HDPA - 20/2020

From GDPRhub
Revision as of 08:27, 29 July 2020 by AL (talk | contribs)
HDPA - 20/2020
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 2(2)(a) GDPR
Article 4(15) GDPR
Article 6(1)(e) GDPR
Article 9(2)(g) GDPR
Article 37(1) GDPR
Article 37(3) GDPR
Article 45 GDPR
Article 51 GDPR
Article 55 GDPR
Article 58(2)(d) GDPR
Article 10(5) of Greek Data Protection Act
Article 9 of Greek Data Protection Act
Type: Complaint
Outcome: Rejected
Decided: 03.03.2020
Published: 20.07.2020
Fine: None
Parties: 401 Athens General Military Hospital
National Case Number/Name: 20/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: n/a

The Hellenic Data Protection Authority (HDPA) found itself competent to decide over case concerning personal data processed by the 401 Athens General Military Hospital, insofar this data is not classified information related to activities concerning national security. The HDPA found the processing lawful but ordered the Hospital to appoint a DPO.

English Summary


A data subject complained that 401 Athens General Military Hospital unlawfully processed personal data of people entering the hospital, collecting details from their ID and information about where exactly in the hospital they intend to go, time of entrance and exit.

The Military Hospital claimed that this information was necessary for the security of the hospital and that in any case, the DPA was not competent to deal with the case as it concerns data related to activities concerning national security.



The HDPA found, first of all, itself competent to decide on the case as the personal data collected (a) has not been characterised as "classified information" (b) nor does it relate to activities concerning national security, as required by the national Data Protection Act.

Then, the HDPA rejected the complaint as it found the processing necessary for the protection of military facilities and thus lawful according to Articles 6(1)(e) and 9(2)(g) GDPR.

Lastly, the HDPA imposed the corrective measure of Article 58(2)(d), ordering the Military Hospital to appoint a DPO.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.