Programs by the Ministry of Immigration and Asylum in facilities of the Closed Controlled Structures Centers and Reception and Identification Centers for citizens of third countries, proceeded to a thorough check of the integrated digital electronic and physical security management system "Kentauros" and of the integrated entry-exit control system with a reader combined with a fingerprint (i.e. processing biometric data) "Upperion" in the facilities of the above-mentioned guest structures, covering residents as well as employees and certified members of non-governmental organisations. The Authority found deficient cooperation on the part of the Ministry of Immigration and Asylum as the Controller and further considered that the required Data Protection Impact Assessments carried out by the Ministry were materially incomplete and limited in scope, and that serious omissions remain regarding the Ministry's compliance with specific provisions of the GDPR concerning the implementation of the disputed systems. For these reasons, it imposed an administrative monetary fine on the Ministry of Immigration and Asylum for the violations found in relation to the cooperation with the Authority and the Impact Assessments, and at the same time issued the Ministry a compliance order, with a three-month deadline, regarding its GDPR obligations.