HDPA (Greece) - 27/2020

From GDPRhub
HDPA - 27/2020
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 32 GDPR
Article 58(2)(d) GDPR
Article 9 Council Decision 2008/633/JHA
Type: Investigation
Outcome: Violation Found
Decided: 11.08.2020
Fine: None
Parties: Ministry of Foreign Affairs
National Case Number/Name: 27/2020
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: n/a

The Hellenic Data Protection Authority (HDPA) ordered the Ministry of Foreign Affairs to comply with its recommendations regarding the security issues it identified in the Visa Information System (VIS).

English Summary


The HDPA ran an on site audit at the Ministry of Foreign Affairs as being the data controller according to VIS Regulation and VIS Decision. VIS is an information system for exchanging data among states within Schengen area with an aim to improve common VISA policies. The audit was focused on security issues, which are provided for in Article 32 GDPR and Article 32 of VIS Regulation. Further security requirements are provided for in Article 9 of Council Decision 2008/633/JHA (VIS Decision). Fundamental element of the system is a central database which contains personal data including special categories.



The HDPA prepared a detailed analysis of the findings arisen from the audit as well as of the relevant risks, which is however included in a final confidential report. Based on these findings, the HDPA ordered the Ministry of Foreign Affairs to comply with its recommendations that are included in the confidential report according to Article 58(2)(d) GDPR and inform the HDPA accordingly.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.