| HDPA - 16/2024 | |
|---|---|
 | |
| Authority: | HDPA (Greece) |
| Jurisdiction: | Greece |
| Relevant Law: | Article 4 GDPR Article 5(1) GDPR Article 6 GDPR Article 13 GDPR Article 14 GDPR Article 15 GDPR Article 29 GDPR Article 30 GDPR Article 32 GDPR art. 29 Law 3023/2002 |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 01.03.2024 |
| Decided: | 27.05.2024 |
| Published: | 27.05.2024 |
| Fine: | 440.000 EUR |
| Parties: | Hellenic Ministry of Interior MEP Anna Michelle Asimakopoulou |
| National Case Number/Name: | 16/2024 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Greek |
| Original Source: | Hellenic DPA (in EL) |
| Initial Contributor: | Nikolaos. Konstantis |
The DPA imposed €400,000 and €40,000 fine on the Ministry of Interior and an MEP, respectively, for unsolicited political communication to data subjects' email addresses, which were provided to the MEP by the Ministry of the Interior.
English Summary
Facts
The Hellenic DPA (HPDA) received 236 complaints regarding unsolicited political communication sent via e-mail by MEP Anna Michelle Asimakopoulou on 1 March 2024. In response, the HDPA initiated an investigation, which consisted of communications and requests for information from the Ministry, the New Democracy party, and Ms Asimakopoulou -- all of which were considered controllers for the processing.
The HDPA found a file containing personal data of all registered voters abroad for the June 2023 elections, for which the Ministry of Interior is a controller. The file was created for internal use at the Ministry of Interior in connection with a purpose related to the electoral process. It contained the names, countries, email addresses and telephone numbers of over 20,000 overseas voters. This data was not otherwise available. On 18 March 2024, the HDPA received a notification of a personal data breach from the Ministry, which approximated the date of the incident as May 2023.
The HDPA determined that the leak of this file from the Ministry occurred between 8 and 23 June 2023. On 23 June 2023, the file was provided to the then New Democracy Secretary of Greek Expatriates (political party) by an unidentified sender. On 20 January 2024, the then-secretary sent Ms Asimakopoulou the file via Whatsapp.
Upon receiving the file, the MEP then processed the data, exporting the email addresses to MailChimp to add them to her mailing list. On 1 March 2024, she emailed the mailing list, including the data subjects mentioned above. Her email did not inform recipients of how their data was obtained. The MEP claimed to have received the file on the basis of party instructions. She also argued that there was no specific regulation on political communication and she had reasonably considered she had an overriding legitimate interest in informing unknown voters about absentee voting.
Holding
The Hellenic DPA imposed an administrative fine of €400,000 for violations of Articles 5, 25, 30, 32 and 33 GDPR and instructed the Ministry of Interior to bring their actions into compliance with the GDPR. The DPA also imposed a fine of €40,000 on MEP Anna Michelle Asimakopoulou, as controller, for infringing Articles 5, 6 and 14 GDPR and ordered the deletion of the data.
Ministry of Interior
Although the HDPA could not ascertain how the transmission of data from the Ministry of the Interior to the Secretary of Expatriates of the New Democracy was made, it found that it undoubtedly constituted a breach of confidentiality and therefore a breach of personal data, in accordance with the definition of Article 4(12) GDPR.
The HDPA considered that the Ministry's investigation was no exhaustive in attempting to determine the time and scope of the breach. It also found that the policies and procedures followed by the Ministry for the movement of overseas voter data did not contain specific security measures for the movement of the records and restrictions (regarding the recipients of the records), nor did they contain provisions for recording and documenting the actions and approving the purpose of the export. The planned procedures also did not include any measures to mitigate the risks caused by human error. It also emerged that the measures in place were not reviewed for the specific needs of the processing of overseas electoral rolls. Further, the HDPA noticed deficiencies in the Ministry's data protection procedures and policies. In particular, the Ministry had not effectively implemented the means of processing with appropriate technical measures or organisational measures to implement data protection principles, as required by Articles 24 and 25 GDPR. It also failed to fulfill its Article 33 GDPR obligations to notify the breach to the supervisory authority correctly; its notification did not include any information that was publicly disclosed.
Finally, HDPA found that there were deficiencies and inaccuracies in the records of activities related to the Ministry's processing activities, in violation of Article 30 GDPR.
MEP
The HDPA found that the MEP's collection of personal data of absentee voters and usage of the data to send political communications breached the principle of lawfulness, fairness and transparency under Article 5(1)(a) GDPR. Indeed, the HDPA determined, the processing was done in violation of a number of provisions of the electoral legislation and could not be used to send a political communication message. Data subjects were not provided with appropriate information in accordance with Article 14 GDPR -- in particular, the source of their data -- resulting in a violation of the principle of transparency.
The MEP also infringed Article 6(1) GDPR in processing the data. Given that such processing (collection) was carried out in violation of a number of provisions of electoral legislation, voters abroad could not have reasonably expected that their personal data held by the Ministry of Interior would be processed in this way. Legitimate interest did not lend a valid legal basis either: the HDPA noted that the right of expatriate voters to the protection of their personal data prevails over the legitimate interest of the MEP to communicate with them individually.
New Democracy
The DPA postponed adopting a decision with regard to New Democracy because of additional evidence submitted, which the HDPA decided to further investigate.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Athens, May 27, 2024 No. Prot. 1484 DECISION 16/2024 The Personal Data Protection Authority met, at the invitation of its President, in a meeting at its headquarters on 05-17-2024, on 05-18-
2024 and on 27-05-2024, in order to examine the case referred to in the history of the present. The meeting was attended by the President of the Authority, Konstantinos Menudakos, the regular members Charalambos Anthopoulos, Spyridon Vlachopoulos and Konstantinos Lambrinoudakis, as speakers, and the regular members Aikaterini Iliadou, Christos Kalloniatis, and Grigorios Tsolias. Present, without the right to vote, were the expert scientists - auditors, Georgia Panagopoulou, George Roussopoulos and Haris Symeonidou, as assistant rapporteurs and Irini Papageorgopoulou, an employee of the Authority's administrative affairs department, as secretary. The Authority took into account the following: I. BACKGROUND From 01-03-2024 to 16-04-2024, 236 complaints and requests from Greeks abroad were submitted to the Authority against MEP Anna Michelle Asimakopoulou for unsolicited political communication via e-mail to her personal their email address, which all the complainants had used to register in the special foreign electoral rolls in the year 2023 through the platform of the Ministry of the Interior 2 apodimoi.gov.gr. The e-mail of the complainant, entitled "100 days before the European elections", was sent on the same day and very close to the information message of the Ministry of the Interior to Greeks abroad regarding the postal vote. Several complainants reported, providing a relevant screenshot, that when they tried to unsubscribe from the list of recipients of the message, the information was displayed that the list had the name "UNSUBSCRIBERS". In some cases the complainants reported that the e-mail address to which they had received the MEP's message is used exclusively for their communications with the Greek State. At the same time, during the same period, 66 complaints were submitted to the Authority by Greeks abroad against the Ministry of the Interior for a violation of their personal data, due to the alleged leak of their e-mail address by the Ministry to the aforementioned MEP. I.A DESCRIPTION OF ACTIONS AND FINDINGS Following the large number of complaints and questions that were submitted and having taken cognizance of relevant protests published in the press and on social media, the Authority sent the no. prot. C/EX/754/04-01-2024 document to Mrs. Asimakopoulou. With its document, the Authority informed the MEP that it is exercising its investigation powers pursuant to Article 58 GDPR and Article 13 para. 1 item. h' of Law 4624/2019 and invited her to respond within 10 days of receiving it, to the following questions, providing the relevant documents: a) What was the source of the email addresses that belong to the list of recipients of the message entitled "100 days before the European elections", and what is the source in particular for the list of e-mail addresses called "REFUSED", which is mentioned during the attempt to deregister the complainants, b) What was the legal basis for processing the e-mail addresses of its recipients regarding the message, c) How were the data subjects informed about the above processing of their data, in accordance with the principle of transparency of the processing, d) To provide complete and accurate information (proof of shipment, lists of recipients, etc. . etc.) from which the total number of recipients of the above message as well as the number of e-mail addresses in the "REJECTED" list can be obtained. 3 On the same day, the Authority sent the no. prot. C/EX/755/04-03-2024 letter to the Ministry of the Interior, informing that a number of complaints have been submitted concerning the sending of a political communication message to those registered in the special electoral rolls abroad. With the document, he invited the Ministry within ten (10) days of receipt of the document to respond to which recipients it has issued copies of foreign electoral rolls in the last year, clarifying which elements are included in the electoral rolls that have been issued, and providing any relevant documentation , including related requests. Subsequently, the Authority also sent document G/EX/825/11-03-2024 to the Ministry of the Interior, with which it additionally requested to submit by Thursday 14-03-2024 the following information: The list of recipients, the method its extraction from the Ministry's systems, the platform through which the sending was done, the details of any processor on behalf of the Ministry, the log files and any relevant documentation concerning: a) The sending of a letter to Greek women and men who live abroad, on February 20, 2024, with no. prot. 273, referred to in a relevant press release of the Ministry1, b) The sending of an e-mail message from the address ekloges-info@ypes.gr on March 1, 2024 to those registered in the special electoral rolls abroad, with informative content regarding the letter vote. Mrs. Asimakopoulou with no. prot. C/EIS/2344/12-03-2024 document requested an extension of the deadline for the submission of its opinions until 26-03-2024. The Authority responded to the request with no. prot. C/EXE/866/13-03-2024 a document informing her that the new deadline for her answer is Thursday 21-03-2024 at 2 p.m. and pointed out that no further adjournment could be granted. In the same document it was emphasized that it is desirable to send, by the originally set deadline, that is on 15-3-2024, the complete list of recipients with the name "REFUSED" to whom the electronic message was sent on 01-03-2024. The Ministry of the Interior, with no. prot. G/EIS/2325/12-03-2024 document replied to with no. prot. C/EX/755/04-03-2024 document of the Authority. In this document, the 1 https://www.ypes.gr/minyma-tis-politikis-igesias-tou-ypes-pros-tous-ellines-tou-exoterikou-gia- epistoliki-psifo-efkairia-na-syndiamorfosoume- oloi-mazi-to-paron-kai-to-mellon-tis-choras-mas/ 4 The Ministry states, among other things, the following: A) Regarding the legal framework for the elements included in the electoral rolls: 1. According to the written provisions in article 3 of Law 4648/2019 (Government Gazette 205/t.A/2019) stipulates that the foreign electoral rolls that are drawn up bear the title "Special Foreign Electoral Roll" and contain the following: a) the serial number, b) the Special Electoral Number, c) the surname, d) the first name, e) the father's name, f) the mother's name, g) the husband's name and the father's surname (if it is a married woman bearing the surname of the spouse), h) the date and time of birth, i) the basic electoral roll (basic electoral district) where he is registered (prefecture, municipality, electoral district), j) the full address of residence, k) the e-mail address, l) the contact numbers. 2. According to Article 3 of Law 4648/2019, the provisions of Article 23 of Law No. 26/2012 apply accordingly for the special electoral rolls abroad, subject to items k) and l), i.e. the e-mail address and contact telephone numbers of the electors. Based on the above, it is clarified that the copies of the foreign electoral rolls available to the beneficiaries do not include the e-mail address and contact telephone numbers of the voters. B) Regarding the actions of the Directorate of Elections and the Directorate of Electronic Government regarding the granting of copies of electoral rolls, the Ministry stated that in accordance with article 53 of Law 4648/2019, the distribution of copies of electoral rolls is carried out as follows: One (1 ) full series of electoral rolls in digital media free of charge, as well as one (1) series of copies of publications of the Ministry of the Interior of electoral content are entitled to the parties represented in the Parliament or the European Parliament. Also, the above types are entitled during the pre-election period to the recognized parties, in accordance with the Regulations of the Parliament, as well as those that draw up combinations in 2/3 of the electoral districts of the State, basic and non-domiciled. Copies of electoral rolls can be made available during the pre-election period on payment of a fee in favor of the State, set by the Minister of the Interior to MPs, MEPs, candidates for MPs or candidates in the regional and municipal and community elections, and only for electoral districts, districts or the municipalities where they have been elected, as it appears based on the relevant decisions declaring them or they will be candidates according to their written declaration. C) Regarding the distribution of 2023 electoral lists: During the pre-election periods of May – June 2023, no natural person with the capacity of 5 candidates requested a copy of special foreign electoral lists of 2023. The political parties who received through their representatives after 09 -05-2023 from the Directorate of Electronic Government electoral rolls with the 1st Revision 2023 including the electoral divisions, they also received a file with the special foreign electoral rolls. Listed is a table with the applications of political parties, a table with receipts up to 13-6-2023 as well as an excerpt of a special foreign electoral roll, which the parties received (this does not include e-mails). The Ministry of the Interior, with no. prot. G/EIS/2445/15-03-2024 his document responded to with no. prot. C/EX/825/11-03-2024 document of the Authority sending two CDs with the list of electronic addresses and e-mail messages, sent on 02-29-2024 and 03-01-2024. Among other things, the following are mentioned in this document: On behalf of the Ministry of the Interior, an authorized executive of the project contractor (Singular Logic) of the Integrated Electoral Support System (OSYED) (contract no. 2/2024) took the following actions: a) According by Law 5083/2024 (article 37 par. 2), the applications of those citizens from the database of Greeks abroad 2023 that had been approved by the Ministry of the Interior until 30/6/2023, moved to the database of applications for postal votes .Excluded 2023 foreign voters, who had already registered on the mail-in platform (which operated until 2/19/2024), as there was no need to transfer. b) Create with appropriate queries (queries) in the database, the recipient files (3 files) as detailed below. c) Finally, he exported and copied the above files, to a local folder, on the OSYED server, which is hosted in the government cloud and access to which is only available to officials authorized by the service. The GIS&PSD is responsible for the operation and security of the government cloud. The criteria based on which queries were made in the database concerned a) Greek voters who submitted an application to the 2023 foreign voter application platform and were identified with taxisnet codes (file 26,685 e-mails at 15:53-27/2/2024 ), b) Greek voters who submitted an application to the foreign voter application platform 2023, through a Diplomatic Authority and had a VAT number (file 198 e-mails at 15:51 – 27/2/2024), c) Greek voters who submitted an application to the application platform of foreign voters 2023, through a Diplomatic Authority and did not have a VAT number (file with 22 e-mails 15:43-27/2/2024). The messages were sent using Microsoft programs (Microsoft Office Word and 6 Outlook). The recipient files were uploaded from the OSYED server, to the personal service computer (16:48-27/2/2024), by the competent Head of the Data Management and Interoperability Department and then sent on 02-29-2024 12:15 pm, to responsible officials of the Ministry for the settings of the message (e-mail) sending, the processing of the mass sending of the messages (e-mail), the sending of text messages (sms) in a later phase and to the heads of the co-competent Directorate of Elections, on whose behalf the sending of the three messages was carried out, as well as in the hierarchy up to the level of the General Director of Interior and Electronic Government. The table with the names and positions of the recipients is listed. Then the messages were sent to the recipients of categories b and c on 29/2/2024 (and time 14:22 and 14:10 respectively), and to the recipients of category a on 1/3/2024, gradually (in 5 groups of 5,000 approximately) from 08:25 to 14:54. It was clarified that no particular processing was carried out on the files in question, apart from some indicative visual checks per recipient category and the deletion of all other data, except for the e-mail. After uploading the file and sending it by e-mail, the usual security measures provided by the security policy were taken, and are applied by all Ministry staff (up-to-date antivirus, computer locking with a strong password, regular password change, regular checks on the network, etc.). The files remain undeleted for future use and will be deleted after the election process is complete. Finally, regarding the question of sending a letter to Greek women and men living abroad, on February 20, 2024, with no. prot.: 273, the Ministry points out that the recipients of the informative e-mails were e-mails from expatriate organizations, which number 2,103, and are included in the list of expatriate organizations received by the Ministry of the Interior from the competent General Secretary of Greek Expatriation and Public Diplomacy of the Ministry of Foreign Affairs. The contact details of expatriate organizations, letters and e-mails were submitted by the Minister's office, which had the relevant authority. On 03-15-2024, Ms. Asimakopoulou sent the Authority the data for the list of "REFUSED" recipients to whom the electronic message entitled "100 days before the European elections" was sent on 03-01-2024. The submitted data includes an export from the platform used (Mailchimp), in three 7 csv format files, with file names cleaned_members_export_e92c94dedb.csv, subscribed_members_export_e92c94dedb.csv,unsubscribed_members_export_e92c94dedb .csv. The columns of the files that are completed for all the records and concern the personal data of the recipients are: E-mail, Name/First name, Surname/Last name, TAGS. TAGS are in the form "APODIMEN, COUNTRY" (eg "APODIMEN", "BELGIUM"). The Authority examined this data, namely the list of e-mails submitted by Ms. Asimakopoulou and compared it with the lists of recipient e-mails of the Ministry of the Interior. The total number of e-mail addresses in Mrs. Asimakopoulou's lists was: 25,538, of which 23,392 were also found in the lists of acceptable e-mails of the Ministry. The total number of e-mails on the Home Office list was 26,905. From the examination of the first of these data submitted by Ms. Asimakopoulou, it emerged that the names and country of residence of the recipients were kept, while at the same time there was a fairly large number of common e-mails with the recipient lists of the 01-03-2024 informational e-mail of the Ministry of the Interior, but without these lists being fully identical. On 03-15-2024, the resignation of the General Secretary of Self-Government and Decentralization (department Secretary General of Interior and Organization) of the Ministry of the Interior as well as the Secretary of Immigration of the New Republic, who were allegedly involved in the leakage of personal data related to the case, following relevant announcements by the Government, and as a result of a relevant investigation conducted. There was no special information to the Authority, the Authority became aware of these developments through the media. On 03-18-2024 it was submitted to the Authority with no. prot C/EIS/2484/18-3-2024 Notification of a Personal Data Breach Incident by the Ministry of the Interior. In the notification in question, the start and end times of the incident are stated to be under investigation and to be approximately May 2023. The time the agency became aware of the incident is 3/15/2024, 2:00 p.m., and the manner in which became aware of the incident, the media. The type of data includes name and e-mail address. It states that the investigation by the Ministry's internal control service is ongoing, the number of subjects is not known (26,905 can only be considered as a maximum, which is also mentioned in the lists presented by the Ministry to the Authority with the no. prot. C/EIS/2445/15-03-2024 8 document) and that the subjects have not yet been informed, since the internal investigation has not been completed. Given the aforementioned notification, the data from the examination of the lists of Mrs. Asimakopoulou and the Ministry of the Interior, as well as the public announcements of the resignations, was issued with no. prot. C/EXE/903/19-03-2024 audit order of the President of the Authority with the audited body the Ministry of the Interior, in order to provide clarifications and answers and to find relevant data. The on-site inspection was carried out on 20-03-2024, at the offices of the Ministry of the Interior, 2 Evangelistrias, 1st floor, Athens. On behalf of the Ministry, the following were present: A, B, C and D, E, F, Z, H, I, I. The Authority's audit team consisted of Kostantinos Lambrinoudakis, regular member, and Georgia Panagopoulou and Haris Symeonidou , auditors. The on-site inspection plan was followed, which included questions related to the content of the submitted notification of a violation incident but also a search for evidence following the documents submitted by the Ministry and the conclusions that had been reached. Based on the incident report, those present were asked about what is known about the incident, when and how it happened, and how the Ministry became aware of it. The answer given was that the employees of the Ministry were informed about the leak by the media, then the same information was circulated by the Minister's Office, so after admitting the incident they submitted, as they should, the Notification to the Authority, following the relevant suggestion of the Manager of Data Protection, while the relevant investigation by the Internal Audit Unit is ongoing. During the audit, it was described the way in which the applications for registration of expatriates in the special foreign electoral rolls for the parliamentary elections of 2023 were examined, by authorized officials, through the OSYED system, in order to check compliance with the legal conditions and to decide the approval or rejection of applications. The way of performance of roles in the system and the safeguards that prevent the mass extraction of data were mentioned (assigning control of specific cases to officials, only authorized persons can execute queries that extract a file with mass voter data). During the audit, evidence was sought to substantiate the conclusion publicly announced by the Ministry, but no evidence was submitted and no concrete answer was given. Those present reserved the right to inform the Authority about this when the conclusion of the Internal Audit Unit is issued. 9 The audit team received as evidence the list of foreign voters drawn on 27-02-2024 for the purpose of sending an informative e-mail from the Ministry. The list included all the details of the voters that were extracted. It has been confirmed that this list does not include the details of those who had applied for a postal vote by the day of export (total 2,027). The items contained in the lists were as follows: No. OF APPLICATION, SURNAME, SURNAME B, FIRST NAME, NAME B, ON. FATHER, ON. MOTHER, TIN, BIRTH NAME ELECTION NUMBER, DIMOTOL NO., E-mail, MOBILE PHONE, AREA, CITY, STREET, NUMBER, ZIP Code, COUNTRY, PRIVATE NO., PRIVATE DATE, EKD_ID, DhmosId, TotalId. Specifically, the following were taken as evidence: P1) File that resulted from the extraction of citizen data from the database of foreign residents, on February 27, 2024 (applications through the Greek Diplomatic Authority, who did not have a tax identification number): EmigrantVoters_noAFM.xlsx, Π2) File resulting from the extraction of citizen data from the database of residents abroad, on February 27, 2024 (applications through the Greek Diplomatic Authority, without identification through Taxis codes): MigratedEmigrantfromDA_20240227.xlsx, P3) File resulting from the export of citizens from the database of foreign residents, on February 27, 2024 (applications identified through codes Taxis) : MigratedEmigrantVoters_20240227.xlsx. The recipients of the e-mail circulated internally at the Ministry of the Interior with the specific excel files attached were the nine employees (referred to in the Ministry's document with reference no. C/EIS/2445/15-03-2024), who they had relevant tasks and were hierarchically related to the object. It was clarified that the extraction of the data was done following relevant orders to the contractor, the communications and the relevant orders were requested and received as proof of the audit P6). During the audit, it was examined whether similar data exports from the electoral roll of emigrants (i.e. mass, including voters' e-mails) have been carried out and for what purpose in the last year, and the corresponding data were submitted. That is, xls format files were taken as evidence: Π4), File resulting from the extraction of citizens' data from the database of foreign residents, on May 24, 2023 (registration applications approved until May 24, 2023): Foreign_registration_applications_approved_240520233_submitted_until_1 7052023.xlsx 5) File resulting from the extraction of citizen data from the database of foreign residents, on June 8, 2023: "Emigration by Department for Electoral Lotteries - Vol. Ecl June 2023.xlsx". The exports of May and June 2023 were made by a competent official of the Ministry after the contractor had sent the official 10 technical instructions regarding the content of the query (query) in the database for this purpose. The relevant communications were received as persuasion, P6). E-mail message from the controlled body to the Authority in which the recipients of files Π4, Π5 are mentioned and to which is attached a relevant correspondence of a technical nature for the export: no. prot. G/EIS/2703/22-03-2024. The communications with the contractor were also completed with the no. prot. G/EIS/2866/27-03-2024 document of the Ministry. The receipt of the evidence from the on-site inspection was recorded in no. prot. C/EXE/934/20-02-2024 Evidence Receipt Protocol. As for how accesses to extract such data are recorded, the database and application logs do not record user actions, only logging in and out of the system. For confirmation and more detail about the logs, sent with no. prot. C/EIS/2970/01-04-2024 document from the Ministry, which promotes elements mentioned by the contractor. From the examination of the data resulting from the audit at the Ministry of the Interior and the subsequent communications, the following findings and conclusions emerged: The total number of e-mails that were on the recipient list of Ms. Asimakopoulou's campaign was 25,538. The number of emigrants registered in the electoral rolls for the June 2023 elections was 25,610 (as shown by the collection of these data on 08-06-2023 for the purpose of sending an informative e-mail from the Ministry, but also from the official data of registered in the electoral district abroad https://ekloges.ypes.gr/current/v/home/districts/57/). The list of 25,610 voters includes 25,572 different e-mails. Out of the 25,538 e-mails on Ms. Asimakopoulou's "EXPIRED" list, 25,462 are in the electoral lists of EI for the June 2023 elections: (i.e. only 76 e-mail addresses are on the MEP's "EXPIRED" list without corresponding to e-mail of the Ministry's list). While of the 25,572 different e-mails found in the Ministry of Interior's electoral lists of emigrants for the June 2023 elections, 25,462 are also on Ms. Asimakopoulou's list. In other words, only 110 e-mail addresses are missing, which, while they are in the electoral lists above, are not on Ms. Asimakopoulou's "EXCUSED" list. Of these 110 addresses, it appears that 91 belong to citizens from Turkey, a country that Ms. Asimakopoulou does not have on her list, 9 have errors in the e-mail (invalid), and 7 are missing for an unknown reason. As a 11th conclusion, it follows that Mrs. Asimakopoulou had as recipients of her e-mail practically all the e-mails of those citizens who were included in the electoral lists of emigrants for the elections of June 2023, and for them she uploaded to the MailChimp platform through which the e-mails are sent e-mails, their name, their e-mail, and the country in which they are voting. Mrs. Asimakopoulou submitted to the Authority the no. prot. C/EIS/2634/21-03-2024 memorandum, in which it mentions, among other things, about the specific mission: With regard to the disputed list "APODIMI", it came into its hands in parts, at the end of January 2024 , from the Directorate of Information Technology of New Democracy, which provided data only for the party executives, and referred it to the Expatriate Secretariat for possible updates of the executives' information. The Secretary of Expatriates, Nikos Theodoropoulos, sent, through the WhatsApp application, a file in excel format with approximately 25,000 names, surnames, patronymics, date of birth, telephone number, country, city, postal and e-mail addresses of emigrant voters from 35 countries. As soon as she received the digital list from Mr. Theodoropoulos, the MEP immediately forwarded it to her political office to upload (export) only the e-mail addresses to the MailChimp digital platform, so that they would be included in the recipients of the information campaign planned for March 1, 2024 entitled "From End to End" on the subject of postal voting. The campaign in question included the mass sending of a newsletter to expatriate Greeks, exactly 100 days before the European elections of June 9, 2024. In order to investigate the above described method of origin of the data, the Authority sent to New Democracy the no. prot. C/EX/936/22-03-2024 document, with which he invited her until Friday 29-03-2024 to present her views, clarifying in particular the following: a) what is the source of origin from which she has the party collects the list of Expatriates in which Ms. Asimakopoulou refers, in what way and at what time, b) what is the legal basis for the processing of the communication data of the Expatriates by the party, c) how does it fulfill the obligation informing the subjects in accordance with articles 12-14 GDPR and d) to which recipients the personal data in question has been communicated to date. Also, the Authority sent the no. prot. C/EX/945/26-03-2024 document for clarifications to Ms. Asimakopoulou, with which she was asked to provide a) The mentioned in paragraph 12 "6. Data source for the list of emigrants" of her memorandum file, in excel format, which she received through the WhatsApp application from Mr. Theodoropoulos, b) Evidence documenting the communications referred to in the same paragraph, i.e. the manner and content of her request to the Directorate of Information Technology of the New Democracy as well as the manner and content of the referral to the Expatriate Secretariat of the party. Mrs. Asimakopoulou, in response to the document with reference no. C/EX/945/26-3-2024, submitted with the documents no. prot. C/EIS/2859/27-03-2024 and C/EIS/2861/27-03-2024 her documents, the complete list "2023 Expatriates" she had received via WhatsApp, in encrypted form, and the requested documentation of from 01-22-2024 of her electronic correspondence with the IT Directorate of New Democracy (Mr. K), which sent her the attached, unupdated file, (Presidents of party organizations, members or friends of DEEP - DIMTO of New Democracy abroad), with referring her to the party's Expatriate Secretariat for the possibility of an updated list, from where then, as she mentioned, the former secretary of Greek Expatriates, Mr. Theodoropoulos, sent her the list of Expatriates 2023 via WhatsApp, which was incorporated into the overall file of recipients of the message in question. Attached are the relevant communications with the IT Department of New Democracy, from which it appears that from 22-
01-2024, the MEP's request was to provide her with "updated details (phone numbers, e-mails) of the Presidents of the New Republic of External Affairs (DEEP) as well as the updated details (phone numbers, e-mails) of the Presidents and members of the T. THE. New Democracy Abroad", while with his reply Mr. K stated that in the attached file "the lists may not be fully updated. For this reason, it would be good to contact the Secretariat of the Diaspora so that a check can be made, for any non-updated data". The comparison of the file presented by Ms. Asimakopoulou, i.e. the file that according to her statement was sent by Mr. Theodoropoulos via WhatsApp, with the P5 file of the Ministry of the Interior showed that it is the same file, which includes the following fields: Voting Country , Polling City, Ward, Country of Origin, City of Origin, AA of Elector on the Roll, Fylo, Eponymo, Onoma, on_pat, on_mht, on_syz, epon_pat, hmer_gen, HomeAddress, Street, StreetNumber, Region, PostCode, E-mail. 13 Then it was submitted with no. first C/EIS/2989/01-04-2024 document the response of New Democracy to the Authority, which is summarized as follows: The IT Directorate maintains and manages exclusively lists of registered Party Members, which include Party Executives inside and outside the Territory, such as they are also the Presidents of the Electoral District Steering Committee (hereinafter DEEP), former Prefectural Steering Committee (NODE) and Municipal Local Organization (hereinafter DIM.TO) or Local Organization (hereinafter TO) abroad. MEP Anna Michele Asimakopoulou requested from the Information Technology Directorate the updated details (phone numbers, e-mails) of the Presidents of the New Republic of New Democracy abroad, as well as the updated details (phone numbers, e-mails) of the Presidents and members of THE. New Republic of Abroad via email on January 22, 2024 at 1:41 p.m. In relation to expatriate voters, New Democracy stated that it maintains either its Members' file, which also includes expatriate voters, or the file of Citizens Registered in the Electoral Rolls, without contact information, as each time it is notified by the Ministry of the Interior. In the first file, that of its Members, any electronic addresses are included (among the Acceptable Methods of Contact). In the second file, of the Ministry of the Interior, no. Therefore, a file of expatriate voters with their electronic addresses is under no circumstances kept by New Democracy. According to the same answer, the Expatriate Secretariat does not keep, nor is it authorized to keep, any of the above two files, i.e. neither the file of Members party nor the file of Citizens Registered in the Electoral Rolls. On the contrary, the Expatriate Secretariat only keeps a record of Party Members who have an administrative or other functional relationship with it, within the provisions of a. 1 of the Regulation of the Operation of Party Organizations of Hellenism in Exile in conjunction with the a. 32 par. 3 of the current Statute of the party, i.e. of the executives of party organizations abroad. In relation to the memorandum of the MEP and the questions of the Data Protection Authority, it is pointed out graphically that New Democracy does not keep a List of Emigrants according to the claim of the MEP, therefore the answers to the questions under (a) to (d) of the Data Protection Authority (see . above document C/EX/936/22-03-2024) are negative. The IT Directorate keeps, among other things, records of Members of the New Democracy, as well as Citizens Registered in the Electoral Rolls of the Ministry of the Interior without contact details, in accordance with the General Policy and the Statute, and is the only one responsible for their transmission to the Party's Citizens . The Secretariat of Expatriates 14 exclusively maintains a record of those Party Members who at the same time maintain an administrative or functional relationship with foreign organizations. Attached is a relevant email from 01/22/2024. It is established that the correspondence is identical to the corresponding one that has been submitted to the Authority by Ms. Asimakopoulou with no. prot. C/EIS/2861/27-03-2024 her document. The Authority then sent the no. prot. C/EXE/1014/01-04-2024 letter to Mr. Theodoropoulos, ex-Secretary of Expatriates of New Democracy, with which he invited him until Thursday 4/4/2024 to present his views on the claim of Ms. Asimakopoulou, clarifying in particular the following: a) what was the exact request of the above MEP to the Apodimon Secretariat, b) what is the source from which the aforementioned excel file containing Apodimon's personal data came into the possession of the Secretary, with whom how and at what point in time, c) if it is envisaged that the above list of Expatriates will be maintained by the Secretariat of Expatriates of the ND and d) to which recipients the personal data in question has been communicated to date. He was also asked to provide any available documentation of his answers and in particular any communication (e-mails, WhatsApp, etc.) related to the handling of the file in question. With no. prot. C/EIS/3147/05-04-2024 document the former Secretary Apodimon of the ND replied to the Authority that Mrs. Asimakopoulou legally received from him, following her request, on 20-01-2024 via WhatsApp, the special electoral lists abroad, with her institutional capacity as Press Representative of the ND in the European Parliament and not as a MEP. He states that he legally possessed their special electoral lists and that they had legally come into his possession via WhatsApp, during the pre-election period of June 2023, as he was a designated representative of New Democracy in the Special Inter-Party Committee of article 2 par. 6 of Law 4648/ 2019 for the vote of foreign voters, where he had the main responsibility of examining objections of foreign voters. The source of the electoral rolls, as far as he is able to know, is the Ministry of the Interior, as he is obliged to observe them. With those with no. prot. C/EIS/3302/09-04-2024 and C/EIS/3305/09-04-2024 additional documents the former Secretary of Immigration of the ND submitted screenshots from the WhatsApp application which show when and how he received from someone person and how he sent the file to Ms. Asimakopoulou. From these data, it follows that the download of the file named 15 "Revenues by Department - Vol. Ekl June 2023.xlsx" was done by forwarded message on 23-06-
2023 and his promotion by Mr. Theodoropoulos to Ms. Asimakopoulou took place on 20-
01-2024. In addition, the former Secretary Apodimon of the ND clarified that the Ministry of the Interior is the exclusive source of the special electoral rolls and that the specific electoral rolls with the data included in them have not been processed by him and have not been sent to any other person except of Mrs. Asimakopoulou. Also, the Authority sent the no. prot. C/EXE/1009/01-04-2024 letter to the General Secretariat of the Prime Minister, with which he invited it until Thursday 04-04-2024 to assist in the work of the Authority by providing all the information available from the its own research, which it has announced publicly. The Authority did not receive a response. Subsequently, the Authority, after receiving the contact details of Mr. G.G. of the Interior and Organization of the Ministry of the Interior, Mr. Stavrianoudakis from the Ministry of the Interior (with document no. prot. C/EIS/3235/08-04-2024), sent him the document no. prot. C/EXE/1087/08-04-2024 document by which he invited him to present his views to the Authority by 10-4-2024, providing all the information at his disposal and providing all available documentation, since it has been publicly announced that he resigned taking responsibility for the Home Office data leak. Mr. Stavrianoudakis replied with no. prot. G/EIS/3359/11-04-2024, G/EIS/3360/11-04-2024, G/EIS/3361/11-04-2024 documents. He claims that by resigning he only accepted political responsibility, that he does not know anything about the leak and that he has no evidence of the involvement of his partner either. He attached his resignation letter as well as his responses during the Ministry's internal audit process. The Authority, by virtue of no. prot. C/EXE/1069/05-04-2024 control order with a controlled entity, the Ministry of the Interior proceeded with a new on-site control on 8/4/2024, at the offices of the Ministry of the Interior, Evangelistrias 2, 1st floor, Athens. On behalf of the Ministry, there were: B, , L, E, F, Z, M , N and X,.... The Authority's audit team consisted of Kostantinos Lambrinoudakis, regular member, and Georgia Panagopoulou, Haris Symeonidou, Georgios Rousopoulos, auditors. 16 The on-site audit plan was followed, which included a search for information about the lists circulated in connection with the work of the Special Inter-Party Committee, but also a search for the communications regarding the leaked list of emigrants, as well as a search for documentation of the relevant data protection policies and safety. The electronic communications with which the file "Receipts per Department for Lotteries of Electoral Officers - Voul Ekl June 2023.xlsx" was circulated to the Ministry on 8/6/2023 and on 9/6/2023 were submitted with no. prot. G/EIS/3283/09-04-2024 document. The minutes of all the meetings of the Inter-Party Committee were also submitted with no. prot. G/EIS/3301/09-04-2024 document. Both from the discussion during the audit and based on the submitted minutes of the meetings of the Special Inter-Party Committee, it emerged that the electoral list of foreign voters was not circulated in the context of exercising the powers of the Committee, the last meeting of which was held on 30-05-2023. The examination of the objections as well as the sample check included in the Commission's tasks were carried out without examining the entire electoral roll. During the discussion it was mentioned that electoral roll data has been requested and extracted from the databases from time to time following a relevant order of the General Secretary of the Interior and Organization. Also, as part of the audit, it was requested that the Ministry send to the Authority documentation regarding the recording of actions in OSYED, since it has been stated that important events selected by default by SQLserver are recorded, such as backups, deadlock victim processes and failures as well as the failed login attempts. As far as successful login attempts are concerned, these are recorded in the logs of the firewall that protect the OSYED system and are kept in the GISDS. The security policies and plans concerning the OSYED and the election-related systems as well as data protection policies, any impact assessment, as well as the activity records of the Ministry concerning the OSYED and the election-related systems were also requested. In addition, information was requested regarding the implementation of Article 8 of KYA 12284/2024 (Government Gazette 1037/B/12-02-2024) (processing of personal data – postal vote), as well as the applicable contracts with processors for OSYED, for election-related systems. The Ministry with no. prot. C/EIS/3285/09-04-2024, C/EIS/3286/09-04-2024 and C/EIS/3287/09-04-2024 documents he submitted the relevant documents to the Authority. 17 The Authority, by virtue of no. prot. C/EXE/1069/05-04-2024 of the control order of the President with an audited body, the Ministry of the Interior proceeded with a new on-site inspection on 10-04-2024, at the offices of the Ministry of the Interior, Evangelistrias 2, 1st floor, Athens. On behalf of the Ministry, the following were present: E, D and nO. The Authority's audit team consisted of Kostantinos Lambrinoudakis, regular member, and Georgia Panagopoulou, Haris Symeonidou, auditors. The on-site inspection plan was followed, which included seeking clarifications and confirmation in relation to the content received from the parties by CD on 13-6-2023, as per the original no. prot. C/EIS/2325/12-03-2024 response of the Ministry of Interior and especially the content of the xls file with the data of voters abroad. The control echelon, with an on-site search of the competent employee's PC, found that the list provided to the parties with a CD did not contain the e-mails or other additional personal data of foreign voters. The list is automatically extracted through the OSYED application to be included in the lists given to the parties with the prescribed procedure. The metadata of the file was also checked and it was found that the file had not been modified. The Authority, on 11-04-2024, by virtue of its no. prot. C/EXE/1068/05-04-2024 of the inspection order of its President, carried out an on-site inspection at the Offices of the New Democracy party, Piraeus 62, Moschato. The Authority's audit team consisted of Kostantinos Lambrinoudakis, regular member, and Georgia Panagopoulou, Haris Symeonidou, Georgios Roussopoulos, auditors. On behalf of New Democracy, the following were present: P, R, S, TkaY. The on-site audit plan was followed, which included seeking evidence from the internal investigation in the ND from which the responsibility of the Immigration Secretary arose and the manner in which the publicly announced information was confirmed. Also the description of the role and duties of the party's Diaspora / Expatriate Secretariat and whether this includes keeping records of personal data. The relevant excerpt of the party's activity file was requested, which was submitted with no. prot. G/EIS/3554/16-04-2024 Document. New Democracy did not have any evidence to provide in relation to the responsibility of the Secretary Apodimon. As part of the audit, his letter of resignation was submitted to the Authority in which he declares that he is innocent and resigns because he was asked. According to the answers given to the Authority during the audit, the responsibilities of the Expatriate Secretariat include the processing of personal data of party officials with a role in foreign organizations. Due to this responsibility, Ms. Asimakopoulou was also referred to the Secretary of Expatriates, during her communication with the IT Department on 01-22-2024, in order to provide her with any more recently updated information on these executives. In the CRM system (includes the database) of New Democracy, the information of party members is kept, as they are cross-referenced with the official electoral rolls. There are no voter e-mails in them, as found during the check. This database is accessible only to specific IT Department staff. The mailbox of the resigned Secretary of Expatriates (diaspora@nd.gr and onomastiko@nd.gr) was also searched through the e-mail server: the last access to it was on 24-01-2024 and the number of e-mails was minimal, which seems to indicate that these accounts were not often used. Any communications with Ms. Asimakopoulou as well as with the Ministry of the Interior were searched and nothing relevant to the case was found. The mailboxes support@nd.gr, …@nd.gr were also investigated for any additional communications with Ms. Asimakopoulou, with negative results. With reference to the content of the telephone communication with Ms. Asimakopoulou referred to in the e-mail attached to the New Democracy memorandum, during the audit it was clarified that Ms. Asimakopoulou asked how she could have more e-mail address information, due to the fact that on the list of executives sent to her, many of the e-mails were not completed. So they referred it to the Secretary of Expatriates, for any updated information. The conversation was with Mr. S. The log files on the e-mail server of the New Republic are kept, through an executor, for a period of 60 days. Secretary Apodimon was connecting to the Nea Demokratia network through his own laptop on a network with limited access. Apart from his e-mail, he did not have access to other systems of New Democracy. This practice is in line with the overall policy of the correct use of private devices ("Bring your own device" - BYOD), which is included in the "Policy for cyber security", which was submitted with the no. prot. C/EIS/ 3554/16-04-2024 document. During the discussion it was emphasized by the representatives of New Democracy that, since the alleged sending of the list by the resigned Secretary of Expatriates to the European Parliament was done via WhatsApp and that this list is not kept by 19 New Democracy , and given that Secretary Apodimon had sole responsibility for his laptop and the data stored on it, there is no responsibility for Nea Demokratia to comply with the list sent to Ms. Asimakopoulou from the resigned Expatriate Secretary the return of files, his laptop was not checked for any files belonging to New Democracy and no deletion/destruction of files with personal data was requested. His laptop probably had the updated files of the expatriate organization executives stored on it, but these files are no longer available in the ND. This event appears not to have been registered as a personal data breach incident. With the document C/EXE/1078/08-04-2024, the Authority forwarded to Ms. Asimakopoulou 230 complaints and requests from citizens that had been submitted between 01-03-2024 and 28-03-2024 and concern the sending of electronic messages on "100 days before the European elections" on 01-03-2024, for her views. With her response document C/EIS/3418/12-04-2024, Ms. Asimakopoulou stated that she has responded to those of the complainants who had already contacted her with a relevant protest e-mail and quoted the text of the said response, which stated that it can be forwarded by the Authority at its discretion to the other complainants. In addition, with the document C/EXE/1124/11-04-2024, the Authority asked Ms. Asimakopoulou to provide the original excel file that she received from the former Secretary of Immigration of the ND via WhatsApp, in order to check its metadata , in the manner indicated to her. Ms. Asimakopoulou submitted the file with no. prot. G/EIS/3531/16-04-2023 document. From the control of its metadata, it appears that the date of creation (08/06/2023) and the author are identical to the data of the file "Revenues by Department for Lotteries of Electoral Officers - Vol. Ekl June 2023.xlsx" (Π5)). The file was last modified on 22/01/2024 at 10:25, by the user "annamisel asimakopoulou". With document C/EXE/1076/08-04-2024, the Authority forwarded to the Ministry of the Interior 54 complaints and requests from citizens that had been submitted between 1/3/2024 and 20/29/3/2024 and concern the leakage of information that are included in the special electoral lists abroad, for his views. At the same time, with its document C/EIS/3549/16-04-2024, the Ministry forwarded to the Authority the electronic message from 19-04-2023 that was detected during the internal audit and concerns the internal handling of an excel file with the full details of 22,817 of emigrants up to 10-04-2023, which, as stated by the Ministry, had been exported without creating a query ("it was the entire base regardless of criterion). According to the said message, the file does not include the emigrants' phone number. Finally, with regard to the way of satisfying exercised rights of the GDPR, it is noted that: From the beginning of April 2024, a number of expatriate complaints were submitted to the Authority for violation of the right of access and/or erasure by the above MEP, given that in the relevant requests Ms. Asimakopoulou had responded with reference to the type of data included in the list that came into its possession without granting a copy of the data concerning the respective applicant as a data subject. With the G/EIS/3534/16-04-2024 supplementary complaint document against the Ministry of the Interior, the Authority was notified of the Ministry's response from 11/4/2024 to the access request submitted by the complainant on 14/3/2024 to the Directorate of Elections of the Ministry of the Interior. From this answer it follows that general information is provided regarding the data processing carried out by the Ministry in the context of the compilation of the electoral rolls and for the purpose of organizing the exercise of the right to vote, without providing a copy of the specific data held by the Ministry concerning the applicant. I.B CALL TO HEARING - MEMORANDS Following the above, the Authority with G/EXE/1205/22-04-2024, G/EXE/1207/22-04-
2024, C/EXE/1214/22-04-2024, C/EXE/1209/22-04-2024 and C/EXE/1206/22-04-2024 calls respectively, called those involved: Anna Michel Asimakopoulou, Ministry of Interior . During the meeting, the following persons were present, who had been notified by those invited to the Authority: 1) Anna Michelle Asimakopoulou, with her attorney, Leonidas Kanellos (A.M. ...) 2) On behalf of New Democracy, Lawyers Panagiota Moschandreou (A.M. ...) and Vasilios Gakopoulos (A.M. ...) and Ioannis Papaioannou, Deputy Director of IT 3) Nikos Theodoropoulos, with his attorneys, Leonidas Kotsali (A.M. ...), Alexis Stefanaki (A.M. ...), Vasilios Psycha (A.M. ...), Roussa Tsoukala (A.M. ...), Konstantinos Kotsali (A.M. ...) and Athanasios Theodoropoulos (A.M. ...) 4) On behalf of Michalis Stavrianoudakis, his attorney, Polyxeni Bovolia (A.M. ...) 5) Theodoros Economou, Head of the General Directorate of Internal Affairs and Electronic Government of the Ministry of the Interior, Panagiotis Skiadas Head of the Elections Directorate of the Ministry of the Interior, Angelos the Head of the Electronic Government Directorate of the Ministry of the Interior, Kleopatra Sarantakou Head of the Directorate of the Internal Audit Unit of the Ministry of the Interior, Stamatios Theocharis, Data Protection Officer at the Ministry of the Interior and Ioannis Bakopoulos, Co-Chair of the State Legal Council at the Ministry of the Interior. At the beginning of the meeting, Nikos Theodoropoulos submitted a request to postpone the meeting, in order to take note of the 26/4/2024 Conclusion of the Internal Audit Unit of the Ministry of the Interior, which had been forwarded to the Authority (prot. no. C/EIS/ 3889/26-04-2024), arguing that all parts of the case are interrelated and access to the Conclusion is necessary for its defense. The same request was submitted on behalf of Michalis Stavrianoudakis and Theodoros Oikonomou, who also requested access to the Conclusion from the Authority. Ms. Asimakopoulou objected to the postponement request, arguing that the Ministry's Finding is not relevant to the case, while the Head of the Internal Audit Unit, Mr. Sarandakou, pointed out that the findings of the Internal Audit are by law only communicated to the Minister of the Interior, to the Audit Court and the National Transparency Authority. After a short interruption, the Authority rejected the above requests for postponement and access to the Conclusion of the Internal Audit Unit of the 22nd Ministry, submitted by Nikos Theodoropoulos and Michalis Stavrianoudakis because, according to article 26 of the Regulation of Operation of the Internal Audit Unit of the Ministry of the Interior (Y.A. 16786 FEK II 5662/7.11.2022), in which it is stipulated that "1. The results of the Audit (audit report) are submitted in writing to the Minister and are communicated to the Head of the involved organizational unit to which the project being carried out concerns. 2. The Reports are notified without delay to the Court of Auditors in accordance with par. 3 of article 71 of Law 4820/2021 and are notified to the National Transparency Authority in accordance with Article 83 of Law. 4622/2019 and article 30 of the no. house 11699/2020 of decision E.A.D. (B' 1991/2020). The Reports may be disclosed, in addition to the aforementioned, to other agencies, or to other bodies outside the Ministry, only after approval by the Minister of the Interior", those interested in gaining access to this should address their request to the Ministry of the Interior, while the hearing process takes place on the basis of the above Description of Actions and Findings of the Authority, which has already been communicated to those summoned by their summons to a hearing, and not on the aforementioned Finding of the Ministry of the Interior. Besides, the Authority rejected the above request of Theodoros Oikonomos, who has not been summoned to be examined as a data controller or as a processor, primarily because he was not submitted as a representative of the Ministry of the Interior, which was summoned to the hearing, but individually. During the meeting, Mrs. Asimakopoulou repeated the allegations she had put forward with no. prot. C/EIS/2634/21-03-2024 her memorandum, stressing that she complies with the GDPR in terms of political communication and that due to her many years of activity since 2007 she has created a file of friends and recipients of her newsletter, consisting of from approximately 45,000 recipients. With regard to the file she received from the ex-Secretary of Expatriates of the ND, Mrs. Theodoropoulos, Ms. Asimakopoulou clarified that, having been informed about the institutionalization of postal voting, she decided to address the New Democracy party requesting information on expatriate members of the party and in this context, the employee of her office, F, contacted the ND IT Department by phone on 1/18 or 19/2024. In the said telephone call, Mr. K from the IT Department of ND stated that her request should be submitted in writing and will be answered, which was done on Monday 22/1/2024, while at the same time he referred her to the Secretary of Expatriates for possible updated information. In the meantime for reasons of speeding up the process, 23 since he knew Mr. Theodoropoulos since 2018 and they had worked together in the past, he considered it simpler to contact him directly, which he did, and met with him on 20/1/2024 in Athens in order to discuss her campaign ahead of the European elections. In the afternoon of the same day, Mr. Theodoropoulos forwarded the excel file to her via WhatsApp. Mr. Theodoropoulos, during the hearing, emphasized that what he was asked by Ms. Asimakopoulou were the electoral lists abroad and her purpose, as stated to him, was to examine from a strategic point of view which countries she would visit in the context of her election campaign but and to help Greeks abroad to register to vote by mail. He pointed out that Mrs. Asimakopoulou had been appointed press representative of the ND Eurogroup. He stated that from 1/20/2024 onwards Ms. Asimakopoulou did not contact him again. With reference to the electoral rolls, he clarified that he had not received them from the Ministry of the Interior but had requested and received them on 23/6/2023, from a "competent ND party official for the electoral rolls", which he did not name but reserved to name with his memorandum, clarifying, however, that this is an "executive of the Secretariat, who had absolute authority to have access to the electoral rolls kept by the party". The reason he asked for the lists a day before the overseas polls opened was to enable a demographic analysis of the electorate (by sex/age/city), since there are no exit polls abroad, and he was unaware that the address was included voters' e-mails in this file. Therefore, he argued that his role was a processing one, because initially he received from the competent services of the ND the foreign electoral lists, which he considered to be legally owned by the party and he himself was the recipient as an Organ of this, due to the duties of his position, as Secretary of Expatriates and based on the party's Constitution. Besides, he was appointed a member of the Special Inter-Party Committee of article 2 par. 6 of Law 4648/2019. Then, without making any further processing, he forwarded the foreign electoral rolls to an experienced lawyer, MEP and representative of the ND Eurogroup, whom he had met as the party's digital department head and considered an expert in data protection issues. With reference to the method of communication (WhatsApp), Mr. Theodoropoulos clarified that the ND Policy does not prohibit the use of these means between party officials, except in their communications with third parties. Responding to a relevant question from a member of the Authority, he replied that he was absolutely certain that the file he had received were the electoral rolls of 24 foreign countries and that they were the only ones he received in view of the parliamentary elections of 6/25/2023, while he had also received a section of the lists before the parliamentary elections of 21/5/2023, for the convenience of voters who would be in Lithuania in view of a sporting event. He stated that his role, as the Secretary of Expatriates, was to help the party in its relations with the expatriates and in this context he had sent many times the details of the members who registered with the party at events abroad or through the website diaspora.nd.gr , was passing out consent forms and before the 2023 parliamentary elections provided support from his personal mobile phone and e-mail to expatriates wishing to register to vote. The reason he was asked to resign was, he said, to protect the postal vote. Nea Demokratia, through its representatives, reiterated the allegations mentioned in the G/EIS/2989/01-04-2024 memorandum document, while it reserved its position regarding the telephone communication with the Information Technology Division mentioned by Mrs. Asimakopoulou before 22/ 1/2024. In response to a related question, it was clarified on behalf of ND that if Mr. Theodoropoulos had asked the party for the list of emigrants, he would have received a negative answer, because the electoral list kept by the party is not transmitted, but is only used to update the details of the party members. The ND also clarified that no special instructions had been given to the Secretary of Expatriates regarding the processing of personal data, but that the Party's Policy applies. In response to a question about how its bodies are informed about data processing and whether there are relevant contracts, the ND lawyer reserved to answer with the memorandum. Michalis Stavrianoudakis, through his lawyer's power of attorney, stated that he does not know any information in relation to the alleged leak of the emigrant file by the Ministry of the Interior. The present Parish Priest N.S.K. stated during the meeting that he does not have a mandate to represent the Ministry and suggested that questions be addressed to the Head of the Internal Audit Unit who was also present. After a short break, the Authority, after taking into account article 7 of Law 4795/2021, according to which "1. The internal control function is independent. Functional independence is ensured by the organizational affiliation of the Internal Audit Unit directly to the head of the institution, as well as by the establishment and operation of the Audit Committee. 2. The Internal Auditors are not involved in any way in the administration of the body 25 nor do they undertake operational tasks related to it", decided that the position of the Head of the MEE does not allow her to represent the Ministry of the Interior as a data controller before the Authority. Therefore, no questions were addressed to the above as a representative of the Ministry. After the conclusion of the meeting, all those invited were given a deadline to submit a memorandum and submitted on time: a) Anna Michele Asimakopoulou the G/EIS/4155/10-05-2024 memorandum, b) the Ministry of the Interior in G/EIS/4190/13-05-2024 memorandum, c) New Democracy in G/EIS/4191/13-05-2024 memorandum, d) Nikos Theodoropoulos in G/EIS/4199/ 13-05-2024 memorandum and e) Michalis Stavrianoudakis the G/EIS/4203/13-05-2024 memorandum. Anna Michelle Asimakopoulou, with her memorandum G/EIS/4155/10-05-2024, initially emphasizes that the outcome of the case is very important for her, since it has not only cost her certain re-election to the European Parliament but has created many disputes on a political and criminal level and in general repeats the allegations she made during the hearing, clarifying in particular the following: - That she turned to party sources in order to support her communication campaign for the European elections and thus on 18/1/2024 she had a telephone conversation with the Directorate of Informatics of the ND, in the context of which it was referred orally to Secretary Apodimon already before its official communication via e-mail on 22/1/2024. - That following the verbal instructions of the ND IT Directorate, she contacted Mr. Theodoropoulos by phone and then in person, where, during a working lunch on Saturday January 20, 2024 in Athens, she explained to him the content of the communication of her political office with the party, as well as her intention to contact expatriate Greeks for the postal vote, promoting her candidacy for the European elections of June 2024, and the Secretary of Expatriates informed her that he has enriched, secure and up-to-date contact information with expatriates, the which he had legally collected in the context of his party position and institutional role. In particular, he reminded her that during the pre-election period of June 2023, he was officially appointed as a representative of New Democracy in the Special Inter-Party Committee for the vote of foreign voters with the responsibility of examining candidate objections. At the same time, as can be seen from a relevant ND press release, he was in charge of receiving calls on his mobile phone, together with 5 other party officials, who operated an informal "call center" of the ND, with the aim of informing, guiding and facilitating the 26 foreign voters to collect the necessary supporting documents in order to be registered in the special electoral lists of the Ministry of the Interior for the year 2023. Through this action, he had collected full contact details of the interested parties, such as full names, patronymics, country, city and residential addresses, telephone numbers and e-mails, which he gladly offered to send to Ms. Asimakopoulou for use in her information campaign as an MEP. - That during their meeting she asked him for the contact details of the emigrants, in order to know in which countries there was a greater concentration of emigrant Greeks, so that she could travel to them as a priority, promoting her candidacy for the European elections. - That he had no reason to question his good intentions or his words, since he knew his actions and the fact that his institutional position as Diaspora Secretary of the ND included regular contacts with expatriate Greek organizations (over 2,100 around the world with based on official data), frequent trips and his stay for several days every month abroad, to organize events to promote the party to Hellenism in the Diaspora. She further states that if she had the slightest suspicion that this data is not legally secure and "certified" according to GDPR, she would have had no reason to use it, risking her certain re-election. - That Mr. Theodoropoulos sent her the file via WhatsApp, as he stated during the hearing, in the context of their existing relationship of trust and party communication, due to her capacity as a MEP and ND press representative in the European Parliament. Ms. Asimakopoulou pointed out that she is a press representative of the ND Eurogroup, without this status giving her more rights than other candidates, as well as that her receipt of the file on 20.1.2024, i.e. before the official response of the party's IT Directorate on 22.1.2024, is completely indifferent, since whenever she received them, she did so based on party instructions and from a source that was competently indicated to her. - That the use by party officials of personal devices and applications, such as WhatsApp, is expressly provided for by the party's policy on cyber security, in accordance with the security instructions ("Bring Your Own Device - BYOD), therefore the reply electronic from 22.1.2024 message from the IT Department of the ND to its office with a recommendation to address the Diaspora Secretariat, renders unfounded the claims of the ND, that the only competent agency for sending information is the 27 IT Department of the Party and the only means of transmitting information is e-mail, since if if this were the case, the IT Department would itself request the updated information from the Expatriate Secretary, so that he could deliver it to her in full, through the official channel, and would not "improperly" refer her to him. - Regarding the legality of her political communication via e-mail with all Greeks abroad, Ms. Asimakopoulou repeats the allegations mentioned in her original memorandum, stressing that there is no special regulatory regulation for political communication and that the relevant gap does not is covered by the Authority's Guidelines 1/2023, and that in this case he reasonably considered that he had an overriding legal interest in informing unknown voters about the postal vote, since he was not in a position to know what the "legitimate expectations" of the unknown recipients of the message were and considered that they will not be affected by a unique informational and non-commercial message from a prominent politician, as well as that the use of the e-mail of emigrants simultaneously serves the public interest for broad participation in the electoral process and for electing the most suitable candidates to the European Parliament , a purpose completely compatible with the original purpose of collecting the data and therefore, that in its opinion, the processing it carried out was not illegal. - Finally, citing the relevant jurisprudence of the CJEU and other EU supervisory authorities, it states that any imposition of a fine against it will open a new round of unfair political and economic exploitation of the case and requests the short issuance of a decision without the imposition of sanctions. Nikos Theodoropoulos, with his memorandum G/EIS/4199/13-05-2024, initially refers to the Authority's decision 26/2006 and argues that the electoral rolls are not used exclusively during the election period but are necessary for the smooth functioning of democracy of the parties, which by definition have a legitimate interest in requesting the electoral rolls regardless of time, in order to be able to fulfill their constitutionally protected purposes, and for this reason they may use them, as specifically defined in the Privacy Policy of each party. Indicative purposes include the analysis of opinion polls (which are used as guidelines for the electoral quota, which exists in each electoral district), the registration of new members in the party lists and in general the political communication of each of the 28 parties in the electoral districts. It also points out that article 23 of PD 26/2012 regulates exclusively the way candidates and parties communicate in the pre-election period and not in the non-pre-election period, i.e. this article does not regulate the way citizens are continuously informed about political positions and party actions. Furthermore, Mr. Theodoropoulos maintains that both the party and himself, as the Secretary of Expatriates and thus a Party Organ from the year 2019, had full legitimacy to have access to the special electoral lists of foreign voters. To this end, it invokes: a) the Regulation of the Operation of Greek diaspora organizations of the ND, which was updated by the Political Committee of the ND in November 2022, according to which, the competence of the Secretariat of Hellenism in the Diaspora includes, among others, and "the preparation and support of the participation of Electors Abroad in the National Elections and European Elections", which implies his responsibility as the Head of the Expatriate Secretariat of the ND, which was not limited to Party members, but to all Electors Abroad, b ) the ND Privacy Policy, article 6.1 of which states that "NEW REPUBLIC as a rule does not share or transmit Personal Data to third parties. Recipients of your Personal Data, unless otherwise specified in the respective Processing Policy, are the Party Organs, as responsible for its organization, management, operation and fulfillment of the purpose deriving from the NEAS DEMOKRATIAS Statute" and c) the article 33 of the party's Statute, according to which "Secretariats are Organs of the Party's Central Administration, with responsibility for the organizational and operational development, direction and coordination of their fields of action". Based on the above, it argues that it is not independently responsible for processing, that the responsible for processing is exclusively New Democracy, which, as a party, determines the purposes and means of processing, nor is it the processor, but an internal organ of the party. He states that due to his position as a party Organ, he had legal access to the data of the electoral rolls and therefore cannot be considered a third party in terms of the data contained in them. On the contrary, always in terms of his position, he is considered a person who, under the direct supervision of the ND, as data controller, was authorized to process the personal data contained in the electoral rolls. 29 With reference to the use of the WhatsApp application, he emphasizes again that communication with third parties is considered personal communication as long as it is not done through the party's domains (e-mail to @nd.gr). However, his communication, through the WhatsApp application, regarding the electoral rolls, was only made with party Organs. . Therefore, neither of them is considered a third party and the communication is considered completely internal, where according to the Privacy Policy of New Democracy no framework or limitation is defined in the way of communication. For this reason, he was not impressed when they were sent via WhatsApp by the relevant party executive, but neither did Mrs. Asimakopoulou express any reservations regarding the way of communication with him. Regarding the receipt of the electoral rolls, Mr. Theodoropoulos states that he had indeed requested, as he should have, from the "competent party executive" the Electoral Rolls of the Emigrants in order for the Emigrants' Secretariat of the Party to analyze the election result ex post facto (a more specific form of political communication). He received the special electoral lists on 23 June 17.05 pm, a few hours before the polls abroad opened (24 June 00.00 Greek time) and while there was already a legal ban on political communication. The electoral rolls were sent to him, as an excel file, and after the elections were over and the results were published, only gender, age and city were used by the Diaspora Secretariat, in order for New Democracy to know how the citizens voted according to above comparative data because exit polls are not carried out abroad on the day of the elections and therefore it would be impossible to draw substantial political conclusions, in a historic but also unprecedented democratic process. The memorandum provides the message through which Mr. Theodoropoulos received the relevant excel, from a Greek mobile phone number, of which he has hidden 5 of the last 6 digits, while the penultimate and small parts of some other digits are visible. Mr. Theodoropoulos claims that the obvious penultimate digit does not correspond, as far as he knows, to associates of the former Secretary General of the Ministry of the Interior, to whom the special electoral rolls were distributed by the Directorate of Elections, according to the 26/4/2024 Press Release of the Ministry of the Interior. Regarding the transmission of the above file to Ms. Asimakopoulou, Mr. Theodoropoulos states the following: In the context of the promotion of postal voting among expatriate Greeks, both New Democracy, and in particular the Secretariat of Expatriates, had planned political actions in countries and cities abroad with a strong 30 Greek element, in order to organize events, with the aim of informing and activating the emigrant Greeks regarding the Postal Vote. Besides, Secretary Apodimon had organized other similar events with government and party officials without using any element of the electoral rolls, even though they were in his possession since 6/23/2023. At the same time, in the context of the political choice of the ND for the promotion of postal voting, Ms. Anna Michel Asimakopoulou, as press representative of the New Democracy Eurogroup (i.e. as a party organ, since the press representative of the Eurogroup is appointed directly by decision of the president of of the party, i.e. it is a party organ), decided on her own initiative to assist in this effort. In the context of the campaign to promote postal voting among expatriate Greeks, Mrs. Asimakopoulou approached Mr. Theodoropoulos and asked him to meet and exchange views on the matter on 1/20/2023. As the late Secretary Apodimon emphasizes, the purpose of the meeting was the political communication of the Party, as specifically provided for in the General Privacy Policy, to promote the postal vote, which would be voted a few days later. At the meeting, Mrs. Asimakopoulos asked him for the special electoral lists, in order to draw political conclusions, based on demographic data of foreign voters, in order to promote postal voting and in this context, Mr. Theodoropoulos provided her with the special electoral lists , a few hours later. He points out that he could not have imagined that the lists in question would be the subject of another processing beyond the purpose that Ms. Asimakopoulou had mentioned to him, given her excellent knowledge of the GDPR, but also that he could not refuse because of the her institutional role (Press Representative of the ND Eurogroup in the European Parliament), as the legislation explicitly states that the representatives of the Parties in the Parliament and in the European Parliament can have access to the electoral rolls, while Ms. Asimakopoulou had repeatedly received institutional (in a non-electoral period) the electoral rolls from the Ministry of the Interior as stated before the Authority on 29/4/2024. Finally, Mr. Theodoropoulos claims that they were never concerned about the existence of e-mail addresses in the special foreign electoral rolls since it was the first time that e-mails were included in electoral rolls, based on article 3 of Law 4648/2019, which in par. 2 simply defined a reservation without a more specific provision (in contrast to the express prohibition that is now included in article 7 par. 2 of L.5083/2024 for postal voting) 31 therefore, the issue of e-mails to electoral lists, for the party Organs it was something unprecedented. He states that as New Democracy, but also personally, he was not interested in looking for any personal contact details of the persons (e.g. declared address of residence), as there was no intention for the ND to proceed with direct political communication with them, not even through postal delivery since something such is allowed only in the pre-election period and the purpose of their use in this case was the analysis of the election results. In addition, Mr. Theodoropoulos with no. prot. C/EIS/4499/22-05-2024 document presented his affidavit as to the method of access to the electoral rolls. New Democracy, with its memorandum G/EIS/4191/13-05-2024 refers verbatim to its opinion document dated 29/3/2024, highlighting in particular the provisions of its Statute and the party's published Personal Data Processing Policy and clarifying that the technical measures it applies exclude the registration and maintenance of a file in the party's database, by any Secretary. Those referred to as recipients of data (in Article 43) do not keep a record of members, but can only, for the exercise of the duties of their field, receive, upon request to the IT Directorate, as the only responsible for keeping, processing and transmitting members' data, either the membership record as a whole or part of it for a specific purpose. ND emphatically separates the concept of members from that of party officials and emphasizes that the IT Department sent, following a telephone conversation (22/1/2024) between Mr. S, from the IT Department of ND, and the office associate of Mrs. Asimakopoulou, on the same day file of foreign party officials and referred it to the Diaspora Secretariat, which also keeps a file of foreign officials, for possible updates of these details, with which the Diaspora Secretary from his position had an administrative or other functional relationship . With reference to the file received by Mr. Theodoropoulos via WhatsApp on 23/6/2023, the ND claims that it was circulated without the party's knowledge and without the slightest involvement of the party and that after his resignation he was not asked by the party to delete it or destruction of personal data files, as it was not known what this file contained and in order not to hinder the investigation of the competent Authorities. With regard to the existence of an incident of violation, the ND argues that no such incident occurred, on the one hand because the details of the foreign party officials are already 32 publicly available on the internet, therefore their right or freedom was not endangered, while moreover according to the Data Processing Policy of the party, the resigned Secretary must have stopped using them, on the other hand because the list of emigrants circulated via WhatsApp that were processed by the MEP and the former Secretary, were never available to the ND, nor would it could be in a state of full and indisputable knowledge of the risk in which the subjects may be, so that an obligation to notify the Authority is established. Besides, as he states, it was not objectively possible to correlate the two files (party officials abroad and list of emigrants) nor did the party have all the critical information for the purpose of investigating the incident. Michalis Stavrianoudakis, with his memorandum G/EIS/4203/13-05-2024, recalls the responsibilities of the General Secretariat of which he was head, in the context of which he cooperated with other departments of the Ministry regarding issues of an electoral nature, stressing that since it was deemed necessary to receive legal processing by the competent bodies for specific purposes, such as e.g. for the determination of polling stations and the dispatch of electoral material, aggregated and statistical electoral data, without personal data of electoral rolls, to which the Directorate of Elections had exclusive authority to access. Finally, he repeats that he himself never had in his possession files, namely telephone and e-mail details of Greek voters, nor did he ever order them to be forwarded in violation, therefore he is unaware if there was ever an improper transmission of voter lists. The Ministry of the Interior, with memorandum G/EIS/4190/13-05-2024 states, among other things, the following: The critical transmission of the details of voters registered in the 2023 electoral rolls (including email addresses) was carried out by Mr. Theodoropoulos who sent them to MEP Ms. Asimakopoulou. There is no element of the case file that links, in a circle of persons, the investigated processing with the Ministry of the Interior, nor is there any relevant proof of illegal transmission of the personal data in question by a representative of the Ministry outside of it. According to the above, the Ministry of the Interior had only carried out the necessary legal processing of the voters' data for the purposes of 33 informing them. From the data so far, it has not been proven that a specific person, who acted under the supervision of the Ministry of the Interior, is connected with the processing in question. From the possible handling of critical data by third parties, the responsibility of the Ministry for breach of the obligations with which it is burdened as a data controller cannot be established without a third party. In other words, the violation of the relevant legislation cannot be attributed to the Ministry of the Interior as the controller, since the e-mails have not been proven to date to have reached the MEP from the Ministry of the Interior. In any case, even if the responsibility of the Ministry could be considered to exist, it is nevertheless significantly mitigated due to the fact that the Ministry, as data controller, had taken all necessary measures in order to prevent accidental or illegal destruction, loss, alteration, unauthorized disclosure or access to critical personal data. Also, it is necessary to mention that from the first moment the issue arose: a) The Ministry of the Interior notified the Authority of a possible personal data breach on 18/3/2024 through the Authority's platform, within 72 hours of the relevant publication to the media, b) The Ministry of the Interior cooperated fully and effectively with the Authority and its levels that investigated the case, c) The Ministry of the Interior provided answers to all questions - requests of the data subjects on the basis of Article 15 of the GDPR and up to today, 125 requests have been granted and in particular the subjects have been granted access to their data on the condition of prior identification of the subjects. The platform for expatriate voters has been activated for their direct access to the data held by the Data Controller pursuant to the electoral legislation and the interested parties have already been informed in writing by the Ministry of the Interior about this possibility. Also, during the formation of the Authority's judgment on the imposition or not and at what level of any administrative sanction, it is necessary to also take into account the security measures that were in force at the time that preceded the critical processing / handling of the personal data of Greek voters of foreign: The Ministry of the Interior had commissioned the preparation of a security study of the system to the contractor company Singular Logic. Among other things, the use of network equipment offered by the Unified Government Cloud "G-Cloud" of the General Secretariat of Information Systems was foreseen. A security study had been prepared for the 34 Integrated Electoral Support System (OSYED). The security plan used was based on the international standard ISO/IEC27001. The Department of Elections carried out the control of the applications of foreign voters only on the platform of the Electronic Government Directorate (OSYED). No unauthorized user could enter this system. In addition, it is stated that during the period preceding the May-June 2023 elections, security checks were carried out on the system both by the National Intelligence Service and by the Cyber Defense Directorate of the General Staff of the National Defense. Also, in accordance with the legislation (Article 3 par. 2 of Law 4648/2019), the copies of electoral rolls given to MPs did not contain e-mail addresses and telephone numbers of foreign residents. From the above, it can be concluded that the Ministry of the Interior showed due diligence and, complying with its obligations, took all necessary technical and organizational measures. In any case, in all systems the technical and organizational measures are subject to continuous improvement and the Ministry of the Interior takes into account both the observations of the Ministry of Internal Affairs and the suggestions of the Authority while making efforts to continuously improve and strengthen the measures in question. However, it is necessary to mention that in this specific case the critical movement of the data is not attributed nor proved to be due to the weakness of the security policy and the measures to protect the systems of the Ministry of the Interior. On the contrary, the human factor seems to have played a leading and even exclusive role. The Ministry of the Interior has procedures in place to deal with and manage alleged incidents of infringement as quickly as possible. In this context and with a view to effectively safeguarding the rights of the subjects, an investigation was ordered by the leadership of the Ministry the very next day after the complaints in question were made public. In particular, a. The next working day, after the first complaints, it was ordered by joint decision 350/4.3.2024 of the Minister and the Deputy Minister of the Interior to carry out an internal audit to confirm the adequacy and security of personal/personal data protection procedures in relation to the 2023 electoral rolls and beyond, b. The audit was completed after a thorough investigation (examined a large number of employees (28) and collected evidence), which was completed in a short period of 35 (45 days) and demonstrated a competent level of safety. Additionally, proposals for improving the security level are formulated, after taking into account the observations of the Ministry of Foreign Affairs and the recommendations of the Authority. c. In addition, it is noted that the conclusion (submitted on 26.4.2024 with the NTPA 425 document of the Head of the Directorate of the Internal Audit Unit) results in recommendations for conducting an EDE, which was ordered on the same day, i.e. from 26.4.2024 (Joint Decision of the Minister of the Interior) and Deputy Minister of the Interior 109/26.4.2024 - Appendix 1). d. With the 451/19.3.2024 written order of the Minister of the Interior (Appendix 2), the premises of the offices of the former General Secretary of the Interior Michalis Stavrianoudakis were sealed by taking all the necessary security and protective measures (locking of offices and computers, deactivation, removal of codes) for the electronic and paper files of the Office so that the Authority can carry out its investigation uninterruptedly and that the results of the conducted investigation are not jeopardized by ensuring all the guarantees of undisturbed and undisturbed conduct of the relevant controls. e. With the NPT PROT: 110/26.4.2024 joint decision of the Minister of the Interior and the Deputy Minister of the Interior (Appendix 3) to the Service Secretary of the Ministry, it was decided to implement expertise in order to examine the existing security policies and to outline proposals for the further improvement of security systems and personal data protection procedures related to the electoral process. The purpose is to introduce actions to further strengthen the procedures with an emphasis on the Directorate of Elections, as well as to optimize, where necessary, the special incident handling policies to comply with the procedures (recording the current situation in terms of the regulatory framework on personal data protection ("Gap analysis"), implementation of a study for the formulation of proposals regarding any findings that will emerge from the Deviation Assessment ("Roadmap") and the optimization of existing procedures (file of processing activities, personal data protection policies, policies websites, cookie program policies, information systems security policies)). f. By order of the Minister of the Interior, mandatory training was requested for all employees of the Ministry of the Interior in matters of personal data protection in cooperation with the EKDDA and the Ministry of the Interior. In particular, with the from 36
700/1.5.2024 document of the Minister of the Interior (Appendix 4) to the Vice-President of the EKKDA, it is requested in the context of the optimization of the information, training and awareness of officials of the Ministry of the Interior on issues related to the implementation of the General Regulation on the Protection of Personal Data, to proceed with the planning and the implementation of new specialized seminars in collaboration with the Institute of Education (INEP) of EKDDA, as well as the Data Protection Officer of the Ministry of the Interior. The Authority, after examining the elements of the file and after hearing the rapporteurs and the clarifications from the assistant rapporteurs, after a thorough discussion, DECIDED IN ACCORDANCE WITH THE LAW A APPLICABLE PROVISIONS 1. From the provisions of articles 51 and 55 GDPR and article 9 of Law 4624/2019 (Government Gazette A΄ 137) it follows that the Authority has the authority to supervise the implementation of the provisions of the General Regulation (EU) 2016/679 for the protection of natural persons against the processing of personal data (hereinafter GDPR), of this law and other regulations concerning the protection of the individual from the processing of personal data. In particular, from the provisions of articles 57 par. 1 item a', f' and h' of the GDPR and 13 par. 1 item g΄ and h' of Law 4624/2019 it follows that the Authority has the authority to deal with the complaints that have been submitted to the Authority for illegal processing of personal data, to control ex officio the possible leakage of personal data and to exercise, respectively, the powers granted to it from the provisions of articles 58 of the GDPR and 15 of law 4624/2019. 2. As "processing" of personal data in accordance with article 4 no. 2) GDPR means any act or series of acts carried out with or without the use of automated means, on personal data or sets of personal data, such as the collection, registration, organization, structuring, storage, adaptation or alteration, retrieval, information retrieval, use, disclosure by transmission, dissemination or any other form of disposal, association or combination, restriction, deletion or destruction. 37 3. As a "processor", according to article 4 no. 7) GDPR is defined as the natural or legal person, public authority, agency or other entity that, alone or jointly with others, determines the purposes and manner of processing personal data; when the purposes and manner of such processing are determined by the law of the Union or the law of a Member State, the controller or the specific criteria for his appointment may be provided by the law of the Union or the law of a Member State, as a "processor" (art. 4 no. 8 GDPR ) the natural or legal person, public authority, agency or other body that processes personal data on behalf of the data controller, while "third party" (art. 4 no. 10) GDPR) means any natural or legal person, public authority, agency or body, with the exception of the data subject, the controller, the processor and the persons who, under the direct supervision of the controller or the processor, are authorized to process the personal data. Furthermore, according to Article 29 GDPR "The processor and any person acting under the supervision of the controller or the processor, who has access to personal data, processes said data only on the instructions of the controller processing, unless required to do so by the law of the Union or the Member State". Consequently, in case of processing of personal data by a natural person on behalf of the data controller, i.e. in the exercise of his duties within the framework of the activities and intended purposes of the data controller, the actions of the natural person are attributed to the legal entity. As pointed out in the GDPR Guidelines 07/2020 on the concepts of controller and processor in the GDPR - Version 2.0 (July 7, 2021)2 "In principle, any processing of personal data carried out by employees in the field of activities of a organization can be considered to be carried out under the control of that organization (since employees who have access to personal data within an organization are not generally considered "controllers" or "processors" but "persons acting under supervision of the data controller or processor" within the meaning of Article 29 of the GDPR). In exceptional circumstances, however, an employee may -gdpr_en 38 to decide to use personal data for the same purposes and, therefore, to illegally exceed the powers assigned to him. (e.g. to establish his own company or for a similar purpose). Consequently, as a controller the organization has a duty to ensure that appropriate technical and organizational measures are in place, including training and information for employees, which will ensure compliance with the GDPR." (§19). In the same text of the Guidelines of the GDPR, the following is also clarified: "In practice, the processing of personal data in which several actors participate can be divided into several smaller processing activities for which it could be considered that each actor determines the purpose and method of processing independently. Moreover, a sequence or series of processing operations involving several actors may also be carried out for the same purpose(s), in which case it is possible that the processing involves one or more joint controllers. In other words, at the 'micro level' it is possible for the various individual processing operations to appear disconnected from one another, giving the impression that each individual operation may serve a different purpose. However, it is necessary to scrutinize whether at the "macro level" the processing operations in question should not be considered as a "series of operations" for the pursuit of a common purpose using jointly defined means. (§43). Anyone who decides to process data must consider whether that processing involves personal data and, if so, what obligations they have under the GDPR. An actor is considered a “controller” even if it does not intentionally target the personal data per se or has wrongly considered that it does not process personal data” (§44). Finally, the EDPS clarified that the ability to access the filing system does not constitute a condition for performance of the status of data controller, nor certainly the "possession" of the filing system or supervision over it, as long as he himself determines the purpose of processing even in "extraneous" files: "The controller does not need to actually have access to the data being processed. Anyone who outsources processing activities to an external provider exercising critical influence on the purpose and (substantial) means of processing (e.g. adjusting parameters of the service in such a way as to exercise influence on the choice of persons whose personal data is subject being processed) is considered 39 a controller, even if he has no actual access to the data” (§45). As, after all, it has been decided by the CJEU, any natural or legal person who affects for his own purposes the processing of personal data and participates in this way in determining the objectives and the method of processing can be considered as a data controller3 . The legislator of the Union did not make a distinction between natural and legal persons, for the determination of liability under the GDPR, since this liability depends only on the condition that the persons in question, alone or jointly with others, determine the purposes and the way of processing personal data. Therefore, any person who fulfills this condition, - regardless of whether it is a natural or legal person, a public authority, agency or other body - is responsible, among other things, for any violation referred to in article 83 paragraph 4 and 6, which is committed by itself or on its behalf, while the imposition of a sanction on a legal person as a data controller does not depend on the previous finding that the violation was committed by an identified natural person. 4 As decided by the CJEU, for the exemption of the controller of a legal entity from liability for compensation under Article 82 GDPR, it is not sufficient to claim that the disputed damage was caused by an error of a person acting under his supervision, within the meaning of Article 29 of the GDPR. In particular, Article 32 para. 4 GDPR, regarding the security of processing, provides that the controller takes measures to ensure that any natural person acting under his supervision and who has access to such data only processes it on his instructions controller, unless required to do so by Union or Member State law. Since the employees of the legal person's controller act under its supervision, it is up to that controller to ensure that its instructions are properly implemented by them and therefore, the legal person cannot be relieved of its responsibility simply by showing negligence or an employee's omission.5 Moreover, the Authority has also accepted that a natural person – an employee of the data controller – can be considered a data controller, if he uses data for his own purposes outside the scope and potential control of the activities of the legal entity.6 3 See CJEU judgment C‑25/17 (paragraph 68). 4 See CJEU judgment C‑807/21 (paragraphs 38-51). 5 See ECJ decision C-741/21 (paragraphs 44 – 54). 6 See APDPH decision 54/2021 (paragraphs 4-6), published on the website of the Authority. 40 4. Political parties are associations of persons, which, according to par. 6 of article 29 of Law 3023/2002, acquire legal personality upon their establishment for the fulfillment of their constitutional mission. 5. Article 5 para. 1 of the GDPR sets out the principles that must govern a processing. According to par. 1 a), d) and f) of this article, "1. Personal data: a) are processed lawfully and legitimately in a transparent manner in relation to the data subject ("legality, objectivity and transparency"), b) are collected for specified, explicit and lawful purposes and are not further processed against in a manner incompatible with those purposes; further processing for archiving purposes in the public interest or for scientific or historical research or statistical purposes shall not be deemed incompatible with the original purposes pursuant to Article 89(1) ("purpose limitation"), [...] ] f) are processed in a way that guarantees the appropriate security of personal data, including their protection against unauthorized or illegal processing and accidental loss, destruction or damage, using appropriate technical or organizational measures ("integrity and confidentiality »)». According to Rationale 39 of the GDPR "Any processing of personal data should be lawful and fair. It should be clear to natural persons that personal data concerning them is collected, used, taken into account or otherwise processed, as well as to what extent the personal data is or will be processed. […] Personal data should be processed in a way that ensures the appropriate protection and confidentiality of personal data, including to prevent any unauthorized access to such personal data (…)”. Furthermore, according to the principle of accountability which is expressly defined in the second paragraph of the same article and constitutes a cornerstone of the GDPR, the data controller "bears the responsibility and is able to demonstrate compliance with paragraph 1 ("accountability")". This principle entails the obligation of the controller to be able to demonstrate compliance with the principles of art. 5 par. 1. 41 6. As has been firmly accepted by the GDPR7, the principles of objectivity, legality and transparency of the processing, enshrined in article 5 par. 1 f. a) of the GDPR, are three distinct but inherently connected and interdependent principles, which every controller must respect when processing personal data. The link between the three principles is evident from a number of recitals (39, 42, 60, 71) and provisions (Articles 6 para. 2, 6 para. 3 b), 13 para. 2, 14 para. 2 and 40 par. 2 item a') of the GDPR. Objectivity is a fundamental principle according to which personal data should not be processed in a way that is unreasonably harmful, unfairly discriminatory or unpredictable or misleading to the data subject. Among other things, this principle includes the recognition of the legitimate expectations of the data subjects with regard to possible negative consequences that the processing may bring to them and the examination of the relationship and the possible effects of the disparity between them and the controller. In particular, some personal data are expected to remain private or to be processed only in certain ways and their processing should not cause surprise to the data subject.8 Further processing is lawful (principle of legality) only if and as long as is based on one of the legal bases referred to in article 6 par. 1 GDPR. With reference, in particular, to the legal basis of the overriding legal interest (article 6 par. 1. f) GDPR), in Reason 47 of the Regulation the following is highlighted: "The legitimate interests of the data controller, including those of a data controller to whom the personal or third party data may be disclosed, may provide the legal basis for the processing, provided that they do not override the 7 See In particular a) ESPD Guidelines 4/2019 in accordance with Article 25 - Data Protection already by design and by definition, §69, b) ESPD Guidelines 2/2019 for the processing of personal data in accordance with Article 6 paragraph 1 point b) of the GDPR in the context of the provision of online services to data subjects (EDPB Guidelines 2/2019) §12 and c) Binding Decision EDPB 2/2023 (EDPB Binding Decision 2/2023), §99-107. 8 See EDPB Binding Decision 5/2022 §148: “The EDPB recalls that, in data protection law, the concept of fairness stems from the EU Charter. The EDPB has already provided some elements as to the meaning and effect of the principle of fairness in the context of processing personal data. […]Among the key fairness elements that controllers should consider in this regard, the EDPB mentions autonomy of the data subjects, data subjects’ expectation, power balance, avoidance of deception, ethical and truthful processing. […] The principle of fairness under Article 5(1)(a) GDPR underpins the entire data protection framework and seeks to address power asymmetries between controllers and data subjects in order to cancel out the negative effects of such asymmetries and ensure the effective exercise of data subjects' rights." 42 interests or the fundamental rights and freedoms of the data subject, taking into account the legitimate expectations of the data subjects based on their relationship with the controller. Such a legitimate interest could, for example, exist where there is a relevant and appropriate relationship between the data subject and the controller, such as if the data subject is a customer of the controller or is in its service. In any case, the existence of a legitimate interest would need a careful assessment, including whether the data subject, at the time and in the context of the collection of the personal data, can reasonably expect that for this purpose it can be carried out processing. In particular, the interests and fundamental rights of the data subject could prevail over the interests of the controller, when personal data are processed in cases where the data subject does not reasonably expect further processing of his data.' Furthermore, with paragraph 4 of Article 6 GDPR, it is defined that the processing of personal data for purposes other than those for which the personal data were originally collected is only allowed if the processing is compatible with the purposes of the initial collection, taking into account the criteria referred to in this provision and in particular, the context in which they have collected the data and the reasonable expectations of the data subject based on his relationship with the controller in terms of their further use. At the same time, Reasonable Opinion 50 of the GDPR makes it clear that the fulfillment of all the legality requirements of the initial processing is a necessary condition that must be checked by the controller before examining the compatibility of the further purpose of processing with the original9. Regarding compliance with the principle of transparency, Articles 13 and 14 GDPR specifically define the information that must be provided to the data subject by the data controller, both in the case that the data is collected from the data subject (Article 13) and in the case that the data have not been collected from the subject (Article 14). According to article 14 par. 1 and 2 GDPR, "1. When the personal data have not been collected from the data subject, the controller shall provide the data subject with 9 "To ascertain whether the purpose of the further processing is compatible with the purpose of the initial collection of the personal data, the controller, if meets all the requirements for the legality of the initial processing, it should take into account, among other things ... " (App. Sec. 50 GDPR) 43 given the following information: a) the identity and contact details of the data controller and, where applicable , of the controller's representative, b) the contact details of the data protection officer, as the case may be, c) the purposes of the processing for which the personal data are intended, as well as the legal basis for the processing, d) the relevant categories of data of a personal nature, e) the recipients or categories of recipients of the personal data, possibly (…). 2. In addition to the information referred to in paragraph 1, the data controller shall provide the data subject with the following information necessary to ensure fair and transparent processing with regard to the data subject: a) the period for which it will be stored the personal data or, when this is impossible, the criteria determining the period in question, b) if the processing is based on Article 6 paragraph 1 letter f), the legitimate interests pursued by the controller or by a third party, c ) the existence of the right to submit a request to the data controller for access and correction or deletion of personal data or restriction of processing concerning the data subject and the right to object to the processing, as well as the right to data portability, (…), e) the right to submit a complaint to a supervisory authority, f) the source from which the personal data originates and, depending on the case, if the data originated from sources to which the public has access,(…)”. According to paragraph 3 of the same article "The data controller shall provide the information referred to in paragraphs 1 and 2: a) within a reasonable period of time from the collection of the personal data, but at the latest within one month, taking into account the special circumstances under in which the personal data are processed, b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication with said data subject, or c) if disclosure to another recipient, at the latest when the personal data is disclosed for the first time". Furthermore, according to paragraph 4 of the same article, "When the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller should provide the data subject , before said further 44 processing, information for this purpose and any other necessary information, as referred to in paragraph 2". 7. The controller must facilitate the exercise of the data subjects' rights provided for in articles 15 to 22 (article 12 par. 2 GDPR), which include the right of access pursuant to article 15 GDPR and the right of access pursuant to article 17 GDPR right to erasure, under the conditions mentioned there, as well as to act in any case at the request of the subject based on articles 15-22 GDPR, informing the subject within one month of submitting the request (article 12 par. 3 GDPR), while if has reasonable doubts about the identity of the natural person making the request in accordance with Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject (Article 12 para. 6 GDPR). According to paragraph 3 of Article 15 of the GDPR "The data controller shall provide a copy of the personal data being processed. For additional copies that may be requested by the data subject, the controller may charge a reasonable fee for administrative costs. If the data subject submits the request by electronic means and unless the data subject requests otherwise, the information shall be provided in a commonly used electronic format.' 8. According to article 30 par. 1, 3 and 4 GDPR "1. Each data controller and, where applicable, its representative, shall keep a record of the processing activities for which it is responsible. This file shall include all of the following information: a) the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer, b) the purposes of the processing, c) description of the categories of data subjects and the categories of personal data, d) the categories of recipients to whom the personal data is to be disclosed or has been disclosed, including recipients in third countries or international organizations, e) where applicable, the transmissions of personal data to a third country or international organization, including the identification of said third country or international organization and, in the case of transfers referred to in Article 49 paragraph 1 45 second subparagraph, the documentation of the appropriate guarantees, f) where possible, the prescribed deadlines for the deletion of the various categories of data, g) where possible, a general description of the technical and organizational security measures referred to in Article 32 paragraph 1. 3. The records referred to in paragraphs 1 and 2 exist in writing, including in electronic form . 4. The controller or the processor and, where applicable, the representative of the controller or the processor shall make the file available to the supervisory authority upon request.' 9. In accordance with the provisions of paragraphs 1 and 2 of article 32 of the GDPR regarding the security of processing, "1. Taking into account the latest developments, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the risks of different probability of occurrence and severity for the rights and freedoms of natural persons, the controller and the executor the processing implement appropriate technical and organizational measures in order to ensure the appropriate level of security against risks, […] 2. When assessing the appropriate level of security, particular account is taken of the risks deriving from the processing, in particular from accidental or illegal destruction, loss , alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed". Also, according to article 25, par. 1 "Taking into account the latest developments, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the risks of different probability of occurrence and severity for the rights and the freedoms of natural persons from processing, the controller effectively implements, both at the time of determining the means of processing and at the time of processing, appropriate technical and organizational measures, such as pseudonymization, designed to implement data protection principles , such as the minimization of data, and the incorporation of the necessary safeguards in the processing in such a way as to meet the requirements of this Regulation and to protect the rights of data subjects." Furthermore, the provision of article 24 paragraph 1 of the GDPR states the following: "1. Taking into account the nature, scope, context and purposes of the processing, as well as the risks of different probability of occurrence and severity to the rights and freedoms of natural persons, the controller applies appropriate 46 technical and organizational measures in order to ensure and to be able to prove that the processing is carried out in accordance with this regulation. These measures are reviewed and updated when deemed necessary." 10. Political communication means the communication carried out by political parties, MPs, MEPs, factions and holders of elected positions in local government or candidates in parliamentary elections, European Parliament elections and local government elections in any period of time, pre-election or not , to promote political ideas, action programs or other activities with the aim of supporting them and shaping political behaviour. Following the decisions under no. 1343-5/2022 of the Council of State, by which it was decided that the activity of political communication, as not having the purpose of commercial promotion, does not fall under Law 3471/2006, the Authority reviewed, within the framework of its competence, the issues of legality arising in relation to political communication in order to determine the framework of the legal processing of personal data for this purpose based on the provisions of the GDPR, and with Decision 9/202310 decided to issue Guidelines 1/2023 for the processing of personal data data for the purpose of communication of a political nature. These Guidelines (hereinafter referred to as "CG 1/2023") clarify, among other things, the following: According to the democratic principle, the activity of political communication is protected by the Constitution, in particular in the context of the general right to participate in political life of the country (article 5 par. 1 Comp.), the right of citizens to information (article 5A par. 1 Comp.), and the fulfillment of the constitutional mission of political parties (article 29 par. 1 Comp.). However, when methods are used that require or consist in the processing of personal data, such as names, postal addresses, telephone numbers, e-mail addresses of natural persons, etc., the political communication is required to be made in a way to ensure respect for Article 9A Comp. . and the national and European legislation on the protection of personal data (ad hoc ΣΕ 1343-5/2022, sc. 14). In the above cases, the bodies and persons who carry out political communication become data controllers, in accordance with the definition of article 4 par. 7 of the GDPR, to the extent of 10 Available at the link https://www.dpa.gr/sites/ default/files/2023-04/9_2023%20- %20anonym_0.pdf 47 which define the purpose and manner of processing personal data. For example, when the Member of Parliament or candidate for Member of Parliament receives data from the political party to which he is a member and processes it for his personal political communication, he himself becomes a data controller. In this capacity, in accordance with the fundamental principle of accountability in the GDPR (Article 5 para. 2), the above persons must be able to demonstrate compliance with the basic principles of data processing, as provided for in Article 5 para. 1 GDPR . With regard to the legal basis for processing personal data in the case of political communication, with CG 1/2023 it was clarified that said processing can be based either on the prior consent of the data subjects (article 6, par. 1, section a GDPR ) or in an overriding legal interest that arises from time to time (article 6 par. 1, section f GDPR). In particular, political communication can be based on the legal basis of the controller's overriding legitimate interest, as long as it is shown that the processing is necessary to satisfy the controller's legitimate interest in promoting its political positions, and this interest is not overridden the interest or the fundamental rights and freedoms of the subjects, taking into account their legitimate expectations based on their relationship with the controller (See Ref. Sec. 47 GDPR). The processing of personal data for the purpose of political communication is also permitted under Article 6 para. 4 GDPR, as long as the purpose of the political communication is deemed to be compatible with the purposes for which the personal data was originally collected by the data controller. In order to ascertain whether the purpose of the communication policy is compatible with the purpose of the initial collection of the personal data, provided that all the requirements for the lawfulness of the initial processing are met, the controller must take into account, inter alia: Any relationship between initial purposes and the purposes of the intended further processing; the context in which the personal data have been collected, in particular the reasonable expectations of the data subject based on his relationship with the controller regarding their further use; the nature of the data of a personal nature; the consequences of the intended further processing for the data subjects; 48 and the existence of appropriate guarantees for both the initial and intended acts of further processing (See Petition Sec. 50 GDPR). With the CG 1/2023 it is also pointed out that in case of data collection for use for the purpose of political communication with a legal basis the overriding legitimate interest (Article 6 par. 1 GDPR), in accordance with the principle of accountability according to Article 5 par 2 GDPR, the data controller must be able to adequately document the weighting, which he must have carried out before the start of the processing, and based on which he assessed that the interest or the fundamental rights do not prevail over his interests and the freedoms of subjects - recipients of political communication. Likewise, in the case of further use of the data for the purpose of political communication, the data controller must be able to document the compliance of the criteria of paragraph 4 of Article 6 GDPR for the compatibility of the purpose. CG 1/2023 lists indicative examples of cases in which personal data may not be used for the purpose of political communication, as well as cases in which, based on an assessment of the specific circumstances, the legality of personal data processing can be documented for the purpose of political communication. From the examples of these last cases it follows that the collection of the data from a legal source is in any case a necessary condition for legitimate processing. Finally, with CG 1/2023, the information that must be provided in every electronic communication for the purpose of political communication is recalled, including the source from which the subject's contact information has been collected, as long as it is not the same the subject (article 14 par. 2 f), while it is emphasized that in the event of exercising the right to object, the controller must in principle no longer submit the subject's data to processing for the purpose of political communication (article 21 par. 1 sec. b GDPR). 11. With reference to the distribution of electoral roll data to parties and candidates, article 23 of the P.D. 26/2012 defines the following: "1. One (1) complete set of electoral rolls in digital media free of charge, as well as one (1) set of copies of publications of the Ministry of the Interior of electoral content are entitled to the parties represented in the Parliament or the European Parliament. Also, the above items are entitled during the pre-election period to the recognized parties, in accordance with the Regulation of the Parliament, as well as those that draw up combinations in 2/3 of the 49 electoral districts of the State, basic and non-domiciled. 2. Copies of electoral rolls can be made available during the pre-election period upon payment of a fee in favor of the State, set by the Minister of the Interior to MPs, MEPs, candidates for MPs or candidates in the regional and municipal and community elections, and only for electoral districts, the regions or municipalities where they have been elected, as it appears based on the relevant decisions declaring them or they will be candidates according to their written declaration. 3. Beneficiaries must destroy the electronic media, which contain the electoral rolls within three months of the completion of the electoral contests according to their written declaration. 4. The terms and conditions for making electoral rolls and other publications available to other persons and entities are determined by a decision of the Minister of the Interior. 5. The above information is available to the beneficiaries only in electronic media, is not transferred to them electronically and is used only by the person to whom it is granted exclusively for electoral use. 6. Granting to anyone else or their use by anyone else or for non-electoral purposes is prohibited. 7. Offenders are punished with the penalties of paragraph 4 of article 117." It follows from the above provisions that the beneficiaries of electronic copies of the electoral rolls are, among others, the parties represented in the Parliament or the European Parliament, as well as the MEPs only during the pre-election period, that the electoral rolls may only be granted in a storage medium ( CD) while their electronic circulation in any other way is prohibited, and finally that each beneficiary must destroy the electronic media containing the electoral rolls within three months of the election. 12. Furthermore, in accordance with paragraph 9 of article 3 of Law 4648/20019 ("Facilitation of the exercise of the right to vote by voters who are outside the Greek Territory and amendment of the electoral procedure", Official Gazette A' 205/16.12.2019), the Directorate of Elections of the Ministry of the Interior compiles and maintains the special foreign electoral rolls. Article 3 of Law 4648/2019 defines the content of the special foreign electoral rolls as follows: "1. The special foreign electoral rolls drawn up are entitled "Special Foreign Electoral Roll" and contain the following: a) the serial number, b) the Special Electoral Number, c) the surname, d) the first name, e) the name of father, f) the name of the mother, g) the name of the husband and the surname of the father (if it is a married woman bearing the surname of the husband), h) the date and time of birth, i) the basic electoral roll (basic electoral district) where he is registered (prefecture, municipality, electoral district), j) the full address of residence, k) the e-mail address, l) the contact numbers", while according to par. 2 of the same article "2. The provisions of article 23 of the p.d. 26/2012 are applied accordingly for the special foreign electoral rolls, subject to items k) and l) of the above paragraph". It is clear from the above provisions that electronic communication details (e-mail address and contact telephone number) are excluded from the distribution of the electoral rolls to the beneficiaries of article 23 of the P.D. 26/2012. The registration of non-Greek voters in the special foreign electoral rolls is done through a special application that operates on the website of the Ministry of the Interior under the responsibility of the Ministry, to which access is made using the login credentials to AADE applications, in accordance with the provisions of article 4 par. 1 and 2 of Law 4648/2019. The procedures for registration, change and suspension or deletion of the application for registration in the special foreign electoral rolls are determined by a Ministerial Decision under the authority of par. 7 of article 4, while in accordance with article 5 of the same law, the Ministry of the Interior updates the lists in question based on any changes to the voters and incorporates the confirmed registration applications and any changes thereto in the next revision of the basic electoral rolls. Paragraph 6 of article 2 of Law 4648/2019, as it was in force until its repeal by article 1 paragraph 4 of Law 5044/2023 (Government Gazette A 135/28.7.2023) provided for the establishment of a Special Inter-Party Committee for the examination of voter objections on rejection decisions for registration in the electoral rolls as follows: "By decision of the Minister of the Interior, which is published in the Government Gazette, a Special Inter-Party Committee is established, in which the above Minister or the person appointed by him, as Chairman, participates, and a representative of each party or coalition represented in the Parliament or represented in the dissolved Parliament. All members are appointed with their deputies. A representative of the Independent Authority of the Citizen's Advocate is designated as rapporteur, without the right to vote. The task of the Committee, which has decisive competence, is to examine appeals against rejection decisions for registration in the special electoral rolls herein, for which the procedure in paragraph 5 was not followed, to check specific applications at the request of a member or members of the Committee, as well as the sampling of the 51 applications accepted under paragraph 3. If one or more parties or combinations of parties do not indicate a representative within two (2) days of receiving the query, the Commission is legally established without their participation." 13. A breach of personal data (Article 4 no. 12 GDPR) means "the breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access of personal data transmitted, stored or otherwise submitted" manner in processing". According to the Guidelines 18/2018 of the Working Group of Article 29 of Directive 95/46/EC (now European Data Protection Council) on Personal data breach notification under Regulation dated 02-06-2018 ("Guidelines on Personal data breach notification under Regulation 2016/679" WP 250 rev. 1) one of the types of personal data breach is the one categorized based on the security principle of "confidentiality", when unauthorized access to personal data is found ("confidentiality breach"). A breach can potentially have various significant adverse consequences for persons, which can lead to physical, material or moral harm. The GDPR explains that this harm can include loss of control over their personal data, limitation of their rights, discrimination, misuse or identity theft, financial loss, unlawful de-pseudonymisation, damage to reputation and loss of confidentiality of personal data of a nature protected by professional secrecy, etc. (see also paragraphs 85 and 75). Incidents of data breach must be notified to the Authority within 72 hours from the moment the data controller becomes aware of them, in accordance with article 33 paragraph 1 GDPR: "1. In the event of a personal data breach, the controller shall notify the supervisory authority competent in accordance with Article 55 without delay and, if possible, within 72 hours of becoming aware of the personal data breach, unless the a breach of personal data may not cause a risk to the rights and freedoms of natural persons. Where notification to the supervisory authority is not made within 72 hours, it shall be accompanied by a justification for the delay.' The notification must have the minimum content referred to in paragraph 3 of article 33 GDPR, while according to paragraph 5 of the same article "The data controller shall document any breach of personal data, 52 consisting of the facts concerning the breach personal data, the consequences and the corrective measures taken. Such documentation shall enable the supervisory authority to verify compliance with this Article.' Since it is not possible to provide all the required information at the same time, paragraph 4 of article 33 GDPR states that it can be provided to the Authority "gradually, without undue delay". With regard to the time when the Data Controller becomes aware of the incident, the above-mentioned OG29 (wp 250) states the following: "As detailed above, the GDPR requires, in the event of a breach, the Data Controller to notify the breach without delay and , if possible, within 72 hours of becoming aware of the fact. This may raise the question of when a controller can be deemed to acquire "knowledge" of a breach. OE29 considers that a controller should be deemed to have acquired "knowledge" when that controller has a reasonable degree of certainty that a security incident has occurred which results in personal data being compromised. However, as mentioned above, the GDPR requires the data controller to implement all appropriate technical protection measures and organizational measures to immediately detect any breach and immediately inform the supervisory authority and the data subjects. It also states that notification should be found to have been made without undue delay, taking into account in particular the nature and seriousness of the data breach, as well as its consequences and adverse results for the data subject. In this way, the controller is subject to the obligation to ensure that it becomes "aware" of any violations in time to be able to take appropriate action. The exact point in time at which a controller can be deemed to acquire "knowledge" of a particular breach will depend on the circumstances of the particular breach. In some cases, it will be relatively clear from the outset that a breach has occurred, while in others it may take some time to determine whether personal data has been compromised. However, the emphasis should be on taking timely action to investigate an incident to determine whether personal data has been breached and, if so, to take corrective action and make a disclosure, if required." Besides, the violation must also be notified to the data subject, on a case-by-case basis and in accordance with the provisions of article 53 34 par. 1 and 2 GDPR: "1. When the personal data breach may put the rights and freedoms of natural persons at high risk, the data controller shall immediately notify the data subject of the personal data breach. 2. The notification to the data subject referred to in paragraph 1 of this article clearly describes the nature of the personal data breach and contains at least the information and measures referred to in article 33 paragraph 3 items b), c) and d)". When assessing the risk, in accordance with recitals 75 and 76 GDPR the likelihood and seriousness for the rights and freedoms of the data subjects should be taken into account and the risk should be assessed based on an objective assessment. According to EO Guidelines 18/2018 29, when assessing the risk to persons as a result of a breach, the controller should consider the specific circumstances of the breach, including the severity of the potential impact and the likelihood of it occurring; taking into account a number of criteria: the type of breach, the nature, sensitivity and volume of the data, the ease of identification of the persons, the seriousness of the consequences for the persons, the specific characteristics of the person, the specific characteristics of the controller and the number of affected persons (wp 250 rev.01, p.28-31). Therefore, from article 33 of the GDPR, not only the obligation to submit notification of incidents of violation to the supervisory authority derives, but also the obligation to actively investigate each possible incident, once the data controller becomes aware of the relevant indications. Besides, from paragraph 3 of article 33 of the GDPR, which defines the elements that must be contained as a minimum in the notification, it follows the obligation of the data controller to immediately investigate the information referred to in this provision, so that he is able to include in the notification to the Authority (nature of the breach, categories and number of affected subjects, number of affected files, potential consequences of the breach, measures taken or proposed to be taken to deal with the breach, measures to mitigate its potential adverse consequences), as and to assess the risk to the rights and freedoms of the subject, in order to decide whether notification is also required to him in accordance with article 34 of the GDPR, while paragraph 5 of article 33 of the GDPR explicitly states the obligation to keep documentation for all the above procedures (see also APD decision 35/2023). 54 B FINDINGS - SUBMISSION 1. Anna Michele Asimakopoulou For the assessment of the legality of the processing of personal data of expatriate voters, which Anna Michele Asimakopoulou carried out between 20/1/2024 and 1/3/2024, i.e. the collection of personal data emigrants' data, including electronic contact details, the creation of a new file to be uploaded to the MailChimp service, which included the name, country and e-mail of the voters and the use of the emigrants' electronic address (e-mail) and the sending of political communication , the following findings from the research are taken into account: a) The purpose of processing was the political communication to promote the postal vote, as a project of the government and also of the candidacy of the MEP in the upcoming European elections of June 2024, through her pre-election campaign entitled "100 days before the European elections". The MEP, as a candidate for the upcoming elections, determined the purpose and means of the processing, therefore she is the controller within the meaning of article 4 no. 7 GDPR. b) The excel file entitled "Departmental Revenues for Electoral Draws - Bool Eccl June 2023.xlsx" (sic) was extracted on 8/6/2023 from the Home Office database for a lawful purpose (see (c) below). c) The file in question also included the e-mail addresses of the voters, with the aim, on the one hand, of informing them from the local Embassies in the event that they were drawn as members of the electoral committee, and on the other hand, of informing them en masse from the Ministry of the Interior for the possibility of canceling or suspending their registration in the special foreign electoral roll, in case they wished to vote in Greece (where they are registered in the basic electoral roll). d) MEPs belong to the persons entitled to obtain copies of electoral rolls under the conditions of article 23 of PD 26/2012, i.e. only during the pre-election period, from the Ministry of the Interior following their relevant request, only on a storage medium (CD) of prohibited expressly of the electronic circulation of electoral rolls in another way, and must destroy said electronic means within three months of the conduct of the elections. e) According to article 3 of Law 4648/2019, the copies of the foreign electoral rolls available to the beneficiaries of article 23 of PD 26/2012, do not include the e-mail address and contact telephone numbers of the voters. f) The storage media (CDs) issued by the Ministry of the Interior to political parties in view of the parliamentary elections of May and June 2023 did not include the e-mail addresses or contact telephone numbers of voters abroad, while no natural person with the status of the candidate did not request a copy of special electoral lists abroad for 2023. g) The file received by Anna Michele Asimakopoulou from the former Secretary of Immigration of the ND, Mr. Theodoropoulos on 20/1/2024 via WhatsApp is the file "Emigration by Department for Electoral Lotteries - Vol. Ecl June 2023.xlsx" (sic) of the Ministry of the Interior, (as it has emerged both from its content and from its metadata) without having substantiated the claim that she had made a relevant telephone communication with the party on 18 -1-2024. h) The above MEP, as data controller, did not provide full information to the data subjects within one month of data collection, as required by Article 14 of the GDPR, not even with the electronic message (e-mail) with which she was contacted them on 1/3/2024. Based on the above findings, the collection of emigrants' personal data, including electronic communication details, on behalf of Ms. Asimakopoulou, by the late Secretary of Emigrants of the ND, outside the pre-election period, electronically (WhatsApp application), is unlawful , non-objective and unlawful processing: Given that the said processing (collection) was carried out in violation of a number of provisions of the electoral legislation, it could not be reasonably expected for the subjects (foreign voters) that their personal data held by the Ministry Internal for the purpose of exercising their right to vote, including their electronic communication details, would be in the possession of a MEP and would be used for the purpose of political communication via e-mail. For the same reason, and the further individual acts of processing for the same purpose, i.e. the creation of a new file to be uploaded to the MailChimp service, which included the name, country and e-mail of the voters and the use of the electronic address (e- mail) of expatriates to send political communication is also unfair and illegal. Besides, the above-mentioned data processing of foreign voters cannot be based on the legal basis of the overriding 56 legal interest (Article 6 par. 1 GDPR), since, taking into account the above circumstances, the right of expatriate voters to the protection of their personal of data clearly outweighs the legitimate interest of the MEP to communicate with them individually to disseminate her political actions and ideas. In addition, appropriate information was not provided to the subjects in accordance with the GDPR (Article 14), in particular about the source of their data, with the result that the principle of transparency of the processing is also violated. Therefore, the processing of emigrants' data carried out by Ms. Asimakopoulou between 20/1/2024 and 1/3/2024 violated the fundamental principles of legality, objectivity and transparency of the processing, according to article 5 paragraph 1 1 GDPR. Based on the above, the Authority considers that there is a case to exercise its corrective powers under Article 58 para. 2 of the GDPR in relation to the violations found and that, based on the circumstances found, an order to delete personal data should be given , and to impose, pursuant to the provision of article 58 par. 2 sec. i of the GDPR, an effective, proportionate and dissuasive administrative fine according to article 83 of the GDPR, both to restore compliance and to punish illegal behavior. Furthermore, the Authority took into account the criteria for measuring the fine defined in article 83 par. 2 of the GDPR, paragraph 5 sec. a) of the same article that is applicable in this case, the Guidelines for the application and determination of administrative fines for the purposes of Regulation 2016/679 issued on 03-10-2017 by the Article 29 Working Group (WP 253) and the Guidelines 04/2022 of the European Data Protection Board for the calculation of administrative fines in the context of the General Regulation, as well as the actual data of the case under consideration, based on which the gravity of the violation is judged to be medium, and taking into account in particular: o that the nature of the violation concerns a basic principle of the GDPR, o that the purpose of the processing is legitimate and the processing does not directly result in serious consequences for the data subjects, o that the processing is not in the core activities of the controller, o that it constitutes an individual activity of the data controller, which is not a business according to articles 101 and 102 of the TFEU, 57 o the large number of affected subjects (25,610) which in fact are all registered foreign voters, o that the categories of personal data which the processing concerns, do not involve a high risk (articles 9-10 GDPR, communications, position, finances, etc.), while they cannot cause direct damage or inconvenience. o the disturbance and concern caused to data subjects regarding the leakage and illegal use of their personal data, as shown by the number and content of the complaints submitted to the Authority. o the fact that the violation was caused by gross negligence on the part of the MEP, who, due to her position and many years of experience, should have known that she was not entitled to have the specific file in her possession. In addition, it should have taken into account the CG 1/2023 of the Authority for Political Communication11, from which it is clear that a self-evident condition for the legality of any relevant processing is the initial collection of the data from a legal source (see pp. 6-7 : in each illustrative example cited it is expressly stated that the candidate must have "legally collected" the data) Regarding the way of satisfying the exercised rights of access of the subjects, from the data submitted to the Authority, no violation of the right emerges, given that the Mr. Asimakopoulou provided the information provided by article 15.1. 2. Ministry of the Interior For the evaluation of the legality of the acts of processing the personal data of expatriate voters, which the Ministry of the Interior carried out, the following findings are taken into account: 11 Available on the website of the Authority: https://www.dpa.gr/sites/default /files/2023- 04/%CE%9A%CE%91%CE%A4%CE%95%CE%A5%CE%98%20%CE%93%CE%A1%CE%91%CE%9C% CE%9 C%CE%95%CE%A3%201_2023.pdf 58 a) The Ministry of Interior is the controller for the processing of personal data of Greek citizen voters for the purpose of conducting the electoral process. In fact, according to Law 4648/2019, the Ministry of the Interior is the controller for the processing of personal data for the exercise of the right to vote of voters who are outside the Greek Territory. b) In accordance with the written provisions, as accepted by the Ministry of Interior in no. prot. C/EIS/2325/12-03-2024 document, the electronic contact details (e-mail address and contact phone number) of those registered in the foreign electoral rolls are not included in the copies of the foreign electoral rolls available to the beneficiaries, according to article 23 of the P.D. 26/2012. The Ministry also states in its document that during the pre-election periods of May - June 2023, no natural person in the capacity of a candidate requested a copy of special foreign electoral lists of 2023 and the political parties that received electoral lists with the First Revision 2023 through their representatives including the electoral divisions, they also received a file with the special foreign electoral rolls. The Authority's on-site investigation confirmed that these records did not include voters' email addresses. c) From the investigation of the Authority it emerged that a file in MS excel format that was exported on 8/6/2023 from the OSYED system for the purpose of conducting draws for election committees of the émigré departments, and contained data of those registered in the special foreign electoral rolls for the upcoming parliamentary elections elections of 25/6/2023 was found outside the Ministry of the Interior, in the possession of third parties. The file contained details of 25,610 citizens, i.e. all registered expatriate voters for the June 2023 election, and included the following fields: Voting Country, Voting City, Ward, Country of Origin, City of Origin, Elector AA on the Roll, Fylo, Eponymo, Onoma, on_pat, on_mht, on_syz, epon_pat, hmer_gen, HomeAddress, Street, StreetNumber, Region, PostCode, E-mail. On 23/6/2023 this file was sent to the Secretary of Expatriates of New Democracy, as can be seen from the message on the WhatsApp application that he provided. As also appears from a message in the WhatsApp application provided by Mr. Theodoropoulos, the same file was sent by the latter on 20/1/2024 to MEP Mrs. Asimakopoulou who also 59 processed the data for sending e-mail messages to the citizens included in this on 1/3/2024. d) Only specially authorized persons had the possibility of mass data extraction from the OSYED system, by executing queries in the database. Regarding the data of voters abroad, it was found that mass exports have been made for the purpose of sending electronic communication on behalf of the Ministry regarding the electoral process as well as for the needs of the electoral commissions' lottery through the embassies, in accordance with the law. 4648/2019. e) For the aforementioned purposes, the .xls files with the data of the electoral rolls were distributed to the competent officials, either for action or for their information, via e-mail and without any special security measures being taken. Therefore, each of the recipients had the option of local storage, export to removable media or transmission of the file through messaging applications. f) Electoral roll data had from time to time been requested and extracted from the databases following a relevant order of the resigned General Secretary of the Ministry either in written or oral form, without specifying the exact purpose, a conclusion that emerges both from the answers of the Ministry officials during the on-site inspection as well as from the submitted e-mail message included in no. first G/EIS/3549/16-04-
2024 Ministry document. g) There was a possibility of mass export of all the data of foreign electoral rolls, without recording and without any limitation or delimitation of when, who and for what purpose can request it. The .xls files were produced and circulated internally in the Ministry either due to official necessity or at the request of the resigned General Secretary of the Ministry. Corresponding internal handling of such files had taken place in the past. Therefore, it cannot be excluded the possibility that in the past, or even more recently, voter lists were sent by e-mail to recipients outside the Ministry, but without being able to search for evidence to document such a leak. This issue has existed since the time when the special electoral lists of foreign voters were created. According to what is reported by the Secretary of Immigration of the ND and was not disputed during the hearing or the pleadings, it is likely that some relevant 60 pieces of communication were forwarded to the Secretariat of Immigration of the ND, indirectly or directly, for a specific purpose and for a limited scope, this the facilitation of the registration of emigrants in the foreign electoral rolls, as particularly mentioned in the case of voters who were in Lithuania on May 21, 2023, to attend an important basketball game. h) Regarding the way of recording accesses for extracting mass data from OSYED, the log files of the database and the application do not keep information about the user's actions but only about his entry and exit from the system. This information is not particularly useful as a user can use the system for many different reasons. Important events are also logged based on the default settings of the software (SQLserver) as well as failed login attempts. However, the kept logs do not include the actions of the respective user in the database, so it is not possible to search later who and when executed a query in the database. From the security study (in the Ministry's document with no. prot. C/EIS/3286/09-04-2024) it appears that the recording of audit trails could have been activated in OSYED (the audit trail is a documented file that records the users of a computer system and the operations they have performed in a given period of time). i) The safety study of the OSYED contractor submitted with no. prot. C/EIS/3286/09-04-2024 document of the Ministry includes and proposes procedures on which the Security Policy and Security Plan of the OSYED Body (i.e. the Ministry of the Interior) will be based and does not constitute the approved Policy and Plan Security of the body from which the documentation of the implementation of the Study's proposals can be derived. j) In the contract for the provision of services for the development of an Integrated Electoral Process Support System submitted with no. prot. C/EIS/3287/09-04-2024 document, in the chapter "1.3 Subsystem for Ministry of Internal Affairs" is included as a requested function of the subsystem the personal information of the citizen via electronic message, for the exact place of exercising his electoral right at least 7 days before the elections. It is stated that the implementation of this process will be done with a communication and information mechanism for the voters and bodies concerned through electronic 61 messages. It emerged that no mechanism had been implemented in the application through which the functionality of updating overseas voters could be supported without the need for bulk file extraction. k) Regarding the management of the incident of violation: On 18-03-2024 the Authority was submitted with no. prot. C/EIS/2484/18-3-2024 Notification of a Personal Data Breach Incident by the Ministry of the Interior, with the following information: As the start and end time of the incident it is stated that it is being investigated and that it is approximately May 2023. As the time that became aware of the incident, the agency mentions 15/3/2024, 14:00, and as the way in which it became aware of the incident, the media. The type of data mentioned was name and e-mail address. It was also mentioned that the investigation by the Ministry's internal control service is ongoing, that the number of subjects is not known (only 26,905 can be considered as a maximum, which is also mentioned in the lists that the Ministry presented to the Authority with no. prot. C/EIS/2445/15-03-2024 document) and that the data subjects have not yet been informed, since the internal investigation has not been completed. l) Referring to the disputed case, in an interview on 16/3/2024, the Minister of the Interior explained that the leak "took place in the time period between the two electoral contests of the parliamentary elections held in May and June 2023, when the the Ministry of the Interior was under service leadership. During this period, an associate of the general secretary Michalis Stavrianoudakis, then in charge of the elections, exported electronic addresses of emigrants to the secretary of Hellenism Abroad of the New Republic, Nikos Theodoropoulos. Then he transferred them to Ms. Asimakopoulou."12 m) It also does not appear that the Ministry of the Interior carried out an exhaustive investigation and search for information in order to facilitate the determination of the time and the object of the illegal transmission of electoral roll data. No relevant information was given to the Authority's questions during the on-site inspections, nor was an authorized legal representative of the Ministry present. Consequently, no evidence is presented to document the fact and time of the data leak from the Ministry with the final recipient being the Secretary of Immigration of the ND or another recipient outside the Ministry. The order for 12 https://www.ertnews.gr/eidiseis/ellada/politiki/n-kerameos-ereyna-mexri-telous-gia-tin-ypothesi-ton-ilektronikon-dieythynseon/ 62 internal control was about the adequacy of the measures security and data protection, without referring to the identification of the specific incident, circumstances and manner of the leak. Furthermore, virtually no further investigation was carried out by the Ministry, nor a technical investigation in relation to the leak, while it was clear that the notification of the incident filed was at an initial stage and a number of elements were missing from it, for which at no stage after the submission of the notification, the Ministry did not prove that it proceeded with investigative actions to complete the notification. n) The records of activities related to the OSYED system were submitted (prot. no. C/EIS/3285/09-04-2024). In the files, the employees of the Ministry are mentioned as executors, while the contractor company performing the processing is not included, which has even been mentioned in the submitted notification of a data breach incident. Also, sufficient reference to security measures is not included, the time of keeping the data is not specified and reference is made to general legislation and not specific reference to the specific electoral legislation. A. From the above points a), b), c) it follows that a file with personal data of all registered foreign voters for the June 2023 elections, for which the Ministry of the Interior is responsible for processing, and for which the current legislation does not provide absolutely no case of its transmission outside the Ministry, it was trafficked outside the Ministry. Although it was not possible to establish how the transmission in question took place, this fact is indisputably an incident of violation of the confidentiality of personal data and therefore a violation of personal data, according to the definition of article 4 para. 12 of the GDPR, as it is certain that the existing measures were breached and there was an unauthorized disclosure of personal data that was transmitted, which was subsequently further processed. B. From the above points d) to g) it follows that the policies and procedures followed by the Ministry for the mass export and internal handling of foreign voter data did not contain special provisions (special security measures during the handling of files) and restrictions (regarding with the recipients of the files), but neither provisions for the recording and documentation of the actions as well as the approval of the export purpose. Furthermore, the planned procedures do not include any measure to limit the risk caused by the human factor 63 (which according to the Ministry also proved to be a catalyst and decisive factor). It should be noted that the risk from the human factor is referred to by the authorities as a key factor causing incidents of personal data breaches while it was specifically highlighted by the Authority as early as 201813. It also emerged that the applied measures were not reviewed for the special needs of processing foreign voter lists. C. From the above points h) to j) there are deficiencies in the procedures and policies for data protection (as referred to in the context of accountability in Article 24 of the GDPR), i.e. the controller did not effectively implement at the time of determining the means processing, the appropriate technical measures for recording user actions, organizational measures, for the implementation of data protection principles, as provided for in article 25, par. 1 for data protection already by design. D. From the above k), l), m) it follows that the submitted Personal Data Breach Incident Notification does not include information that was announced publicly and was mentioned in an interview with the Minister prior to the submission of the notification, while they are not included in the submitted Personal Data Breach Incident Notification Data, even though they were mentioned in an interview with the Minister before submitting the notification. With this handling of the incident, it did not fulfill the obligations of article 33, paragraphs 3, 4 and 5 of the GDPR regarding the notification of a personal data breach to the supervisory authority. E. From the point n) above, deficiencies and inaccuracies are observed in the content of the activity records kept concerning the OSYED system, as required by article 30 of the GDPR. It therefore follows that the Home Office breached i. articles 5 par. 1 sec. f and article 32 of the GDPR, as analyzed in the above points A and B, ii. Article 25.1 of the GDPR, as analyzed in point C, iii. the articles 33 par. 3, 4 and 5 of the GDPR, as analyzed in point D and iv. the article 30 of the GDPR as analyzed in point E. Based on the above, the Authority considers that there is a case to exercise its corrective powers according to article 58 par. 2 of the GDPR in relation to the identified violations and that it should, based on the circumstances found, to be imposed, according to 13 See https://www.dpa.gr/el/enimerwtiko/deltia/sygkentrotika-stoiheia-gnostopoiiseon-peristatikon-parabiasis-dedomenon 64 implementation of the provision of article 58 par. 2 sec. i of the GDPR, an effective, proportionate and dissuasive administrative fine according to article 83 of the GDPR, both to restore compliance and to punish illegal behavior. Furthermore, the Authority took into account the criteria for measuring the fine defined in article 39 par. 2 of Law 4624/2019 which is applicable in this case, the Guidelines for the application and determination of administrative fines for the purposes of Regulation 2016/ 679 issued on 03-10-2017 by the Article 29 Working Group (WP 253) and the Guidelines 04/2022 of the European Data Protection Board for the calculation of administrative fines under the General Regulation, as well as the actual data of of the case under consideration, on the basis of which the seriousness of the violation is judged to be high, and taking into account in particular: o that the nature of the violations concerns the obligations of accountability and taking technical measures to record the actions of the users and organizational measures of the data controller, o the processing concerns the main activities of the data controller responsible for organizing and carrying out the electoral process, which must not be called into question or undermine citizens' trust in it, o the violations do not directly result in serious consequences for the data subjects, o that the transmission of the specific file was an individual action, but in relation to the applied policies and technical measures for recording user actions, the violations concern the processing of personal data included in the electoral rolls, o the violation concerns the policies and the applied security measures (articles 25 and 32) concerns a long period of time, i.e. at least since the delivery of the studies of the OSYED system, o the large number of subjects who were definitely affected by the violation (25,610) and which are in fact all registered voters of foreign countries, 65 o The categories of personal data concerned by the processing do not pose a high risk (articles 9-10 GDPR, communications, position, finances, etc.) o the disruption and concern caused to the subjects regarding the leak and the illegal use of their personal data, as well as consequences for their feeling of trust in the State for the safeguarding of their personal data, as can be seen from the number and content of the complaints submitted to the Authority, o The fact that the violation was caused by the negligence of controller, who breached the duty of care without malice. o The fact that the Ministry, even after the incident, but before the hearing at the Authority, took specific measures in the right direction, such as the implementation of expertise and actions for the mandatory training of its staff. 3. As regards New Democracy and Mr. Theodoropoulos, the Authority postpones the issuance of a decision, given that the latter, after the hearing and submission of pleadings, submitted an affidavit as new evidence, which can be taken into account by the Authority in the context of the ex officio audit and from the content of which the need for further investigation of the allegations presented there emerges. III. DISPOSAL FOR THESE REASONS THE PRINCIPLE A. For the violations of articles 5 par. 1 a' in combination with article 6 par. 1 and article 14 of the GDPR, as analyzed in chapter B1 of the present reasoning, i) imposes ' article 58 par. 2 item i GDPR to Anna Michel Asimakopoulou, as data controller, a monetary fine of forty thousand (40,000) euros, and ii) instructs, according to article 58 par. 2 sec. g' of the GDPR to Anna Michele Asimakopoulou, as controller, to delete all the data of foreign voters. 66 B. For the violations of articles 5 par. 1 sec. f and 32 of the GDPR, of article 25, par. 1, of article 33, par. 3,4,5 of the GDPR, as well as of article 30 of the GDPR, as analyzed in chapter B4 of the present rationale, i) imposes article 58 par. 2 item i GDPR to the Ministry of the Interior, as controller, a monetary fine of four hundred thousand (400,000) euros, and ii) gives an order, according to article 58 par. 2 item. d' GDPR, in the Ministry of the Interior, as data controller, as it takes the following actions: On the occasion of this incident, the Ministry should record in approved policies, check and revise the procedures and measures it applies regarding the protection personal data during the processing of voters' personal data, including all data kept in the OSYED system and in any other related system. With the above actions, the principles of article 5 par. 1 of the GDPR must be ensured and in particular the confidentiality throughout the election process and a periodical evaluation process of the measures should be foreseen. The Ministry must, within three months from the notification of this, draw up a relevant timetable, in which the procedures for the preparation, implementation, supervision and updating of the above and the time of their execution will be specified, notify the Authority without delay of the timetable , and to inform it quarterly about its implementation. As specific measures to avoid, detect and investigate incidents of personal data breaches, the following should be foreseen and implemented without delay: 1. Systematic analysis of the institutional framework of the conduct of the elections, determination of the procedures that require the processing of personal data, recording for each procedure of the flows of personal data and recipients of any kind of data. As part of the analysis, the ability to perform actions on data sets by natural persons (e.g. employees) should be minimized to those that are absolutely necessary. Processes that are repetitive should be performed with minimal human intervention and without data extraction. In particular, it is proposed: 67 a) All functions that require mass processing of voters' personal data, and especially communication data, to be integrated into the applications, so that processing in accordance with the law is carried out through the application's environment (e.g. sending informational messages to voters), with a complete record of actions. b) To examine the possibility of using DLP software, especially for Ministry units involved in file exports. c) Prohibition of circulation of files containing voters' personal data through e-mail messages or other means of internal communication. Exceptionally, if it is really necessary, such traffic can only be done in an encrypted form. Each message must state the purpose of processing and the purpose of processing, as well as the length of time the file will be kept. The code must be communicated by a different means. This transaction must have been approved by a competent high-ranking official and the relevant approval must be kept on file (audit trail) for a sufficient period of time. d) Revision of the process of recording query-type actions (SELECT) in tables of the OSYED database or in other systems that process personal data and taking measures for the automated, preventive, control of the log files 2. Security Policy and Plan – other organizational measures Given that no approved security policy (or individual security plans) has been submitted to the Authority, the Ministry must update the Security Policy it applies and the accompanying individual security plans concerning the processing of voters' personal data in order to: a) Include the management systems of voter data and decide which of the proposed rules will be implemented (or record which ones have been implemented). b) To include appropriate provisions for updating the contracts with processors for the changes that will occur. c) Documenting, revising and updating the process of handling personal data breach incidents, with an emphasis on the content of the notification to the Authority, the information of the subjects, and the appropriate procedures and instruments for the internal investigation. 68 d) Control by an independent organization or body, on a regular basis at least annually, of the security of systems and procedures, including the evaluation of the security measures implemented. e) The periodic control by the Ministry, at least annually, of any processors in terms of taking the appropriate security measures. 3. Staff information and awareness measures To design a program of awareness-raising and training actions for both the leadership and executives of all levels and employees of the Ministry on issues of personal data protection, and especially on the obligations of the data controller, the way of cooperation with the Authority and the role of the Ministry of Foreign Affairs. The actions of the program should provide for activities that keep the staff of the Ministry alert. C. Postpones the issuance of a decision regarding New Democracy and Nikos Theodoropoulos, as stated above. The President The Secretary Konstantinos Menudakos Irini Papageorgopoulou
