HDPA (Greece) - 27/2023

From GDPRhub
HDPA - 27/2023
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(e) GDPR
Article 206 Law 4820/2021
Type: Complaint
Outcome: Partly Upheld
Started: 12.01.2022
Decided: 13.07.2023
Published: 13.07.2023
Fine: n/a
Parties: "A"
Athens Medical Association (AMA)
National Case Number/Name: 27/2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: DPA (in EL)
Initial Contributor: Evangelia Tsimpida

The Athens Medical Association (AMA) collected its members' Covid-19 vaccination certificates to comply with domestic public health legislation. The Hellenic DPA (HDPA) held that the processing carried out by was lawful for the purposes of Article 6(1)(e) GDPR.

English Summary


On 12 January 2022, a doctor and member of the Board of the Athens Medical Association (AMA) submitted a complaint to the Hellenic DPA (HDPA) against the Athens Medical Association. The complaint alleged the illegal collection of the AMA members' Covid-19 vaccination certificates. The AMA had requested its members who managed private practices to electronically send their Covid-19 vaccination certificates and upload them to an electronic platform created by the Athens Medical Association.

In their complaint to the HDPA, the data subject requested the HDPA to prohibit the AMA from collecting members' Covid-19 vaccination certificates or, in any event, if the collection was deemed lawful, to order the AMA bring their processing into compliance with the GDPR.

The HDPA contacted the AMA and requested more information from them about their vaccination certificate collection. The AMA replied that the collection was carried out under Articles 6(1)(e) and 9(1)(i) GDPR, in line with Article 206 of Law No. 4820/2021 which prescribed the mandatory vaccination of staff employed in health care. The AMA stated that the purpose of the processing was to allow it to fulfil its duties in inspecting the compliance of health care institutions and professionals under its responsibility.


The HDPA held that the processing carried out by the AMA was lawful for the purposes of Articles 5(1)(a) , 6(1)(e) and 9(2)(i) GDPR, but that the AMA had retained the certificates beyond the retention period prescribed by Article 5(1)(e) GDPR.

Firstly, in relation to Articles 5(1)(a) , 6(1)(e) and 9(2)(i) GDPR the HDPA took into account Article 206 of Law No. 4820/2021. It held that Article 206 of Law No. 4820/2021 fulfilled the requirements of Article 6(3)(b) GDPR, as it provided for the overriding public interest of protecting public health workers against the Covid-19 virus.

Secondly, in relation to the transparency requirements under Article 5(1)(a) GDPR, the HDPA held that the platform used by the AMA for uploading the certificates was lawful as it informed the AMA members of the purpose of collection and the legal bases relied upon for the processing (Articles 6(1)(e) and 9(2)(i) GDPR).

Thirdly, in relation to Article 5(1)(e) GDPR, the HDPA found that the AMA no longer had any reason to retain its members' Covid-19 vaccination certificates, as the period of retention necessary for the purposes of processing had expired.

As a result, the HDPA held that the collection of the Covid-19 vaccination certificates was permissible, in the then exceptional circumstances, for the protection of public health and in the context of the fulfilment of the AMA's legal responsibilities. However, it noted the expiry of the retention period, and ordered the AMA to erase any data retained relating to the vaccination certificates.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

The Authority, on the occasion of a submitted complaint, examined, within the framework of its ex officio competence, the legality of the collection by the Athens Medical Association of the vaccination certificates against the covid-19 coronavirus of its doctors - members, as scientific managers of PPH institutions, as applicable of the provisions of article 206 of Law 4820/2021 and the relevant regulations of the under no. D1a/GP.oc. 52796 (Government Gazette Β΄3959/27.08.2021) KYA and ruled that for the proposed purpose of processing, i.e. to assist in the exercise of the authority of the Association of compliance of PPH institutions with the special health provision of article 206 of Law 4820/2021, for the sake of service overriding and compelling public interest related to the protection of public health, there is no reason to retain the disputed personal data.