HDPA (Greece) - 47/2022

From GDPRhub
HDPA - 47/2022
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 28(3) GDPR
Article 28(10) GDPR
Article 29 GDPR
Article 25(4) of Law 1756/88
Article 5 of the Civil Code
Type: Complaint
Outcome: Partly Upheld
Fine: 5,000 EUR
Parties: EDOEAP
National Case Number/Name: 47/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: n/a

The Greek DPA imposed a €5,000 fine on a processor for acting as an independent controller in violation of Article 28(10) GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

The Uniform Reporting Organisation of Supplementary Care Insurance (EDOEAP) (the controller), appointed EDYTE S.A. (the processor) in the context of the voting as well as nomination of a Board of Directors and Audit Committee. They concluded an agreement, in line with Article 28(3) GDPR, according to which the processor processed voters' data on behalf of the controller.

In December 2021, three candidates asked the processor to disclose data of voters (including names, email addresses, details about the vote and unique voter ID) based on a prosecutor's order. The prosecutor's order seemed to be related to an investigation into the course of the elections and their legality, challenged by some of the candidates. The processor informed the controller, who objected to the operation claiming that the prosecutor's order had been revoked. Nevertheless, the processor disclosed the data.

On 21 January 2022, the controller notified the Greek DPA of a personal data breach under Article 33 GDPR by the processor related to the transmission of the data.

Holding[edit | edit source]

The DPA considered that it was not an issue of security breach but rather that it had to examine whether the processor legally provided the requested information. In particular, the DPA asked the processor to clarify on which legal basis the data was disclosed and whether data subjects had been informed prior to the disclosure.

The processor seemed to believe that they were under a legal obligation to disclose the data in order to comply with the prosecutor's order. However, the requested data did not fall under the category of public documents, hence was not subject to the provision of Article 25(4) of Law 1756/88. Consequently, its provisions were not applicable in this case of Article 5 of the Civil Code and the prosecutor's order was binding on the administration only in the context of criminal proceedings. As a result, the processor had no valid legal basis for the disclosure of the data.

Based on the collected information, the DPA concluded that the processor forwarded the requested data despite the explicit objection of the controller, in violation of Article 29 GDPR, and without being expressly obliged to do so by law. As a consequence, the data of 4,515 natural persons insured at the controller's organisation, who participated in the electronic vote, was transferred to unauthorised third parties without justification, a proportionality assessment or an adequate weighing of interests.

Therefore, the Greek DPA held that the processor acted as an independent controller within the meaning of Article 28(10) GDPR. It imposed a €5,000 fine on the processor for this violation.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

  1 Athens, 06-09-2022 Prot. No.: C/EX/2194 DECISION 47/2022 The Personal Data Protection Authority convened at the invitation of its President in a meeting on Tuesday 31.5.2022 at 10.00 a.m., in order to examine the case referred to in the present history. The President of the Authority Konstantinos Menudakos and the regular members of the Authority Charalambos Anthopoulos, Aikaterini Iliadou, Christos Kalloniatis, Konstantinos Lambrinoudakis, and Grigorios Tsolias were present. Also present were the alternate members of the Authority, Georgios Kontis, as rapporteur, and Christos Papatheodorou, in place of regular member Spyridonos Vlachopoulos, who, although legally summoned, did not attend due to disability. Present without the right to vote were Kalliopi Karveli, expert scientist, as assistant rapporteur, and Irini Papageorgopoulou, employee of the Authority's Administrative Affairs Department, as secretary. The Authority took into account the following: On January 21, 2022, the Unified Journalistic Organization for Supplementary Insurance and Care (hereinafter "EDOEAP"), in its capacity as data controller, submitted to the Authority no. prot. C/EIS/831/21.01.22 notification of an incident of violation by the processor EDYTE S.A. In particular, as mentioned, EDOEAP (processing manager) carried out searches through the ZEUS platform of EDYTE S.A. (executor). Three candidates requested from EDYTE S.A. personal data of voters (who voted and how) based on a relevant prosecutorial order. EDYTE SA (as executor) informed the person in charge (EDOEAP) on 10-12-2021. Three days later, the person in charge expressed opposition to the transmission, informing EDYTE that he too had received a prosecutor's order, which had, however, been "revoked". Despite this, the executor proceeded to transfer (invoking his obligation under the law) and informed the person in charge on 12-01-2022. EDOEAP submitted the above notification because it considered that there was a breach of confidentiality and therefore an incident of art. 33 of the GDPR. In this case, there is no question of a lack of security/breach, but the question arises, examined ex officio, whether EDYTE S.A., as the processor, legally provided the relevant data. In the context of examining the case, the Authority sent to EDYTE S.A. and to EDOEAP the no. 499/22-02-2022 letter on the subject of "Transmission of personal data to third parties" with the following questions: 1) On what legal basis was the specific transfer made and more specifically if the said transfer was made based on Article 29 of the GDPR or based on a legal obligation from another provision of law, and 2) If the data subjects were previously informed of this transmission. A) EDYTE S.A. at no. prot. C/EIS/3791/09.03.22 its memorandum stated the following: On Monday, October 11, 2021, the EDOEAP sent a message via electronic mail to the User Assistance Office of the "ZEUS Digital Ballot" requesting to use the service to carry out the Archaeresion of, which would be held between November 19 and 24. On October 15, 2021, a Personal Data Processing Agreement was signed between EDOEAP and EDYTE S.A. which defines the relations between the two parties. After the elections on Saturday, November 27, 2021, EDYTE S.A. received by e-mail "Official request for investigation and granting of details of the electronic voting carried out in EDOEAP through the ZEUS electronic ballot box" from A (who signs as former ... EDOEAP and ...), who requested the granting of the of the following information: a) a complete copy of the body of electors, as it was formed at the end of the voting, b) a printout of the 3 electoral result, as it was formed by entering the "keys" held by the members of the Electoral Committee, as well as the exact time of entering the "keys" and extracting the result, c) IP addresses, through which more than one vote may have been submitted (including mass voting from a computer) and time when these votes were submitted, d) any changes in the voter list by the Administrator or changes to e-mails that were initially declared by the electors, in order to send them the voting links, e) number of electors conditions – voters who changed their vote (ie, voted and voted again) during electronic voting and f) copies of all e-mails sent to voters after their vote was finally submitted. That is, a list of voters and next to it the e-mail to which the confirmation that they voted was sent. EDYTE SA responded to the above request, with the no. first ... her letter, that: "both the legal and contractual obligations of EDYTE S.A. they do not allow it to share the information in question". Then on 9.12.21, EDYTE S.A. received, by mail, the no. prot. ... prosecutor's order (following the relevant application of Messrs. A, B and C) by which EDYTE S.A. was ordered the provision of the following information ("except for VAT number and social security number"): "A) Full copy of the body of electors, as it was formed at the end of the voting, B) Any changes in the electoral roll by the Administrator or changes in e-mails that were declared by the electors from the beginning, in order to send them the voting links, C) The number of electors - voters who changed their vote during the electronic voting, D) Copies of all e-mails sent to the electors after the final submitting their vote. E) The number of voters through the electronic ballot beyond the time period from 9 am. to 7 a.m. F) A complete copy of the result of the electronic ballot box and the exact time of entering the "keys" and extracting the result G) The existing pdf file at EDYTE that contains a printout in anonymized form of all the electronic ballots, as they came from the automatic counting in the ZEYS system, as well as the accompanying CSV and JSON files containing the anonymized ballots and H) The IP addresses, 4 through which more than one vote may have been submitted and the time at which these votes were submitted, as well as the number of votes cast were transmitted from each IP as long as more than one vote was transmitted from it." EDYTE SA informed the data controller about the transfer in question, so that he, for his part, could inform the data subjects, and at the same time, on the same day, he was informed by the Director ... of EDOEAP, that a prosecutor's order had also been issued to EDOEAP, which had been revoked, because their body is not bound by the provisions of Law 1756/1988 and as N.P.I.D. does not fall within the scope of the provision of article 25 par. 4 of Law 1756/1988, on the basis of which the prosecutor's order in question was granted. Then, on December 16, 2021, and in accordance with the provisions of article 29 of the GDPR, EDYTE S.A. provided the applicants with the relevant documents, having as it states in its memorandum, as a Public Sector company, by law (article 25 par. 4b L. 1756/1988 and article 5 of the Code of Administrative Procedure) an obligation to comply with the said prosecutor's order . B) EDOEAP in its memorandum of 8.3.22 stated the following: EDOEAP expressed its objections to the transmission in question because a) the requested data concerned personal data of a large number of subjects (about 4500 natural persons), of particular importance, b ) there was no justification of the necessity and proportionality for the provision of the data, c) there was a contractual commitment between EDOEAP-EDYTE which made the latter the processor, d) the prosecutor's order referred to a set of information possessed by EDYOTE as the processor and for the whose transmission or not should have been decided exclusively by the HR, e) the corresponding request of the applicants to the EDOEAP was answered and only aggregated data was granted, f) the corresponding prosecutorial order to the EDOEAP was revoked and should have been with the same legal documentation and basis to revoke the corresponding one to EDYTE, g) that the disputed data are at the disposal of EDYTE, as executed processing, does not automatically make them 5 public documents, h) the prosecutor's order is binding on the administration, only in the context of pending criminal proceedings (preliminary examination, preliminary investigation, interrogation), i) the requested information is included in the category of private and not purely public documents, and finally j) with regard to the information of the subjects, EDOEAP explicitly expressed its objection to the transmission of the data, so the obligation to inform was on EDYTE, which acted voluntarily as an independent data controller. Following these, the Authority with the no. prot. C/EX/ 861/05.04.22 and C/EX/860/05.04.22 calls respectively called EDOEAP and EDYTE SA. to attend the meeting of the Authority on 12th 04.22, in order to discuss the above case. During the hearing on 12.04.2022, a) on behalf of EDOEAP, Stavros Kapakos, Chairman of the Board of Directors of the Organization, D, ... Director of EDOEAP, E, Director ..., Antonis Kainourgios and Angeliki Skouteri, lawyers, attended F, Head ... and Z, DPO of the Organization, b) on behalf of EDYTE S.A. H, Director ..., Th, ..., I, ..., Zoe Panagiotara, Head of the Legal Service, Eugenia Doubi, Katerina Haniotaki, Nikos Arvanitis, Thodoris Konstantakopoulos, Lawyers, K, ..., and L , Deputy DPO of EDYTE S.A. EDYTE S.A. through its representatives during the above hearing of 12.04.22, but also with the supplementary memorandum from 13.05.22 of the managing director of Aristidis Sotiropoulos, stated the following: a) the data in question were granted exclusively and only to members of EDOEAP in the context of agreed procedure, b) EDYTE S.A. is bound by the constitutional imperatives and public law obligations that govern the Administration, including the right of access to public documents, consequently, the failure to provide the necessary data to the applicant members of the EDOEAP to verify the correctness of the election results and elections process would constitute a violation of the constitutional principles, and the partial satisfaction of the right of access to administrative 6 documents would be incomplete, c) the EDOEAP's reference to the distinction between administrative and private documents is irrelevant, given that the documents granted are administrative, in accordance with the provisions of article 5 CDD/sia, d) the prosecutor's order confirms the necessity and correctness of the granting of the data, without being able to place a legal limitation on the functional satisfaction of the right of access to administrative documents, and e) the TIN of the participants in the elections was necessary for the full satisfaction of of the governed's right of access to administrative documents, does not fall under any exception to its notification and EDYTE granted it exclusively to those who requested it and had a special legal interest.  EDOEAP through its representatives during the above hearing of 12.04.22, but also with the one from 13.05.22 and with no. prot. C/EIS/6970 filed with the Authority a supplementary memorandum of the attorney of attorney of Antonios Kainourgios stated the following: a) EDYTE S.A. transferred a large volume of data (about 4,515 natural persons) to unauthorized third parties, without relevant justification, weighing of interests, assessment of necessity and proportionality, taking measures to minimize data and in any case without the consent of EDOEAP as data controller, b) the data requested and transmitted also included personal data: name data, e-mail addresses (email, number of voters per IP), voting details such as voting time, how many times the user voted, when the user was last connected, if he received confirmation of vote, but also the unique voter id of each voter (which was his tax identification number, requested by EDYTE S.A. for the identification of each user, which are data of particular importance, as they include data related to voting and they concern the secrecy of the process and the relative rights of the voters, but also electronic data communication related to its privacy and need special evaluation in relation to any requests for access to them, c) the applicants invoked for their request only their interest as candidates to have access to said data without further specialization, nor justification of necessity and proportionality in order to take place the necessary 7 weightings and minimization of the data that will be given, nor invoking any legal actions that have taken place and in the context of which the relevant grant would be necessary, d) the prosecutorial order concerned a set of information, the which were held by EDYTE S.A. in the context of its cooperation and relationship as the processor and for which the controller should and was entitled to decide whether or not to transfer, e) the specific prosecutorial order is not binding on the Administration, but even in the event that EDYTE S.A. considered that he should have delivered the information requested in the prosecutor's order, he should, in compliance with GDPR requirements, have anonymized or minimized the provided data, i.e. the removal of any element that could lead to the identification of the users of the platform and in particular the VAT number of these, given that they were a way of connecting the users to the platform in question, f) by their nature and content, the provided data constitute EDOEAP records and the fact that they were at the disposal of EDYTE SA, as the processor on behalf of of EDOEAP, does not make them public documents and g) EDYTE S.A. acted despite the contrary opinion of the controller, i.e. independently as controller for the specific processing, and bears the same obligation to inform the data subjects of this transmission. The Authority, after examining the elements of the file and the hearing process and after hearing the rapporteur and the assistant rapporteur, after a thorough discussion, THINKS IN ACCORDANCE WITH THE LAW 1. In accordance with the provisions of article 4 para. 7 and 8 of GDPR, "controller" is defined as the natural or legal person, public authority, agency or other entity that, alone or jointly with others, determines the purposes and manner of processing personal data, while "processor" natural or legal person, public authority, agency or other 8 body that processes personal data on behalf of the data controller. In the event that two or more controllers jointly determine the purposes and means of processing, they are jointly controllers. They determine their respective responsibilities for compliance with the obligations arising from the GDPR, in particular with regard to the exercise of the rights of the data subject and their respective duties by agreement between them, unless and to the extent that the respective responsibilities of the controllers are determined by Union law or the law of the Member State to which the controllers are subject. This agreement should properly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects, and the substance of the agreement is made available to the data subject (Article 26 GDPR). The processing by the processor must, in accordance with the provisions of article 28 paragraph 3 of the GDPR, be governed by a contract or other legal act subject to the law of the Union or the Member State, which binds the processor in relation to the controller processing and determines the object and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects as well as the obligations and rights of the controller and the processor, while in in the event that the processor determines the purposes and means of the processing in violation of the GDPR, then he is considered the controller for the specific processing and is burdened with all the obligations arising from the Regulation as an independent processor (Article 28 par. 10 GDPR). Furthermore, in accordance with the provisions of Article 29 of the GDPR, the processor should process the data only on the instructions of the data controller, unless obliged to do so by the law of the Union or the Member State. 9 2. Access to public documents is provided for in article 5 of the Civil Code. In particular, in accordance with the provisions of paragraph 1 of this article, every interested party has the right, after a written request, to take cognizance of administrative documents, and administrative documents are understood to mean those drawn up by public services, such as reports, studies, minutes , statistics, circular instructions, responses from the Administration, opinions and decisions. According to the established jurisprudence of the SC and the NSK, public documents are also considered private documents, which were used or taken into account to determine the administrative action or to form an opinion or judgment of the administrative body and are an element of the reasoning of the issued administrative act . Furthermore, according to paragraph 2 of the above article, anyone who has a special legal interest is entitled, following his written request, to obtain knowledge of the private documents kept in the public services and related to his case which is pending in them or has been processed by they. Finally, according to paragraph 3 of the same article, the right of access to public documents does not exist in cases where the document concerns the private or family life of a third party, or if privacy is violated which is provided for by special provisions. 3. Regarding the binding nature of the prosecutor's order, according to the Authority's Opinion 3/2009, the prosecutor's order is binding on the Administration, only in the context of preliminary investigation, preliminary investigation and main investigation. In the other cases, there is an obligation on the part of the Administration, in the sense of a mandatory order to investigate the request for granting or not granting a document. 4. In the case under consideration, both from the elements of the case file and from the hearing procedure, the following emerged: In the context of the nomination of the Board of Directors and the Audit Committee of EDOEAP, EDYTE S.A. was designated as the processor on behalf of EDOEAP with a contract concluded between them for the conducted electronic voting. 10 In particular, this contract defined both the service to be provided and the means by which it will be provided (ZEUS electronic platform), as well as the role of EDYTE SA. as the processor on behalf of EDOEAP. After the completion of the election process and the announcement of the results, EDYTE informed EDOEAP with its letter of 13.1.2021 that it received the order from ... from three candidates applying for the elections (former members of the Board of Directors not elected based on election results) to transmit to them a set of data that it holds regarding these elections, including voters' personal data, and that it intends to proceed with this transmission. EDOEAP with its document dated 13.12.21 informed EDYTE that it has received a prosecutor's order with similar requests from the applicants, which was revoked due to its non-public nature, as an NPID not subject to the provisions of article 25 par. 4 of the Law. 1756/88, and subsequently with his letter of 14.12.21 he explicitly expressed his opposition to this transmission, due to the nature of the documents as private, not subject to public documents and the role of EDYTE as performing the processing on his behalf. However, EDYTE proceeded to transmit on 17.12.21 the requested details of the voters to the three applicants, with the claim that it had an obligation to execute the prosecutor's order and grant the requested details on the basis of the right of access to public documents. The data transmitted by EDYTE to the applicants were names of the voters (about 4,500 natural persons), electronic addresses (email, IP address), as well as the unique voter id of each voter, which was their tax identification number, because it was requested by EDYTE, for the identification of each user, given that the connection with taxisnet codes had also been selected. 5. Because the data transmitted are private documents and do not fall under the category of public documents, since the EDOEAP is an NPID, not subject to the provisions of article 25 par. 4 of Law 1756/88, consequently they are not applicable in this case the provisions of article 5 of the Road Traffic Act, as the Authority has also issued an opinion with the Gnmd. 3/2009, n