HDPA - 20/2020

Relevant Law:
Article 2(2)(a) GDPR
Article 4(15) GDPR
Article 6(1)(e) GDPR
Article 9(2)(g) GDPR
Article 37(1) GDPR
Article 37(3) GDPR
Article 45 GDPR
Article 51 GDPR
Article 55 GDPR
Article 58(2)(d) GDPR
Article 9 of the Greek Data Protection Act (Law 4624/2019)
Article 10(5) of the Greek Data Protection Act (Law 4624/2019)
Parties: 401 Athens General Military Hospital
National Case Number/Name: 20/2020
European Case Law Identifier: n/a
Original Source: HDPA (in EL)
The Hellenic Data Protection Authority (HDPA) found itself competent to decide a case concerning personal data processed by the 401 Athens General Military Hospital, insofar as the data is not classified information relating to national security activities. The HDPA found the processing lawful but ordered the Hospital to appoint its own DPO.
English Summary
Facts
A data subject complained that the 401 Athens General Military Hospital unlawfully processed the personal data of people entering the hospital, recording details from their ID card, where exactly in the hospital they intended to go, and their time of entry and exit.
The Military Hospital claimed that this information was necessary for the security of the hospital and that, in any case, the DPA was not competent to deal with the case, since it concerned data relating to national security activities.
Dispute
Holding
The HDPA first found itself competent to decide the case, as the personal data collected (a) had not been classified as "classified information" and (b) did not relate to national security activities. Both conditions must be met cumulatively under Article 10(5) of the national Data Protection Act for the HDPA's competence to be excluded, and the Hospital had shown neither.
The HDPA then rejected the complaint, finding the processing necessary for the protection of military facilities and thus lawful under Articles 6(1)(e) and 9(2)(g) GDPR, even though the recorded purpose of visit can, for patients, reveal health data (a special category under Article 9 GDPR).
Lastly, the HDPA imposed the corrective measure of Article 58(2)(d) GDPR, ordering the Military Hospital to appoint its own DPO: a single DPO designated at the Hellenic National Defence General Staff for all subordinate bodies was not considered sufficient for a public body that systematically processes patients' data on a large scale.
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
HELLENIC REPUBLIC
HELLENIC DATA PROTECTION AUTHORITY
Postal address: DG 1-3, 115 23 Athens. Tel.: 210-6475600. Fax: 210-6475628.

DECISION No. 20/2020

The Hellenic Data Protection Authority met, at the invitation of its President, in regular session at its headquarters on Tuesday 03.03.2020 at 09:00, following postponement from 25.02.2020, in order to examine the case referred to in the background of the present decision. The meeting was attended by the President of the Authority, Konstantinos Menoudakos, and the regular members of the Authority Spyridon Vlachopoulos, Charalambos Anthopoulos, Konstantinos Lambrinoudakis and Eleni Martsokou. Gregory Tsolias, alternate member of the Authority, also attended as rapporteur. Present, without the right to vote, were Hariklia Laziu, legal auditor and lawyer, as assistant rapporteur, and Georgia Palaiologos, employee of the Department of Administrative Affairs, as secretary.

The Authority took into account the following:

By her complaint No. ... (Authority Prot. No. ...), A complains of a breach of personal data law, in that, upon entering the gate of the 401 General Military Hospital of Athens (hereinafter "401 GSNA"), she was asked to show her identity card as a member of a military family, the card was withheld until she left the hospital and, finally, the details of her police identity card were recorded without her consent in a daily bulletin. In examining the above complaint, the Authority, by its documents Prot. Nos. C/EX/4278-1/01.07.2019, G/EX/4178-2/17.07.2019 and C/EX/2478-3/27.09.2019, delimited its competence, stressing that it is competent to deal with the processing of personal data, i.e. the police identity card data which, according to the complaint, are entered by the Hospital in a daily bulletin forming part of a filing system, and called on the 401 GSNA to provide specific explanations. In response to the above documents of the Authority, the 401 GSNA, by its documents Nos. ..., ... and ... (Authority Prot. Nos. C/ES/4880/11.07.2019, G/ES/6099/09.09.2019 and G/S/7034/16.10.2019 respectively), clarified, inter alia, that on the basis of military legislation the following information is entered in a daily bulletin upon entry into the hospital: 1) name, 2) identity card number, 3) office or place of visit, 4) purpose of visit and 5) time of entry and exit, and that this information is retained for ten years. Furthermore, according to the 401 GSNA, the above information constitutes ordinary personal data and does not fall within any special category, since the status of the visitor (i.e. whether the person is a patient, and the related health problem) is not noted, and only what is expressly required and strictly necessary under the relevant regulations and orders for the security of military installations is recorded. Furthermore, the 401 GSNA, citing Article 10 of Law 4624/2019, argues that: "(...) we do not believe that you have competence in matters relating to national security. In addition, you are informed that the 401 GSNA is an organic formation of the General Staff, subject to a relationship of administrative subordination, and as a result is obliged to comply with the provisions of military regulations. It is therefore established that the Military Regulation (...) and the relevant classified orders (...), which determine how the control of entry to and exit from military installations is carried out, constitute the legal basis for the processing of personal data." Finally, with regard to compliance with the obligation to designate a Data Protection Officer (hereinafter "DPO"), the 401 GSNA notes: "According to the relevant provisions, a Data Protection Officer's Office has been set up at the Hellenic National Defence General Staff, which has competence in matters of personal data protection both in the General Staffs and in the subordinate Units and Services, and therefore also in the 401 GSNA."

Subsequently, the Authority, by its documents Nos. C/EX/4278-6/07.11.2019 (following document C/EX/4278-4/01.11.2019) and C/EX/4278-7/07.11.2019 (following document W/EX/4278-5/01.11.2019), invited the 401 GSNA, as legally represented, and A, respectively, to appear before the plenary of the Authority on Friday 15.11.2019 at 11:00 in order to discuss the above complaint. Both (by documents Prot. Nos. C/ES/7710/08.11.2019 and S/G/7750/11.11.2019 respectively) submitted a request for postponement. The Authority therefore set a new date for discussion of the case, 03.12.2019 at 10:30, which was announced to the representatives of the 401 GSNA present at the meeting of 15.11.2019, while A was informed by document Prot. No. C/EX/4278-8/15.11.2019. The meeting of the Authority on 03.12.2019 was attended by the 401 GSNA, through Major General Konstantinos Karliaftis, Commander, G, Head of Office, and B, and by the complainant A. The meeting was also attended by D, Data Protection Officer of the Hellenic National Defence General Staff. At the end of the meeting, those present requested and were granted a deadline for the submission of written pleadings: the 401 GSNA until 08.01.2020 and A (who requested a copy of the 401 GSNA memorandum before submitting her own) until 15.01.2020. The 401 GSNA submitted its memorandum to the Authority in time by its document No. ... (Authority Prot. No. C/ES/92/08.01.2020), whereas A neither requested a copy of the 401 GSNA pleading within the prescribed period nor submitted a memorandum within the deadline.

The Authority, having examined the documents in the file, having heard the rapporteur and the explanations given by the assistant rapporteur, who was present without the right to vote and who withdrew after the discussion of the case and before the deliberation and the decision, and after thorough discussion,

CONSIDERED IN ACCORDANCE WITH THE LAW

1.
Under Articles 51 and 55 of the General Data Protection Regulation 2016/679 (hereinafter "GDPR") and Article 9 of Law 4624/2019 (Government Gazette A' 137), the Authority is competent to supervise the implementation of the provisions of the GDPR, of that Law and of other regulations concerning the protection of individuals with regard to the processing of personal data. However, in order for the Authority to deal with A's complaint against the 401 GSNA pursuant to Article 57(1), point (g), GDPR and Article 13(1), point (g), of Law 4624/2019, and to exercise the powers conferred on it by Article 58 GDPR and Article 15 of Law 4624/2019, it must first examine the claim of the 401 GSNA which, citing Article 10(5) of Law 4624/2019, contends that the complaint concerns a matter of national security.

2. According to recital 16 GDPR, the Regulation does not apply to issues of protection of fundamental rights and freedoms or the free flow of personal data related to activities which fall outside the scope of Union law, such as activities concerning national security. The provisions of Article 2 on its material scope state that the GDPR does not apply to the processing of personal data "in the course of an activity which falls outside the scope of Union law" (paragraph 2(a)) or "by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security" (paragraph 2(d)). Furthermore, Article 23 GDPR provides for the possibility of restricting, by way of a legislative measure, the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5, where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard, inter alia, the security of the State (point (a)), public security (point (c)) and the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security (point (d)). Finally, Article 45(2) GDPR, with regard to transfers of personal data to a third country or international organisation, provides that, in assessing the adequacy of the level of protection, the Commission shall take account, in particular, of the following elements: "the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation (...)" (point (a)). It follows from the above provisions that the concept of national security appears in Article 45 GDPR on transfers on the basis of an adequacy decision (and in recitals 16, on scope, and 104, on transfers), while particular reference is made to the concept of public security (Articles 2, 23 and 45 and recitals 19, 50, 73 and 104) and to State security (Article 23).

Law 4624/2019, specifying the Authority's competence, provides in Article 10(5): "The Authority shall not be competent to review processing of personal data carried out by the judicial and prosecutorial authorities in the context of their judicial function and judicial duties, nor processing of classified personal data carried out for national security activities." According to the explanatory memorandum of the Law, Article 10 defines the Authority's competence in compliance with Article 55 GDPR. Article 55 GDPR provides for a restriction only in respect of processing operations carried out by courts acting in their judicial capacity (paragraph 3), i.e. the first limb of Article 10(5). It is also worth noting that, according to the same explanatory memorandum, Article 10(4) provides that the Authority exercises the respective supervisory powers provided for by specific provisions of international and Union law relating to the processing of personal data. On the basis of the explanatory memorandum, this covers, inter alia, the provisions governing the Schengen Information System, the Europol Information System, the Eurodac Information System and the Convention on the use of information technology for customs purposes. It follows from the systematic interpretation of paragraphs 4 and 5 of Article 10 of Law 4624/2019 that the legislator does not generally exclude national security matters from the Authority's competence, since international and transnational agreements expressly provide for the Authority's competence.

3. In view of this, and taking into account recital 16 GDPR, the Authority considers that a relative limitation of the exercise of its powers by the implementing Law for reasons of national security does not, in principle, conflict with the GDPR. Furthermore, it follows from the wording of Article 10(5) of Law 4624/2019 that the Authority lacks competence to review processing operations carried out for national security activities only where the following two conditions are cumulatively met: (a) they are processing operations concerning classified personal data, more precisely information entered in filing systems that has been classified by a competent authority and that constitutes personal data; and (b) they are personal data processing operations carried out for national security activities.

The documents in the file, the hearing and the post-hearing memorandum of the 401 GSNA did not show that the daily bulletin, as part of a filing system, or the personal data entered in that daily bulletin and collected from the data subjects upon entry into the 401 GSNA (i.e. the name, identity card number, office or place of visit, purpose of visit and time of entry and exit), have been duly classified in accordance with the National Security Regulation (ECT510313/EC/EC). The Authority therefore considers that in the present case it has not been demonstrated that the first condition for the application of Article 10(5) of Law 4624/2019 is fulfilled; it is accordingly competent to exercise its powers, and the relevant objection of the 401 GSNA is rejected as unfounded. Even if the first condition were met, it would further have to be demonstrated that the second condition for the application of Article 10(5) of Law 4624/2019 is fulfilled, i.e. that such processing of classified information attributable to a natural person (personal data) is carried out for activities relating to national security. "National security" is an indeterminate legal concept which must, on the basis of the facts of each case, be interpreted, identified and documented ad hoc by the controller. A vague and general invocation of national security in order to exclude the Authority from the exercise of its responsibilities is therefore not sufficient; it is required in each case that the processing be carried out for an activity relating to the national security of Greece, unless this is obvious (e.g. purely military installations holding military materiel and not accessible to the public).

Indeed, in its Opinion No. 01/2020 on the provision of Article 10(5) of Law 4624/2019, the Authority held that: "Due to the generality of the provision, which excludes the Authority's supervision of processing of classified personal data carried out in connection with national security activities, there are difficulties in classifying such acts. In view of this, the following provision should be added to paragraph 5: 'The authorities processing classified personal data in the context of national security activities shall inform and cooperate with the Authority on compliance with the legislation on personal data protection and in particular on the adoption of and compliance with the necessary general security measures.'" According to Article 1 of Law 2292/1995 "Organisation and functioning of the Ministry of National Defence, command and control of the Armed Forces and other provisions" (Government Gazette A' 35/15-02-1995), which defines the mission of the Armed Forces, "National Defence includes all functions and activities developed by the State in order to protect the territorial integrity, national independence and sovereignty and the security of citizens against any external attack or threat, as well as to support national interests". In addition, the documents sent to the Authority by the 401 GSNA during the pre-hearing procedure of this case refer to military legislation, including the principles and organisation of military security, which involves the establishment of a specific procedure for entry into military installations as a security measure for military units (Prot. No. 7034/16-10-2019). In addition, the 401 GSNA argued in its post-hearing memorandum (Prot. No. 92/08-01-2020) that "[...] the freedom of the bodies responsible for the national security of the country to adopt specific security measures without the mediation or control of superior Authorities is lawful, consistent and in line with the new provision of Law 4624/2019, which has established precisely this independence and initiative of action with regard to the management of security issues, and in this respect also with regard to entry into military facilities (Article 10(5) of Law 4624/2019) (...). It should be noted that this provision is consistent with the spirit of Regulation (EU) 2016/679, which in Article 23(1)(b) gives the national legislator wide scope for action regarding the limitation of data subjects' rights as a necessary and proportionate measure to safeguard the country's national defence."

It follows from the foregoing that the 401 GSNA neither invoked facts nor provided relevant evidence to show that the recording in the daily bulletin of the personal data of persons entering the hospital facilities for the provision of health services constitutes a "national security activity" within the meaning of Article 10(5) of Law 4624/2019; rather, it argued that the measures taken concern the military security of the installations on the basis of the relevant legislation, which, however, makes no mention of national security. In particular, Joint Ministerial Decision No. Y4a/137327 of the Ministers of National Defence and of Health and Social Solidarity (Government Gazette B' 1757/09.11.2010) on the "framework of cooperation between the Hospitals and Health Centres of the NHS and the Military Hospitals and Health Services of the Armed Forces" provides for the possibility for citizens of the country to enter the military hospitals of Athens and Thessaloniki, among them the 401 GSNA, for the provision of health services, as well as the possibility of transferring patients to these hospitals through EKAB or by direct telephone appointment, without stipulating that citizens are bound by any kind of confidentiality or secrecy of classified information so as not to disclose to any third party the fact of their entry and stay for reasons of hospitalisation or of accompanying or visiting patients, as is provided in other cases (cf. Article 35 of Law 3978/2011, Government Gazette A' 137/16-6-2011, "Project Agreements"). The importance, for the issue under consideration, of the absence of any confidentiality or secrecy obligation for reasons of national security on the part of persons entering the hospital, who are data subjects, is confirmed by the position of the 401 GSNA (Prot. No. 7034/16-10-2019) that, according to the National Security Regulation, the level of security assigned to certain information is, inter alia, proportionate to the risk posed to national security by its disclosure to unauthorised persons.

The claim of the 401 GSNA at the hearing that it alone, without the mediation or control of the Authority, has absolute freedom to choose and adopt security measures and to determine the level of such measures in relation to those entering its premises, although well founded, is not relevant to the question of the Authority's supervisory competence in this case. The Authority has no competence whatsoever over the physical security measures which the 401 GSNA selects and implements; but, in so far as processing is not carried out for an activity relating to national security, the Authority exercises its supervisory power to assess the lawfulness of the processing and further related issues, e.g. whether the controller has taken the necessary technical and organisational security measures in accordance with Articles 5(1), 24 and 32 GDPR.
For the above reasons, the Authority considers that neither of the conditions of Article 10(5) of Law 4624/2019 is fulfilled, and the objection of the 401 GSNA that the Authority lacks competence, for reasons of national security, to deal with A's complaint against it is therefore rejected.

4. Article 5 GDPR lays down the principles governing the processing of personal data. In particular, paragraph 1 provides that personal data shall, inter alia: (b) be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (...); (c) be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimisation") (...).

5. Article 6(1) GDPR provides, inter alia, that: "Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (...) (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller." Article 9(1) GDPR establishes, in principle, a prohibition on the processing of the special categories of personal data, i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. Paragraph 2 of that Article provides that: "Paragraph 1 shall not apply if one of the following applies: (a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provides that the prohibition referred to in paragraph 1 may not be lifted by the data subject; (...) (g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject."

6. In the case under review, it appears from the case file that the 401 GSNA collects and retains for ten years the name, identity card number, office or place of visit, purpose of visit and time of entry and exit of persons entering, whether hospital patients or visitors of patients. Taking into account Article 4(15) and recital 35 GDPR, the Authority considers that the collection and retention of the information relating to the purpose of a natural person's visit, in so far as it concerns a patient of the hospital, constitutes information falling within the special categories of personal data, since, combined with the relevant record of the provision of health services by the 401 GSNA, it may directly disclose information on the state of health of the natural person concerned. The Authority further considers that the processing of this information is lawful under Articles 5, 6(1)(e) and 9(2)(g) GDPR, even in so far as patients themselves are concerned, since the substantial public interest may consist in the protection of military installations under military regulations. In the light of the above, the Authority considers that A's complaint against the 401 GSNA must be rejected as unfounded.

7.
The GDPR recognises the Data Protection Officer (hereinafter "DPO") as a key component of the new data governance system and establishes the conditions for the DPO's designation, position and tasks. In particular, with regard to the designation of the DPO, Article 37(1) GDPR provides that "The controller and the processor shall designate a data protection officer in any case where: (...) (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 (...)". Furthermore, Article 37(3) GDPR provides that "Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size".

8. From the records kept by the Authority pursuant to the GDPR and Law 4624/2019, it appears that the Hellenic National Defence General Staff submitted application No. C/ES/8303/29.11.2019 (replacing application No. C/ES/3837/29.05.2019) for the communication to the Authority of the DPO's contact details, in accordance with the above provisions of Article 37 GDPR and Article 6 of Law 4624/2019. Furthermore, it appears from the case file that the 401 GSNA, citing the possibility provided for by Article 37(3) GDPR and Article 6(2) of Law 4624/2019, argues that it has complied with the obligation to designate a DPO, since the DPO (and/or the DPO office) of the Hellenic National Defence General Staff, according to its claims, has competence in matters of personal data protection both in the General Staffs and in the bodies subordinate to the General Staffs.
Under the aforementioned provisions of the GDPR and Law 4624/2019, a DPO may be designated for several public authorities or bodies, but in that case, in accordance with the Guidelines on Data Protection Officers issued by the Article 29 Working Party, the controller or processor must ensure that a single DPO, assisted by a team if necessary, can effectively perform all of his or her tasks for all the public authorities and bodies concerned. The Authority considers, in this regard, that the designation of a single DPO and/or DPO office at the Hellenic National Defence General Staff for all the services and responsibilities of the Hellenic National Defence General Staff and its supervised bodies is not sufficient for the effective performance of the DPO's tasks with respect to the 401 GSNA, which requires the designation of its own DPO, given that it is a public body whose core activity consists of the systematic processing, on a large scale, of data relating to the health services provided to patients. In view of this, the Authority considers that, in this particular case, it is appropriate to exercise the corrective power referred to in Article 58(2)(d) GDPR by imposing on the 401 GSNA the obligation to designate a Data Protection Officer as an appropriate corrective measure.

FOR THESE REASONS

The Authority

a) rejects as unfounded the objection of the 401 General Military Hospital of Athens that, pursuant to Article 10(5) of Law 4624/2019, the Authority lacks competence to deal with A's complaint against it in so far as it concerns processing of personal data carried out for activities relating to national security;

b) rejects as unfounded A's complaint against the 401 General Military Hospital of Athens and considers that the processing in question is lawful, in accordance with Articles 5, 6(1)(e) and 9(2)(g) of GDPR 2016/679; and

c) calls upon the 401 General Military Hospital of Athens, pursuant to Article 58(2)(d) of GDPR 2016/679, to ensure the designation of a Data Protection Officer in a manner that meets the requirements of Law 4624/2019.

The President
Konstantinos Menoudakos

The Secretary