HDPA (Greece) - 13/2025
| HDPA - 13/2025 | |
|---|---|
 | |
| Authority: | HDPA (Greece) |
| Jurisdiction: | Greece |
| Relevant Law: | Article 4(12) GDPR Article 12(3) GDPR Article 12(4) GDPR Article 15(1) GDPR Article 15(3) GDPR Article 33(1) GDPR Article 37 GDPR Article 55(3) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | n/a |
| Parties: | Employee of the Athens Administrative Court of Appeal The Athens Administrative Court of Appeal |
| National Case Number/Name: | 13/2025 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Greek |
| Original Source: | HDPA (in EL) |
| Initial Contributor: | Iliana Papantoni |
The DPA reprimanded the Athens Administrative Court of Appeal for violating its employee’s right of access. The DPA instructed the Court to immediately fulfill the complainant’s right of access and to appoint a DPO.
English Summary
Facts
An employee (the data subject) of the Athens Administrative Court of Appeal (the controller) filed a complaint with the DPA against the Court for denying him access to his personnel file and to electronic records stored on his work computer, which had been removed.
The data subject argued that the removal of the computer deprived him of access to personal data of significant importance, including evaluation reports and internet browsing history, which he claimed were necessary for his defense in disciplinary proceedings. The controller justified the removal on the grounds of a flood that had damaged several floors, necessitating the redistribution of computers to ensure the continuity of court operations. It also asserted that the data subject had orally indicated he did not require the files stored on the computer, which had been backed up.
The data subject further claimed that the deprivation of access to his data due to the computer’s removal constituted a personal data breach and that the controller should have notified the DPA of the incident within 72 hours.
Holding
The DPA determined that the controller had violated the data subject’s right of access to his personal data by failing to provide access to his personnel file and electronic records.
The DPA ordered the controller to provide the employee with copies of all documents containing his personal data, both from his personnel file and from the hard drive of the removed computer.
With regard to the alleged personal data breach, the case file did not support the claim that the removal of the data subject’s computer—through specific actions taken by the Court—and his resulting lack of access to documents containing personal data constituted a personal data breach. Moreover, it was neither substantiated nor established that the flooding had caused any breach of the confidentiality, integrity, or availability of personal data. Consequently, the DPA found that the controller was not obliged to notify a personal data breach.
Additionally, the controller was instructed to appoint a Data Protection Officer within two months.
Comment
Right to Access Personal Data
The decision highlights the importance of the right to access personal data, as enshrined in the GDPR. The DPA found that the Administrative Court of Athens violated this right by failing to provide the employee with access to his personnel file and electronic records. The ruling reinforces the principle that individuals must have access to their personal data, particularly when such data is essential for defending themselves in disciplinary proceedings. This aspect of the decision serves as a reminder to public authorities of their obligation to facilitate access to personal data and respond promptly to such requests.
Appointment of a Data Protection Officer (DPO)
The DPA’s decision also underscores the obligation of public authorities to appoint a DPO, as required under the GDPR. The Administrative Court of Athens had failed to do so, prompting the DPA to order the appointment of a DPO within two months. This requirement highlights the critical role of the DPO in ensuring compliance with data protection obligations and in safeguarding individuals’ data rights. The decision serves as a clear reminder to all public authorities of the importance of maintaining an effective data protection governance structure.
Assessment of the Alleged Personal Data Breach
The DPA found insufficient evidence to support the claim that the flood incident constituted a personal data breach requiring notification under the GDPR. This aspect of the decision reflects the DPA’s careful assessment of the facts and adherence to the legal thresholds for what constitutes a reportable breach. It clarifies that not all events involving potential data inaccessibility or system disruption automatically qualify as personal data breaches. The decision provides useful guidance for public authorities on interpreting and applying the GDPR’s breach notification obligations.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Summary The Authority, if it considers that its competence to examine the complaint in question is established, as the personal data, the processing of which is being investigated, concern a judicial employee and fall within the administrative competences of the Administrative Court, finds a violation by the Court of the employee's right of access and addresses him, as the controller, a reprimand and instructs the Court to immediately satisfy the complainant's right of access, on the one hand, to his official file and on the other hand to the hard drive of the computer he was using. It also instructs the Court to ensure the appointment of a Data Protection Officer in accordance with the requirements of the GDPR, within two months, while rejecting the complainant's claim for an obligation to notify an incident of a personal data breach.
