HDPA (Greece) - 31/2023

HDPA - 31/2023
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(c) GDPR
Type: Complaint
Outcome: Upheld
Started: 22.09.2022
Decided: 11.10.2023
Published:
Fine: 1000 EUR
Parties: n/a
National Case Number/Name: 31/2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: Inder-kahlon

DEYA X violated the data minimization principle of Article 5(1)(c) GDPR by sharing an employee's personal and health data with multiple recipients without proper justification. The HDPA ordered DEYA X to create internal policies to ensure GDPR compliance and imposed a fine of 1,000 euros.

English Summary

Facts

Inter-municipal Water Supply - Sewerage Company X (DEYA X) is the data controller in a case concerning a violation of the GDPR. DEYA X processed the personal data of an employee, specifically health data relating to her (a certificate of a positive coronavirus diagnostic test). This processing involved sending emails and documents to various recipients, both within and outside DEYA X, without proper justification or necessity.

The employee contends that the data was initially shared for the purpose of taking sick leave and should not have been further processed, while DEYA X maintains that there was a legitimate necessity for the data disclosure.

Holding

After hearing both parties by video conference on 21 June 2023 and giving them time to submit additional evidence, the data protection authority held that DEYA X violated the data minimization principle under Article 5(1)(c) of the GDPR by inappropriately sharing personal and health data, both within the organization and with external authorities.

DEYA X was found to have failed to implement adequate internal policies and procedures regarding data access and sharing. The Authority ordered DEYA X to establish internal policies to comply with the GDPR within 3 months and imposed a fine of 1,000 euros.


English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

DECISION 31/2023 The Personal Data Protection Authority met in a composition of the Department via teleconference on 04-10-2023 at the invitation of its President, in order to examine the case referred to in the history of the present. Georgios Batzalexis, Deputy President, in the absence of the President of the Authority, Constantinos Menoudakos, the regular member, Konstantinos Lambrinoudakis, the alternate member Maria Psalla, in place of the regular member, Grigorio Tsolia, who, although he had been legally invited in writing, was absent due to disability and the substitute member, Nikolaos Livos as rapporteur according to articles 3 para. b' and 8 para. 2 of the Regulation of Operation of the Authority. The meeting was attended by order of the President, Kyriaki Karakasi, legal auditor - lawyer, as assistant rapporteur and Irini Papageorgopoulou, employee of the Authority's administrative affairs department, as secretary. The Authority took into account the following: With the no. prot. C/EIS/10340/22-09-2022 her complaint A complains that an illegal disclosure of her health data to third parties took place. In particular, he states that on 03-23-2022 he sent to the already denounced Intermunicipal Water Supply and Sewerage Company X (hereafter DEYA X), where he serves as an employee of TE Civil Engineering, a Certificate of Positive Diagnostic Test for Corona Virus COVID-19, registering the result of the molecular control to which he already submitted on 03-22-2022, while on 03-24-2022 he was informed by the competent Civil Protection Service that he had to remain in isolation for five (5) days after the diagnosis. However, on the expiry date of the five-day isolation, i.e. 28-03-2022, according to the complainant's claims, her attending physician recommended that she take a five-day leave due to her fatigue after the symptoms of the coronavirus subsided. 
Subsequently, on 03-29-2022 and while the complainant's relevant License Bulletin had been issued for the period from 03-28-2022 to 04-01-2022, she herself came, after carrying out a self-diagnostic test that was negative, as stated in the complaint, to the premises of the complainant in support of a matter that concerned her and would be discussed before the Board of Directors of DEYA X. In fact, according to the complaints, the President of the due to the Board of Directors informed the complainant that she could appear if she wished. The complainant notes that when she came, the Secretary of the Board of Directors was verbally informed of the fact of her illness in the previous period due to the fact that she was asked about it in front of her by the Director of the Administrative - Financial Service of DEYA X. In the case of the complainant, seven persons were present for life, including the General Director of DEYA X. In addition, according to the complaint, on 03-30-2022, DEYA X was requested to send the result of the self-diagnostic control, to which the complainant was submitted during date of the above meeting of the Board of Directors. It is noted that the complainant, responding to the request for collection by DEYA X of the result in question, sent the latter on 03-30-2022 to the e-mail address of the complainant's staff. Furthermore, the General Director of DEYA X on 31-03-2022 sent an electronic message to the Personnel Department of DEYA X, the President and the Secretariat of the Board of Directors of DEYA X, the Director of Administration and Finance as well as the Head of her Administrative Department as of the above complainant referring in detail to the complainant's appearance before the above Board of Directors from 29-03-2022 and addressing the question to the Head of the Administrative Department as to whether the complainant had posted on the day of her appearance before the Board a Certificate of Negative Diagnostic Test for Corona Virus COVID-19, in the context of an "informal", as he notes, relevant rule. 
And according to the allegations of the complainant, the e-mail in question in no way served the purpose of informing the members of the Board of Directors of DEYA X, as the live meeting with her presence had already taken place, while it is noted, among other things, in the context of the examination of a complaint that the General Manager never informed the employees of DEYA X in writing informing them of any "informal rules" regarding the procedure for returning sick employees to the facilities of the complainant. In addition, it is emphasized that the recipient of the General Director's message in question due to the nature of the question that was raised, i.e. whether a certificate of a negative corona virus test was registered, was the Head of the Administrative Department and therefore notification to the other recipients was unnecessary. Subsequently, according to the complaints, the General Director of DEWA X sent to the Autonomous Directorate of Civil Protection of Region Ψ, the letter with no. first ... document, with which information was requested regarding the determination of the measures that DEYA X must take in order for its actions to be in line with the urgent measures to deal with the negative consequences of the emergence of COVID-19 and the need to limit the spread of, while at the same time information was requested as to whether the complainant's lifetime participation in the 29-03-2022 meeting of the Board of Directors of DEYA X was legalized. The General Director presented in the above document to the above-mentioned Directorate of Region P a detailed medical history of her of the complainant by attaching, among other things, the results of the relevant earlier diagnostic tests to which the complainant had submitted, as well as the medical opinions that the latter had submitted to her Service. 
In fact, the same document that the General Director of DEYA X addressed to the aforementioned Directorate, she forwarded it further, including, in fact, the attached documents that accompanied it, as stated above, to the members of the Board of Directors of DEYA X. Moreover, as noted by complainant, the attached documents included her data such as her Social Security Registration Number, her Tax Registration Number and her contact telephone number, for the disclosure of which to third parties and even without her consent, there was no reason. In response to the above document4 of DEWA X, the above Autonomous Directorate with no. prot. ... document pointed out that the only bodies responsible for tracking are the General Secretariat of Civil Protection and the National Public Health Organization, which exclusively collect, process and manage the data of confirmed cases of COVID-19, referring at the same time to no. 6214/23-12-2021 vol. 2 Official Gazette with its amendments for the applicable measures and isolation procedures. In view of the above, the complainant complains about illegal processing of the above special category of data concerning her health, in that they were disclosed to third parties without her prior information and consent, although, in fact, the sole purpose for which she disclosed said data to already reported MONDAY X was the taking of sick leave. Besides, according to the complainant's claims, her details could have been deleted from the above documents that concerned her and disclosed to third parties, as stipulated. 
With reference to the facts that followed the above disputed processing of the complainant's personal data, the latter states that with her application dated 23-05-2022 to the Data Protection Officer of DEYA X, she requested, among other things, to be notified of the how much the Data Protection Officer himself was aware of the disclosure and further transmission to third parties of the data concerning her health as well as of the purpose of the processing in question. Furthermore, with the aforementioned application, the complainant stated to DEYA X, on the one hand, that she wishes to limit the processing of the data related to her state of health, on the other hand, that she "opposes their deletion", as she has objections to their processing, according to with article 21 par. 1 of the GDPR, which is based on article 6 par. 1 item or GDPR. In his reply dated 24-05-2022, the Data Protection Officer of DEYA X stated that he had not received knowledge of the incident cited by the complainant, while with his reply dated 30-05-2022 to the complainant, he provided the latter with the following information: "...as regards the Employee's health data, these are processed by DEYA X for the purpose of providing sick leave or if they are necessary for the provision of the Employee's services to DEYA X. Their processing may5 is necessary based on labor law and social security law, as well as to confirm their suitability for the specific job position in the context of the periodic medical check-up carried out by the Occupational Doctor". Subsequently, it is stated that on 06-03-2022, the request to object to the disputed processing as well as the request to limit the processing of the complainant's personal data were notified to DEYA X through the Data Protection Officer. With no. first ... 
her application to DEYA X, the complainant reinstated the above requests for opposition and restriction of processing, after requesting to be informed, among other things, about the legality and the purpose for which the disclosure and transmission to third parties took place of her health data. Subsequently, DEVA X with no. first ... document he sent to the complainant argued, among other things, that both the Board of Directors of DEYA X as well as the General Manager and the Financial Director exercise management and therefore this requires access, processing and control of personal data of the staff for the achievement of the intended purpose in the context of exercising effective administration. With regard to the transmission of the disputed data of the complainant to Region P, DEYA X claims that the processing was lawful, as it took place on the basis of article 24 par. 1 c.  a' and d' of Law 4624/2019, while ending up inviting the complainant to provide explanations regarding how official documents and electronic messages concerning her and of which she was not the recipient came to her knowledge. In addition, in the context of the complaint under consideration, it is mentioned, among others, the no. first ... letter from DEYA X to the Autonomous Directorate of Civil Protection of Region Ψ, with which, according to the complaints, the request to restrict and object to the processing of personal data of the complainant was accepted. The Authority, in the context of examining the above complaint, with no. prot. C/EX/3100/05-12-2022 its document, requested from DEYA X clarifications on the complainants, calling on the latter to take a position in particular regarding the controversial processing of the complainant's health data (i.e. 
her according to the allegations of the notification of these both to the members of the Board of Directors of DEYA X as well as to the Director of Administration and Finance, as well as to the Department of Civil Protection of the Region6 Ψ), to clarify whether the information took place on behalf of the Data Protection Officer of their Service (providing any existing relevant documents) as well as to determine how the health data of the complainant first came to the knowledge of the Director of Administration and Finance, namely on 29-03-2022. Subsequently, the Authority, in the context of examining the complaint in question, with no. prot. C/EX/3101/05- 12-2022 document requested clarifications from the Autonomous Directorate of Civil Protection of Region Ψ, asking it, in particular, to specify which data of the complainant may be processed by reason of competence, in the context of the latter's illness from COVID-19, as well as to state the actions it has taken regarding the case of the complainant since the receipt of the first relevant document received, i.e. from 04-1-2022 until the date of receipt of the above document from the Authority, providing any existing relevant documents. Following this, with the no. prot. C/EIS/12638/16-12-2022 its response document, DEYA X, after repeating the complainant's medical history, briefly mentions, among other things, the following: first of all, she notes that the complainant was not legalized as she was processing and in particular, receipt and reference to a document addressed by the latter to DEYA X of e-mail messages between members of the board of the complainant and its staff and which concerned the complainant. 
Next, regarding the passing of the health data of the complainant to the knowledge sphere of the Financial Director of DEYA X, DEYA X points out that due to the nature of the latter's responsibilities regarding the preparation of payroll and the granting of permits, it became necessary for him to process the disputed data of her complainant. It is argued that the said Director's verbal reference to the state of health of the complainant in front of both the latter and another employee of the staff of DEYA X, escapes the scope of the GDPR. In addition, reference is made to no. prot. (DEYA X) ... document of the Autonomous Civil Protection Department of Region Ψ, according to which no further processing of the complainant's data took place on behalf of the latter. With reference to the disputed notification to the Autonomous Directorate of Civil Protection of Region Ψ, DEYA X notes that it was legal, insofar as the Service in question processes relevant data of patients with coronavirus and therefore already7 knew the above data of the complainant, while it took place on the basis of the provision of article 24 par. 1 par. a and d of Law 4624/2019. The complainant further points out that with no. 7672/24-06-2022 document she requested from the said Independent Directorate that the file related to the complainant's case be returned to her as well as any copies thereof to ensure and limit any further processing. To this end, it cites the response of the above-mentioned Independent Directorate, which confirms for its part that the disputed documents concerning the complainant have not been forwarded to third parties, no employee or third party had access to the contents of the file relating to the complainant's case and no processing of its disputed data has taken place. 
In addition, the complained DEYA X reiterates the allegation of the necessity of passing the data in question both to the Board of Directors of DEYA X, as well as to the General Director and the Director of Administrative - Finance in the context of effective administration. The complainant adds that the relevant information was also given for the sake of protecting the health of the members of the Board of Directors, while she mentions that it was the complainant herself who presented to the Service the medical certificate of her illness with coronavirus, disclosing in this way her medical condition. Finally, the Autonomous Directorate of Civil Protection of Region Ψ with no. prot. C/EIS/12636/16-12-2023 her reply to the Authority, clarified that the Director of the Service in question received a sealed envelope with the documents that were forwarded to him by the complained DEYA X and related to the complainant, mentioning also the no. first ... their relevant reply document, according to which they referred DEYA X to the General Secretariat of Civil Protection and the National Public Health Organization as entities that exclusively process the data of confirmed cases of coronavirus as well as to the applicable regulatory provisions for the measures and isolation procedures. Subsequently, the said Autonomous Directorate confirms that it received the above-mentioned no. first ... document from DEYA X to which he answered the following: "a) these data have not been transmitted to third parties, either in paper or digitally, to natural or legal persons by applying the relevant legislation on the protection of personal data without regulation. 
b) No person from our Service or a third party had in any way8 access to both the content and the written information of the data received, since there was a relevant care on the part of the Director and c) The data contained in the file have not been subjected to absolutely no form of processing and are kept strictly in their original form and condition". Finally, the above-mentioned Independent Directorate states that with their reply document to DEYA X, the disputed file was also returned to the latter, since the Directorate lacked any other competence regarding the disputed case. Following this, the Authority called with no. prot. C/EXE/1503/12-06-2023, C/EXE/1507/12-06-2023 and C/EXE/1509/12-06-2023 summons the complainant, the Autonomous Directorate of Civil Protection of Region P and the complained of, respectively, in a hearing, so that they can be heard at the 21-06-2023 meeting via video conference of the competent Department. At the above meeting, the complainant appeared through her attorney, Anna Konstantopoulou, (with the Athens Board of Directors...), and the complained DEYA X was represented by the chairman of its Board of Directors, B, while the General Manager of DEYA X was also present. , C, the Head of the Directorate of Administrative - Financial Services of DEYA X, D as well as the attorney of the complainant, Nikolaos Kaptanis, (with AM DS ...). The Data Protection Officer of DEWA X, E, was also present, in case there was a need for further clarifications. The Autonomous Directorate of Civil Protection of Region Ψ was represented during the hearing by its Director, F, who, after repeating what was supported and in no. prot. C/EIS/12636/16-12-2022 document he had addressed to the Authority, he answered the questions put to him before the Department of the Authority arguing, among other things, that the file in question concerning the complainant has been returned to DEYA X, without any processing having taken place on behalf of its Service. 
He also emphasized that during the time that passed until the disputed file was returned to DEYA X, the latter was kept without access to it by anyone other than the Director and after confirming that at the present time no data is kept in the file of his Service that to concern the complainant, he left the teleconference with the consent of the President of the Department. After the aforementioned hearing, both the complainant and the accused DEYA X were given a deadline to submit any memoranda to further support their claims until 07-07-2023. Subsequently, the complainant timely submitted the no. first C/EIS/5024/06-07-2023 her memorandum, in which she states, among other things, that according to the letter dated 09-09-2022 she received from the Data Protection Officer of DEYA X, the purpose of the processing of health data of the complainant's employees is the provision of sick leave or the provision of services to DEYA X. The complainant points out that the organs of the complained-of Intermunicipal Enterprise as a special public purpose that operates as a legal entity under private law of a public benefit nature, governed by the rules of the private economy, they are not administrative bodies and their acts or omissions do not concern the exercise of public authority. It is emphasized that both DEYA X and the Autonomous Directorate of Civil Protection of Region P are not responsible for the monitoring, evaluation, tracing, control of the coronavirus epidemic, as well as that the aforementioned Autonomous Directorate and the members of the Board of DEYA X are not are authorized as they receive the health data of the complainant. Finally, the complainant, after summarizing again the facts of the disputed day of the meeting of the Board of Directors of DEYA X, clarifies that the issue that would be discussed and concerned her, was related to an official issue of filling a position of responsibility ( see pp. 19-21 of the hearing of the complainant's memorandum). 
 The complained-about DEYA X timely sent the no. prot. C/EIS/5059/07-07-2023 her memorandum with which, after reiterating most of these allegations with the above no. prot. C/EIS/12638/16-12-2022 her document to the Authority, briefly notes, among other things, the following: It is pointed out by DEYA X that the complainant presented during the controversial meeting of the Board of Directors on 29-03-2022 a different picture of her state of health from that certified after a clinical examination by the doctor, who diagnosed in his opinion dated 03-28-2023 that the complainant was suffering from coronavirus with symptoms of fever and fatigue. The complainant reiterates the allegation of legal notification of the complainant's data to the Independent Directorate of Civil Protection of Region Ψ, as the latter processes relevant personal data, so it already knew the complainant's data. In fact, DEYA X also refers to the difficulty of ascertaining the competent agency or the correct law to apply due to the complex national legislative framework. Subsequently, the complainant10 repeats the content of No. first ... document of the Autonomous Directorate of Civil Protection of Region Ψ concluding that there was no violation of the legislation on personal data, as it is confirmed that the communicated data of the complainant was not processed by the aforementioned Directorate. Furthermore, DEYA X supports the legal nature of the notification of the complainant's data to the above Directorate in the provision of article 24 par. 1 sub. a' and d' of Law 4624/2019. With reference to the disputed (after the fact) informing the executives of DEYA X about the health status of the complainant, DEYA X considers it reasonable especially in view of the fact that some members of the Board of Directors are under immunosuppression. 
In addition, the complainant points out that the Finance Director of DEYA X is in charge of payroll and licensing and is therefore legally processing the complainant's disputed health data. Next, DEYA X notes that its Board of Directors as well as the General Manager and the Financial Director process employee data in the context of effective management. And within the aforementioned context, the controversial e-mail from 31-03-2022 was sent by the General Director (and) to the members of the Board of Directors, who perform their duties in a confidential manner, otherwise they would not be legally exercising their managerial duties, as any illness affects the orderly operation of DEYA X and the relevant information is required for the readjustment of service priorities based on the available human resources. According to the complainant, the processing of the complainant's data took place for the protection of public health and in the context of good administration. In fact, DEVA X reiterates the allegation of illegal processing on the part of the complainant of official e-mail messages that concerned her. Finally, the complainant cites its difficult financial situation with the significant reduction of its collectability and the increase of its fixed and inelastic costs, emphasizing its character as a provider of a public good business and pointing out the risk of financial deadlock and the continuation of its operation which will caused any imposition of a fine against it with the consequent resolution and liquidation thereof. The Authority, after examining the elements of the file, after hearing the rapporteur and the clarifications from the assistant rapporteur, and after a thorough discussion,11 DECIDED IN ACCORDANCE WITH THE LAW 1. 
Because, from the provisions of articles 51 and 55 of the General Protection Regulation Data (Regulation 2016/679) and Article 9 of Law 4624/2019 (Government Gazette A΄ 137) shows that the Authority has the authority to supervise the implementation of the provisions of the GDPR, this law and other regulations concerning the protection of individuals from the processing of personal data. In particular, from the provisions of articles 57 par. 1 item f of the GDPR and 13 par. 1 item g΄ of Law 4624/2019 it follows that the Authority has the authority to deal with A's complaint, since the disputed personal data of the complainant, including her health data, as detailed above, were included in the filing system maintained by the said Service for the complainant as its employee and therefore the extraction from the above filing system and further communication of this data to another Service, in this case the Autonomous Directorate of Civil Protection of Region Ψ constitutes processing falling within the scope of articles 2 par. 1 of GDPR1 and 2 of Law 4624/2019. Furthermore, the sending by e-mail of the complainant's health data from the General Director of the complainant to the members of the Board of Directors of the latter, as well as to the Secretariat of the said Board, the Director of Administrative and Financial Affairs and the Head of the Administrative Department of DEYA X constitutes automated processing subject in principle, also according to the above, to the regulatory scope of the GDPR and Law 4624/2019. 2. Because, according to article 4 par. 
2 of the GDPR as processing means "any act or series of acts carried out with or without the use of automated means, on personal data or sets of personal data, such as the collection, registration, organization, structuring, storage, adaptation or alteration, retrieval, retrieval of information, use, disclosure by transmission, dissemination or any other form of disposal, association or combination, limitation, or deletion or destruction", while in accordance with the provisions of article 4 para. 7 GDPR as a data controller means "the natural or legal person, public authority, agency or other entity that, alone or jointly with others, determines the purposes and manner of processing personal data (…)". And according to Opinion 1/2010 on the concepts of "controller" and "processor" of the Article 29 Working Group for the definition of the controller, according to the aforementioned definition, three main elements are taken into account: a) the personal aspect ("the natural or legal person, public authority, agency or other body"), b) the possibility of multiple control ("who, alone or jointly with others") and c) the key features for the distinction of the controller from other actors ("determine the purposes and manner of personal data processing"). It is pointed out that the concept of data controller plays a decisive role in the application of personal data protection rules, the proof of compliance with them (principle of accountability, Article 5 para. 2 GDPR) and the assignment of responsibilities in the event of their violation. 
1 According to the provision in question: "This regulation applies to, in whole or in part, the automated processing of personal data, as well as to the non-automated processing of such data which are included or are to be included in a filing system".
Furthermore, it is explained in the above-mentioned Opinion 1/2010 regarding the first element – as contained in the immediately preceding paragraph: “In the strategic perspective of the distribution of responsibilities, and in order to provide the persons to whom the data refer a more stable and reliable reference entity for exercising their rights under the Directive, it is preferable to consider the company or body as controller rather than a specific person within the company or body. The company or body will ultimately be held responsible for the processing of the data and for the obligations arising from data protection law, unless there is clear evidence that a natural person is responsible. In general, it should be assumed that the company or public body is responsible for the processing activities that take place in the context of their activities and risks. Sometimes, companies and public bodies appoint a specific person responsible for carrying out the processing tasks. However, even where a specific natural person is appointed to ensure compliance with data protection principles or to process personal data13, that natural person will not be the controller, but will act for account of the legal entity (company or public body), which will remain responsible in case of violation of the principles in its capacity as controller (…) However, in the strategic perspective of the division of responsibilities, it is preferable to consider the company or body as controller rather than a specific person within the company or body. The company or body will ultimately be held responsible for data processing and obligations under data protection law, unless there is clear evidence that a natural person is responsible, for example where a natural person who works for a company or a public body uses data for his own purposes, outside of the company's activities." In addition, it is clarified in the aforementioned Opinion 1/2010 of the Article 29 Working Group: "(...) 
It does not matter if the data processing decision is "lawful", in the sense that the entity that took the relevant decision was authorized to do so or that the controller has been formally appointed, according to a specific procedure. The question of the lawfulness of the processing of personal data will matter at a different stage and will be assessed in the light of other articles (in particular, Articles 6-8) of the Directive. In other words, it is important to ensure that, even in those cases where data processing is unlawful, a controller can easily be identified and held responsible for the processing (…)”2. In view of the above, it follows that the complained-about DEYA X through its General Director, who, even if it is accepted that she acted voluntarily, in any case does not emerge or be proven from all the elements of the file that she acted for her own goals outside the scope and of the potential control of the activities of the complained legal entity3, determined the purpose and method of processing the health data of the complainant and is therefore responsible for the processing. In particular, with the disputed processing of the data concerning the complainant, in particular with the disclosure of her health data not only within the sphere of the controller but also to the Autonomous Directorate of Civil Protection of Region Ψ, the General Manager acted with a view to ensuring the smooth operation of the services of the complained-about company4 as data controller.
2 See in this regard and the no. 54/2021 decision of the Authority, s. 4, available on the website www.dpa.gr
3 Opinion 1/2010 of the OJ on article 29, WP 169 from 16.02.2010, available on the website https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf, p. 16.
3. Article 5 par. 
1 of the General Regulation (EU) 2016/679 for the protection of natural persons against the processing of personal data (hereinafter GDPR) sets out the principles that must govern a processing. In particular, paragraph 1 states that: "1. Personal data: a) are processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency"), b) are collected for specified, explicit and legitimate purposes and are not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest or for scientific or historical research or statistical purposes shall not be deemed incompatible with the original purposes pursuant to Article 89(1) ("purpose limitation"), c) are adequate, relevant and limited to what is necessary for the purposes for which they are processed ("data minimization") ...".

4. It is noted, moreover, that with the GDPR a new compliance model was adopted, the central dimension of which is the above-mentioned principle of accountability, in the context of which the data controller is obliged to plan, implement and generally take the necessary measures and policies, in order for the processing of the data to be in accordance with the relevant legislative provisions. In addition, the controller is burdened with the further duty to prove by himself and at all times his compliance with the principles of article 5 par. 1 GDPR. It is no coincidence that the GDPR includes accountability (see Article 5 para. 2 GDPR) in the regulation of the principles (Article 5 para. 1 GDPR) that govern the processing, giving it the function of a compliance mechanism, essentially reversing the "burden of proof" in terms of the legality of the processing (and in general the observance of the principles of article 5 par.
1 GDPR), transferring it to the controller, so that it can be validly argued that he bears the burden of invoking and proving the legality of the processing [5]. Because, as the Authority has judged [6], taking into account the decisions of the Court of Justice of the European Union (CJEU) [7] and the Council of State [8], in order for personal data to be lawfully processed, i.e. processed in accordance with the requirements of the GDPR, the conditions of application and observance of the principles of article 5 par. 1 GDPR should be cumulatively met. The existence of a legal basis (Articles 6 and 9 GDPR) does not exempt the data controller from the obligation to comply with the principles (Article 5 paragraph 1 GDPR) regarding legality, necessity and proportionality and the principle of minimization [9]. In the event that any of the principles provided for in article 5 para. 1 of the GDPR is violated, the processing in question is considered illegal (subject to the provisions of the GDPR) and the examination of the conditions for applying the legal bases of articles 6 and 9 of the GDPR, for the processing, respectively, of simple and special category personal data, is omitted. Consequently, the illegal collection and processing of personal data in violation of the principles of Article 5 GDPR is not cured by the existence of a legitimate purpose and legal basis [10].

[4] See in this regard also article 19 of the Internal Service Organization of the complained-about entity (Official Gazette ...).
[5] See in this regard Decisions APD 25/2022, sc. 1, 26/2019, sc. 7 and APD 43/2019, sc. 6.
[6] See in particular decision 44/2019 of the Authority, s. 17, and 54/2021, s. 8, available on its website.
[7] See CJEU decision of 16-01-2019 in case C-496/2017 Deutsche Post AG v. Hauptzollamt Köln, sc. 57.
[8] See SC decision 517/2018, sc. 12.
[9] See L. Mitrou, The general personal data protection regulation (new law - new obligations - new rights), Sakkoula ed., 2017, pp. 58 and 69-70.
[10] See in particular decisions 54/2021 and 38/2004 of the Authority, available on its website.

5. In this case, as it appears from the details of the case file (see the document with no. prot. ... of the complainant), the General Director of DEYA X on 31-03-2022 communicated to the Personnel Department of DEYA X, to the President and the Secretariat of the Board of Directors of the latter as well as to the Director of its Administrative - Financial Department, an email message, which included data concerning the complainant, such as in particular a detailed analysis of her performance at the 03-29-2022 meeting of the board of DEYA X regarding her illness from coronavirus. The purpose of the said message, according to the complainant, was to ask the Head of the Administrative Department of DEYA X whether the complainant had submitted a Certificate of negative diagnostic test for coronavirus posted on the gov.gr system during the controversial meeting of 03-29-2022. From the examination of the details of the file, it appears that document no. prot. ... was also sent, on behalf of the General Director of DEYA X, to all the members of the Board of Directors of the latter, by which they were notified of document no. prot. (of DEYA X) ..., which had been sent to the Autonomous Directorate of Civil Protection of Region Ψ.
With said document, which included as attachments, among other things, the medical opinions of the complainant and the results of the diagnostic tests to which the latter was submitted, the above-mentioned Autonomous Directorate was requested to provide information, on the one hand, about the measures that DEYA X must take in order to harmonize with the urgent measures to deal with the negative consequences of the emergence of the coronavirus and the need to limit its spread and, on the other hand, about the legality of the in-person participation of the complainant in the contested meeting of 03-29-2022. The two above processing operations, regardless of the legality of the initial collection of the medical opinion from 28-03-2022 that the complainant herself presented to DEYA X, took place within the sphere of this data controller, to the extent that they were disclosed to certain of the employees of DEYA X as well as the members of its Board of Directors. However, in order to serve the purposes for which the above processing took place, it was not necessary to share all of the said data without exception with all recipients even within the sphere of this controller, i.e. DEYA X. In particular, in the first case the purpose of sending the message, in any case within the sphere of DEYA X as data controller, which consisted of the question to the Head of the Administrative Department of DEYA X about whether the complainant had submitted a Certificate of Negative Diagnostic Test for coronavirus on the date of her participation in the disputed meeting of the Board of Directors, on 03-29-2022, could be achieved by sending the disputed message only to the Head of the Administrative Department, without notifying the other recipients, especially taking into account the fact that the meeting in the presence of the complainant had already taken place.
As for the second above notification to all the members of the Board of Directors of DEYA X, thus again within the sphere of the data controller, of a document that addressed specific questions to another service and included a series of documents containing both simple personal data of the complainant and special categories of data, it is immediately established that the purpose of informing the members of the Board of Directors, besides seeming in principle to be devoid of meaning, because they were already aware of the state of health of the complainant from the date of the disputed meeting on 29-03-2022, at which the complainant was present in person, and any knowledge of this information afterwards could hardly be justified for the sake of protecting the health of the workers - contrary to the arguments put forth by DEYA X [11] -, could be achieved by sending only the document to the Autonomous Directorate of Civil Protection of Region Ψ without the other accompanying documents, or by the simple mention of the questions raised to said Directorate. Therefore, from the above, it follows that DEYA X, as data controller, in violation of the principle of minimization, communicated the data of the complainant to several recipients even within the sphere of this data controller, without the said processing being deemed necessary, according to the foregoing. Furthermore, from the data in the file, no internal policy or other internal document is presented in the context of which specific official recipients of the employees' data are identified within the sphere of the complained-about data controller, or from which classified access to information that constitutes a special category of data (health data) follows.
The above finding regarding the non-existence of relevant internal policies is also reinforced by the fact that, again within the sphere of this data controller, that is DEYA X, the complainant, as an employee of the latter, became aware of official documents concerning her, of which she was not the recipient.

[11] See indicatively p. 22 of its post-hearing Memorandum with no. prot. C/EIS/5059/07-07-2023 as well as its relevant previously presented claims in the context of its response document to the Authority with no. prot. G/EIS/12638/16-12-2022.

Besides, it is noted that the restriction of the disputed personal data, as well as of the recipients of said personal data of the complainant, to those necessary for the achievement of the intended purpose may not be considered to affect the effective exercise of the administration of DEYA X, especially in view of the fact that the processing operations took place after the presence of the complainant at the disputed 29-03-2022 meeting of the Board of Directors of DEYA X, while it appears from the information in the file that the members of the said Board of Directors who were present were already aware of the state of health of the complainant, as mentioned above. With reference to the claim of DEYA X, which is first presented with its post-hearing Memorandum [12], that informing the members of its Board of Directors was necessary for reasons of readjustment of service priorities due to the absence of the complainant as well as for reasons of safeguarding the proper functioning of the office, it is rejected as useless and therefore inadmissible, to the extent that even if it is assumed to be accurate - something that would hardly be accepted considering that it was the absence of an employee - in any case, for the information of the members of the Board of Directors, and in the two cases above, the acts of processing the disputed data of the complainant were not logically necessary, as they took place as detailed above. Finally, it is noted that the issue that would be discussed at the contested meeting of the board of DEYA X related to the issue of the complainant's professional development [13], and therefore her above health data that underwent the aforementioned processing operations were in no way critical for the members of the Board of Directors of DEYA X, insofar as they were not related to their judgment in the context of issuing a decision on the topic to be discussed at the meeting. Therefore, the violation of the provision of article 5 par. 1 item c' of the GDPR is established for both of the above-described independent processing operations, rejecting all relevant allegations of the complained-about entity.

6.
With reference to the already mentioned above data processing of the complainant outside the sphere of the data controller, which this time consists in the sending by the General Director of DEYA X of the above electronic message with no. (of DEYA X) ... to the Autonomous Directorate of Civil Protection of Region Ψ, including a series of documents with personal data of the complainant, not only simple but also of a special category, i.e. her health data (see in particular medical opinions that concerned her as well as results of diagnostic tests for coronavirus disease which the latter had undergone), the following is noted: Firstly, it is noted that with the document in question, with which the personal data of the complainant were forwarded from DEYA X to the above-mentioned Autonomous Directorate, directions were requested, as mentioned above, about what measures DEYA X must take in order for its actions to be in line with the urgent measures to deal with the negative consequences of the outbreak of the coronavirus, as well as about whether the presence of the complainant at the 29-03-2022 meeting of the Board of Directors of DEYA X was lawful. However, the response no. prot. ... of the above Independent Directorate shows that the latter lacks any competence to decide on the two questions addressed to it by the complained-about DEYA X, to the extent that, as stated in the above response, "the only bodies responsible for carrying out tracking are the General Secretariat of Civil Protection and the National Public Health Organization who collect, process and manage conclusively the data of confirmed cases of COVID-19".

[12] See p. 25 of the post-hearing Memorandum of DEYA X with no. prot. G/EIS/5059/07-07-2023.
[13] See pp. 19-21 of the Complainant's post-hearing Memorandum with no. prot. C/EIS/5024/06-07-2023 as well as the documents related to the above issue presented by DEYA X with its post-hearing Memorandum with no. prot. C/EIS/5059/07-07-2023.
Besides, with the above document, the Autonomous Directorate referred DEYA X to no. 6214/23.12.2021 vol. 2 of the Official Gazette as well as to its amendments or clarifications, where isolation measures and procedures are thoroughly provided for. Therefore, from the above answer of the Autonomous Directorate, it follows that it is unfoundedly put forward in the response no. prot. C/EIS/12638/16-12-2022 of DEYA X to the Authority (see pp. 17 and 22) that the Directorate in question manages and processes personal data concerning patients and therefore already knew the personal data of the complainant [14]. Likewise, this claim of the complained-about entity, which the latter brings back with its post-hearing Memorandum no. prot. C/EIS/5059/07-07-2023 (see p. 7 of the latter), as far as the letter of the provisions invoked by DEYA X itself, the above competence of the processing of personal data of those suffering from coronavirus from the disputed Autonomous Directorate of Civil Protection of Region Ψ.

[14] See in this regard also the document with no. prot. 11338/20-01-2020 of the General Secretary of Civil Protection of the Ministry of Citizen Protection, according to which: "... the only competent Bodies for carrying out tracking are the General Secretariat of Civil Protection and the National Public Health Organization which collect, process and manage exclusively the data of confirmed cases of COVID-19".
Furthermore, even if it were to be assumed that the Autonomous Directorate of Civil Protection of Region Ψ was competent to deal with the questions put to it by the complained-about DEYA X, it was not required according to the rules of common sense to attach to the e-mail in question, among other things, the medical opinions of the complainant as well as the results of the diagnostic tests to which the latter had been submitted, since the data in question does not contribute anything to a Service in order for the latter to decide on what are the already regulated measures that must be taken to limit the spread of the coronavirus, as well as on the in-person participation of an employee who was or is suffering from coronavirus in a meeting of a collective body. In view of the above, it appears that the principle of minimization of Article 5 par. 1 item c of the GDPR was violated, as the complained-about DEYA X disseminated both simple and special category data, i.e. health data, of the complainant to the above Independent Directorate, while such a thing was not objectively necessary for the fulfillment of the purpose of the answer to the questions raised, given the content of the latter, as detailed above. In particular, even in the event that the said Autonomous Directorate was competent to deal with the above issues raised by the General Director of DEYA X regarding the determination of the necessary measures to limit the spread of the coronavirus, it would not serve it, by logical necessity, to have the documents attached to the e-mail in question containing the data of the complainant (see in particular the medical opinions provided by the latter and the results of the diagnostic tests which she had undergone), in order to rule on them. Given the violation of the principle of minimization of Article 5 par. 1 item
c of the GDPR, as stated above, as one of the fundamental principles that must govern any processing, such as the disputed disclosure of the complainant's data to the Autonomous Directorate of Civil Protection of Region Ψ, the verification of the foundation of one of the legal bases of Article 6 (in conjunction with Article 9) of the GDPR and by extension of the relevant claims of DEYA X, which in any case does not appear in principle to be founded [15], is omitted, as the existence of any legal basis does not exempt the data controller from observing and applying the general processing principles of article 5 par. 1 GDPR as discussed above (see above section 4). Following these, the violation of the provision of article 5 par. 1 item c of the GDPR is established and therefore the further allegations of the complained-about entity are completely unfounded and are therefore rejected. Finally, it is noted that with document no. prot. ... (no. prot. DEYA X ...) of the Autonomous Directorate of Civil Protection of Region Ψ, the latter confirmed that the content of the file in question with the personal data of the complainant has not been forwarded to third parties and only the Director of the Service in question was aware of its content, while the data have not undergone any kind of further processing. With the above mentioned document, the relevant file of the complainant was returned to DEYA X. During the hearing, it was confirmed by the Director, Mr. F, that no data of the complainant from the disputed file forwarded by DEYA X has been included in the file of the above Independent Directorate and that the file has been returned. Following this, there is no reason for further control of the above Directorate, due to the Authority's competence.

7. Because the violation of the principle of minimization according to article 5 par. 1 item c of the GDPR has been established, and in fact in three (3) separate acts of processing, as detailed immediately above.
In addition, it is established that the violation of the basic principles provided for in article 5 of the GDPR that must govern any processing of personal data entails the imposition of the relevant sanctions according to article 83 par. 5 item a' of the GDPR.

[15] Compare in this regard Decision no. 30/2021 of the Authority, s. 19.

8. In accordance with the GDPR (Recital 148), in order to strengthen the enforcement of the rules of this Regulation, sanctions, including administrative fines, should be imposed for each violation of this Regulation, in addition to or instead of the appropriate measures imposed by the supervisory authority in accordance with this Regulation.

9. Based on the above, the Authority considers that there is a case to exercise its corrective powers according to article 58 par. 2 items d' and i' of the GDPR in relation to the identified violations.

10. The Authority further considers that the imposition of a single corrective measure is not sufficient to restore compliance with the provisions of the GDPR that have been violated and that, based on the circumstances established, there must also be imposed, pursuant to the provision of article 58 par. 2 item i of the GDPR, an effective, proportionate and dissuasive administrative fine according to article 83 of the GDPR, both to restore compliance and to punish illegal behavior [16].

11. Furthermore, the Authority took into account the criteria for measuring the fines defined in article 83 par. 2 of the GDPR, paragraph 5 item
a' of the same article, according to which the violation of the provisions regarding the fundamental principles of processing falls under the highest prescribed category of the classification system of administrative fines, which are applicable in this case, the Guidelines for the application and determination of administrative fines for the purposes of Regulation 2016/679 issued on 03-10-2017 by the Article 29 Working Party (WP 253), the Guidelines of the European Data Protection Board for the calculation of administrative fines under the GDPR [17] as well as the actual data of the case under consideration and in particular:

[16] See Article 29 Working Party, Guidelines for the application and determination of administrative fines for the purposes of Regulation 2016/679, WP253, p. 6.
[17] See EDPB, Guidelines 04/2022 on the calculation of administrative fines under the GDPR, version 2.1, adopted on 24 May 2023, where it is stated among other things (see pp. 3 and 6) that they are applied in addition to the aforementioned Guidelines for the implementation and determination of administrative fines for the purposes of Regulation 2016/679, WP253.

A. For the violation of the provision of article 5 par. 1 item c' of the GDPR regarding the communication by the General Director of DEYA X, dated 31-03-2022, to the President and the Secretariat of the Board of Directors of the latter as well as to the Director of its Administrative-Financial Department, of an email message with a detailed analysis of the representation of the complainant at the 29-03-2022 meeting of the Board of Directors of DEYA X regarding her illness from coronavirus, as well as for the violation of the aforementioned provision of article 5 par. 1 item c' of the GDPR which refers to the dispatch by DEYA X of document no. prot. ... to all the members of the Board of Directors of the latter, by which they were notified of the no. prot. (of DEYA X) ...
a document that had been sent to the Autonomous Directorate of Civil Protection of Region Ψ including as attachments, among other things, the medical opinions of the complainant and the results of the diagnostic tests to which the latter was submitted, the Authority, taking into account the criteria of the aforementioned no. 148 of the preamble of the GDPR, considering that these are processing operations that took place within the sphere of this controller, instructs the complained-about DEYA X to make the personal data processing operations which it carries out comply with the provisions of the GDPR by forming, within three (3) months from the notification of the present decision, relevant internal policies for the recipients of personal data as well as for the classified access within DEYA X to its internal documents, especially when they include health data.

B. For the third independent violation of the principle of minimization of article 5 par. 1 item c' of the GDPR, which concerns the sending by DEYA X of the above electronic message with no. prot. (of DEYA X) ... to the Autonomous Directorate of Civil Protection of Region Ψ including, among other things, the medical opinions of the complainant and the results of the diagnostic tests to which the latter was submitted, the Authority takes into account:
i. The fact that the violation of the provision of article 5 par. 1 item c' of the GDPR concerns a fundamental principle that must govern every act of processing personal data (article 83 par. 2 a' GDPR).
ii. The fact that the disputed processing also related to the complainant's health data, as the disputed notified document included as attached documents, among other things, the complainant's medical opinions as well as the results of the diagnostic tests to which the latter was submitted (Article 83 par. 2 g GDPR).
iii.
The fact that the above violation was not of long duration, while it concerned only one affected data subject to whom it did not, however, cause financial damage (Article 83 par. 2 a' GDPR).
iv. The fact that the violation of the principle of minimization is attributable to negligence on the part of DEYA X, since, for example, it did not take care to ask its Data Protection Officer about the correct way to manage a personal data processing issue (Article 83 para. 2 b GDPR).
v. The absence of previous established violations by DEYA X, as a relevant audit shows that no administrative sanction has been imposed on it by the Authority to date (article 83 par. 2 f GDPR).
vi. The fact that, from the data brought to the attention of the Authority and on the basis of which it established the violation of the GDPR, the data controller did not obtain a financial benefit, nor did it cause material damage to the complainant (Article 83 par. 2 k GDPR).
vii. The fact that DEYA X sent to the Autonomous Directorate of Civil Protection of Region Ψ document no. prot. ..., stating that it decided to limit the further processing of the complainant's personal data, as they were included in request no. prot. ... sent to the above-mentioned Independent Directorate, and asked to be informed about whether the Independent Directorate transmitted the personal data of the complainant to third parties, about how many people in said Directorate became aware of the disputed data as well as about whether the personal data were submitted to any other processing operation. At the same time, it requested the return of the case file as well as any copy, whether physical or electronic. Therefore, it follows from the above that the complained-about DEYA X took the above action to mitigate the consequences of the processing that took place in violation of the principle of minimization as mentioned in detail above (article 83 par. 2 c GDPR).
viii.
The fact that the content of the file in question with the personal data of the complainant, as confirmed by the said Independent Directorate, was not forwarded to third parties and only the Director of the Service in question became aware of it, and the personal data in question did not undergo any further processing, while the relevant file of the complainant was returned to DEYA X (Article 83 par. 2 k GDPR).
ix. The fact that DEYA X serves a public benefit purpose and presents deficit financial statements (see the relevant financial statements for the year 2022, published on the website of DEYA X, ...), taking into account article 39 of Law 4624/2019.

12. Based on the above, the Authority unanimously decides that the administrative sanctions referred to in the operative part should be imposed on the complained-about entity as controller, which are judged to be proportional to the gravity of the violations, while in addition they are effective measures in the direction of compliance with the provisions on the protection of personal data and, at the same time, have a deterrent character to avoid further violations of the relevant legislation on the part of DEYA X. Therefore, the conditions for exercising against the controller the corrective powers of article 58 par. 2 d' and i' of the GDPR are met, which are considered proportional to the gravity of the violation.

FOR THESE REASONS

the Authority

a) Imposes on the complained-about data controller Intermunicipal Water Supply - Sewerage Company X the effective, proportional and dissuasive administrative monetary fine appropriate to the specific case, according to its special circumstances, in the amount of one thousand (1,000) euros for the violation of article 5 par. 1 item c' of the GDPR, as it is analyzed in sub-section B. of paragraph 11 of the present, in accordance with articles 58 par. 2 item i' and 83 par. 5 item a' GDPR and

b) gives an order, according to article 58 par. 2 item
d of the GDPR, to the data controller (DEYA X) to make the personal data processing operations which it carries out comply with the provisions of the GDPR by formulating, within three (3) months from the notification of this decision, relevant internal policies for the recipients of personal data as well as for the classified access within DEYA X to its internal documents, especially when they include health data.

The Deputy President The Secretary