HDPA (Greece) - HDPA - 32/2024

| HDPA - HDPA - 32/2024 | |
|---|---|
| Authority: | HDPA (Greece) |
| Jurisdiction: | Greece |
| Relevant Law: | Article 5(1) GDPR, Article 12 GDPR, Article 13 GDPR, Article 14 GDPR, Article 24 GDPR, Article 25(1) GDPR, Article 35 GDPR, Article 83 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 26.09.2023 |
| Decided: | 23.09.2024 |
| Published: | 23.09.2024 |
| Fine: | 150000 EUR |
| Parties: | Ministry of Citizen Protection |
| National Case Number/Name: | HDPA - 32/2024 |
| European Case Law Identifier: | 2576/23-09-2024 |
| Appeal: | Unknown |
| Original Language(s): | Greek |
| Original Source: | HDPA (in EL) |
| Initial Contributor: | Stergios Konstantinou |
The Hellenic DPA reviewed a complaint on the new ID Cards that include biometric data. It focused on GDPR compliance, emphasizing transparency, data minimization, and security.
English Summary
Facts
A citizen filed a complaint about the issuance of new identity cards containing biometric data and the Ministry of Citizen Protection's failure to respond to an inquiry about the legality of this data processing. The HDPA initiated an investigation to examine the Ministry's compliance with GDPR, focusing on data minimization, transparency, and security measures. The Ministry explained its actions, including conducting a Data Protection Impact Assessment (DPIA), assessing risks, and implementing safeguards for biometric data. The DPA stressed the importance of providing adequate public information and ensuring individuals' rights regarding personal data access.
Holding
The Hellenic Data Protection Authority (HDPA) found that the Ministry of Citizen Protection violated provisions of the GDPR related to transparency and data minimization concerning the issuance of new identity cards that contain biometric data. Specifically, the Ministry had failed to provide timely responses and sufficient information to the public regarding the processing of personal data in compliance with GDPR requirements.
Reasoning
First, the DPA held that the controller violated Article 12 (Transparency) of the GDPR by failing to provide clear and timely information to the complainant and the public about the processing of their personal data in relation to the new identity cards. This included details about the legality, purpose, and scope of the data collection.
Second, the DPA found that the Ministry had not fully complied with the principle of data minimization under Article 5(1)(c) of the GDPR. The authority noted concerns about the scope of biometric data collected and questioned whether all the data being processed was necessary for the stated purpose (issuance of identity cards).
Third, the DPA emphasized the need for a Data Protection Impact Assessment (DPIA), as required by Article 35 of the GDPR, due to the high risks posed by the processing of biometric data. The Ministry had initiated this process but needed to demonstrate full compliance with the risk mitigation measures outlined in the DPIA.
Finally, the DPA stressed that the Ministry must adhere to the principle of accountability under Article 5(2) of the GDPR and ensure ongoing compliance by reviewing and adjusting its data protection practices.
The decision highlighted the Ministry’s obligation to inform citizens adequately about the data processing procedures and ensure compliance with data protection laws.
Comment
The Hellenic Data Protection Authority (HDPA) in Decision 32/2024 addressed a complaint regarding the processing of biometric data for new identity cards. The HDPA found that the Ministry of Citizen Protection violated GDPR provisions, particularly Articles 12 and 5, by failing to provide clear information and by potentially collecting excessive data. The Ministry's efforts to conduct a Data Protection Impact Assessment (DPIA) were noted but deemed insufficient in fully addressing data protection risks. The DPA emphasized transparency, data minimization, and accountability, consistent with previous rulings on personal data processing in public services, such as Decision 26/2019, which also scrutinized transparency in governmental data processing. The decision reinforces the DPA’s stance on upholding GDPR standards in biometric data handling.
This decision is in line with the HDPA's broader pattern of ensuring that public authorities maintain transparency and safeguard citizens' rights under GDPR, similar to cases involving health data (e.g., Decision 9/2019) and online data processing.
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Athens, 23-09-2024
Prot. No.: 2576
DECISION 32/2024

The Personal Data Protection Authority met at the invitation of its President at its headquarters, Kifisias 1-3, Athens, on Tuesday, April 30, 2024, following the meetings of 26/4/2024, 12/3/2024 and 5/12/2023, in order to examine the case mentioned below in the history of this decision. Present were the President of the Authority, Konstantinos Menoudakos, and the regular members of the Authority, Spyridon Vlachopoulos, Konstantinos Lambrinoudakis, as rapporteur, Christos Kalloniatis, Aikaterini Iliadou and Grigorios Tsolias, as well as the alternate member Nikolaos Livos, as rapporteur, replacing the regular member Haralambos Anthopoulos, who, although summoned legally and in due time, did not appear. Present without the right to vote were Eleni Maragou, Georgia Panagopoulou, Konstantinos Limniotis and Anastasia Tritaki, auditors of the Authority, as assistant rapporteurs, and Irini Papageorgopoulou, employee of the administrative affairs department, as secretary.

The Authority took into account the following:

With complaint no. C/EIS/6753/26-09-2023, A stated before the Authority that, in the context of the issuance of the new type of identity cards, on 25/8/2023 he addressed to the Ministry of Citizen Protection a request regarding the provision of information and the legality in general of the processing involved in issuing the new type of identity card. Despite the request, as stated by the complainant, and despite the fact that on 19/9/2023 he sent a relevant reminder, he did not receive a response. The Authority, taking into account the general discussion in the public sphere and the concern of public opinion regarding the new type of identity cards of Greek citizens, proceeded, on the occasion of the above complaint, to an ex officio examination of the case and sent document no. prot. C/EXE/2544/11-10-2023, with which it requested the opinion of the Ministry of Citizen Protection on the issues raised by the above complaint, and more specifically on the handling of the complainant's request and whether a relevant response existed.

With its response document no. prot. C/EIS/7563/25-10-2023 (Ministry letter no. …. / ../ ….), the Ministry of Citizen Protection (through the Director of the State Security/Identities and Records Department) brought the following to the attention of the Authority: a) during the period when the relevant request was sent, a number of official actions were in progress in order to start the issuance of the new type of identity cards of Greek citizens in a timely manner, due to the country's European and international obligations, for the delay in the implementation of which it had received a Letter of Formal Notice (Article 258 TFEU) for non-compliance with Regulation (EU) 2019/1157, while there were a number of incoming requests, reports, etc. relating to clarifications regarding the upcoming process of issuing the new identity cards, which the competent directorates made every effort to satisfy as far as possible, among them a number of other citizens' requests relating to religious or similar issues, to which the Directorate had been called upon to respond, although they fell outside its responsibilities, b) in the context of the operation of the new system for issuing identity cards of Greek citizens, and on the basis of proper planning aimed at achieving the highest possible level of security for the personal and business data it manages and stores, a Risk Analysis Study had been carried out by the IT Department/A.E.A. of the Hellenic Police, in order to record the possible threats/risks and vulnerabilities of the new system and to propose the appropriate technical and organizational measures to address them, and c) since the new system also includes biometric elements, it had already been proposed to draw up a personal data impact assessment study, in order to comply with the GDPR, for the preparation of which a working group would be formed by the Directorate of State Security/A.E.A., as the lead service/data owner, in which executives from the competent Directorates of the Hellenic Police Headquarters would participate.

Following this, the Authority, with summons no. prot. C/EIS/2876/14-11-2023, called the Ministry of Citizen Protection to a hearing on Tuesday 5/12/2023 before the Plenary Session of the Authority, the topics for discussion being a) the provision of general information to data subjects and b) the carrying out of an impact assessment, regarding the data processing in the context of the issuance of the new type of identity cards. At the meeting in question, which took place at the Authority's headquarters, the following members of the Hellenic Police (EL.AS.) were present: a Police Director, Head of the Identity & Archives Department/D.K.A./A.E.A., C, Deputy Police Director, Head of the Identity Office/Identities & Records Department/D.K.A./A.E.A., as well as D, Police Officer B, Data Protection Officer of EL.AS., in order to provide clarifications on issues raised by the President and the Members of the Authority. The above, after presenting their views orally, were given a deadline at this meeting to submit written memoranda in further support of their claims. Following this, EL.AS. timely submitted memorandum no. prot. G/EIS/455/19-01-2024, followed by the supplementary memorandum G/EIS/759/31-01-2024, with which a data protection impact assessment study was submitted. With the above, EL.AS.
put before the Authority the following: a) with regard to the provision of information to data subjects, what is stated in the above document no. prot. G/EIS/7563/25-10-2023 (Ministry no. prot. … /../ ….). In addition, in order to ensure in the best, most complete and most comprehensible way the information of data subjects regarding the personal data received and stored during the process of issuing the new type of identity cards of Greek citizens, EL.AS. has drawn up a relevant informative text, which has been posted on its website and forwarded to all the issuing authorities of the country, so that it can be posted in a visible place at the issuing offices, with the aim of fully informing the subjects before they submit the relevant application for the issuance of an identity card, b) the process of issuing the new type of identity cards of Greek citizens started on 25/9/2023, by virtue of declaratory Act no. 3021/19/84-ma' of 04-09-2023 of the Minister of Citizen Protection (Government Gazette B' 5328), c) the issuance of identity cards of Greek citizens is regulated by the provisions of N.D. 127/1969 (A' 29), as amended and in force, as well as by K.Y.A. no. 8200/0-297647 of 10-04-2018 (B' 1476), as amended and in force, which provides for the issuance of the new type of identity card, since the provisions of Law 1599/1986 (A' 75), as amended, and in particular articles 1, 2, 3, 4 and 5, which also regulated the issuance of identity cards for Greek citizens, have been repealed; specifically, articles 1, 3 and 4, as amended, were repealed by article 144 of Law 5003/2022 (A' 230), while articles 2 and 5 were repealed by article 6 of Law 1988/1991 (A' 189).

Due to the fragmentation of the legal provisions concerning the issuance of identity cards of Greek citizens across different legal texts, a relevant advisory note has been circulated, which concerns the amendment of N.D. 127/1969 "On the evidentiary value of identity cards" (A' 29), as amended and in force, so that the relevant provisions are regulated in a single legal text, d) with Decision no. 1519/23/2347819 of 21-11-2023 of the Chief of the Hellenic Police/A.E.A., a working group was set up with the purpose of preparing a personal data impact assessment study regarding the new type of identity cards of Greek citizens. The above impact assessment study describes in detail the process of issuing the new type of cards, i.e. the process of receiving the subjects' data, the way this data is stored, the procedures and security technologies concerning both the transmission of the information from the issuing authorities to the printing authority and the characteristics of the card itself (including the digital storage medium incorporated in it), the management of human resources, the data protection measures, etc., e) the data of the data subjects currently collected are provided for by explicit legislative provisions (European regulations, laws, ministerial decisions, etc.) and constitute data which ensure, at a level of certainty, the exclusive link between the identity card and its holder; however, within the framework of the principle of data minimization, EL.AS., after taking into account the contents of the above impact assessment study, will consider the possibility of reducing the data which are collected and required for the issuance of the identity card today, if and as long as the unique matching of holder and card can be assured with certainty, suggesting, in the present case, the possibility of amending the existing legislation, f) regarding the storage of the data collected during the process of issuing the new cards, in accordance with article 3 of N.D. 127/1969, the issuing authorities are obliged to keep a special identity file, which contains all the information entered during the issuance of these cards as well as the supporting documents submitted for their issuance, while article 10 of K.Y.A. no. 8200/0-297647 of 10-04-2018 (B' 1476) stipulates that an electronic identity file is kept at the Directorate of State Security of the Hellenic Police Headquarters, with the supporting documents for issuance and the data included in each identity card. The supporting documents submitted for the issuance of the identity card are kept in original form by the issuing services of article 1 for a period of one (1) year from the date of their filing. The data stored in the electronic application "Identities of Greek Citizens", which is accessible through the IT network and information systems of EL.AS. (Police on Line), are kept without being deleted, in the context of fulfilling the purpose and responsibilities of EL.AS. (lawful issuance of documents, identity verification, verification of information, investigation of criminal acts, etc.). Where an identity card is issued to replace an old one, the physical folder of the old card and its contents (issuance documents) are destroyed by the issuing authority. The old card is kept in the folder prepared for the new identity card, as proof, except in cases of loss/theft. Documents of identity cards that have been revoked but have not been removed from their holders are not destroyed; their destruction takes place only after the removal/confiscation of the identity cards from their holders, except where the revocation takes place due to tampering with the identity card, in which case the above supporting documents are evidentiary documents and must consequently be submitted, together with the case file, to the competent prosecuting authority, g) the fingerprints of applicants for a new identity card are used exclusively for the purpose of their registration in the digital storage medium integrated in the identity card, during the personalization of the card at the Directorate of Passports & Security Documents/A.E.A. They are captured through a special application, which operates on the IT network of EL.AS. (Police on Line) and is used exclusively for this specific purpose and by personnel authorized for it. Fingerprints are automatically deleted ninety (90) calendar days after the issuance of each identity card, h) details of the data printed on the form of the identity card of Greek citizens, as well as its other technical characteristics, are kept in the online public register of authentic identity and travel documents of the Council of the European Union (PRADO).

The Authority met at its headquarters on Tuesday, March 12, 2024, in order to discuss the case under consideration. During the discussion, further questions arose regarding the following issues: a) the type of processing that may be carried out on the personal data kept in the electronic storage medium of the new identity card, i.e.
the data: father's surname, mother's surname, municipality of registration, census number and place of issuance of the card, given that these data do not appear to constitute data intended for use by electronic services, which may be stored in the aforementioned electronic storage medium in accordance with article 3 par. 10 of Regulation (EU) 2019/1157, as well as which entities are authorized to carry out the processing, in what way, by what means and for what purposes, b) how the rights of data subjects (and, in particular, the right of access to the data held on the electronic storage medium of the identity card) are satisfied, and c) how national data are separated from biometric data, taking into account that, in accordance with article 3 par. 10 of Regulation (EU) 2019/1157, if a Member State stores in identity cards data for electronic services such as e-government, then the national data in question must be physically or logically separated from the biometric data referred to in paragraph 5 of the Regulation. In order to clarify the above issues, the Authority sent document no. prot. G/EX/977/28-03-2024 to EL.AS., requesting additional clarifications.

With document no. prot. G/EIS/3370/11-04-2024 (EL.AS. no. prot. … / ../ .. /…), EL.AS. argued in response, among other things, the following: a) in accordance with the provisions of N.D. 127/1969 (A' 29), Law 1599/1986 (A' 75) and K.Y.A. no. 8200/0-297647 of 10-04-2018 (B' 1476), among the identity elements included in the old type as well as in the new identity cards of Greek citizens are the surname of the holder's father and mother, the municipality of registration, the census number and the place of issuance of the card. Pursuant to article 3§3 of Law 1599/1986 (A' 75) (now repealed by article 144 par. b of Law 5003/2022), the competent Minister was authorized to add details of the holder to the card, but not to remove any; therefore, during the planning and implementation of the process of issuing the new cards, the above elements were also provided for in K.Y.A. no. 8200/0-297647 of 10-04-2018 (as amended and in force) as elements included in the new card. However, since it was not possible i) to remove them, in the absence of a relevant authorizing provision, nor ii) to print them on the body of the card, due to insufficient space on it, the above data are incorporated in the electronic storage medium of the document and are also kept in the electronic identity file of the Hellenic Police, as data provided and collected during the process of issuing each card; of the above data, only the surname of the holder's father and mother are included in the data provided to the Interoperability Center of the Ministry of Digital Governance, which is responsible for interoperability and the exchange of data between public bodies, in accordance with current legislation [see Law 4727/2020 (A' 184), Law 4623/2019 (A' 137) and Y.A. no. 118944 EX 2019 of 01-11-2019 (B' 3990)], b) with regard to the subjects' right of access to the data related to the issuance of identity cards of Greek citizens, the competent services of the Hellenic Police may grant the requested information as provided by the Code of Administrative Procedure (Law 2690/1999 (A' 45), as amended and in force), c) with regard to the separation of biometric data from the rest, it is pointed out that no data related to the support or implementation of e-government services is stored in the electronic storage medium incorporated in the identity cards of Greek citizens currently being issued. Finally, with the above document, EL.AS. stated that it intends to recommend in the near future the drafting of a new bill on the new type of identity cards for Greek citizens and the process of issuing them, which will regulate in a uniform manner the issues created by the parallel validity of different pieces of legislation, both during the issuance of the old and during the issuance of the new identity cards.

The Authority, after examining the elements of the file and what emerged from the hearing before it and the Ministry's memoranda, after hearing the rapporteurs and the clarifications of the assistant rapporteurs, who were present without the right to vote, and after thorough discussion,

CONSIDERED IN ACCORDANCE WITH THE LAW

1) From the provisions of Articles 51 and 55 of the General Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (hereinafter GDPR) and Article 9 of Law 4624/2019 (Official Gazette A' 137) it follows that the Authority has the competence to supervise the implementation of the provisions of the GDPR, Law 4624/2019 and other regulations concerning the protection of individuals from the processing of personal data.

2) According to article 4 par. 1 GDPR, "personal data" means "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person", while "biometric data", as defined in article 4 par.
14 GDPR, means "personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data". Biometric methods are the techniques for verifying the identity of natural persons through the analysis of their stable characteristics. Biometric methods can be classified into two categories: i. techniques based on the analysis of physical or genetic characteristics (such as fingerprints, palm geometry, iris analysis, facial features, DNA) and ii. techniques based on behavioural analysis (such as signature, voice, typing style).

3) As defined in article 4 item 7 of the GDPR, the controller determines the purposes and means of the processing of data. Fundamental to the determination of the controller is the functional criterion.[1] In public administration, hierarchy is a form of its internal organization that aims to ensure the uninterrupted continuity of its work and the coherence of the rules applied between the units and services subordinate to the higher body of the organization. Therefore, the functional criterion is in principle satisfied by the powers conferred by law on a specific authority, service or legal entity under public law. Regarding the determination of the controller in this particular case, article 11 par. 2 of Regulation (EU) 2019/1157 of the European Parliament and of the Council of 20 June 2019 on strengthening the security of identity cards of Union citizens and of residence documents issued to Union citizens and their family members exercising their right of free movement[2] provides that "For the purpose of this Regulation, the authorities responsible for issuing identity cards and residence documents are to be considered as the controller referred to in Article 4(7) of Regulation (EU) 2016/679 and are responsible for the processing of personal data." According to article 1 of Joint Ministerial Decision 8200/0-297647/2018 (Government Gazette B' 1476/27-04-2018) "Issuance of a new type of Identity Card for Greek citizens", "Competent issuing authorities. Identity cards of Greek citizens are issued by the Security Department of the place of residence of the person concerned, for the region of the Directorate of Security of Attica or Thessaloniki, and by the Sub-Directorate or the Department of Security of the place of residence of the person concerned for the rest of the country. Where such services do not exist, identity cards are issued by the Police Department which exercises security responsibilities at the place of residence of the person concerned, and where this does not exist either, identity cards are issued by the Police Sub-Directorate based in the area in question." Therefore, the Ministry of Citizen Protection, to which EL.AS. belongs, is the controller for the processing of personal data that takes place during the issuance of identity cards for Greek citizens.

4) The following provisions apply to the information contained in the new type of identity card for Greek citizens:

a) Article 3 of Regulation (EU) 2019/1157: "1. Identity cards issued by Member States shall be produced in ID-1 format and shall contain a machine-readable zone (MRZ).
These identity cards shall be based on the specifications and minimum security standards set out in ICAO Document 9303 and shall comply with the requirements set out in points (c), (d), (f) and (g) of the Annex to Regulation (EC) No 1030/2002, as amended by Regulation (EU) 2017/1954. 2. The data elements included on identity cards shall comply with the specifications set out in Part 5 of ICAO Document 9303. By way of derogation from the first subparagraph, the document number may be inserted in zone I and the designation of a person's gender shall be optional. 3. The document shall bear the title ('Identity Card') or another well-established national designation in the official language or languages of the issuing Member State, and the words 'Identity Card' in at least one other official language of the institutions of the Union. 4. The identity card shall contain, on the front side, the two-letter country code of the Member State issuing the card, printed in negative in a blue rectangle and encircled by twelve yellow stars. 5. Identity cards shall include a highly secure storage medium which shall contain biometric data consisting of a facial image of the holder of the card and two fingerprints in interoperable digital formats. For the capture of biometric identifiers, Member States shall apply the technical specifications established by Commission Implementing Decision C(2018)7767. 6. The storage medium shall have sufficient capacity and capability to guarantee the integrity, the authenticity and the confidentiality of the data. The data stored shall be accessible in contactless form and secured as provided for in Implementing Decision C(2018)7767. Member States shall exchange the information necessary to authenticate the storage medium and to access and verify the biometric data referred to in paragraph 5. 7. Children under the age of 12 years may be exempt from the requirement to give fingerprints. Children under the age of 6 years shall be exempt from the requirement to give fingerprints. Persons who are physically incapable of giving fingerprints shall be exempt from the requirement to give them. 8. Where necessary and proportionate to the aim to be achieved, Member States may enter such details and observations for national use as may be required under national law. The efficiency of the minimum security standards and the cross-border compatibility of identity cards shall not be diminished as a result. 9. Where Member States incorporate a dual interface or a separate storage medium in the identity card, the additional storage medium shall comply with the relevant ISO standards and shall not interfere with the storage medium referred to in paragraph 5. 10. Where Member States store data for electronic services such as e-government and e-business in the identity cards, such national data shall be physically or logically separated from the biometric data referred to in paragraph 5. 11. Where Member States add additional national security features to identity cards, the cross-border compatibility of such identity cards and the efficiency of the minimum security standards shall not be diminished as a result."[3]

[1] X. Akrivopoulou, X. Anthopoulos, Introduction to Administrative Law, Hellenic Academic Electronic Textbooks, 2015, Chapter 3, p. 77.
[2] https://eur-lex.europa.eu/legal-content/EL/TXT/?uri=CELEX%3A32019R1157

b) Recital 21 of Regulation (EU) 2019/1157: "This Regulation does not provide a legal basis for setting up or maintaining databases at national level for the storage of biometric data in Member States, which is a matter of national law that needs to comply with Union law regarding data protection. Moreover, this Regulation does not provide a legal basis for setting up or maintaining a centralised database at Union level."
c) Recital 43 of Regulation (EU) 2019/1157: "It is necessary to specify in this Regulation the basis for the collection and storage of data on the storage medium of identity cards and residence documents. In accordance with Union or national law and respecting the principles of necessity and proportionality, Member States should be able to store other data on a storage medium for electronic services or other purposes relating to the identity card or residence document. The processing of such other data, including their collection and the purposes for which they can be used, should be authorised by Union or national law. All national data for those purposes should be physically or logically separated from the biometric data referred to in this Regulation and should be processed in accordance with Regulation (EU) 2016/679."

d) Article 2 of N.D. 127/1969 (Government Gazette A' 29) "On the evidentiary value of police identity cards", according to which: "Identity cards include the following information: 1) Photograph of the holder. 2) Fingerprint. 3) Surname. 4) First name. 5) Father's name. 6) Mother's name. 7) Spouse's name and, in the case of a married woman, also her father's name. 8) Exact date of birth. 9) Place of birth. 10) Height (over 25 years of age). 11) Face shape. 12) Eye colour. 13) Blood group (to be completed optionally). 14) The card holder's status as a pensioner of the State or of another main insurance fund. 15) Place of permanent or temporary residence. 16) Residential address. 17) Occupation. 18) Nationality. 19) Municipality or Community in which the card holder is registered, as well as the registration number. 20) Religion,[4] and 21) Any other element determined by decision of the Minister of Public Order, published in the Government Gazette."

[3] See also the Opinion of the European Data Protection Supervisor "EDPS Opinion 7/2018 on the Proposal for a Regulation strengthening the security of identity cards of Union citizens and other documents", available at: https://edps.europa.eu/data-protection/our-work/publications/opinions/security-identity-cards-union-citizens_en
[4] See related Decision APDPX 510/17/15-05-2000, available at: https://www.dpa.gr/sites/default/files/2020-10/2000_510-17.doc; StE Ol. 2281/2001, available at: http://www.greeklaws.com/pubs/uploads/1006.pdf; ECtHR, Sofianopoulos and others v. Greece, decision on admissibility (app. no. 1988/02, 1997/02, 1977/02), available at: https://hudoc.echr.coe.int/eng#{%22fulltext%22:[%22sofianopoulos%22],%22itemid%22:[%22001-23654%22]}

e) Article 3 par. 1 of Law 1599/1986 (Government Gazette A' 75), which states: "1. Identity cards contain the following details of the holder: a. Photograph b. Surname c. First name d. Surname and first name of father e. Surname and first name of mother f. Gender g. Surname and first name of spouse h. Date of birth (day, month, year) i. Place of birth j. Nationality k. Religion l. Citizen number m. Electoral registration number n. Residential address o. Holder's signature p. Blood group q. D.I.O.S. The details of cases b and c above are also written in Latin characters (ELOT 743)." To the above paragraph 1, article 23 of Law 4647/2019 (Government Gazette A' 204) added the following subparagraph: "The identity card incorporates an electronic storage medium, which contains the holder's photograph in digital format, the details of the card's machine-readable zone, two (2) fingerprints of the index fingers of both hands of the holder and an approved electronic signature certificate, in accordance with Article 3 of Regulation (EU) 910/2014."
Furthermore, paragraph 2 of the above Article 3 provides that: "2. The information contained in the identity card in accordance with the previous paragraph must be entered, except for the information of the cases (blood group) and (D.I.O.S., Donor of Tissues and Body Organs). These data are entered only if the person concerned requests it, who in the case of the D.I.O.S. must have full legal capacity."

f) Article 3 of Joint Ministerial Decision 8200/0-297647/2018 (Government Gazette B' 1476/27-04-2018) "Issuance of a new type of Identity Card for Greek citizens", as amended by Article 1 of Ministerial Decision (YA) 8200/0-181621 (Government Gazette B' 1671/14-05-2019) and subsequently by Article 1 of Ministerial Decision (YA) 8200/0-109568 (Government Gazette B' 824/17-02-2023), according to which: "1. The identity card is of ID-1 format, dimensions 85.6 x 54 mm ± 0.75 mm, thickness up to 1 mm, in accordance with the recommendations of ICAO Doc 9303, 7th edition, and includes: the Visual Inspection Zone (VIZ), the Machine Readable Zone (MRZ) and the integrated contactless electronic storage medium, as defined in Doc 9303 of the International Civil Aviation Organization (ICAO) for machine-readable travel documents. 2. The substrate of the identity card is made of synthetic plastic (polycarbonate, PC). 3. The elements of the identity card are printed on it as defined in Appendix A of Article 14 hereof, and in particular:
3.1. Zone 1: Coat of arms of the Hellenic Republic; Name of the country (HELLENIC REPUBLIC, in Greek and in English); Type of document (IDENTITY CARD); the ICAO mark for the presence of an RFID chip; Identity number (IDENTITY NUMBER / CARD NUMBER).
3.2. Zone 2: Surname; Name; Sex (Male / Female); Date of birth; Nationality.
3.3. Zone 3: Date of issue; Date of expiry; Issuing authority; Card Access Number (CAN).
3.4. Zone 4: Signature of bearer.
3.5. Zone 5: Holder's photograph in a 37 x 30 mm frame.
3.6.
Zone 6: Father's name; Mother's name; Place of birth; Blood type (optional); Height (after reaching 24 years of age).
3.7. Zone 7: In the Machine Readable Zone of the identity card, data is printed in machine-readable characters, according to ICAO Doc 9303.
4. In the integrated electronic storage medium are stored a photograph of the holder in digital form, the data of the card's Machine Readable Zone (MRZ) and two (2) fingerprints, of the index fingers of both hands of the applicant. In the case of a person with one hand, a second fingerprint is also taken from the existing hand, in the same order as above. Permanent or temporary inability to take fingerprints, apart from cases of obvious amputation, is proven by a medical certificate bearing the signature of a doctor of the corresponding specialty, confirming the condition. In addition, the above electronic medium stores the father's surname, the mother's surname, the municipality of registration, the registry number and the place of issue of the card, while it will be possible to store the data required for Electronic Government Services, if it is decided to include them in the said medium."

5) Regarding the issue of storing biometric data in identity cards, in its judgment RL v. Landeshauptstadt Wiesbaden, Case C-61/22 [5], the Court of Justice of the EU ruled that Article 3 par. 5 of Regulation (EU) 2019/1157 does not constitute an unjustified restriction of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, read in conjunction with Article 52 par. 1 thereof.

6) With decisions 2388-91/2019 of the 4th Section of the Council of State (7-member composition), applications for annulment against the aforementioned Joint Ministerial Decision 8200/0-297647/2018 (Government Gazette B' 1476/27-04-2018) were examined.
In particular, these decisions examined the grounds challenging the expediency of choosing the specific type of police identity card and alleging a violation of the legislative and supra-legislative provisions on the protection of personal data, personality, personal freedom, free movement within the country, freedom of religious conscience and, relatedly, Article 3 of the Constitution, as well as an exceeding of legislative authorisation. With the above decisions of the Council of State it was accepted, among other things, that the data "that are stored in the contactless electronic storage medium of the new identity cards are intended exclusively for reading by the passport control devices and require (for this reading) a distance of 3-4 centimetres between the body of the card and the said device (...) the embedded contactless electronic storage medium is protected by an access control mechanism, which denies access to its contents if the reader control system cannot prove that it is authorised to access that embedded contactless electronic medium, and such proof is provided through a cryptographic protocol, which proves that the machine-reading control system knows the information coming from the data page of the machine-readable travel document; the machine-reading control system must receive this information, which is provided by visual contact with the electronic travel document (from the machine-readable zone), before it is able to read the contactless electronic medium (...)".
Footnote 5: Judgment RL v. Landeshauptstadt Wiesbaden, 21 March 2024, C-61/22, available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62022CJ0061
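The safeguard quoted above (a reader must prove knowledge of data printed in the machine-readable zone before the chip releases anything) matches ICAO Doc 9303 Basic Access Control, in which the chip access keys are derived from three MRZ fields; the decision does not name the protocol, so that identification is an assumption. The following Python example is added here and is not code from the decision or from the Hellenic Police; it uses the sample MRZ values of the ICAO Doc 9303 worked example and stops at key derivation, without the subsequent challenge-response exchange.

```python
"""Added example (not part of the HDPA decision or of any official system):
deriving the chip access keys from fields optically read from the MRZ,
per ICAO Doc 9303 Part 11 Basic Access Control (BAC). Treating the
"cryptographic protocol" in the Council of State's description as BAC is
an assumption made for this illustration.
"""
import hashlib


def mrz_check_digit(field: str) -> int:
    """ICAO 9303 check digit: weights 7, 3, 1 repeating; digits count as
    their value, letters A-Z as 10-35, the filler '<' as 0; sum modulo 10."""
    weights = (7, 3, 1)
    total = 0
    for position, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        elif ch == "<":
            value = 0
        else:
            raise ValueError(f"invalid MRZ character {ch!r}")
        total += value * weights[position % 3]
    return total % 10


def mrz_information(document_number: str, birth_date: str, expiry_date: str) -> str:
    """Concatenate document number, date of birth and date of expiry (YYMMDD),
    each followed by its check digit. This is the MRZ_information string that
    both BAC and the MRZ-password variant of PACE feed into SHA-1."""
    return "".join(
        f"{field}{mrz_check_digit(field)}"
        for field in (document_number, birth_date, expiry_date)
    )


def adjust_parity(key: bytes) -> bytes:
    """Force odd parity on every byte, as DES/3DES key bytes require: the
    least significant bit is set so the byte has an odd number of ones."""
    adjusted = bytearray()
    for byte in key:
        ones_in_upper_bits = bin(byte >> 1).count("1")
        adjusted.append((byte & 0xFE) | (0 if ones_in_upper_bits % 2 else 1))
    return bytes(adjusted)


def derive_bac_keys(document_number: str, birth_date: str, expiry_date: str) -> tuple:
    """Return (K_ENC, K_MAC), the two 2-key 3DES keys (16 bytes each) used for
    BAC mutual authentication and secure messaging. K_seed is the first 16
    bytes of SHA-1(MRZ_information); each key is the first 16 bytes of
    SHA-1(K_seed || 32-bit counter), counter 1 for encryption and 2 for MAC,
    with DES parity adjusted."""
    info = mrz_information(document_number, birth_date, expiry_date)
    k_seed = hashlib.sha1(info.encode("ascii")).digest()[:16]
    keys = []
    for counter in (1, 2):
        digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
        keys.append(adjust_parity(digest[:16]))
    return keys[0], keys[1]


if __name__ == "__main__":
    # Sample MRZ fields: the values used in the ICAO Doc 9303 worked example.
    correct = derive_bac_keys("L898902C<", "690806", "940623")
    # A reader that has not seen the data page and has one character wrong
    # derives different keys, so the chip's challenge-response check fails
    # and no content is released.
    wrong = derive_bac_keys("L898902C<", "690806", "940624")
    print("K_ENC:", correct[0].hex(), "K_MAC:", correct[1].hex())
    print("keys match with a wrong expiry date:", correct == wrong)
```

The Card Access Number (CAN) printed in Zone 3 of the Greek card points to the newer PACE protocol, whose MRZ-based password is the SHA-1 of the same MRZ_information string, so the dependence on optical reading of the data page is the same.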
Furthermore, with the above-mentioned decision 2388/2019 of the Court, the relevant application for annulment was partially accepted and the said Joint Ministerial Decision was annulled only to the extent that it provided that the integrated contactless electronic storage medium included in the new type of identity card stores (also) "the data required for e-government services". In this regard, the Court ruled that e-government services have a very broad content, that the above data are not critical for proving the identity of Greek citizens and cannot be considered to be linked to the holder's additional data under the authorising provisions for the issuance of the said Joint Ministerial Decision (Article 3 of Law 1599/1986), and that the storage of these data is therefore not supported by the relevant authorising provisions. Following this decision of the Council of State, Article 3 of Law 1599/1986 was supplemented by the aforementioned Article 23 of Law 4647/2019 (Government Gazette A' 204).

7) According to Article 5 par. 1 items a), c) and f) GDPR: "1. Personal data shall be: a) processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency"), (...) c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimisation"), (...) f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ("integrity and confidentiality")", while according to paragraph 2 of the same Article "The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ("accountability")". Furthermore, Article 6 para.
1 of the GDPR provides, among other things, that processing is lawful only if at least one of the following conditions applies (legal bases of the processing): "a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes, (...) c) processing is necessary for compliance with a legal obligation to which the controller is subject, (...) e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (...)".
Footnote 6: http://www.adjustice.gr/webcenter/portal/ste/pageste/epikairotita/apofaseis?
Footnote 7: In particular, according to Article 23 of Law 4647/2019: "At the end of paragraph 1 of Article 3 of Law 1599/1986 (A' 75), a subparagraph is added as follows: "The identity card incorporates an electronic storage medium, which contains the holder's photograph in digital format, the details of the machine-readable zone of the card, two (2) fingerprints, of the holder's index fingers of both hands, and an approved electronic signature certificate, in accordance with Article 3 of Regulation (EU) 910/2014.""

8) Furthermore, in order to ensure the principle of transparency of processing, Article 12 par. 1 GDPR states that: "The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means.
When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means", while paragraph 2 of the same Article states that "the controller shall facilitate the exercise of data subject rights under Articles 15 to 22". In addition, Articles 13 and 14 GDPR regulate the controller's obligation to provide information where personal data are collected from the data subject (Article 13 GDPR) and where personal data have not been obtained from the data subject (Article 14 GDPR).

9) In addition, with regard to the controller's information obligation, recital 40 of Regulation (EU) 2019/1157 states: "Regulation (EU) 2016/679 of the European Parliament and of the Council applies as regards the processing of personal data in the context of the application of this Regulation. It is necessary to further clarify the safeguards applicable to the processing of personal data, and in particular sensitive data such as biometric data. Data subjects should be informed that there is a storage medium in their documents that contains their biometric data and is accessible contactlessly, and they should be aware of all cases in which the data contained in their identity cards and residence documents are used. In any case, data subjects should have access to the personal data processed in their identity cards and residence documents and should have the right to have them rectified by way of issuing a new document where such data are incorrect or incomplete (...)".

10) Regarding the obligations of the controller, Article 24 par. 1 GDPR states that: "1.
Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.", while Article 25 par. 1-2 GDPR states that: "1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. 2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons."

11) Furthermore, according to Article 35 par.
1 GDPR: "Where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.", while according to paragraph 3 of the same Article: "A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of: a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; b) processing on a large scale of special categories of data referred to in Article 9 paragraph 1, or of personal data relating to criminal convictions and offences referred to in Article 10; or (...)", and according to paragraph 4 of the same Article: "The supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1. (...)". The Authority, pursuant to Article 35 par. 4 GDPR, has drawn up and published a list of the types of processing operations that are subject to the requirement to carry out a data protection impact assessment pursuant to paragraph 1 (Decision 65/2018). Decision 65/2018 states that carrying out a data protection impact assessment (DPIA) is considered mandatory when at least one of the criteria of the 1st or 2nd category of processing grouping is met.
In the 2nd category, item 2.2.3 refers to "data relating to a national identity number or other identifier of general application, or a change in the terms and conditions of processing and use of these and related personal data", a category into which the processing in question falls.

12) Regarding the provision of information to data subjects, as required by the principle of transparency, in relation to the issuance of the new identity card, the Hellenic Police (EL.AS.) argued before the Authority, in its memorandum with Authority protocol no. C/EIS/455/19-01-2024, that relevant information has been posted on its website. On reviewing the relevant section of the website (https://www.astynomia.gr/odigos-tou-politi/dikaiologitika/ekdosi-deltiou-taftotitas/enimerosi-gia-tin-epexergasia-dedomenon-prosopikou-charaktira-apo-ti-diefthynsi-kratikis-asfaleias-archigeiou-ellinikis-astynomia) [8], an information text on the specific processing of personal data is found, which is available to citizens. However, on the one hand, this information was not posted on the website until the end of February 2024 (although the issuance of the new type of card had already started in September 2023); on the other hand, the posted information contains incorrect references, in particular an incorrect legal basis with regard to biometric data, since "express active consent" is mentioned, which cannot constitute a valid legal basis for the processing in question, given that the obligation to obtain an identity card derives from a provision of mandatory law applied in the exercise of public authority (Article 6 par. 1 items c) and e) GDPR), while consent, in order to be a valid basis, must be freely given (Article 4 item 11 GDPR) and should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment (see GDPR recital 42).
In addition, the said information also refers to Article 46 of Law 4624/2019 regarding the processing of special categories of data, but the provisions of that Article refer to processing carried out by EL.AS. exclusively for the purposes provided for in Article 43 of that law [9] and do not apply to the processing at issue. Furthermore, the relevant information text, which according to the memorandum with Authority protocol no. C/EIS/455/19-01-2024 "has been forwarded to all the issuing authorities of the country, in order to be posted at a visible point in the issuing office, with the aim of fully informing the data subjects before the submission of an application for the issuance of an identity card", was not presented to the Authority.
Footnote 8: Access dates 12/3/2024, 30/4/2024.
Footnote 9: Namely for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

13) With reference to the information contained in the new identity card, it appears that, besides the photograph and fingerprints, the integrated electronic storage medium (chip) stores the father's surname, the mother's surname, the municipality of registration, the registry number and the place of issue of the card. These data are not among the mandatory data under Article 3 par. 5 of Regulation (EU) 2019/1157, and their inclusion in the new identity card arises, according to the controller's claims, from the application of national legal provisions, which also include elements that have been found unlawful and/or unconstitutional (see Council of State (Plenary) decision 2281/2001), without at least one law having been expressly repealed or amended. In addition, from Article 3 par.
10 of Regulation (EU) 2019/1157 it follows that national data stored on the embedded storage medium must relate to electronic services, whereas in this case the additional data are simple identification details for which, according to the controller's claims, there was not enough space on the face of the identity card. In any case, the controller did not document, neither in its memorandum nor in the context of preparing the DPIA, its purposes for processing these elements, with the consequence that the necessity of including these data on the medium is not established. In particular, the controller submitted no documented answers to the question of how the above data are accessed and edited on the electronic medium, by which means, for which purposes and by which bodies.

14) In accordance with the requirements of Article 35 par. 1 GDPR and with the principle of data protection by design and by default, the data protection impact assessment must be carried out at the latest before the start of the processing. In the present case, the controller had not carried out an assessment of the impact of the planned personal data processing operations for "national purposes" before starting to issue the new identity cards.

15) In view of the foregoing considerations, the controller violated Articles 13 and 14 GDPR, due to the absence of information for a long period, as well as due to incorrect information in the citizen information text, which was posted late on the controller's website. Furthermore, the controller did not document, not even through the DPIA, compliance with the principle of data minimisation with respect to the specific elements contained in the electronic storage medium, as analysed in the above considerations, in violation of its obligations under Article 24 GDPR.
Furthermore, the controller violated Article 35 par. 1 GDPR, since it did not carry out the required impact assessment before the processing, but only after its start and only following the relevant communication from the Authority, while the impact assessment does not appear to have identified all the risks, as can be seen from the violations identified above. Based on the above, the Authority considers that there are grounds to exercise its corrective powers under Article 58 par. 2 GDPR and Article 39 par. 1 of Law 4624/2019 in relation to the established violations, and that, based on the circumstances established, an effective, proportionate and dissuasive administrative fine should be imposed pursuant to Article 58 par. 2 item i) GDPR and Article 83 GDPR, both to restore compliance and to prevent unlawful conduct. Furthermore, the Authority took into account the criteria for determining the fine, which are defined in Article 39 par.
2 of Law 4624/2019, which applies to this case, the Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679 adopted on 03-10-2017 by the Article 29 Working Party (WP 253), as well as Guidelines 04/2022 of the European Data Protection Board on the calculation of administrative fines under the GDPR, as well as the actual facts of the case under consideration, on the basis of which the gravity of the violation is considered serious, assessing in particular:
• that the nature of the violations concerns the controller's accountability obligations but also the rights of data subjects under the GDPR,
• that the processing concerns a core activity of the controller (issuance of identity cards),
• the large number of affected data subjects, which in fact are all Greek citizens, who are required to hold an identity card,
• that the purpose of the processing is legitimate and that the processing does not appear to give rise directly to serious consequences for the data subjects,
• the fact that the controller took, following the intervention of the Authority, concrete steps in the right direction, such as carrying out the impact assessment and informing citizens, but without these having been properly implemented in their entirety, as analysed in the above considerations.

FOR THESE REASONS THE AUTHORITY

A. Imposes, pursuant to Article 58 par. 2 item i) GDPR, on the Ministry of Citizen Protection, as controller, a fine of fifty thousand (50,000) euros for the violation of Articles 13 and 14 GDPR.
B. Imposes, pursuant to Article 58 par. 2 item i) GDPR, on the Ministry of Citizen Protection, as controller, a fine of one hundred thousand (100,000) euros for the violation of Article 35 par. 1 GDPR.
C. Orders, pursuant to Article 58 par. 2 item
d) GDPR, the Ministry of Citizen Protection, as controller, to take the following actions:
- To document, while also updating the corresponding DPIA, the need to include in the electronic medium data other than those required by European legislation.
- Based on the results of the above documentation, to take the appropriate actions to adjust the processing regarding the issuance of identity cards, within six (6) months from the notification of the present decision, informing the Authority accordingly, so that the identity cards issued henceforth comply with the provisions of this Decision.

Notwithstanding the validity of the identity cards whose issuance is based on the current legal framework, as described above, the Authority highlights the obligation to update and codify the legal framework regarding the data in the new form of identity cards of Greek citizens and the process of issuing them, so that the issues that have been created, on the one hand by the repeal of relevant provisions and on the other hand by the parallel validity of different pieces of legislation, both when issuing the old and when issuing the new identity cards, are regulated in a uniform manner, taking into account the individual issues analysed in this Decision.

The President
Konstantinos Menudakos

The Secretary
Irini Papageorgopoulou