HDPA (Greece) - 44/2019: Difference between revisions

From GDPRhub
<pre>
<pre>


3/2/2021
Hellenic Republic
HELLENIC DATA PROTECTION AUTHORITY
Decision 44/2019
Athens, 19-12-2019
Prot. no.: Γ/ΕΞ/8907/19-12-2019
DECISION NO. 44/2019
(Section)
The Hellenic Data Protection Authority met in Section composition at its headquarters on
Wednesday, 24 July 2019, at the invitation of its President, in order to examine the case
referred to in the background of this decision.
Present were Georgios Batzalexis, Deputy President, the President of the Authority,
Konstantinos Menoudakos, being prevented from attending, and the alternate members
Panagiotis Rodogiannis, Grigorios Tsolias, as rapporteur, and Evangelos Papakonstantinou,
replacing the regular members Symvoni Antoniou, Charalambos Anthopoulos and
Konstantinos Lambrinoudakis who, although lawfully summoned in writing, did not attend
because they were prevented. By order of the President, the meeting was also attended by
Georgios Roussopoulos, specialist scientist-auditor, as assistant rapporteur, and Irene
Papageorgopoulou, employee of the Administrative Department of the Authority, as secretary,
while the other assistant rapporteur, Evmorfia-Iosifina Tsakiridou, specialist scientist-auditor,
was absent because she was prevented.
The Authority took into account the following:


AEGEAN BUNKERING SERVICES INC (hereinafter "ABS") submitted to the Authority, under
prot. no. Γ/ΕΙΣ/5432/18-06-2018, a personal data breach notification pursuant to Article 33 of
Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter "GDPR"), together
with a supplementary memorandum. At the same time, the same company submitted a report
under prot. no. Γ/ΕΙΣ/5414/18-06-2018 (which it described as a complaint) concerning a
personal data breach by Aegean Marine Petroleum Network Inc (hereinafter "AMPNI") and
ERNST & YOUNG HELLAS CERTIFIED AUDITORS-ACCOUNTANTS (hereinafter "EY HELLAS"),
alleging that persons associated with those two companies entered the ABS data room without
permission and unlawfully copied to portable storage media the entire digital content of the
server, which contained electronic files as well as e-mails and other communications both of
ABS employees with third parties and of employees of third companies, by "cloning" the
original server and thereby creating a new file (clone server) as a copy of the original server.
1-3 Kifissias Ave., 11523 Athens, Tel.: 210-6475600, Fax: 210-6475628, contact@dpa.gr,www.dpa.gr
By Provisional Order no. 2/2018 of its President (prot. no. Γ/ΕΞ/5432-1/22-06-2018), the
Authority prohibited AMPNI and EY HELLAS, as well as any other company or natural person
to whom all or part of the copied file (clone server) may have been transmitted, from
processing in any way, until a final decision is issued, the personal data contained in it, in
particular the e-mails contained in the copied file (server), which were attached as a list at
the end of that Provisional Order and form an integral part of it. It is noted that the same
decision clarified that the above provision suspending the processing of the personal data
contained in the copied server (clone server) does not prevent the continued operation of the
original server of the same company, provided of course that the processing of personal data
takes place lawfully under Articles 5 and 6(1) GDPR.
By its document prot. no. Γ/ΕΞ/5414-1/26-6-2018 the Authority called on the companies
AMPNI, ABS and EY HELLAS to provide information and to produce specific documents, as
well as any information necessary for a final decision on the present case. In response to
that document:
i. EY HELLAS, by its Memorandum of 28-6-2018 to the Authority (prot. no.
Γ/ΕΙΣ/5824/29-6-2018), stated that it had nothing to do with the case in question and was
not even aware of the allegedly unlawful processing of personal data. It further requested
the revocation of the provisional order insofar as it concerned EY HELLAS as a non-involved
party, and requested that it be exempted from any investigation or audit carried out by the
Authority in relation to this case. The Authority requested further clarifications from that
company by its document prot. no. Γ/ΕΞ/5824-1/06-07-2018, in particular in relation to two
persons who are alleged to have presented themselves as representatives of the company
"Ernst & Young" and to have been involved in the copying of the server. EY HELLAS responded
by its document prot. no. Γ/ΕΙΣ/6424/24-07-2018, denying any connection with those natural
persons.
ii. ABS, by its Report of 28-6-2018 (prot. no. Γ/ΕΙΣ/5825/29-06-2018) and its letter of
03-7-2018 (prot. no. Γ/ΕΙΣ/5935/04-07-2018), submitted documents to the Authority, including
organisational policies bearing the name "AEGEAN", which carried neither the date of their
drafting and entry into application nor the signatures of the persons responsible for drafting
and approving them; by the same documents the company provided information in response
to the Authority's questions.
iii. AMPNI, by its application for review of 13-7-2018 (HDPA prot. no.
Γ/ΕΙΣ/6211/13-7-2018), requested the annulment and suspension of effect, in whole or in part,
of Provisional Order no. 2/2018 of the President of the Authority, for the reasons set out in
detail therein. In that application the company denied all the allegations made against it by
the complainant company ABS, pointed out that ABS was a wholly-owned subsidiary, and
claimed, inter alia: that it lawfully gained access to the e-mail accounts of specific current
or former employees of the AMPNI Group and to other related data in the context of an
internal investigation into significant financial matters, including possible fraud against the
company; that access to them was necessary for the company to be able to comply with its
reporting and disclosure obligations to the US Securities and Exchange Commission (SEC)
under the applicable laws and regulations, including US securities legislation and New York
Stock Exchange rules, and also to protect the Group from further loss and damage; that the
internal investigation had been obstructed by persons suspected of possessing important
information on the subjects of the internal audit; that the e-mails exported were professional
(corporate) and therefore not personal data; that it made a security copy (back-up) of all the
data on the system, i.e. including data of third-party employees using the same server,
because the installation and operation of deletion software had been detected, so that such
processing was absolutely necessary to protect the integrity of the AMPNI Group's data
against those who attempted to destroy them without authorisation; and that the information
derived from the e-mails in question was required by the external auditors
PricewaterhouseCoopers S.A. ("PwC") in order to sign the company's annual report for the
financial year 2017.
Furthermore, the Authority received eleven complaints from individuals against AMPNI and
EY HELLAS in connection with the above incident, specifically under prot. nos.
Γ/ΕΙΣ/5648/26-06-2018, Γ/ΕΙΣ/5650/26-06-2018, Γ/ΕΙΣ/5651/26-06-2018,
Γ/ΕΙΣ/5653/26-06-2018, Γ/ΕΙΣ/5679/26-06-2018, Γ/ΕΙΣ/5680/26-06-2018,
Γ/ΕΙΣ/5681/26-06-2018, Γ/ΕΙΣ/5682/26-06-2018, Γ/ΕΙΣ/5683/26-06-2018,
Γ/ΕΙΣ/5684/26-06-2018 and Γ/ΕΙΣ/5685/26-06-2018, being the complaints of A, B, Γ, Δ, E,
ΣΤ, Z, H, Θ, I and K respectively, who complained to the Authority of a breach of their
personal data stored on the original server, which was unlawfully copied in its entirety by the
company under investigation, AMPNI, given that some of the complainants were employees
of third parties unrelated to AMPNI and its Group companies: Δ and I worked at
"AEGEAN OIL", K worked at "AEGEAN NET FUELS", Z worked at "AEGEAN PETROLEUM
INTERNATIONAL", and B worked at "AEGEAN SHIPPING MANAGEMENT".
The Authority, after studying the above answers and the documents attached to them, sent:
i. to AMPNI the document prot. no. Γ/ΕΞ/6211-1/14-8-2018, by which it called on the company
to provide additional clarifications and informed it of the complaints against it so that it
could state its views on them;
ii. to ABS the document prot. no. Γ/ΕΞ/5935-1/16-8-2018, by which it called on the company to
provide additional clarifications and documents.
ABS, by its Supplementary Memorandum of 11-9-2018 to the Authority (HDPA prot. no.
Γ/ΕΙΣ/7522/20-9-2018), provided additional clarifications and documents, in particular: that
the security policies originally submitted were drawn up outside the EU, in the USA, and
apply to AMPNI and its subsidiaries; that the internal work regulations of the Greek
subsidiaries of AMPNI contain no reference to the checking of employees' corporate e-mails
or to any way in which internal audits may be carried out under the sole responsibility of
AMPNI; that the original server, whose content was unlawfully copied by AMPNI, held
personal data of companies that are third parties to the AMPNI Group, such as the companies
"Aegean Net Fuels Ltd Fze", "Aegean OIL SA", "Aegean Lubes" and "Aegean Gas"; and that
all the above companies, together with ABS, AMPNI and its subsidiaries, use the
infrastructure and servers of ABS informally and without any written contract; it provided
relevant written documentation.
AMPNI, by its documents of 10-09-2018 ( . . . ) and 17-9-2018 ( . . . ) (HDPA prot. nos.
Γ/ΕΙΣ/7306/10-09-2018 and Γ/ΕΙΣ/7434/17-9-2018 respectively), provided additional
clarifications, in particular that: the server from which the data were exported is located in
the computer room on the ground floor of the building on Akti Kondili, in which the
companies of the AMPNI Group rent space for their facilities. As far as the company under
investigation is aware, the computer room also houses, in addition to that server, servers of
other companies whose offices are located in the same building and which are unrelated to
the AMPNI Group; the AMPNI Group has no access to those servers. The company under
investigation further claimed that the server, while in practice belonging to the AMPNI
Group, is owned by the complainant ABS, which however does not process personal data on
behalf of AMPNI; it reiterated its claims that the processing of the data was lawful and
necessary for the purposes of its internal investigation and on the occasion of the accidental
detection of deletion software, in order to protect the data of the AMPNI Group, which were
not personal data, so that no breach had occurred; that any export of personal data by
EY LLP took place with appropriate measures to secure the data; that the exported e-mails
concerned a limited number of persons; that the EY LLP team did not gain physical access to
the server; that five (5) accounts were created by the local IT staff of the AMPNI Group for
EY LLP team members so that they could access AMPNI systems; that it did not inform in
advance the persons whose electronic accounts were examined and accessed through the
copying of the server, in order to avoid the risk of deterrence or obstruction of the
investigation, under Article 14(5)(b) GDPR; that the data processing carried out through the
copy of the server was lawful under Article 6(1)(c) and (f) GDPR; and that the copied file is
held at the offices of EY in Manchester, United Kingdom.
AMPNI, by its application of 10-10-2018 (HDPA prot. no. Γ/ΕΙΣ/8044/11-10-2018), requested
the urgent examination of its request for the lifting of Interim Order no. 2/18, invoking a
summons issued by the US Department of Justice before a jury in relation to a formal
criminal investigation into a possible criminal offence, in the context of which it was
summoned to send to the USA and duly produce, by . . . , information concerning, inter alia,
e-mails included in what it refers to as a "back up", the processing of which has been
prohibited by the Authority until its final decision. In particular, in the above application
AMPNI repeats the claims it developed in its application for review of 13-7-2018, arguing
that the business (corporate) e-mail accounts were lawfully exported and that Interim Order
no. 2/18 should therefore be revoked so that the data (e-mails) can then be transmitted to
the USA.
The Authority summoned the companies ABS, AMPNI and EY HELLAS to a hearing by its
documents prot. nos. Γ/ΕΞ/8303/18-10-2018, Γ/ΕΞ/8302/18-10-2018 and
Γ/ΕΞ/8301/18-10-2018 respectively, while by Provisional Order no. 3 of the President of the
Authority (prot. no. Γ/ΕΞ/8345/19-10-2018) it rejected the application for review and
revocation of Interim Order no. 2/2018, noting that a condition for the cross-border transfer
of personal data to the USA is compliance with the general principles of processing, namely
Articles 5 and 6 GDPR, so that where the data to be transferred across borders have been
unlawfully collected, their cross-border transmission is to be prohibited.
At the meeting of the Section of the Authority on 07-11-2018, the lawyers Panagiotis
Bernitsas (Athens Bar reg. no. . . .), Marina Androulakaki (Athens Bar reg. no. . . .) and
Areti-Tania Patsalia (Athens Bar reg. no. . . .) appeared on behalf of AMPNI. Also present
was L, legal representative of ABS, who stated that he was represented by the lawyer
Leonidas Kotsalis (Athens Bar reg. no. . . .). The lawyer Eleftheria Rizou (Athens Bar reg.
no. . . .) appeared on behalf of the complainants. At the meeting AMPNI submitted the
documents prot. nos. Γ/ΕΙΣ/8790/07-11-2018 and Γ/ΕΙΣ/8791/07-11-2018, from which it
appears that the Board of Directors of ABS, by a decision of its own, resolved that the legal
representative of the company, L, is not entitled to appoint or dismiss lawyers, dismissed the
former lawyer L. Kotsalis and appointed as the company's new lawyers P. Bernitsas and
I. Anagnostopoulos. The lawyer P. Bernitsas also filed an objection against the representation
of ABS by L and the lawyer L. Kotsalis (prot. no. Γ/ΕΙΣ/8816/08-11-2018). The Authority
postponed the discussion of the case in order to examine the issue of the representation of
ABS. Following the document prot. no. Γ/ΕΙΣ/9207/21-11-2018 of ABS, from which it appears
that the company's Board of Directors replaced its representative . . . , the Authority issued
new summonses to the companies ABS, AMPNI and EY HELLAS by its documents prot. nos.
Γ/ΕΞ/9445/27-11-2018, Γ/ΕΞ/9449/27-11-2018 and Γ/ΕΞ/9448/27-11-2018. Furthermore, the
former legal representative of ABS, N.L., filed the complaint prot. no.
Γ/ΕΙΣ/9771/04-12-2018, arguing that his own personal data were affected by the incident.
At the meeting of the Section of the Authority on 05-12-2018, the lawyers Panagiotis
Bernitsas (Athens Bar reg. no. . . .), Marina Androulakaki (Athens Bar reg. no. . . .) and
Areti-Tania Patsalia (Athens Bar reg. no. . . .) appeared on behalf of the companies AMPNI
and ABS, and Ioli Katsirouba (Piraeus Bar reg. no. . . .) and Alexandra Vraka (Athens Bar
reg. no. . . .) on behalf of the company ERNST & YOUNG (HELLAS) CERTIFIED
ACCOUNTANTS SA. The complainants L and F were represented by Leonidas Kotsalis (Athens
Bar reg. no. . . .), while Eleftheria Rizou (Athens Bar reg. no. . . .) appeared on behalf of the
other complainants. It is noted that after the meeting ABS and AMPNI submitted a request
under prot. no. Γ/ΕΙΣ/9981/11-12-2018 for the exclusion of the rapporteur, which was
rejected by Decision no. 42/2019 of the Authority.
The representatives of the companies and of the complainants were given a deadline and
submitted memoranda. In particular:
i) EY HELLAS submitted the document prot. no. Γ/ΕΙΣ/10252/19-12-2018, in which it
reiterates its claim that it has nothing to do with the case.
ii) AMPNI and ABS filed the memorandum prot. no. Γ/ΕΙΣ/10259/19-12-2018, which was
supplemented by the document prot. no. Γ/ΕΙΣ/10398/28-12-2018, while by the document
prot. no. Γ/ΕΙΣ/10316/24-12-2018 they objected to the extension of the deadline for the
submission of memoranda until 15-01-2019, which the Section of the Authority had decided,
and to the procedure followed in general. In particular, ABS, both during the hearing and in
the above memorandum, withdrew its complaint against AMPNI and was represented jointly
with it. They then relied on the following allegations: that by decision of a US court every
action worldwide against AMPNI is automatically suspended on account of its bankruptcy,
and therefore so are the Authority's proceedings against the company; that the complaint of
ABS is inadmissible as it was lodged by a legal and not a natural person, contrary to
Article 77(1) GDPR; that the complaints of the natural persons are inadmissible as they were
not preceded by the exercise of the relevant rights vis-à-vis the controller; that the GDPR
does not apply to AMPNI as it has no establishment in Greece; that it had the right to
conduct an internal audit of professional e-mails, which do not fall under the protection of
personal data legislation; that the processing of the e-mails was necessary for the purposes
of AMPNI's legitimate interests under Article 6(1)(f) GDPR; that it refers to the documents
and data that ABS had submitted as complainant against AMPNI before withdrawing its
complaint; that the company e-mails are the property of AMPNI; that in the context of the
internal investigation it was decided to copy the e-mails of specific persons, but in the course
of copying them the operation of deletion software across the entire server emerged and the
company was forced to make a full copy of it, creating a backup, so that there was no time
to inform the data subjects in advance; that although the detection of the operation of
deletion software constitutes a personal data breach, the company had no obligation to notify
the Authority because it did not concern personal data but corporate (business) e-mails,
which could not create a reasonable expectation of privacy for employees, and in any event
the necessary security measures had been taken; that even if corporate e-mails constitute
personal data, it was not proved that they contained personal data; that no access to the
personal (private) electronic accounts of the said employees was attempted, but the e-mails
were exported from the company server; that in the Novartis case the Authority had also
ruled that there was a legitimate interest in complying with the request of the US public
authorities and the relevant data were transferred to the USA; that it should be given notice
of any new evidence provided by the complainants; that there was no obligation to inform
former and current employees of the AMPNI Group; and finally that, should the Authority
impose administrative sanctions, it should not order the destruction of the copied material,
as it contains critical documents and information that are to be delivered to the US
authorities.
iii) The eleven original complainants jointly filed the memorandum prot. no.
Γ/ΕΙΣ/268/15-01-2019, while A submitted the memorandum prot. no. Γ/ΕΙΣ/272/15-01-2019,
in which it is claimed: that AMPNI never submitted to ABS a lawful request for access to
personal data, but instead approached Mr. N, . . . , directly with a proposal to cooperate in
unlawful acts, offering him amnesty; that the existence of deletion software is not borne out
by the facts but was a pretext to justify the copying of the server, given that e-mails between
N and an employee of EY LLP show that a copy of the entire server had been requested
several days before the deletion software was detected; that corporate data always contain
personal data; that professional e-mails contain personal data according to the case law of
the CJEU; that ownership and possession of a server does not imply ownership of the
personal data contained on it; that no separation of data was carried out and no processing
agreements under Article 28 GDPR were ever signed; that none of the principles of Article 5
GDPR was complied with, so that the processing is unfair; and that AMPNI's allegations
regarding the non-information of the data subjects were contradictory.
Following the submission of the memoranda, AMPNI and ABS informed the Authority
(Γ/ΕΙΣ/452/22-01-2019) that they are in the process of relocating and that the company
"Warehouses of Aegean SA", with which they shared premises, refused to hand over the
original hard drive of the operating ABS server, even though it was not covered by the
Authority's interim order, as the Authority confirmed by its document prot. no.
Γ/ΕΞ/452-1/29-01-2019. According to AMPNI and ABS, the processing of the backup located
in Manchester, United Kingdom, which contains professional e-mails, is the only way to
ensure that key evidence will not be permanently destroyed, and any decision of the
Authority ordering, for any reason, the destruction of the professional e-mails copied to the
backup would be disproportionate and would irreparably interfere with the property rights
and rights of defence of the AMPNI Group.
As AMPNI and ABS informed the Authority (Γ/ΕΙΣ/757/30-01-2019), a relevant application
was heard by the Magistrates' Court of Piraeus under the interim measures procedure,
initially with the issuance of a temporary order (see Γ/ΕΙΣ/757/30-01-2019). Finally, as
AMPNI and ABS informed the Authority by the document prot. no. Γ/ΕΙΣ/2883/16-04-2019,
the aforementioned court issued its decision no. 14/2019, ordering the delivery of the
movable equipment to ABS.
On this issue, the company AEGEAN WAREHOUSES submitted the request prot. no.
Γ/ΕΙΣ/2111/19-03-2019, asking for clarification as to whether the return of the servers
includes their content, i.e. the personal data and stored e-mails, and the Authority, by its
document prot. no. Γ/ΕΞ/2111-1/23-04-2019, informed it that the questions submitted in the
application do not relate to Interim Orders nos. 2/2018 and 3/2018 but concern the
interpretation and execution of decision . . . of the Magistrates' Court of Piraeus, which do
not fall within the competence of the Authority.
AMPNI and ABS also submitted a number of documents relating to the pending litigation
before a US bankruptcy court, in particular: a) under prot. no. Γ/ΕΙΣ/740/30-01-2019, a
document entitled "NOTICE OF DEADLINE REQUIRING SUBMISSION OF PROOFS OF CLAIM ON
OR BEFORE 21-02-2019"; b) under prot. no. Γ/ΕΙΣ/1467/25-02-2019, a document entitled
"NOTICE OF HEARING TO CONSIDER CONFIRMATION OF THE CHAPTER 11 PLAN FILED BY THE
DEBTORS AND RELATED VOTING AND OBJECTION DEADLINES"; c) under prot. no.
Γ/ΕΙΣ/2678/09-04-2019, a document entitled "NOTICE OF (A) ENTRY OF ORDER CONFIRMING
THE JOINT PLAN OF REORGANIZATION OF AEGEAN MARINE PETROLEUM NETWORK INC. AND
ITS DEBTOR AFFILIATES PURSUANT TO CHAPTER 11 OF THE BANKRUPTCY CODE AND (B)
OCCURRENCE OF EFFECTIVE DATE".
Finally, AMPNI and ABS, having become aware of the complainants' allegations in their
memoranda of 15-01-2019 (through the Authority's document prot. no.
Γ/ΕΞ/2214/21-03-2019), submitted the supplementary memorandum prot. no.
Γ/ΕΙΣ/2616/05-04-2019, which first disputes the lawfulness of the extension of the deadline
given at the hearing for the submission of a memorandum. They then argue, refuting the
complainants' pleas: that they did not commit any act of unlawful processing of personal
data; that there was no intention from the outset to copy the server, nor did they invent the
existence of the deletion software as a justification; that the purpose of the procedure
followed was the export of professional e-mails of a specified number of former and current
employees of the AMPNI Group; that no access to personal (private) e-mail accounts was
attempted; that only some of the complainants produced some e-mails containing their
personal data; that after the hearing new information was provided relating in particular to
e-mails, including an exchange of e-mails with the management of PAE AEK, which is not
included in the list of addresses attached to Interim Order 2/2018 of the Authority; that the
complainants were well aware that their corporate e-mail accounts were intended for
professional use only; that, to the extent that the copy ultimately contains personal data of
individuals not affiliated with the AMPNI Group, the company would be willing to separate or
delete the data concerning such individuals; that professional e-mails do not constitute
personal data; that the copying of the original server was lawful due to force majeure,
namely the detection of the operation of the deletion software; and that personal
correspondence should not have been exchanged through corporate e-mail accounts.
The Authority, on the basis of the hearing, the documents in the case file and the memoranda
submitted together with their attached documents, having heard the rapporteur and the
clarifications of the assistant rapporteur G. Roussopoulos, who withdrew after the discussion
and before the deliberation and decision, and after thorough discussion, taking into account
in particular:
1. The provisions of the Constitution, in particular Articles 2(1), 5(1), 5A, 9, 9A, 19(3), 17, 22,
25 and 28.
2. The provisions of the European Convention on Human Rights of 04.11.1950, ratified by
Legislative Decree 53 of 19.9.1974, as currently in force, in particular Article 8.
3. The provisions of the Treaty on the Functioning of the European Union, in particular
Article 16.
4. The provisions of the Charter of Fundamental Rights of the European Union
(2012/C 326/02), in particular Articles 7, 8 and 52.
5. The provisions of the Council of Europe Convention for the Protection of Individuals with
regard to Automatic Processing of Personal Data of 28.1.1981 ("Convention 108"), ratified by
Law 2068/1992, as currently in force, in particular Articles 5 and 6.
6. The provisions of the General Data Protection Regulation (GDPR) no. 679/2016.
7. The provisions of Law 2472/1997 insofar as they do not conflict with the GDPR (see HDPA
Decisions 46/18 and 52/18).
8. The provisions of Directive no. 115/2001 of the Hellenic Data Protection Authority on the
subject of employee records.
9. Opinion no. 3/2010 of the Article 29 Working Party on the principle of accountability
(WP 173/13-7-2010).
10. Opinion no. 2/2017 of the Article 29 Working Party on data processing at work (WP 249).
11. The Working Document of the Article 29 Working Party of 29-5-2002 on the surveillance
of electronic communications in the workplace (WP 55).
12. Opinion no. 8/2001 of the Article 29 Working Party on the processing of personal data in
the employment context (WP 48).
13. Opinion no. 06/2014 of the Article 29 Working Party on the notion of legitimate interests
of the controller (WP 217), to the extent that it is interpretatively useful in the present
context.
14. The Article 29 Working Party "Guidelines on transparency under Regulation 2016/679",
WP 260 rev.01, to the extent that they are interpretatively useful in the present context.
15. Guidelines no. 2/2018 of the European Data Protection Board "on derogations of
Article 49 under Regulation 2016/679".
16. The Article 29 Working Party document no. 18/EN/WP 262 of 06-02-2018 entitled
"Guidelines on Article 49 of Regulation 2016/679".
17. The Article 29 Working Party guidelines on personal data breach notification
("Guidelines on Personal data breach notification under Regulation 2016/679", WP 250
rev.1).
18. Guidelines no. 3/2018 (under consultation) of the European Data Protection Board on the
territorial scope of the GDPR.
HAVING CONSIDERED IN ACCORDANCE WITH THE LAW
1. By Article 94 of the General Data Protection Regulation (GDPR) no. 679/2016, Directive
95/46/EC was repealed with effect from 25.5.2018, the date on which the GDPR became
applicable pursuant to Article 99(2) thereof. Law 2472/1997 remains in force to the extent
that its provisions do not conflict with the GDPR (see HDPA Decisions 46/18 and 52/18).
2. The processing of personal data should be designed to serve mankind. The right to the
protection of personal data is not an absolute right; it must be considered in relation to its
function in society and be balanced against other fundamental rights, in accordance with the
principle of proportionality (Recital 4 GDPR).
3. According to Article 3(1) GDPR, "this Regulation applies to the processing of personal data
in the context of the activities of an establishment of a controller or a processor in the Union,
regardless of whether the processing takes place in the Union or not". Recital 22 GDPR
defines the concept of establishment as one that "[ . . . ] implies the effective and real
exercise of activity through stable arrangements. The legal form of such arrangements,
whether through a branch or a subsidiary with a legal personality, is not the determining
factor in that respect".
4. According to Article 4(1) GDPR, "personal data" means "any information relating to an
identified or identifiable natural person ('data subject'); an identifiable natural person is one
who can be identified, directly or indirectly, in particular by reference to an identifier such
as a name, an identification number, location data, an online identifier ...". A similarly broad
definition of the concept of personal data pre-existed in Article 2(a) of Law 2472/1997,
implementing Directive 95/46/EC.
In this context, the e-mail address of an individual constitutes personal data, as it can serve
as an element of direct or indirect identification of its holder and allows communication with
him or her. When the e-mail address bears the name or an associated identifier of the
natural person who uses it (e.g. johnsmith@ikea.sk), it is a matter of direct identification and
the address therefore constitutes personal data, in contrast to the address of a legal entity
(e.g. ikeacontact@ikea.com), which in principle does not constitute personal data [1].
5. According to the case law of the Court of Justice of the European Union (CJEU), the fact
that the information processed concerns the content of professional activity has no bearing
in that regard and does not invalidate its classification as personal data [2], nor does it
constitute an exception to the relevant protection [3], even where the controller acts in the
exercise of public functions [4], and the "distinction of the data in question according to
whether they fall within the private or the public sphere is clearly the result of confusion
between data that fall under personal data and those that fall under private life" [5].
According to the case law of the European Court of Human Rights (ECtHR), the protection of
"private life" enshrined in Article 8 of the European Convention on Human Rights (ECHR),
which includes the protection of personal data, does not exclude professional life and is not
limited to life within the place of residence (see HDPA Decision 34/2018 and the WP29
Working Document on the surveillance of electronic communications in the workplace of
29-5-2002, WP 55, p. 8). Moreover, according to the same case law, electronic letters
(e-mails) fall within the protection of Article 8 ECHR [6].
[1] For details, see the answer given on 21-02-2018 by the European Commission to question
no. E-007147/17, h!lJ'!://www.europarl.europa.eu/doceo/document/E-8-201 7-0071 74-ASW EN.html? Redirect
[2] See CJEU C-345/2017 Sergejs Buivids, judgment of 14-02-2019, par. 46; CJEU C-398/2015
Salvatore Manni, judgment of 09-3-2017, par. 34; CJEU C-615/13 ClientEarth, judgment of
16-7-2015, par. 30, 32; CJEU C-92/09 & C-93/09 Volker und Markus Schecke GbR & Hartmut
Eifert v Land Hessen, judgment of 09-11-2010, par. 59.
[3] See European Union Agency for Fundamental Rights (FRA), Handbook on European data
protection law, 2014 edition p. 50 and 2018 edition (English) pp. 86-87.
[4] General Court T-496/13 McCullough, judgment of 11-6-2015, on the inclusion of the names
of data subjects in the minutes of a meeting regardless of the fact that they exercise public
authority, par. 66, or that the names have already been made public; see CJEU C-127/13
Guido Strack, judgment of 02-10-2014, especially par. 111.
[5] See also T-639/15 to T-666/15 and T-94/16 Maria Psarra et al. v European Parliament,
par. 52; see also par. 50, 53.
[6] Garamukanwa v. UK, decision of 14-5-2019 on admissibility, para. 25; Copland v. United
Kingdom of 3-4-2007.
Therefore, not accepting that the above information (especially e-mails)
constitute personal data " would have the consequence that it is not required
in respect of such information, compliance with the principles and guarantees laid down in
in the field of personal data protection and, in particular,
principles concerning data quality and the legality of processing
their ... as well as respect for rights, access, correction and opposition
of the person concerned ... , but also the control exercised by the control authority ... "(WEU C-
434/16 decision Peter Nowak v Ireland Data Protection Commissioner of20-12-2017, par.
49).
6. The data subjects, whether they are employees or senior management executives or are connected in any way with the controller, have a reasonable expectation of protection of their privacy in the workplace, which is not removed by the fact that they use equipment, communication devices or any other professional hardware or software facilities and infrastructure (e.g. electronic communications network, Wi-Fi, corporate e-mail addresses, servers, etc.) owned by the controller (see HDPA 34/2018, 61/2004; Article 29 Working Party WP55, ibid., p. 9).

The fact that an e-mail has been sent from a corporate e-mail address does not lead to the forfeiture of the right to privacy[7] (see ECtHR, First Section, George Garamukanwa v. the United Kingdom, decision on admissibility of 14-5-2019, par. 25), of the right to protection of the personal data of the data subjects, in particular of employees (see Licence no. 2072/2018 for the cross-border transfer of personal data of current and former employees of the applicant company[8]), or of the right to confidentiality of communications and the related location data (see Article 29 Working Party Opinion 2/2017, p. 22 et seq., and WP55, ibid., p. 22); nor, of course, can it be accepted that the personal data of the data subjects generated by their use of corporate media are the "property" or "possession" of the controller because he is the owner of the above media or e-mail addresses, an approach adopted by part of the case law of the US courts, but not of the European Union.

[7] Copland v. the United Kingdom, judgment of 03-7-2007; Amann v. Switzerland, judgment of 16-02-2000; Kopp v. Switzerland, judgment of 25-3-1998; Halford v. the United Kingdom, judgment of 25-6-1997; Aalmoes and 112 others v. the Netherlands, decision on admissibility of 25-11-2004.
[8] See Press Release C/EX/1728/01.3.2018 regarding the granting of Transfer Licence no. 2072/2018 of the HDPA.
7. According to recital 39 GKPD, "Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted."
8. According to recital 60 GKPD, "The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed."
9. According to the last sentence of recital 39 GKPD, "Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing."
10. According to Article 4 par. 12 GKPD, "personal data breach" means "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".
According to the Guidelines of 06-02-2018 of the Article 29 Working Party of Directive 95/46/EC (now the European Data Protection Board, EDPB) on personal data breach notification ("Guidelines on Personal data breach notification under Regulation 2016/679", WP 250 rev. 1), one of the types of personal data breach is the one categorized on the basis of the security principle of "confidentiality", where unauthorized access to personal data is established ("confidentiality breach").

A personal data breach also takes place through unlawful access to a server, and the taking of technical and organizational server security measures is necessary in the first place to prevent the associated risk, because of the large volume of personal data contained in servers,[9] in accordance with the European Union Agency for Network and Information Security (ENISA).[10]

The collection and retention of personal data in the context of the operation of a server without the prior adoption of such necessary technical and organizational security measures constitutes a breach of the principles set out in Article 5 par. 1 points (a) and (f) GKPD.

11. According to Article 5 par. 1 point (f) GKPD ("Principles relating to processing of personal data"), personal data shall be "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality')", while Article 32 par. 2 GKPD provides that, in assessing the appropriate level of security, account shall be taken of the risks presented in particular by unauthorised access to data, and an indicative list of security measures is given.[11]

The GKPD requires that personal data which have already been processed in accordance with the principles of Article 5 par. 1 points (a) to (e) be processed "in a manner that ensures appropriate security" (Article 5 par. 1 point (f)), so that, even where the principles other than that of security are met, the processing becomes unlawful if security is not ensured. Correspondingly, if the intended processing is from the outset going to take place in a way that does not ensure appropriate security, the examination of the fulfilment of the principles of points (a) to (e) of Article 5 par. 1 GKPD is unnecessary, as it will be unsafe and therefore unlawful processing.

In addition, the controller's obligation to "ensure" the security of processing by taking appropriate technical and organizational measures derives from the risk-based approach adopted by the GKPD, so that "the degree of risk of each processing becomes the key criterion for determining the extent of the relevant obligations"[12] (see also HDPA 51/2015, recital 4).

[9] For more see the detailed guide of the French data protection authority (CNIL), "Security of Personal Data", which refers both to the need for prior security measures for servers in the context of GKPD compliance and to the risk of unauthorized access to personal data stored on servers.
[10] For more see ENISA, "Reinforcing trust and security in the area of electronic communications and online services", December 2018, chapter 7 "Server and Database Security", p. 38 ff.
[11] For more see L. Mitrou, in L. Kotsalis - K. Menoudakos (eds.), The GKPD - Legal dimension and practical application, Chapter VI, Notification of data breaches, p. 218 ff.
The European Court of Human Rights took the same direction in the case I. v. Finland,[13] where, examining an application on the basis of whether the controller managed to "ensure" the security of personal data, it found a violation of Article 8 of the ECHR due to the non-implementation of security measures, which led to unauthorized access to the data.

Under the GKPD, "integrity and confidentiality" have been elevated into fundamental principles and conditions for the processing of personal data under Article 5 par. 1 point (f) GKPD,[14] so that the aforementioned "appropriate technical and organisational measures", once implemented, prevent, inter alia, any unauthorized access to or use of the data and the equipment used for the processing (see recital 39 GKPD and the European Union Agency for Network and Information Security, ENISA[15]). Therefore two of the three main goals of information systems security (i.e. excluding availability) have been elevated into principles and conditions for the lawful processing of personal data. The measures need to be further specified (see Article 32 GKPD) and, as required by the principle of accountability and determined by the provisions of Article 24 par. 2 GKPD, appropriate policies must be applied, depending on the processing activities (see HDPA 67/2018). The existence of appropriate policy documents, approved by the management of a body (controller or processor), which are applicable and implemented in practice (a contrario HDPA 98/2013 par. 5), is a basic criterion for demonstrating compliance with the principle of integrity and confidentiality (see HDPA 98/2013 recital 3, especially for information systems), to the extent that other evidence, such as adherence to an approved code of conduct or an approved certification mechanism, is lacking.

[12] L. Mitrou, The GKPD, ibid., p. 96 and footnotes 270 and 271, with references to the corresponding positions of CIPL and ENISA.
[13] Judgment of 17-7-2009, application no. 20511/2003, par. 37 to 46.
[14] See L. Mitrou, op. cit., p. 219, which states that "Security is an absolute condition for the effective protection of personal data. However, it should be noted in advance that this is a necessary but not sufficient condition for data protection, as protecting data from unauthorized access, disclosure and use in general does not mean that they are subject to lawful processing"; see also, by the same author, The GKPD, new law - new obligations - new rights, Sakkoulas 2017, p. 108 ff.
[15] "Handbook on Security of Personal Data Processing", December 2017, especially p. 8, as well as "Guidelines for SMEs on the security of personal data processing", December 2016, especially p. 12.
12. According to recital 78 GKPD, "The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default."

13. According to recital 82 GKPD, "In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility."

14. According to recital 83 GKPD, "In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality ... In assessing data security risk, consideration should be given to the risks that are presented by personal data processing ...".

15. According to recital 87 GKPD, "It should be ascertained whether all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject", as detailed in the Guidelines of 06-02-2018 of the Article 29 Working Party on data breach notification (WP 250 rev. 1).

16. Appropriate accountability measures for the observance of the principles of Article 5 par. 1 GKPD may include (as recommended by the Article 29 Working Party[16] before the application of the GKPD) the following non-exhaustive list of measures: adoption of internal procedures before the creation of new processing operations; adoption of written and binding data protection policies made available to data subjects; mapping of procedures; maintaining an inventory of all data processing operations; appointment of a data protection officer and other persons responsible for data protection; provision of appropriate education and training to staff on data protection; establishment of procedures for managing requests for access, rectification and erasure, which must be transparent to the data subjects; establishment of an internal complaints mechanism; establishment of internal procedures for the effective management and reporting of security breaches; carrying out a privacy impact assessment in specific cases; implementation and oversight of verification procedures to ensure that all measures not only exist on paper but are applied and operate in practice (internal or external audits, etc.).

[16] Opinion 3/2010 on the principle of accountability of 13-7-2010 (WP 173), p. 13 ff. and p. 14 footnote 7 for the international standards approved in Madrid by the competent personal data protection authorities.
The Authority, in the context of the implementation of the GKPD, has already referred to the obligations of the controller regarding security and its general responsibility for identifying appropriate technical and organizational measures, proposing "appropriate" measures which may be documented in individual procedures or in general security policies,[17] clarifying that "in any case, before determining the security measures to be adopted, the proper evaluation of the risks and their possible consequences[18] for the data subjects is paramount ... the implemented measures must, at a minimum, be periodically reviewed, but also be demonstrably approved by the management of the controller or the processor[19]". Likewise, appropriate technical and organizational measures for the security of the processing of personal data under the GKPD are also proposed by the European Union Agency for Network and Information Security (ENISA).[20]

[17] www.dpa.gr, section "Security", and in particular "Security Policy, Security Plan and Disaster Recovery Plan", with reference to the minimum content of the security policy concerning a description of the basic protection and security principles applied (organizational security measures, technical security measures, physical security measures, definition of roles, responsibilities, duties, etc.).
[18] See also G. Roussopoulos, HDPA specialist scientist, "Processing security and breach notification", in the EKDDA report "GDPR: the new landscape and the obligations of public administration", Athens, January 2018, p. 20 ff., available at www.ekdd.gr/images/seminaria/GDPR.pdf
[19] www.dpa.gr, section "Security".
[20] Cf. footnote 11, Annex A, p. 55 et seq.
17. In order for personal data to be lawfully processed, i.e. processed in accordance with the requirements of the GKPD, the conditions of application and observance of the principles of Article 5 par. 1 GKPD must be cumulatively met, as is clear from the recent judgment of the Court of Justice of the European Union (CJEU) of 16-01-2019 in Case C-496/17, Deutsche Post AG v Hauptzollamt Köln.[21] The existence of a legal basis (Article 6 par. 1 GKPD) does not exempt the controller from the obligation to comply with the principles (Article 5 par. 1 GKPD) of lawfulness, necessity and proportionality, and of data minimisation.[22] In case of violation of any of the principles set out in Article 5 par. 1 GKPD, such processing is unlawful (subject to the provisions of the GKPD) and there is no need to consider the conditions of application of the legal bases of Article 6 GKPD.[23] Thus, the unlawful collection and processing of personal data in violation of the principles of Article 5 GKPD is not cured by the existence of a lawful purpose and legal basis (cf. HDPA 38/2004).

Moreover, the CJEU, in its judgment of 01-10-2015 in Case C-201/14 (Smaranda Bara), considered the information of the data subject prior to the processing to be a condition for the fair and lawful processing of personal data.[24]

[21] "57. However, any processing of personal data must be consistent with, on the one hand, the principles to be observed with regard to data quality set out in Article 6 of the Directive [...] principles of legal processing ... C-465/00, C-138/01, C-139/01, C-131/12".
[22] On this see L. Mitrou, The General Regulation on the Protection of Personal Data (new law - new obligations - new rights), Sakkoulas, 2017, pp. 58 and 69-70.
[23] Cf. Council of State 517/2018 par. 12: "[...] in order for personal data to be lawfully processed, it is required in each case that the cumulative conditions of Article 4 par. 1 of Law 2472/1997 be met, which, among other things, stipulates that data must be collected and processed fairly and lawfully, for clear and lawful purposes ... Provided that the conditions of Article 4 par. 1 of Law 2472/1997 are met (lawful collection and processing of data for clear and lawful purposes), it is further examined whether the conditions of Article 5 par. 2 of Law 2472/1997 [legal bases] are met". Also, cf. Council of State, Plenary, 2285/2001 par. 10: "[...] Only if the above basic conditions are met do the provisions of Articles 5 and 7 of Law 2472/1997 apply, which impose as a further additional condition, in principle, for the lawful processing of personal data of a specific person, his consent".
[24] "31. The controller or his representative has an obligation to inform, the content of which is set out in Articles 10 and 11 of Directive 95/46 and differs according to whether the data are collected from the data subject or not, subject to the exceptions provided for in Article 13 of that Directive [...] 34. Consequently, the requirement of fair data processing provided for in Article 6 of Directive 95/46 obliges the administrative authority to inform the data subjects of the transfer of such data to another administrative authority for the purpose of processing by the latter as the recipient of such data".
18. Further, the controller, in the context of its compliance with the principle of fair processing of personal data, owes to inform the data subject that his data are to be processed in a lawful and transparent manner (see CJEU C-496/17, ibid., par. 59, and CJEU C-201/14 of 01-10-2015, par. 31-35 and especially 34) and to be in a position at any time to prove its compliance with these principles (principle of accountability under Article 5 par. 2 in combination with Articles 24 par. 1 and 32 GKPD).

Processing personal data in a transparent manner is a manifestation of the principle of fair processing and is linked to the principle of accountability, giving data subjects the ability to exercise control over their data and making controllers accountable, according to the Article 29 Working Party.[25]

Exceptionally, and pursuant to Article 14 par. 5 point (b) GKPD ("Information to be provided where personal data have not been obtained from the data subject"), paragraphs 1-4 of the same article do not apply and the relevant information is not provided by the controller if it is likely to seriously impair the achievement of the objectives of that processing. A condition for the application of this provision, according to the Article 29 Working Party,[26] is that the processing (collection) of such personal data has been carried out lawfully, i.e. in accordance with the principles of Article 5 par. 1 GKPD.

19. In addition, a new, central compliance model was adopted with the GKPD, the core of which is the principle of accountability, under which the controller is obliged to plan, implement and generally take the necessary measures and policies to ensure that data processing complies with the relevant legislative provisions. In addition, the controller is further responsible for proving, on its own initiative and at all times, its compliance with the principles of Article 5 par. 1 GKPD. It is no coincidence that the GKPD incorporates accountability (Article 5 par. 2 GKPD) into the provision on the principles (Article 5 par. 1 GKPD) governing processing, giving it the function of a mechanism for their observance, essentially reversing the "burden of proof" as to the lawfulness of the processing (and in general the observance of the principles of Article 5 par. 1 GKPD) and transferring it to the controller,[27] so that it can reasonably be argued that the controller bears the burden of invoking and proving the lawfulness of the processing.[28]

Thus, it is the responsibility of the controller, on the one hand, to take on its own initiative the necessary measures in order to comply with the requirements of the GKPD and, on the other hand, to prove at all times its above compliance, without the Authority actually being required, in the context of exercising its investigative and auditing powers, to submit individual, specific questions and requests for the assessment of compliance.

It is pointed out that the Authority, because the first period of application of the GKPD is elapsing, submits questions and requests in the context of exercising its relevant investigative and auditing powers, in order to facilitate controllers in documenting their accountability. The controller must, in the context of the Authority's audits and investigations, present on its own initiative and without relevant questions and requests from the Authority the measures and policies it has adopted within the internal organization of its compliance, as it is aware of them, having designed and implemented the relevant internal organization.

20. Access by the controller, in the context of an internal corporate audit, to personal data stored on a hardware and software computer system (server) constitutes processing of personal data, as in the case of access to and control of a computer used by the data subject (HDPA 34/2018).

The employer, exercising his managerial right, under the self-evident condition of observing the principles of Article 5 par. 1 GKPD and on the basis of previously elaborated specific procedures and safeguards within the organization of its internal compliance in accordance with the principle of accountability, is entitled to exercise control over the electronic media it provides to employees for their work, provided that the relevant processing, in accordance with the principle of proportionality, is absolutely necessary for the satisfaction of the legitimate interest it pursues and provided that this interest obviously prevails over the rights and interests of the employee, without prejudice to his fundamental freedoms (Article 6 par. 1 point (f) GKPD), and after the employee has been informed even about the possibility of such control (see HDPA 34/2018).

[25] Guidelines on transparency under Regulation 2016/679 of 11-4-2018 (WP 260 rev. 1), pp. 4 and 5.
[26] Guidelines on transparency under Regulation 2016/679 of 11-4-2018 (WP 260 rev. 1), p. 31, par. 65.
[27] On this see L. Mitrou, The principle of Accountability, in Obligations of the controller [G. Giannopoulos, L. Mitrou, G. Tsolias], collective volume L. Kotsalis - K. Menoudakos (eds.), "The GKPD, Legal dimension and practical application", Nomiki Vivliothiki, 2018, p. 172 ff.
[28] P. de Hert, V. Papakonstantinou, D. Wright and S. Gutwirth, The proposed Regulation and the construction of a principles-driven system for individual data protection, p. 141.
21. An essential element of the lawful operation of information systems and other infrastructure and communication systems in the processing of personal data is the taking of appropriate security measures, in particular the physical and logical separation of hardware, software and data.[29]

22. In order to examine the lawfulness, under Articles 5 and 6 par. 1 GKPD, of the controller's access to the personal data of data subjects kept in its corporate systems in the context of an internal audit, the lawfulness, under Articles 5 and 6 par. 1 GKPD, of the original collection, processing and storage of the personal data in those systems must first be examined. The unlawful original collection, processing and retention of personal data, e.g. on a computer or server, also renders unlawful any subsequent or further (i.e. for a purpose different from the original one, Article 6 par. 4 GKPD) distinct and independent processing of the same personal data, such as copying them and saving them on another digital storage medium (e.g. USB stick, server, PC, etc.), and even further their transmission and use, even if the conditions for the application of a legal basis under Article 6 par. 1 GKPD were met, such as that of point (f), since non-compliance with the processing principles of Article 5 par. 1 GKPD is not cured by the existence of a lawful purpose and legal basis (see recital 17 hereof and cf. HDPA 38/2004).

23. A prerequisite for the transfer of personal data outside the European Union, provided that the general principles, procedures, conditions and safeguards of Chapter V of the GKPD (Articles 44-50) are met, is the original lawful collection, processing and retention of the same personal data under Articles 5 and 6 par. 1 GKPD[30] (see in this regard Provisional Order no. 3/2018 of the President of the HDPA), so that if the original collection was unlawful, their subsequent cross-border transfer also becomes unlawful.[31] As the Authority has also held, under the regime of Article 9 of Law 2472/1997, in the context of licensing a company for the cross-border transfer of personal data of its former and current employees, in addition to the prior lawful collection and processing of those personal data, the information of the data subjects before the transfer is required, so that they may exercise their rights of access and objection if there are legal grounds,[32] while the conditions of Chapter V of the GKPD (Articles 44-50) are self-evident.

[29] Cf. HDPA 186/2014 recital 2, "D. Security measures - Techniques of application separation", HDPA 51/2015 p. 11 and, for the relevant concepts, cf. 2013.
[30] Cf. Guidelines 2/2018 of the European Data Protection Board "on derogations of Article 49 under Regulation 2016/679", p. 3; Article 29 Working Party of Directive 95/46/EC, document no. 18/EN/WP 262 of 06-02-2018 entitled "Guidelines on Article 49 of Regulation 2016/679", p. 3.
24. ABS, a subsidiary of AMPNI (parent company of the AMPNI Group), notified the Authority of a personal data breach incident (Article 33 GKPD), which consisted of unauthorized access to and copying of the full content of the ABS server. ABS identified as responsible for the unlawful copying of its server the parent company of the same Group, AMPNI, and the company EY Hellas. In addition, ABS filed a complaint for violation of personal data legislation against the companies AMPNI and EY Hellas, and requested the issuance of an order suspending and prohibiting the processing of the copied content of its server.

The audited company AMPNI briefly claimed that it lawfully obtained access to the ABS server because the latter was its subsidiary and it held 100% of its share capital; that the contents of the e-mails were corporate and therefore, on the one hand, belonged to its property and, on the other hand, did not fall within the protection of personal data legislation; that access took place in the context of an internal corporate audit and therefore the legal basis of overriding legitimate interest provided by Article 6 par. 1 point (f) gave it the right of access and control; and that the final copy of the entire ABS server content became necessary, despite the fact that the original design of the audit concerned targeted access to a small number of e-mails of specific employees and executives of the AMPNI Group, because on the day of the audit the operation of unlawful deletion software, which had already deleted files on the server, was detected by chance, and thus a complete backup copy was obtained.

ABS, before withdrawing its complaint against AMPNI, briefly argued that from the outset the aim of the audited company AMPNI was to copy the entire server, which included personal data of employees and executives of third companies, as emerged from relevant letters sent to it by AMPNI, and not the targeted copying of specific e-mails of natural persons; that the audited company AMPNI unlawfully copied the entire content of the server despite the refusal of ... (...) N to accept the copying request, because he relied on a relevant legal opinion which concluded that such processing was unlawful; and that the unlawfulness of the request to copy the server results from the letter sent by the audited company AMPNI declaring the advance release ("amnesty") of N from any kind of liability in case of legal proceedings against him due to the copying.

[31] Cf. the position of the European Data Protection Supervisor (EDPS) according to which, where the data under cross-border transfer have been collected unlawfully, their cross-border transfer is prohibited (see https://edps.europa.eu/data-protection/data-protection/reference-library/international-transfers_en).
[32] Cf. Press Release C/EX/1728/01.3.2018 regarding the granting of Transfer Licence no. 2072/2018 of the HDPA.
25. In the present case, it emerged in the Authority's assessment that ABS, a subsidiary of the parent company AMPNI of the same Group, was the owner of the servers installed in the office premises where the Group's companies were housed, at Akti Kondili 10 in Piraeus, under a lease from the company "AEGEAN WAREHOUSES SA".
On the above-mentioned servers owned by the company ABS, the DANAOS software was installed and operated under a contract of use and on the basis of a licence obtained by the company "AEGEAN SHIPPING MANAGEMENT" ("ASM"), which, however, did not belong to the AMPNI Group. It should be noted that on 30-10-2018, after the Authority's audit process in the present case had already started, ABS entered into separate service and software maintenance contracts with the company that provided the DANAOS software with respect to the companies of the AMPNI Group.
The same computer infrastructure (hardware and software) included, apart from DANAOS (where e-mails were saved), the virtual file servers AMPFS1 (where fileshare and usershare files were stored) and AMPFS2 (where the attachments of the e-mails stored in DANAOS were stored), as shown in particular by the statements of 12-7-2018 and 17-12-2018 of . . . of EY LLP and by the statement of 18-12-2018 of . . . O of ABS, which were presented and invoked by AMPNI.
The above hardware and software computing infrastructure (DANAOS, AMPFS1 and AMPFS2) was used for the electronic communications (e-mails) both of employees and executives of the AMPNI Group companies and of employees and executives of third companies outside the AMPNI Group, such as "Aegean Shipping Enterprises", "Aegean Agency" and "Aegean Oil" (according to the statement of O, op. cit.), but also "Aegean Net Fuels Ltd Fze", "Aegean Lubes" and "Aegean Gas".[33]
It is important that the company ABS, before withdrawing its complaint, had responded to the Authority's relevant written questions that companies outside the AMPNI Group used the infrastructure and servers of the company ABS informally and without any written contract (HDPA prot. no. Γ/ΕΙΣ/7522/20-09-2018), referring in fact to the letter of 03-7-2018 of N of the AMPNI Group, who stated that ABS had not entered into hosting and service provision contracts with other companies.
It should be noted that N, employed on behalf of the AMPNI Group as . . . ( . . . ), was hired by the company "AEGEAN MANAGEMENT SERVICES" ("AMS"), i.e. by another company of the AMPNI Group (see Supplementary Memorandum AMPNI-ABS of 19-12-2018 pp. 9 and 10, HDPA Γ/ΕΙΣ/10259/19-12-2018).
Finally, the memoranda of AMPNI show that both companies of its Group and third companies outside the Group used the computer infrastructure (hardware and software) for the processing of the electronic correspondence of employees and executives, AMPNI even accepting that it proceeded to copy information of third parties[34] related to companies outside the Group which used the same computer infrastructure: "There was never any intention to copy information other than the collection of specific data that concerned the 18 users and related files related to the internal investigation described above. Any further copying of information that has taken place separately from the specific data collection related to the investigation was carried out with the sole purpose of protecting against malicious permanent destruction of critical evidence data related to the internal investigation and the important business records of the AMPNI Group" (see AMPNI Application for Treatment no. prot. pp. 16-17). Similarly, AMPNI stated that "[ ... ] personal data of natural persons not affiliated in any way, now or in the past, with the AMPNI Group under any relationship of employment, provision of services or otherwise, or which are otherwise involved in pending criminal and/or civil investigations, then AMPNI would be willing to delete the data concerning such natural persons and provide evidence of this" (see Supplementary Memorandum AMPNI-ABS of 19-12-2018 p. 23, HDPA Γ/ΕΙΣ/10259/19-12-2018, as well as Supplementary Memorandum AMPNI-ABS of 05-4-2019 pp. 8 and 12, HDPA Γ/ΕΙΣ/2616/05-4-2019).

[33] According to the employees' complaints as well as the printouts of the e-mail addresses submitted through the pleadings of ABS prior to the hearing before the Authority, in particular the HDPA Γ/ΕΙΣ/5432/18-6-2018 supplementary memorandum.
[34] As noted above and as will be developed below, AMPNI claims that these are corporate-professional e-mails owned by it which do not constitute personal data. The reference by AMPNI to personal data in its memoranda is made in the alternative, within the same claim, without accepting that they constitute personal data.
With the above copy of the entire contents of the computing infrastructure, the audited company AMPNI created a new archiving system, a copy of which it forwarded to Manchester in the United Kingdom.
Finally, AMPNI stated that in the same common area ("computer room") further servers of other companies were installed and running, namely companies whose offices are housed in the same building and which are not related to the AMPNI Group (HDPA Γ/ΕΙΣ/7306/10-9-2018 p. 2 paragraph 3).
It follows from all of the above that both the parent company AMPNI and the subsidiaries of its Group, as well as third companies outside the AMPNI Group, made use of and had physical access to the same area where several servers of companies of the AMPNI Group and of third-party companies and other legal entities outside the AMPNI Group were located and operated, and also had physical and logical access to the same computing infrastructure (DANAOS, AMPFS1, AMPFS2 hardware and software) for the processing of the e-mails of their employees and executives, by processing the electronic communications archiving systems. The above accesses and processing of personal data took place without any measure of physical and logical separation being taken; the person appointed as Head . . . ( . . . ) of the AMPNI Group was hired by a Group company in order to provide services both for the companies of the AMPNI Group and for third companies outside the AMPNI Group, while the licensing and service agreement with the software company DANAOS was concluded by a third company outside the AMPNI Group. It is thus finally established that any kind of processing of personal data took place informally, without the existence of any agreement between the companies inside and outside the AMPNI Group that shared the same hardware and software infrastructure, without any essential technical or organizational measure of internal compliance with the provisions of the GDPR being taken and without relevant demarcations, with the result, as the documents show, that a dispute finally arose over a specific server, which was brought before the civil courts to be resolved through interlocutory proceedings (HDPA Γ/ΕΙΣ/733/30-01-2019).
26. The Authority, in the exercise of its audit powers, both before the hearing (see HDPA prot. no. Γ/ΕΞ/5414-1/26-6-2018 and HDPA prot. no. Γ/ΕΞ/6211-1/14-8-2018) and during the hearing, requested from the audited company AMPNI, among other things, to document its compliance with the provisions of the GDPR, as it was obliged to do under the principle of accountability of art. 5 par. 2 GDPR, and in particular in relation to the "technical and organizational measures taken for the security of personal data and of the infrastructure used that supports the processing, by notifying us of any relevant policy document or rules of procedure, whether it concerns the company itself or is applied at Group level. For example, list the measures it takes with regard to physical access to the site of the MAIL SERVER in question, logical access to the MAIL SERVER application, the policy of proper use of corporate e-mails and the policy for their control (e.g. access and management rights) by the said subsidiary and/or the complaining parent company, whether the above have been included in a text governing staff relations (e.g. Work Regulation), as well as whether and how staff are informed in advance about the above and in particular about any control of corporate e-mails, the relevant conditions, the procedural guarantees for carrying out an audit, etc." (see HDPA prot. no. Γ/ΕΞ/5414-1/26-6-2018 p. 2). As regards the legality of copying the contents of the server, in accordance with the data breach notifications and the complaints, the Authority in particular requested, among other things, both at the hearing and before it (see HDPA prot. no. Γ/ΕΞ/6211-1/14-8-2018 p. 2), that it be clarified "if and how the group staff and the users of e-mail accounts in general were informed in advance of your company's right to proceed to the control of e-mails, the relevant conditions, the procedural guarantees of conducting an audit etc., as well as if, when and how the staff was informed about this control . . .".
27. The audited company AMPNI, before the hearing and instead of responding to the Authority's document prot. no. HDPA Γ/ΕΞ/5414-1/26-6-2018, submitted the Application for Treatment of 13-8-2018 for the revocation of Interim Order no. 2/2018 of the President of the Authority, without finally responding to any of the detailed requests of the Authority, without substantiating under art. 5 par. 2 GDPR the legal operation of the infrastructure used (hardware and software - servers) that supports the processing of personal data (especially e-mails), without providing any written documentation of internal compliance with the GDPR, in particular with the requirements of secure data processing, without stating the necessary technical and organizational measures taken, and without providing any personal data management policy, any security policy, any employee regulation or any proof of informing the data subjects about the processing of their data and the exercise of their related rights, or about the possibility of control of their e-mails.
The then complainant ABS, in response to the same document of the Authority, presented with its HDPA prot. no. Γ/ΕΙΣ/5935/04-07-2018 memorandum security policy documents which, however, lacked a date, signature, approval and proof of their application; in addition, they concerned a not clearly designated legal entity under the name "AEGEAN".
The audited company AMPNI then provided clarifications on the questions asked by the Authority with its document prot. no. HDPA Γ/ΕΞ/6211-1/14-8-2018, but again without documenting under art. 5 par. 2 GDPR the legal operation of the infrastructure used (hardware and software - servers) and without providing any written documentation of internal compliance with the GDPR.
The then complainant ABS, in response to the same document of the Authority, stated with its HDPA prot. no. Γ/ΕΙΣ/7522/20-9-2018 document that the Policies it had submitted were drafted outside the European Union, specifically in the USA, and that they are applied by the parent company AMPNI, without presenting relevant evidence. In addition, it claimed that the "AEGEAN Rules of Procedure" presented in its memorandum had been drafted exclusively for the subsidiary companies of AMPNI, and that no reference is made in them to the control of employees' corporate e-mails or to how the company can proceed to the above act, for which the parent company is solely responsible and not ABS itself. Finally, in the same memorandum, ABS stated that both AMPNI Group companies and third companies outside the AMPNI Group use the infrastructure and servers of the company ABS entirely informally and without any written contract.
28. During the meeting of 05-12-2019 before the Authority, the company ABS, following the replacement of its legal representative and its attorney, withdrew its complaint, which has no legal consequences for the continuation of the examination of the case before the Authority, as this is not a private civil law dispute the subject matter of which is disposed of in accordance with the will of the parties. In addition, the Authority carries out ex officio audits on the basis of information received regarding breaches of the personal data of data subjects.
The company AMPNI, both during the hearing before the Authority at the meeting of 05-12-2019 and later with its supplementary memorandum prot. no. HDPA Γ/ΕΙΣ/10259/19-12-2019 (jointly with ABS), submitted clarifications as well as a series of allegations and objections, but again without documenting under art. 5 par. 2 GDPR the legal operation of the infrastructure used (hardware and software - servers) and without providing any kind of written documentation of its internal compliance with the GDPR. On page 14 of the above memorandum AMPNI states that "The AMPNI Group has IT security policies (see attachments as Annex D)". This document is entitled "Information Systems Security Policy, Aegean Marine Petroleum Network Inc.", bears the date of signing of its latest version on ... by ... Director ( ... ) II and was compiled by ... ( ... ) N, in compliance not with the provisions of Regulation 679/2016 (General Data Protection Regulation) or Directive 95/46/EC, but with the provisions of the US legislation "Sarbanes Oxley Act 2002" ("SOX") and in particular its section (hereinafter "Article") 404, as indicated on each page of that policy.
In particular, this US law was passed to address corporate financial scandals and concerns corporate governance and the disclosure of financial transactions; under its provisions, companies whose securities are traded on US stock exchanges are obliged to integrate and implement internal control procedures and to prepare annual financial reports for the US Securities and Exchange Commission ("SEC")[35], which include an Internal Controls Report on financial transactions and the reliability of the financial statements. That report shall be made in accordance with the provisions of Article 404 SOX Act. Specifically, Article 404 SOX Act[36] introduces the obligation and responsibility of the company management to set up, install and operate an internal control system of procedures related to the preparation of the company's financial statements submitted to the SEC, and includes an internal audit report evaluating the effectiveness and reliability of the internal control system during the previous annual financial year[37].
From the above, in conjunction with the content of this information systems security policy under Article 404 SOX Act, it appears that the policy does not take into account the risks involved in the protection of the personal data of the data subjects through the use of the computer infrastructure (DANAOS, AMPFS1, AMPFS2 hardware and software), but aims at securing the corporate information necessary to achieve the objectives described above in relation to the SEC.

[35] Cf. the website of the U.S. Securities and Exchange Commission in relation to Article 404 SOX at sec.gov/info/smallbus/404/guide/intro.shtml and sarbanes-oxley-101.com.
[36] For details see "Sarbanes-Oxley Section 404: A Guide for Management by Internal Controls Practitioners", The Institute of Internal Auditors.
[37] Under the SOX Act, companies are required to submit to the US Securities and Exchange Commission (SEC) form 10-K, which includes an internal audit report stating the responsibility of management for the structure and the internal control procedures regarding financial figures and the adequacy of internal controls. A statement is also submitted by the external auditors on corrections to accounts, recording of off-balance-sheet transactions, changes in share ownership by members of management, as well as information on the existence of a code of ethics.
Moreover, from reading the US Article 404 SOX Act policy relied on by AMPNI, apart from the absence of any reference to the protection of personal data pursuant to the GDPR or Directive 95/46/EC and of any reference to, or measure of, its internal organizational compliance with the principles of Article 5 GDPR and the legal bases of Article 6 GDPR, the policy indicatively lacks any provision in relation to: (a) the rights of the data subjects (Articles 12-22 GDPR), (b) the application of appropriate technical and organizational measures in order to ensure and be able to demonstrate that the processing is carried out in accordance with the GDPR (Article 24 par. 1 in combination with Articles 25 and 30 GDPR) and (c) the application of appropriate technical and organizational processing security measures (Article 32 GDPR). In addition, it contains no provision regarding whether or not the use of the corporate electronic communication infrastructure by AMPNI employees and executives is permitted in relation to surveillance, access and control of the electronic communications of AMPNI employees and executives and, if so, the terms, procedures and guarantees for carrying out relevant checks and investigations on their personal data.
Finally, the US Article 404 SOX Act policy that AMPNI provides and cites does not address the risks arising from the processing of personal data (see recital 75 GDPR).
Finally, the audited company AMPNI submitted, together with ABS, the supplementary memorandum prot. no. HDPA Γ/ΕΙΣ/2616/05-4-2019 to counter the memoranda of the complainants and of L, former legal representative of ABS, again, however, without documenting under art. 5 par. 2 GDPR the legal operation of the infrastructure used (hardware and software - servers) and without providing any written documentation of its internal compliance with the GDPR.
29. Moreover, the audited company AMPNI, despite the Authority's requests and questions, both before and during the hearing, did not answer and did not document, as it should have under art. 5 par. 1 GDPR, the legality of the processing of personal data in the context of the operation of the infrastructure used (hardware and software - "original servers").
In particular, it follows from all the above that the audited company AMPNI, as controller, did not take any internal compliance measures under art. 5 par. 1 and 6 par. 1 GDPR in relation to the legal operation of the infrastructure used (hardware and software - "original servers" DANAOS, AMPFS1, AMPFS2) which supports the processing of personal data (in particular e-mails) included in an archiving system; nor did it provide any written documentation of such internal compliance as required by the GDPR under art. 5 par. 2 GDPR, in particular with the requirements of secure processing of personal data; nor did it take the necessary technical and organizational measures under art. 5 par. 1 (f) in combination with art. 24 par. 1, 2 and 31 par. 1, 2 GDPR to guarantee the appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage ("integrity and confidentiality"); nor did it appear to have designed, prepared and implemented, in compliance with the provisions of article 5 par. 1 GDPR, any of the accountability measures referred to in recitals no. 11 and 16 hereof, including personal data management policies and security policies in accordance with the requirements of the GDPR; nor did it take measures of physical and/or logical segregation; nor did it produce a staff regulation or other internal document containing provisions on data protection; nor did it provide any proof of informing the data subjects about the processing of their personal data during the operation of the computer infrastructure used (hardware and software; "original servers" DANAOS, AMPFS1, AMPFS2), the exercise of their related rights and the possibility of checking their e-mails.
On the contrary, the audited company AMPNI focused its arguments verbally on the later or further stages of the processing of the same data, that is, the stage of access to the servers for e-mail control (stage 2), the subsequent copying (stage 3) and the transmission to Manchester, United Kingdom (stage 4) of the contents of the original servers ("copy server"), claiming that the conditions of article 6 par. 1 GDPR for the processing of personal data were met, again without substantiating under art. 5 par. 2 GDPR the legality of the processing of personal data under art. 5 par. 1 GDPR, the mere verbal invocation of article 6 par. 1 (f) GDPR on overriding legitimate interest not being sufficient. However, as was also extensively set out in recital no. 17 hereof, the processing of personal data in violation of the principles of article 5 par. 1 GDPR is not remedied by the existence of a legal purpose and legal basis under art. 6 par. 1 GDPR.
In this case, the audited company AMPNI had the obligation, after first proving, as it owed under art. 5 par. 2 GDPR, the taking and implementation of measures of compliance with the provisions of Articles 5 (1) and 6 (1) GDPR regarding the legality of the processing of personal data that took place in the computer infrastructure used (hardware and software "original servers" DANAOS, AMPFS1, AMPFS2), to then prove under art. 5 par. 2 GDPR also the legality under art. 5 par. 1 and 6 par. 1 GDPR of the later (for the initial purposes) or further (for different purposes according to art. 6 par. 4 GDPR) independent and distinct processing operations, namely: (b) the access to and checking of the e-mails held on the servers, (c) the creation of a new archiving system after copying the original archiving system and (d) the transmission of the copy archiving system (server - back up according to AMPNI) to Manchester, United Kingdom (see HDPA prot. no. Γ/ΕΙΣ/7306/10-9-2018 p. 6 and HDPA Γ/ΕΙΣ/7434/17-9-2018 p. 6, AMPNI documents).
In view of the above, given that the original collection, preservation and, in general, processing of personal data contained in the archiving systems of the computer infrastructure (hardware and software "original servers" DANAOS, AMPFS1, AMPFS2) has already been deemed illegal and in breach of the provisions of article 5 par. 1 GDPR, and especially those of articles 5 par. 1 (a) and (f) and par. 2 in conjunction with articles 24 par. 1 and 2 and 32 par., it follows that the subsequent or further processing of the same personal data, and in particular the access to and control of the e-mails, the copying of the content of the "original servers" and the creation of a new archiving system, and the sending of the new archiving-copy system to Manchester, United Kingdom, are also illegal and violate the whole of the principles of article 5 par. 1 and 2 as well as article 6 par. 1 GDPR, as they are integrally linked to and originate from the original illegal processing of the personal data of the "original server" archiving system.
30. As a result of the above deficiencies, the Authority further notes, in accordance with the facts accepted in recital no. 25, that the same computer infrastructure (DANAOS server hardware and software, AMPFS1, AMPFS2) was used for the subsequent or further processing of personal data (e-mails) of data subjects who worked for and were associated both with companies of the AMPNI Group and with third companies outside the AMPNI Group, without the necessary measures of physical and logical separation having been taken, with the result that the administrator of the system / computer infrastructure accessed and processed, on behalf of the company AMPNI, personal data (e-mails) of data subjects not related to it.[38] Hence, due to the lack of appropriate technical and organizational measures, in particular those requiring physical and logical separation, the threatened risk to the confidentiality and integrity of personal data materialised through their access, copying and transfer to Manchester, United Kingdom.
It follows from the above that the subsequent or further processing, by access, copying and transmission to Manchester, of the personal data of individuals related to the AMPNI Group was illegal because it concerned personal data that had not been legally processed from the beginning, while as regards the personal data of natural persons related to third companies outside the AMPNI Group it was illegal, in addition, due to the lack of physical and logical separation measures.
31. In view of the above, the Authority considers that the audited company AMPNI, as controller:
on the one hand, did not apply all the principles of article 5 par. 1 GDPR and 6 par. 1 GDPR on the legality of the processing of personal data (especially e-mails) that took place in the computer infrastructure used (hardware and software of the original servers (DANAOS, AMPFS1, AMPFS2)), as well as in any subsequent or further processing of the same personal data, nor proved under art. 5 par. 2 GDPR the observance thereof;
on the other hand, violated the provisions of articles 5 par. 1 (a) and (f) and par. 2 in conjunction with Articles 24 (1) and (2) and 32 (1) and (2) GDPR on the principle of secure processing (in particular of the "confidentiality") of the personal data that took place in the computing infrastructure used (hardware and software of the original servers (DANAOS, AMPFS1, AMPFS2)), by not taking appropriate technical and organizational measures, as well as in the context of any subsequent or further processing of the same personal data, the examination of the observance of the processing principles of subsections (b), (c), (d) and (e) of par. 1 of article 5 as well as of article 6 par. 1 GDPR being treated as necessary, according to what was accepted in recital no. 11 hereof.

[38] Cf. the printouts of the e-mails submitted through the memoranda of ABS before the hearing before the Authority, in particular the HDPA Γ/ΕΙΣ/5432/18-6-2018 supplementary memorandum with a list of e-mail addresses.
32. The objections and allegations of the audited company AMPNI:
i. As to the objection that the GDPR does not apply in accordance with article 3 par. 1, as "[ ... ] AMPNI is a company based in the Republic of the Marshall Islands, is listed on the NY Stock Exchange and is the head of the AMPNI Group. AMPNI does not have an establishment in Greece but maintains only a mailing address in Piraeus. ABS is a 100% subsidiary of AMPNI. Therefore, AMPNI itself does not have an establishment in Greece [ ... ] the purpose of export/copying of the data .... had nothing to do with the activities of the companies of the AMPNI Group in GREECE. That is, there is no relationship between the purpose for which the data were exported and the activities of the Greek companies .." (see Supplementary Memorandum AMPNI and ABS, HDPA prot. no. Γ/ΕΙΣ/10259/19-12-2018 pp. 5-8):
From article 3 par. 1 GDPR, recital 22 GDPR and the Guidelines 3/2018 of the European Data Protection Board (under consultation) on the territorial scope of the GDPR, it follows that the GDPR applies to the processing of personal data in the context of the activities of an establishment of the controller, which presupposes the substantial and actual exercise of an activity and should not be construed narrowly and formally, e.g. using as the criterion the place of registration of the company in the relevant registers (see CJEU C-210/2016 Facebook (fan page) judgment of 05-6-2018, paras. especially 56 and 53-55, 57; C-230/14 Weltimmo v NAIH judgment of 01/10/2015, paras. especially 29 as well as 31).
In this case, the audited company AMPNI argues only about the subsequent or further processing, i.e. the access to and control of e-mails and the copying of the contents of the servers, without raising any claims on the legality of the original collection, preservation and processing of the personal data included in the archiving systems of its computer infrastructure (DANAOS "original server" hardware and software, AMPFS1, AMPFS2).
This computing infrastructure (hardware and software "original servers" DANAOS, AMPFS1, AMPFS2) was, at the critical time, established in Greece, specifically in Piraeus at Akti Kondili no. 10, owned by ABS, a subsidiary of AMPNI, and, according to a statement of AMPNI itself (see HDPA prot. no. Γ/ΕΙΣ/7306/10-9-2018 document, p. 2): "The Server belongs to the AMPNI Group and in particular, was purchased together with the required equipment, earlier in 2018, by ABS, member of the AMPNI Group and 100% subsidiary of the Company".
In addition, it turned out that the use of the servers installed in Greece and the processing of personal data through them took place following decisions by AMPNI, which determined the purpose and means of the processing under art. 4 par. 7 GDPR both for itself and for its subsidiary companies in the exercise of its activities. Further, according to a statement of AMPNI itself (see document no. p. 2): "The Server belongs to ABS, a member of the AMPNI Group. That is, in terms of ownership, it has been purchased by ABS. ABS, however, does not process personal data on behalf of the Company".
In addition to the above, and in the alternative, the objection of AMPNI that it has no real establishment in Greece but only a postal one, and that it is based in the Republic of the Marshall Islands, should be rejected given that it declares the address Akti Kondili 10, Piraeus as the address of its establishment and actual operation, first, before the Authority with the submitted Application for Treatment (see HDPA prot. no. Γ/ΕΙΣ/6211/13-7-2018 p. 1) and, second, before the US Securities and Exchange Commission (SEC), as results from Annexes A and B attached to the aforementioned Application for Treatment as well as from the annual report of 16/5/2017[39], to which it refers in its document Γ/ΕΙΣ/7306/10-9-2018 to the Authority, and from which the statement of the following items results: AEGEAN MARINE PETROLEUM NETWORK INC., 10, Akti Kondili (Address of Principal Executive Office), Piraeus 185 45, Greece (the underlining and bold from the Annexes).
For these reasons, the Authority rejects the objection - allegation of the audited company AMPNI.

[39] Cf. https://aegeanmarine.gcs-web.com/static-files/ebca7627-4368-4e6c-9a75-45862ad60cac
ii. As to the objection according to which the US Bankruptcy Court of the Southern District of New York issued an order with global effect under section 362 (a) of the US Bankruptcy Code following the bankruptcy application of AMPNI, which, according to its allegations, prohibits, on the one hand, the continuation of the proceedings before the Authority and, on the other hand, the exercise of control over the bankruptcy estate, which according to the audited company AMPNI includes "[ ... ] certain, if not all, of the data under discussion [which] are assets of the bankruptcy estate":
In this case, it does not appear from any provision of national or European legislation, nor from any international or other bilateral - transnational convention, that the cited US Bankruptcy Court order produces legal effects in Greece; nor does the audited company AMPNI claim so, nor does it produce a Greek court decision recognizing the enforceability of such a foreign court order.
In addition, the audited company AMPNI misinterprets the national and European legislation on the protection of personal data, taking as a given, in order to submit the relevant objection - claim, that the personal data processed by the controller constitute its "property" and therefore part of its "estate", as will be demonstrated below.
For these reasons, the Authority rejects the objection - allegation of the audited company AMPNI.
iii. As to the allegation-objection that the complaint against the audited company was submitted without right and is therefore inadmissible, having been submitted by a legal and not a natural person under art. 77 par. 1 GDPR, i.e. by the subsidiary ABS, with the result that Interim Order no. 2/2018 of the President of the Authority issued on its basis suffers from invalidity, and that ABS withdrew its complaint against the audited company AMPNI, it is additionally pointed out, with reference to recital no. 28 hereof, that the audit was carried out ex officio according to art. 57 par. 1 (a) and (h) GDPR based on the information received by the Authority, primarily from the Data Breach Notification of 18-6-2018 submitted by ABS (HDPA Γ/ΕΙΣ/5432/18-6-2018). In any case, even if the complaint submitted by the company ABS was inadmissible, the Authority is entitled under art. 57 par. 1 (a) and (h) GDPR in combination with art. 19 par. 1 of Law 2472/1997 to carry out ex officio checks and investigations on the basis only of information received about real cases of breach of the existing personal data protection legislation. In addition, the Authority is entitled under art. 19 par. 1 item ιγ' of Law 2472/1997, but not obliged, to file away requests or complaints that are judged manifestly vague, unfounded or submitted abusively or anonymously. Therefore, from the above provisions, which apply insofar as they do not conflict with the GDPR (see HDPA 46/18 and 52/18), it appears that the Authority had the right to carry out an audit on the basis only of the factual information, regardless of the validity or not of the complaint.
In addition, the President of the Authority, despite the submission on behalf of the company ABS of an application for a temporary order, issued ex officio Interim Order no. 2/2018, taking note of the facts relied on, as appears from the body of the Provisional Order itself, which does not state that it accepts that request. Therefore Interim Order no. 2/2018 of the President of the Authority does not suffer from invalidity.
Finally, the company ABS withdrew its complaint against the audited company AMPNI, but neither this withdrawal nor the allegation of an inadmissible complaint by a legal person finds support in any provision of law, given that this is not a private civil law dispute the subject matter of which is disposed of in accordance with the will of the parties, and in addition, as stated above, the Authority investigates ex officio any information on breaches of personal data protection legislation (ad hoc HDPA 136/2015, recital 6 par. a').
For these reasons, the Authority rejects the objections - allegations of the audited company AMPNI.
iv. As to the objection/allegation that the individual complaints of the natural persons are inadmissible because they had not previously contacted the controller in order to exercise their rights under Articles 15-22 GKPD, it should be noted, first, that it follows from art. 77(1) GKPD that every data subject has the right to lodge a complaint directly with the Authority if it considers that the processing of personal data infringes the GKPD. In the present case, the natural persons complained of the infringement of the GKPD against them, and not of an unsatisfactory response by the company under investigation, AMPNI, to the exercise of their rights under Articles 15-22 GKPD.
In addition, as stated above, the Authority acts on its own initiative and investigates any fact of infringement of the data protection legislation in force, regardless of whether the complainants bear the burden of proving their allegations and regardless of whether they prove the validity of their allegations.
In the present case, the complainants complained of the alleged unlawful copying of their personal data contained in the filing systems of the computer infrastructure ("original server" hardware and software: DANAOS, AMPFS1, AMPFS2). In order to verify the lawfulness of such copying, the Authority proceeded ex officio to investigate the lawfulness of the original collection, storage and processing of the personal data contained in the "original servers".
As already stated, the burden of proving, under art. 5(2) GKPD, the lawfulness of each processing operation under art. 5(1) and 6(1) GKPD lies with the controller and not with the data subject.
For these reasons, the Authority rejects the objection/allegation of the company under investigation, AMPNI.
v. As to the objection/claim that the corporate e-mails exchanged through corporate e-mail accounts are not personal data and constitute an "asset" belonging to the "property" of the company, the Authority has already rejected the relevant claim on the basis of recitals 4, 5 and 6 hereof, in reaching the conclusion that the company under investigation processed personal data contained in the filing system of the computer infrastructure ("original server" hardware and software: DANAOS, AMPFS1, AMPFS2) without complying with the principles of art. 5(1) and 6(1) GKPD and in breach of the principle of secure processing under art. 5(1)(a) and (f) GKPD.
Moreover, in the present case, the fact that the e-mail addresses had as their first component identifiers of the username, i.e. were of the form firstname.surname@company.gr, suffices for their characterisation as personal data, without any need to examine the content of the e-mails in order to determine whether they are professional or private correspondence, or whether they originate from a corporate or private e-mail account, in accordance with what has been accepted in recitals 4, 5 and 6 hereof.
Therefore, the claim of the company under investigation, AMPNI, that the complainants must produce "personal" e-mails sent from non-corporate (private) e-mail accounts and containing personal data copied by AMPNI in order to prove the validity of their complaint is unfounded on the basis of the above; moreover, the Authority examined the principles of art. 5(1) and 6(1) GKPD regarding the lawfulness of the processing of the personal data, namely the whole set of e-mails held in the computer infrastructure used ("original server" hardware and software: DANAOS, AMPFS1, AMPFS2), as well as any subsequent or further processing of the same personal data, so that there is no need to respond to the individual complaints of the natural persons, as will be discussed below.
Finally, as already accepted in recital no. 6 hereof, the claim of the company under investigation, AMPNI, that the personal data belong to its "property" or "estate" is entirely contrary to national and European law, and the controller is not the "owner" of the personal data it processes. If the controller were the "owner" of the personal data it processes, art. 6(1) GKPD would not introduce, as a rule, a prohibition on the processing of personal data, such that one of the legal bases provided for there is required to render the processing lawful; nor would the data subject be granted a set of rights of control over its personal data (art. 12-22 GKPD), in particular the rights to object, to restriction, to erasure and to portability.
For these reasons, the Authority rejects the objection/allegation of the company under investigation, AMPNI.
vi. As to the objection/claim of the company under investigation, AMPNI, that any account taken by the Authority of new evidence presented by the complainants after the end of the hearing violates its right to be heard, it should first be noted that the company under investigation, on the one hand, received notice and copies of the documents submitted by the complainants after the hearing, together with a deadline of 15 days to submit its views on them (HDPA reg. no. Γ/ΕΞ/2214/21-3-2019), and, on the other hand, itself presented new evidence after the end of the hearing and also took a position on the allegations and the evidence provided by the complainants after the hearing (see Supplementary Memorandum of AMPNI & ABS, HDPA reg. no. Γ/ΕΙΣ/2616/05-4-2019).
In addition, no provision of the CPC or of other legislation prohibits the party under investigation from presenting new evidence after the end of the hearing, or requires that all the evidence on which the Authority will decide must have been gathered before the hearing, given that the purpose of the hearing is to provide explanations and information for the clarification of issues that may even have first arisen during it, as is also the case in the hearings before other constitutionally established independent administrative authorities, such as the Hellenic Authority for Communication Security and Privacy (ADAE).
vii. As to the allegation/objection of the company under investigation regarding the unlawful extension of the deadline granted for the submission of a memorandum after the hearing, it should be noted that the extension was lawful, since the company under investigation, AMPNI, together with ABS, submitted a request for the recusal of the rapporteur of the case after the start of, and during, the submission deadline, with the result that the deadline was automatically suspended until a decision on the recusal request was issued and a new deadline set. In no case could the initial deadline for submitting a memorandum after the hearing run if the Department of the Authority had not first decided on the recusal request. On the contrary, the submission by the company under investigation, AMPNI, together with ABS, of a memorandum after the hearing while the recusal request they had themselves submitted was pending, without awaiting the decision on that request, is entirely inconsistent with the recusal request itself, since on the one hand the companies requested the recusal of the rapporteur, while on the other hand they submitted a memorandum to the Department of the Authority in which the rapporteur participated.
For these reasons, the Authority rejects the objection/allegation of the company under investigation, AMPNI.
viii. The company under investigation, AMPNI, makes the following allegations: that it lawfully accessed the computer infrastructure used ("original server" hardware and software: DANAOS, AMPFS1, AMPFS2) in order to inspect the e-mails of specific individuals, former and current employees and executives of the AMPNI Group; that these inspections were lawful; that software for deleting already deleted files was discovered by chance, making it necessary to copy the entire computing infrastructure used, including personal data (e-mails) of individuals connected with third-party companies outside the AMPNI Group; that there was no obligation to notify the Authority of a personal data breach upon detection of the deletion "malware"; that, as an employer, it had under art. 6(1) GKPD an overriding legitimate interest in inspecting and copying e-mails in the context of the audit carried out; and that it was not obliged to inform the data subjects either before or after copying their e-mails.
A prerequisite for answering the above allegations is, as stated above in accordance with recitals nos. 17, 18, 22, 29 and 30 hereof and in Interim Order no. 3/2018 of the President of the Authority, proof of the lawfulness of the initial processing (collection and storage) of the personal data held in the computer infrastructure used ("original server" hardware and software: DANAOS, AMPFS1, AMPFS2).
Given that the Authority found unlawful, and in particular in breach of the principle of secure processing, the original collection, storage and, generally, processing of the personal data contained in the filing systems of the computer infrastructure ("original server" hardware and software: DANAOS, AMPFS1, AMPFS2), it follows that the subsequent or further processing of the same personal data, namely the access to and inspection of e-mails, the copying of the contents of the "original servers" to a "server copy" by which a new filing system was created (a "back-up" according to AMPNI), and the sending of the new filing system/copy to Manchester, United Kingdom, is likewise unlawful and infringes all the principles of art. 5(1) and (2) as well as art. 6(1) GKPD, being inextricably linked to and derived from the initial unlawful processing of the personal data in the "original server" filing system, so that the examination both of the complaints of the natural persons and of the claims of the company under investigation, AMPNI, which focus exclusively on the subsequent or further processing of personal data, becomes superfluous. That is, even if the complaints of the natural persons (which concern the subsequent or further processing) had not been submitted, the copying of the "original servers" would be unlawful because the conditions for the lawful processing of the personal data they contained were not met from the outset.
Thus, the invocation by the company under investigation, AMPNI, of the legal basis of art. 6(1) GKPD for the inspection, access, copying and sending of the contents of the "original servers", as well as the invocation of the need to copy due to the detection of "malware", cannot retroactively legitimise the earlier processing of personal data in breach of art. 5(1) and 6(1) GKPD, in accordance with what was accepted in recitals nos. 17 and 22 hereof.
For these reasons, the Authority rejects the objection/allegation of the company under investigation, AMPNI.
33. By contrast, the information in the file and the hearing did not show that the company "ERNST & YOUNG (HELLAS) CERTIFIED AUDITORS ACCOUNTANTS SA" participated in or assisted the breach by the controller of the provisions of Articles 5(1) and 6(1) GKPD, in particular at the stage of access, inspection, copying and transmission of personal data to Manchester, United Kingdom.
34. According to the GKPD (recital 148), in order to strengthen the enforcement of the rules of the Regulation, penalties including administrative fines should be imposed for any infringement of the Regulation, in addition to, or instead of, appropriate measures imposed by the supervisory authority pursuant to the Regulation. In a case of a minor infringement, or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine.
The Authority, having established the above infringement of the provisions of the GKPD, and taking into account, in addition to the above, in particular the Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679 adopted on 03-10-2017 by the Article 29 Working Party (WP 253), and having duly taken into account the provisions of Article 83 GKPD insofar as they are applicable in the present case, and in particular the criteria laid down in paragraph 2 of that article, in relation to the specific case examined by the Authority:
(a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them, namely:
i. the fact that the company infringed the principles of art. 5(1) GKPD as well as the obligation (principle) of accountability under art. 5(2) GKPD, i.e. it infringed fundamental principles of the GKPD for the protection of personal data.
ii. the fact that the requirement of secure processing under art. 5(1)(f) GKPD has now been elevated to a basic principle of the processing of personal data, so that, even if the other processing principles are observed, the processing becomes entirely unlawful where the party responsible for the processing does not ensure adequate security.
iii. the fact that the principle of accountability also becomes of fundamental importance under the new compliance model introduced by the GKPD, where the burden of compliance and the corresponding responsibility lie with the controller, which has been provided by the GKPD with the necessary compliance tools.
iv. the fact that, according to Opinion 3/2010 of the Article 29 Working Party on the principle of accountability (WP 173, 13-7-2010), the establishment of internal accountability measures for compliance with the processing principles (paras. 39-51, and in particular paras. 41 and 44) offers great opportunities for effective implementation, reducing the chances of the controller infringing the legislation; the assessment of sanctions therefore takes compliance with the principle of accountability into account (para. 38), while infringement of it calls for substantial sanctions, as in the case in which a controller does not comply with the statements contained in its binding internal policies, which are taken into account in addition to the actual breach of the essential data protection principles (para. 64).
v. the fact that the controller did not take any internal measure of compliance with the principle of accountability for the application and implementation of the principles of personal data processing under art. 5(1) GKPD, not even those identified as "basic" according to Opinion 3/2010 of WP 29 (para. 44, ibid.).
vi. the fact that the infringement of the above principles took place in the context of the processing of personal data in a computer infrastructure (hardware and software) used to serve a large number of electronic communications of data subjects.
vii. the fact that the infringement of the above principles took place in the processing of personal data of employees, which is characterised by an imbalance of power between employer and employees. The importance attached by the GKPD to the processing of personal data in the employment context is demonstrated by the fact that Article 88 thereof gives the national legislature the possibility of laying down specific rules to ensure the protection of the rights and freedoms of employees, including suitable and specific measures to safeguard the human dignity, legitimate interests and fundamental rights of the data subject, with particular regard to the transparency of processing, the transfer of data within a group of undertakings, and monitoring systems at the workplace. Therefore, observance of the principles laid down in art. 5(1)(a) and (2) GKPD acquires in this case special and significant importance for respect of the employees' right to the protection of personal data.
viii. the fact that the principle of secure processing of personal data under art. 5(1)(f) GKPD was substantially infringed, through which access to, copying, transmission and, in general, processing of personal data of data subjects affiliated with third parties outside the AMPNI Group was ultimately achieved.
ix. the fact that the infringement of the above principles falls within art. 83(5)(a) GKPD, which provides for administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, i.e. within the higher of the categories of the system for classifying administrative fines, the imposition of which is reserved, in accordance with the principle of proportionality, for the most serious infringements of the GKPD. Therefore, it already follows from the provisions of the GKPD that infringement of the principles laid down in art. 5(1) and (2) GKPD is treated as of greater importance than the infringements provided for in art. 83(4) GKPD.
x. the fact that damage was caused to the data subjects' right to the protection of personal data by the infringement of the above principles, and in particular, first, by the processing of personal data, second, by the continuation of the processing of personal data in breach of the GKPD across several stages (initial storage and processing, access and inspection, copying, transmission), and third, by the complete deprivation of the data subjects' rights and of the exercise of control over their personal data (cf. recital 75 GKPD and WP 29 on administrative fines, ibid., p. 11).
xi. the fact that, from the information presented to the Authority, no evidence emerged at this stage of the occurrence of material damage to the data subjects, nor was any relevant material damage relied upon.
xii. the fact that the infringement of the principles of art. 5(1) and (2) GKPD did not concern, on the basis of the information provided to the Authority, personal data referred to in Articles 9 and 10 GKPD.
xiii. the fact that the infringement of the principles of art. 5(1) and (2) concerned every data subject whose personal data were processed in the context of the provision of electronic communications services by the computer infrastructure (hardware and software), so that this is not an individual or occasional infringement but one of a systemic (structural) character.
(b) the intentional or negligent character of the infringement.
It follows from the hearing before the Authority and the controller's memoranda that the company was completely unaware of its compliance obligations under the requirements of the GKPD, and in addition showed no willingness to comply, as will be shown below. Therefore, the infringements found resulted from a complete lack of knowledge and application of the provisions of the GKPD in the organisation of internal compliance, despite the fact that the controller could and should, particularly by reason of accountability, have complied with the provisions of the GKPD, thereby breaching the duty of care required by law.
(c) any action taken by the controller to mitigate the damage suffered by data subjects.
The controller took no action to remedy or mitigate the damage suffered by the data subjects, nor did it inform them, even after its unlawful processing of their personal data. It should be noted at this point that the controller invoked, for the failure to inform the data subjects beforehand, the exception of art. 14(5)(b) GKPD, so as not to impair the achievement of the objectives of the processing, namely the internal audit relied upon. Irrespective of the validity or otherwise of that claim, even after completion of the alleged internal audit the controller never informed the data subjects of the subsequent or further processing, namely the copying and transmission of their data to Manchester, United Kingdom, in particular the natural persons affiliated with third parties outside the AMPNI Group, so that to date they have not been informed of it. It is recalled that, in accordance with what has been accepted herein, the infringement of the principles of art. 5(1) GKPD occurred to the detriment of every data subject whose data were found to have been unlawfully processed, and not only of the complaining natural persons.
(d) the degree of responsibility of the controller taking into account the technical and organisational measures implemented pursuant to Articles 25 and 32.
The controller did not take technical and organisational measures into account, nor did it carry out the necessary assessments in order to draw appropriate conclusions (see recital no. 28 hereof).
(e) any relevant previous infringements by the controller.
It appears from a relevant check that no administrative sanction has been imposed on it to date by the Authority.
(f) the degree of cooperation with the Authority in order to remedy the infringement and mitigate its possible adverse effects.
The Authority recognises as a mitigating circumstance on the part of the controller its admission of the unlawful copying and sending to Manchester, United Kingdom, of "[...] any e-mails of individuals who do not have and/or have not had any employment or service relationship or any other relationship with companies of the AMPNI group, which AMPNI would be willing to separate and provide evidence of" (Supplementary Memorandum AMPNI-ABS of 05-4-2019, pp. 8 and 12, HDPA reg. no. Γ/ΕΙΣ/2616/05-4-2019, last page, point 4), as well as the expression of its intention, as above, to proceed with separation or deletion (see Supplementary Memorandum AMPNI-ABS of 19-12-2018, p. 23), although it did not express the same intention as regards the personal data of the other data subjects.
(g) the categories of personal data affected by the infringement.
This does not concern personal data referred to in Articles 9 and 10 GKPD, according to the information provided to the Authority.
(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement.
In the present case, the Authority was informed of the infringements ultimately found primarily through the Data Breach Notification submitted by the company ABS, as a result of which it carried out an ex officio audit. The controller did not inform the Authority, nor did it itself notify the data breach.
(i) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
The Authority, in addition to the above, acknowledges as an additional mitigating factor that, from the data presented to it to date and on the basis of which it found the infringement of the GKPD, the controller neither reaped any financial benefit nor caused material damage to the data subjects.
The Authority recognises as an aggravating factor that the controller has so far shown no intention of complying with the requirements of the GKPD, nor has it informed the Authority of its adoption of an internal compliance programme in order to render lawful, under art. 5(1) and 6(1) GKPD, any processing of personal data carried out in the computer infrastructure ("original server" hardware and software). In a series of documents submitted to the Authority, especially after the hearing, the controller focused all its efforts on highlighting the importance to it of using the content of the copied servers ("back-up" servers, according to it) for the purposes of the internal audit of the AMPNI Group and, consequently, for the submission of relevant data to the US Securities and Exchange Commission and the competent US judicial authorities, even requesting that the Authority not impose the sanction of destruction of the content of the copied servers, at a time when the Authority had prohibited the processing and use of the content of the copied servers, but not, at that time, of the "original servers".
THE AUTHORITY
Having taken into account the above,
Whereas it has decided, under art. 58(2) GKPD, to exercise its corrective powers in the present case by imposing corrective measures;
Whereas, pursuant to the provision of art. 58(2)(d) GKPD, the Authority decided to order the company "AEGEAN MARINE PETROLEUM NETWORK INC (AMPNI)", as controller, to bring into compliance with the provisions of the GKPD the processing of personal data contained both in the computer infrastructure used ("original server" hardware and software: DANAOS, AMPFS1, AMPFS2) and in the new filing system consisting of a copy of the original servers sent to Manchester, United Kingdom;
Whereas, in particular, the company must take all necessary internal compliance and accountability measures with regard to the principles of art. 5(1) and (2) in conjunction with art. 6(1) GKPD;
Whereas the above order must be executed within three (3) months of receipt hereof, informing the Authority;
Whereas the above corrective measure alone is not sufficient to restore compliance with the infringed provisions of the GKPD, in accordance with what has been accepted in recital no. 31 hereof, and in addition, at a time when the company, despite its substantial admission of at least part of the infringement of the GKPD, showed complete disregard for compliance with the provisions of Articles 5 and 6(1) GKPD;
Whereas the Authority considers that in the present case, on the basis of the circumstances, an effective, proportionate and dissuasive administrative fine under art. 83 GKPD should additionally be imposed pursuant to the provision of art. 58(2)(i) GKPD, both to restore compliance and to punish the unlawful conduct [40];
Whereas the infringement of the provisions of Articles 5 and 6 GKPD found by the Authority falls within art. 83(5)(a) GKPD, which provides for administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher;
Whereas the Authority took into account, on the one hand, that AMPNI has filed for bankruptcy in the US and, on the other hand, that according to the report submitted by the company in 2017 to the US Securities and Exchange Commission (SEC) its total revenue for the year 2016 was USD 4,076,219,000.00 (see p. 157 of the document attached to HDPA reg. no. Γ/ΕΙΣ/7306/10-09-2018) [41];
Whereas, with the issuance hereof, the validity of Interim Orders nos. 2/2018 and 3/2018 of the President of the Authority ceases under art. 19(7)(a) of Law 2472/1997, and what is accepted in the operative part hereof now applies;
FOR THESE REASONS
THE AUTHORITY
A. Orders the company "AEGEAN MARINE PETROLEUM NETWORK INC (AMPNI)", within three (3) months of receipt hereof, informing the Authority, to:
i. bring into compliance with the provisions of the GKPD the processing operations of personal data contained both in the computer infrastructure used ("original server" hardware and software: DANAOS, AMPFS1, AMPFS2) and in the new filing system consisting of a copy of the original servers sent to Manchester, United Kingdom;
ii. take all necessary internal compliance and accountability measures with regard to the principles of art. 5(1) and (2) in conjunction with art. 6(1) GKPD.
B. Imposes on the company "AEGEAN MARINE PETROLEUM NETWORK INC (AMPNI)" the effective, proportionate and dissuasive administrative fine appropriate to the particular case according to its specific circumstances, amounting to one hundred and fifty thousand (150,000.00) euros.
The Vice President                    The Secretary
George Batzalexis                     Irini Papageorgopoulou

[40] Cf. WP 29, Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679, WP253, p. 6.
[41] Also available at aegeanmarine.gcs-web.com/static-files/ebca7627-4368-4e6c-9a75-45862ad60cac
</pre>
</pre>

Revision as of 17:15, 25 April 2021

HDPA - 44/2019
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1) GDPR; Article 5(2) GDPR; Article 6(1) GDPR; Article 32 GDPR; Article 33 GDPR; Article 58(2)(d) GDPR; Article 58(2)(i) GDPR; Article 83(5)(a) GDPR
Type: Complaint
Outcome: Upheld
Decided: 19.12.2019
Published: n/a
Fine: EUR 150,000
Parties: AEGEAN BUNKERING SERVICES INC ("ABS"); ERNST&YOUNG HELLAS CERTIFIED AUDITORS-ACCOUNTANTS ("EY Greece"); Aegean Marine Petroleum Network Inc. ("AMPNI") (reorganized as Minerva Bunkering)
National Case Number: 44/2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language: Greek
Original Source: HDPA

The HDPA issued a EUR 150,000 fine against a Greek supplier of marine bunker fuels and lubricants for violations of the principles of lawfulness, fairness and transparency and of the security of processing under the GDPR, committed while carrying out data processing operations in its computer infrastructure (server hardware and software).

English Summary

Facts

ABS filed a complaint against the companies AMPNI and EY Greece for alleged violations of Article 33 GDPR. According to the complainant, people related to the defendants entered ABS's data room without authorisation and illegally copied to mobile data carriers the entire digital content of the server, which contained digital documents, e-mails and other electronic communications of ABS's employees with third parties, as well as of third parties' employees. These people then created a clone server. In addition, 11 other complaints were filed before the HDPA by data subjects in relation to this incident.

Dispute

The DPA had to assess whether both defendants had violated the obligation to notify personal data breaches to the supervisory authority.

Holding

The HDPA ordered AMPNI, as the data controller in this case, to bring the processing operations at stake into compliance with the GDPR within three months of receipt of the decision, as foreseen under Article 58(2)(d) GDPR. The company must take all necessary measures for internal compliance and accountability according to Article 5(1) GDPR, Article 5(2) GDPR and Article 6(1) GDPR. Since the company had totally ignored its compliance with the mentioned provisions, the HDPA issued a fine of EUR 150,000 according to Article 58(2)(i) GDPR and Article 83(5)(a) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

There is no available machine translated decision. Please refer to the Greek original decision for details.


3/2/2021
Hellenic Republic
PERSONAL DATA PROTECTION AUTHORITY
Decision 44/2019
Athens, 19-12-2019
Prot. No.: Γ/ΕΞ/8907/19-12-2019
DECISION NO. 44/2019
(Department)
The Personal Data Protection Authority met in its Department composition at its headquarters on Wednesday, July 24, 2019, at the invitation of the President, in order to examine the case referred to in the background hereof. Present were George Batzalexis, Vice President, standing in for the President of the Authority, Konstantinos Menoudakos, who was unable to attend; the alternate members Panagiotis Rodogiannis, Grigorios Tsolias as rapporteur, and Evangelos Papakonstantinou, replacing the regular members Antoniou Symvoni, Charalambos Anthopoulos and Konstantinos Lambrinoudakis who, although legally summoned in writing, did not attend because they were unable to. The meeting was attended, by order of the President, by George Roussopoulos, Specialist Scientist-Auditor, as assistant rapporteur and by Irene Papageorgopoulou, employee of the Administrative Department of the Authority, as secretary, while the other assistant rapporteur, Evmorfia-Iosifina Tsakiridou, specialist scientist-auditor, was not present because she was unable to attend.
The Authority took into account the following:

AEGEAN BUNKERING SERVICES INC (hereinafter "ABS") submitted to the Authority the notification of a personal data breach, case number Γ/ΕΙΣ/5432/18-06-2018, pursuant to Article 33 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter "GDPR"), together with a supplementary memorandum. At the same time, the same company submitted the report with reference number Γ/ΕΙΣ/5414/18-06-2018 (which it described as a complaint) concerning a personal data breach, against Aegean Marine Petroleum Network Inc (hereinafter "AMPNI") and ERNST & YOUNG HELLAS CERTIFIED AUDITORS-ACCOUNTANTS (hereinafter "EY HELLAS"), in which it claims that persons associated with the above two companies entered the ABS data room without permission and illegally copied to portable storage media the entire digital content of the server, which contains electronic files as well as e-mails and other communications both of ABS employees with third parties and of employees of third companies, by "cloning" the original server and thus creating a new file (clone server) that is a copy of the original server.
1-3 Kifissias Ave., 11523 Athens, Tel.: 210-6475600, Fax: 210-6475628, contact@dpa.gr, www.dpa.gr
By Provisional Order No. 2/2018 of its President (reference no. Γ/ΕΞ/5432-1/22-06-2018), the Authority prohibited AMPNI and EY HELLAS, as well as any other company or natural person to which all or part of the copied file (clone server) may have been transmitted, from processing in any way, until a final decision is issued, the personal data and in particular the e-mails contained in the copied file (server), which were attached as a list at the end of that Provisional Order and form an integral part of it. It is noted that the same decision clarified that the above provision suspending the processing of personal data contained in the copied server (clone server) does not prevent the continued operation of the original server of the same company, provided of course that the processing of personal data takes place lawfully under Articles 5 and 6(1) GDPR.
With its document Prot. No. Γ/ΕΞ/5414-1/26-6-2018 the Authority called on the companies AMPNI, ABS and EY HELLAS to provide information and to present specific documents, as well as any information necessary for a final decision on the present case. In response to the above document:
i. The company EY HELLAS, with its Memorandum of 28-6-2018 to the Authority (HDPA Prot. No. Γ/ΕΙΣ/5824/29-6-2018), stated that it has nothing to do with the case in question and was not even aware of the allegedly unlawful processing of personal data. In addition, it requested the revocation of the provisional order to the extent that it concerns it as a non-involved party and asked to be exempted from any investigation or audit carried out by the Authority in relation to this case. The Authority requested further clarifications from the company in question with its document reference number Γ/ΕΞ/5824-1/06-07-2018, especially in relation to two persons alleged to be representatives of the company "Ernst & Young" and to be involved in the copying of the server. EY HELLAS responded with its document number Γ/ΕΙΣ/6424/24-07-2018, denying any connection with such natural persons.
ii. The company ABS, with its Report dated 28-6-2018 (Prot. No. Γ/ΕΙΣ/5825/29-06-2018) and its letter dated 03-7-2018 (Prot. No. Γ/ΕΙΣ/5935/04-07-2018), submitted documents to the Authority, including organisational policies bearing the name "AEGEAN", which carried neither the date of drafting and application nor the signatures of the persons responsible for drafting and approval; with the same documents the company provided information in response to the Authority's questions.
iii. The company AMPNI, with its application for reconsideration of 13-7-2018 (HDPA Prot. No. Γ/ΕΙΣ/6211/13-7-2018), requested the cancellation and suspension of the effect, in whole or in part, of Provisional Order No. 2/2018 of the President of the Authority for the reasons set out in detail therein. With that application the company denied all the allegations made against it by the complainant company ABS, pointed out that ABS was a wholly-owned subsidiary, and claimed, inter alia: that it legally gained access to the e-mail accounts of specific current or former employees of the AMPNI Group, as well as to other related data, in the context of an internal investigation into important financial matters, including possible fraud against the company; that access to them was necessary in order for the company to comply with its reporting and notification obligations to the US Securities and Exchange Commission (SEC) under the applicable laws and regulations, including US securities legislation and New York Stock Exchange regulations, and also in order to protect the Group from further loss and damage; that the internal investigation carried out has been obstructed by persons suspected of possessing important information in relation to the subjects of the internal audit; that the e-mails exported were professional (corporate) and therefore are not personal data; that it made a back-up copy of all system data, i.e. data that also involved employees of third parties using the same server, because the installation and operation of deletion software was detected, and therefore such processing was absolutely necessary to protect the integrity of the AMPNI Group's data from those who tried to destroy them without authorisation; and that the information in question, derived from the requested e-mails, is required by the external auditors PricewaterhouseCoopers S.A. ("PwC") in order to sign the company's annual report for the financial year 2017.
Furthermore, the Authority received 11 complaints from individuals against AMPNI and EY HELLAS in connection with the above incident, specifically those with reference numbers Γ/ΕΙΣ/5648/26-06-2018, Γ/ΕΙΣ/5650/26-06-2018, Γ/ΕΙΣ/5651/26-06-2018, Γ/ΕΙΣ/5653/26-06-2018, Γ/ΕΙΣ/5679/26-06-2018, Γ/ΕΙΣ/5680/26-06-2018, Γ/ΕΙΣ/5681/26-06-2018, Γ/ΕΙΣ/5682/26-06-2018, Γ/ΕΙΣ/5683/26-06-2018, Γ/ΕΙΣ/5684/26-06-2018 and Γ/ΕΙΣ/5685/26-06-2018, being the complaints of A, B, Γ, Δ, E, ΣΤ, Z, H, Θ, I and K respectively, who brought before the Authority a complaint for violation of their personal data stored on the original server, which was illegally copied in its entirety by the audited company AMPNI, given that some of the complainants were employees of third parties unrelated to AMPNI and its Group companies: Δ and I worked at "AEGEAN OIL", K worked at "AEGEAN NET FUELS", Z worked at "AEGEAN PETROLEUM INTERNATIONAL", and B worked at "AEGEAN SHIPPING MANAGEMENT".
The Authority, after studying the above answers and the attached documents, sent:

i. to the company AMPNI the document Prot. No. Γ/ΕΞ/6211-1/14-8-2018, by which it called on it to provide additional clarifications and informed it of the complaints against it so that it could state its views on them;
ii. to the company ABS the document Prot. No. Γ/ΕΞ/5935-1/16-8-2018, by which it called on it to provide additional clarifications and documents.
The company ABS, with its Supplementary Memorandum of 11-9-2018 to the Authority (HDPA Prot. No. Γ/ΕΙΣ/7522/20-9-2018), provided additional clarifications and documents, in particular: that the security policies originally submitted were written outside the EU, in the US, and apply to AMPNI and its subsidiaries; that the internal working regulations of the Greek subsidiaries of AMPNI contain no reference to the checking of employees' corporate e-mails or to any way in which the company may carry out internal audits under the sole responsibility of AMPNI; that the original server, the content of which was illegally copied by AMPNI, held personal data of companies that are third parties to the AMPNI Group, indicatively the companies "Aegean Net Fuels Ltd Fze", "Aegean OIL SA", "Aegean Lubes" and "Aegean Gas"; and that all the above companies, together with ABS, AMPNI and its subsidiaries, use the infrastructure and servers of the company ABS informally and without any written contract, for which it provided relevant written documentation.
The company AMPNI, with its documents of 10-09-2018 ( . . . ) and 17-9-2018 ( . . . ) (HDPA Prot. No. Γ/ΕΙΣ/7306/10-09-2018 and Γ/ΕΙΣ/7434/17-9-2018 respectively), provided additional clarifications, in particular that: the server from which the data were exported is located in the computer room on the ground floor of the building on Akti Kondili, in which the companies of the AMPNI Group rent space for their facilities. In the computer room, as far as the audited company knows, there are, in addition to that server, also servers of other companies whose offices are housed in the same building and which are not related to the AMPNI Group. The AMPNI Group does not have access to these servers. The audited company also claimed that, although the server really belongs to the AMPNI Group, it is owned by the complainant ABS, which however does not process personal data on behalf of AMPNI; it reiterated its claims that the processing of data for the purposes of its internal investigation was legal and necessary and was occasioned by the accidental detection of deletion software, in order to protect the data of the AMPNI Group, which were not personal and, therefore, no breach occurred; that any export of personal data by EY LLP took place with appropriate measures to secure the data; that the exported e-mails concerned a limited number of persons; that the EY LLP team did not gain physical access to the server; that the local IT staff of the AMPNI Group created five (5) accounts for EY LLP team members so that they could have access to AMPNI systems; that it had not previously informed the persons whose electronic accounts were verified and accessed by copying the server, in order to avoid the risk of deterring or obstructing the investigation (Article 14(5)(b) GDPR); that the data processing through the copy of the server took place lawfully and in application of Article 6(1)(c) and (f) GDPR; and that the copied file is in the offices of EY in Manchester, United Kingdom.
The company AMPNI, with its application of 10-10-2018 (HDPA Prot. No. Γ/ΕΙΣ/8044/11-10-2018), requested the urgent examination of its request for the lifting of Interim Order No. 2/18, invoking a US Department of Justice grand jury subpoena in relation to a formal criminal investigation into a possible criminal offence, in the context of which it was invited to send to the US and duly submit, by . . . , information concerning, inter alia, e-mails included in what it refers to as a "back up", the processing of which has been prohibited by the Authority until a final decision is taken. In particular, with the above application, the company AMPNI repeats the claims it developed in its application for reconsideration of 13-7-2018, claiming that the business (corporate) e-mail accounts were legally exported and that Interim Order No. 2/18 should therefore be revoked in order for the data (e-mails) to then be transmitted to the USA.
The Authority proceeded to summon the companies ABS, AMPNI and EY HELLAS to a hearing with its documents reference numbers Γ/ΕΞ/8303/18-10-2018, Γ/ΕΞ/8302/18-10-2018 and Γ/ΕΞ/8301/18-10-2018 respectively, while by Provisional Order No. 3 of the President of the Authority (reference number Γ/ΕΞ/8345/19-10-2018) it rejected the application for reconsideration and revocation of Interim Order No. 2/2018, noting that the condition for a cross-border transfer of personal data to the USA is compliance with the general principles of processing, namely Articles 5 and 6 GDPR, so that where the data under cross-border transmission have been illegally collected, their cross-border transmission is to be prohibited.
During the meeting of the Department of the Authority on 07-11-2018, present on behalf of AMPNI were the lawyers Panagiotis Bernitsas (AMDSA . . . ), Marina Androulakaki (AMDSA . . . ) and Areti-Tania Patsalia (AMDSA . . . ). Also present was L, legal representative of ABS, stating that he is represented by lawyer Leonidas Kotsalis (AMDSA . . . ). Lawyer Eleftheria Rizou (AMDSA . . . ) was present on behalf of the complainants. At the meeting AMPNI submitted the documents Prot. No. Γ/ΕΙΣ/8790/07-11-2018 and Γ/ΕΙΣ/8791/07-11-2018, from which it appears that the ABS Board of Directors, by its decision, decided that the legal representative of the company, L, is not entitled to appoint or dismiss lawyers, dismissed the former lawyer L. Kotsalis and appointed P. Bernitsas and I. Anagnostopoulos as the company's new lawyers. Lawyer P. Bernitsas also filed an objection against the representation of the company ABS by L and by lawyer L. Kotsalis (reference number Γ/ΕΙΣ/8816/08-11-2018). The Authority postponed the discussion of the case in order to consider the issue of the representation of ABS. Following document number Γ/ΕΙΣ/9207/21-11-2018 of ABS, from which it appears that the company's BoD replaced its representative . . . , the Authority proceeded to issue new summonses to the companies ABS, AMPNI and EY HELLAS with its documents reference numbers Γ/ΕΞ/9445/27-11-2018, Γ/ΕΞ/9449/27-11-2018 and Γ/ΕΞ/9448/27-11-2018. Furthermore, the former legal representative of ABS, N.L., filed the complaint Prot. No. Γ/ΕΙΣ/9771/04-12-2018, arguing that his own personal data were affected by the incident.
During the meeting of the Department of the Authority on 05-12-2018, present on behalf of the companies AMPNI and ABS were the lawyers Panagiotis Bernitsas (AMDSA . . . ), Marina Androulakaki (AMDSA . . . ) and Areti-Tania Patsalia (AMDSA . . . ), and on behalf of the company ERNST & YOUNG (HELLAS) CERTIFIED ACCOUNTANTS SA Ioli Katsirouba (AMDSP . . . ) and Alexandra Vraka (AMDSA . . . ). The complainants L and F were represented by Leonidas Kotsalis (AMDSA . . . ), while Eleftheria Rizou (AMDSA . . . ) appeared on behalf of the other complainants. It is noted that after the meeting ABS and AMPNI submitted the request reference number Γ/ΕΙΣ/9981/11-12-2018 for the exclusion of the rapporteur, which was rejected by Decision No. 42/2019 of the Authority.
The representatives of the companies and the complainants were given a deadline and submitted memoranda. In particular:
i) EY HELLAS submitted the document Prot. No. Γ/ΕΙΣ/10252/19-12-2018, in which it reiterates its claims that it has nothing to do with the case.
ii) AMPNI and ABS filed the memorandum reference number Γ/ΕΙΣ/10259/19-12-2018, which was supplemented with the document reference number Γ/ΕΙΣ/10398/28-12-2018, while with the document reference number Γ/ΕΙΣ/10316/24-12-2018 they expressed objections to the extension of the deadline for the submission of memoranda until 15-01-2019, which had been decided by the Department of the Authority, and to the procedure followed in general.
In particular, the company ABS, during the hearing and also with the above memorandum, withdrew its complaint against AMPNI and was represented jointly with it. They then relied on the following allegations: that by decision of a US court any action against AMPNI is automatically suspended globally due to AMPNI's bankruptcy, and therefore so are the proceedings of the Authority against the company; that the complaint of ABS is inadmissible as it was exercised by a legal and not a natural person, in violation of Article 77(1) GDPR; that the complaints of the natural persons are inadmissible as they were not preceded by the exercise of the relevant rights against the controller; that the GDPR does not apply in the case of AMPNI as it has no establishment in Greece; that it had the right to conduct an internal audit of professional e-mails, which do not fall under the protection of personal data legislation; that the processing of the e-mails was necessary for the purposes of AMPNI's legitimate interests under Article 6(1)(f) GDPR; that it refers to the documents and data which ABS had submitted as complainant against AMPNI before withdrawing its complaint; that the company e-mails are the property of AMPNI; that in the context of the internal investigation it was decided to copy the e-mails of specific persons, but in the process of copying them the operation of the deletion software across the entire server emerged and the company was forced to make a total copy of it, creating a backup, so that there was no time to inform the data subjects beforehand; that although the detection of the operation of the deletion software constitutes a personal data breach, the company had no obligation to notify the Authority because it did not concern personal data but corporate (business) e-mails, which therefore could not create a reasonable expectation of privacy for the employees, and in any case the necessary security measures had been taken; that even if corporate e-mails constitute personal data, it was not proved that they contained personal data; that no access to the personal (private) electronic accounts of the said employees was attempted, but the e-mails were exported from the company server; that in the Novartis case too the Authority had ruled that compliance with the request of US public authorities was a legitimate interest and the relevant data were provided in the US; that it should be made aware of any new evidence to be provided by the complainants; that there was no obligation to inform former and current employees of the AMPNI Group; and finally that, in the event of administrative sanctions being imposed by the Authority, the destruction of the copied material should not be ordered, as it contains critical documents and information to be delivered to the US authorities.
iii) The eleven original complainants jointly filed the memorandum Prot. No. Γ/ΕΙΣ/268/15-01-2019, while A submitted the memorandum reference number Γ/ΕΙΣ/272/15-01-2019, in which it is claimed that: AMPNI never submitted to ABS a lawful request for access to personal data, but directly contacted Mr. N, . . . , with a proposal to cooperate in illegal acts, offering him amnesty; that the existence of deletion software is not borne out in fact but was a pretext to justify the copying of the server, given that from e-mails between N and an employee of EY LLP it appears that a copy of the entire server was requested several days before the deletion software was detected; that corporate data always contain personal data; that professional e-mails contain personal data in accordance with the case law of the CJEU; that ownership and possession of a server does not imply ownership of the personal data contained on the server; that no data separation was carried out and no data processing contracts under Article 28 GDPR were ever signed; that none of the principles of Article 5 GDPR was complied with, so that the processing is unfair; and that AMPNI's allegations regarding the non-information of the subjects were contradictory.
Following the submission of the memoranda, AMPNI and ABS informed the Authority (Γ/ΕΙΣ/452/22-01-2019) that they are in the process of relocating and that the company "Warehouses of Aegean SA", with which they shared common facilities, was not handing over the original hard drive of the running ABS server, despite the fact that it was not covered by the Authority's interim order, as the Authority confirmed with its document number Γ/ΕΞ/452-1/29-01-2019. According to the companies AMPNI and ABS, the processing of the backup located in Manchester, United Kingdom, which contains professional e-mails, is the only way to ensure that key evidence will not be permanently destroyed, and any decision of the Authority ordering, for any reason, the destruction of the professional e-mails copied to the backup would be disproportionate and would irreparably interfere with the property rights and defence rights of the AMPNI Group.
As AMPNI and ABS informed the Authority (Γ/ΕΙΣ/757/30-01-2019), a relevant request was heard at the Magistrates' Court of Piraeus under the procedure for precautionary measures, initially with the issuance of a temporary order (see Γ/ΕΙΣ/757/30-01-2019). Finally, as the Authority was informed with document number Γ/ΕΙΣ/2883/16-04-2019 of AMPNI and ABS, the aforementioned court issued its Decision No. 14/2019, ordering the delivery of the movable equipment to ABS.
On this issue, the company AEGEAN WAREHOUSES submitted the request Prot. No. Γ/ΕΙΣ/2111/19-03-2019, asking for clarification as to whether the return of the servers includes their content, i.e. the personal data and e-mails stored on them, while the Authority, with its document Prot. No. Γ/ΕΞ/2111-1/23-04-2019, informed it that the questions submitted with the application are not related to Interim Orders No. 2/2018 and 3/2018 but concern issues of interpretation and execution of Decision . . . of the Magistrates' Court of Piraeus, which do not fall within the competence of the Authority.
AMPNI and ABS also submitted a number of documents related to ongoing litigation before a US bankruptcy court, in particular: a) under Prot. No. Γ/ΕΙΣ/740/30-01-2019, the "NOTICE OF DEADLINE REQUIRING SUBMISSION OF PROOFS OF CLAIM ON OR BEFORE 21-02-2019"; b) under reference number Γ/ΕΙΣ/1467/25-02-2019, the document entitled "NOTICE OF HEARING TO CONSIDER CONFIRMATION OF THE CHAPTER 11 PLAN FILED BY THE DEBTORS AND RELATED VOTING AND OBJECTION DEADLINES"; c) under reference number Γ/ΕΙΣ/2678/09-04-2019, the document entitled "NOTICE OF (A) ENTRY OF ORDER CONFIRMING THE JOINT PLAN OF REORGANIZATION OF AEGEAN MARINE PETROLEUM NETWORK INC. AND ITS DEBTOR AFFILIATES PURSUANT TO CHAPTER 11 OF THE BANKRUPTCY CODE AND (B) OCCURRENCE OF EFFECTIVE DATE".
Finally, AMPNI and ABS, having become aware (through Authority document reference number Γ/ΕΞ/2214/21-03-2019) of the complainants' allegations in their memoranda of 15-01-2019, submitted the supplementary memorandum reference number Γ/ΕΙΣ/2616/05-04-2019, which first of all disputes the legality of the extension of the deadline given at the hearing for the submission of a memorandum. They then argue, refuting the complainants' plea, that they have not committed any act of unlawful processing of personal data; that there was no intention from the outset to copy the server, nor did they invent the existence of the deletion software as a justification; that the purpose of the procedure followed was the export of the professional e-mails of a specified number of former and current employees of the AMPNI Group; that no access to personal (private) e-mail accounts was attempted; that only some of the complainants provide some e-mails which contain their personal data; that with their new submission information is provided relating in particular to e-mails and to an exchange of e-mails from the management of PAE AEK, which is not included in the list of addresses attached to Interim Order 2/2018 of the Authority; that the complainants were well aware that their corporate e-mail accounts were intended for professional use only; that, to the extent that the copy ultimately contains personal data of individuals not affiliated with the AMPNI Group, the company would be willing to separate or delete the data concerning such individuals; that professional e-mails do not constitute personal data; that the copying of the original server was legal due to force majeure, namely the detection of the operation of the deletion software; and that personal correspondence should not have been exchanged through corporate e-mail accounts.
The Authority, on the basis of the hearing, the details of the case file and the memoranda submitted together with the attached documents, after hearing the rapporteur and the clarifications of the assistant rapporteur G. Roussopoulos, who withdrew after the discussion and before the deliberation and the decision, and after thorough discussion, taking into account in particular:
1. The provisions of the Constitution, and in particular those of Articles 2(1), 5(1), 5A, 9, 9A, 19(3), 17, 22, 25 and 28.
2. The provisions of the European Convention on Human Rights of 04.11.1950, ratified by Legislative Decree 53 of 19.9.1974, as in force today, and in particular those of Article 8.
3. The provisions of the Treaty on the Functioning of the European Union, and in particular those of Article 16.
4. The provisions of the Charter of Fundamental Rights of the European Union (2012/C 326/02), and in particular those of Articles 7, 8 and 52.
5. The provisions of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 28.1.1981 ("Convention 108"), ratified by Law 2068/1992, as currently in force, and in particular those of Articles 5 and 6.
6. The provisions of the General Data Protection Regulation (GDPR) No. 679/2016.
7. The provisions of Law 2472/1997 insofar as they do not conflict with the GDPR (see HDPA Decisions 46/18 and 52/18).
8. The provisions of Directive No. 115/2001 of the Personal Data Protection Authority on the subject of employee records.
9. Opinion No. 3/2010 of the Article 29 Working Party on the principle of accountability (WP 173/13-7-2010).
10. Opinion No. 2/2017 of the Article 29 Working Party on data processing at work (WP 249).
11. The Working Document of the Article 29 Working Party of 29-5-2002 on the surveillance of electronic communications in the workplace (WP 55).
12. Opinion No. 8/2001 of the Article 29 Working Party on the processing of personal data in the employment context (WP 48).
13. Opinion No. 06/2014 of the Article 29 Working Party on the notion of legitimate interests of the data controller (WP 217), to the extent that it is interpretatively useful in the present context.
14. The Article 29 Working Party "Guidelines on transparency under Regulation 2016/679", WP 260 rev.01, to the extent that they are interpretatively useful in the present context.
15. Guidelines No. 2/2018 of the European Data Protection Board "on derogations of Article 49 under Regulation 2016/679".
16. The document of the Article 29 Working Party No. 18/EN/WP 262 of 06-02-2018 entitled "Guidelines on Article 49 of Regulation 2016/679".
17. The Article 29 Working Party Guidelines on personal data breach notification ("Guidelines on Personal data breach notification under Regulation 2016/679", WP 250 rev.1).
18. Guidelines (under consultation) No. 3/2018 of the European Data Protection Board on the territorial scope of the GDPR.
REASONING ACCORDING TO THE LAW
1. With Article 94 of the General Data Protection Regulation (GDPR) No. 679/2016, Directive 95/46/EC was repealed from 25.5.2018, when the GDPR entered into application pursuant to Article 99(2) thereof. Law 2472/1997 remains in force to the extent that its provisions do not conflict with the GDPR (see HDPA Decisions 46/18 and 52/18).
2. The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality (Recital 4 GDPR).
3. According to Article 3(1) GDPR, "this Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not". Recital 22 GDPR defines, with regard to the concept of establishment, that it "[ . . . ] implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect".
4. According to Article 4(1) GDPR, "personal data" means "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier ...". A similarly broad definition of the concept of personal data pre-existed in Article 2(a) of Law 2472/1997, in application of Directive 95/46/EC.
In this context, the e-mail address of an individual is personal data, as it can serve as an element of indirect or direct identification of its holder, allowing communication with him. When the e-mail address bears the name or an associated identifier of the natural person who uses it (e.g. johnsmith@ikea.sk), then it is a matter of direct identification and it therefore constitutes personal data, in contrast to the address of a legal entity (e.g. ikeacontact@ikea.com), which in principle does not constitute personal data [1].
5. According to the case law of the Court of Justice of the European Union (CJEU), the fact that the information processed concerns the content of a professional activity has no bearing in that regard and does not invalidate its classification as personal data [2], nor does it constitute an exception to the relevant protection [3], even when the controller acts in the context of public tasks [4], and "the distinction of the data in question according to whether they fall within the private sphere or the public sphere is clearly the result of confusion between what falls under personal data and what falls under private life" [5].
According to the case law of the European Court of Human Rights (ECtHR), the protection of "private life" established in Article 8 of the European Convention on Human Rights (ECHR), which includes the protection of personal data, does not exclude professional life and is not limited to life within the place of residence (see HDPA Decision 34/2018 and the Article 29 Working Party Working Document on the surveillance of electronic communications in the workplace of 29-5-2002, WP 55, p. 8). Moreover, according to the same case law, electronic letters (e-mails) fall within the protection of Article 8 ECHR [6].
[1] For details, see the content of the answer given on 21-02-2018 by the European Commission to question no. E-007147/17, http://www.europarl.europa.eu/doceo/document/E-8-2017-007174-ASW_EN.html?redirect
[2] See CJEU judgment C-345/2017 Sergejs Buivids of 14-02-2019, para. 46; CJEU judgment C-398/2015 Salvatore Manni of 09-3-2017, para. 34; CJEU judgment C-615/13 ClientEarth of 16-7-2015, paras. 30, 32; CJEU judgment C-92/09 & C-93/09 Volker und Markus Schecke GbR & Hartmut Eifert v Land Hessen of 09-11-2010, para. 59.
[3] See European Union Agency for Fundamental Rights (FRA), Handbook on European data protection law, 2014 edition p. 50 and 2018 edition (English) pp. 86-87.
[4] General Court of the EU judgment T-496/13 McCullough of 11-6-2015 on the inclusion of the names of data subjects in the minutes of a meeting regardless of the fact that they exercise public power, para. 66, or that they have already been made public; see CJEU judgment C-127/13 Guido Strack of 02-10-2014, especially para. 111.
[5] See also T-639/15 to T-666/15 and T-94/16 Maria Psarra et al. v European Parliament, para. 52; see also paras. 50, 53.
[6] George Garamukanwa v. UK decision of 14-5-2019 on admissibility, para. 25; Copland v. United Kingdom of 3-4-2007.

Therefore, not accepting that the above information (especially e-mails)
constitute personal data " would have the consequence that it is not required
in respect of such information, compliance with the principles and guarantees laid down in
in the field of personal data protection and, in particular,
principles concerning data quality and the legality of processing
their ... as well as respect for rights, access, correction and opposition
of the person concerned ... , but also the control exercised by the control authority ... "(WEU C-
434/16 decision Peter Nowak v Ireland Data Protection Commissioner of20-12-2017, par.
49).
6. The data subjects, whether they are employees or senior executives of the management or are connected in any way with the controller, have a reasonable expectation of protection of their privacy in the workplace, which is not removed by the fact that they use equipment, communication devices or any other professional hardware or software facilities and infrastructure (e.g. electronic communications network, Wi-Fi, corporate e-mail addresses, servers, etc.) owned by the controller (see HDPA 34/2018, 61/2004, Article 29 Working Party WP55, ibid., p. 9).

The fact that an e-mail has been sent from a corporate e-mail address does not lead to the exclusion of the right to privacy (see ECtHR, First Section, George Garamukanwa v. UK, decision of 14-5-2019 on admissibility, para. 25) [7], of the right to protection of the personal data of the data subjects, in particular employees (see Licence No. 2072/2018 for the cross-border transfer of personal data of current and former employees of the applicant company [8]), or of the right to privacy of communications and related location data (see Article 29 Working Party Opinion 2/17, p. 22 et seq., and WP55, ibid., p. 22), nor of course can it be accepted that the personal data of the data subjects generated through their use of corporate media are the "assets" or "property" of the controller because it is the owner of the above media or e-mail addresses, an approach adopted by part of the case law of the US courts, but not of the European Union.

[7] Copland v. UK of 03-7-2007, Amann v. Switzerland of 16-02-2000, Kopp v. Switzerland of 25-3-1998, Halford v. The United Kingdom of 25-6-1997, Aalmoes and 112 others v. the Netherlands, admissibility decision of 25-11-2004.
[8] See Press Release C/EX/1728/01.3.2018 regarding the granting of Transfer Licence No. 2072/2018 of the HDPA.
7. According to recital 39 GDPR, "Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. Personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted."

8. According to recital 60 GDPR, "The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed."

9. According to the last sentence of recital 39 GDPR, "Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing."

10. According to Article 4(12) GDPR, "personal data breach" means "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".

According to the Guidelines of 06-02-2018 of the Article 29 Working Party of Directive 95/46/EC (now the European Data Protection Board, EDPB) on personal data breach notification ("Guidelines on Personal data breach notification under Regulation 2016/679", WP 250 rev. 1), one of the types of personal data breach is the one categorised on the basis of the security principle of "confidentiality", where unauthorised access to personal data is established ("confidentiality breach").

A personal data breach also takes place through unlawful access to a server, and the taking of technical and organisational server security measures is necessary from the outset in order to prevent the associated risk, given the large volume of personal data contained in servers [9], in accordance with the European Union Agency for Network and Information Security (ENISA) [10]. The collection and retention of personal data in the context of the operation of a server without the prior adoption of such necessary technical and organisational security measures constitutes a breach of the principles set out in Article 5(1)(a) and (f) GDPR.

11. According to Article 5(1)(f) GDPR ("Principles relating to processing of personal data"), personal data shall be "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality')", while Article 32(2) GDPR provides that, in assessing the appropriate level of security, account shall be taken of the risks presented in particular by unauthorised access to data, an indicative list of security measures being given [11].

The GDPR requires that personal data which have already been processed in accordance with the principles of Article 5(1)(a) to (e) be processed "in a manner that ensures appropriate security" (Article 5(1)(f)), so that, even where the principles other than that of security are met, the processing becomes unlawful. Correspondingly, if the intended processing is from the outset going to take place in a way that does not ensure adequate security, the examination of the fulfilment of the principles of points (a) to (e) of Article 5(1) GDPR is unnecessary, as the processing will be insecure and therefore unlawful.

In addition, the controller's obligation to "ensure" the security of processing by taking appropriate technical and organisational measures derives from the risk-based approach adopted by the GDPR, so that "the degree of risk of each processing becomes the key criterion for determining the extent of the relevant obligations" [12] (see also HDPA 51/2015, point 4).

The European Court of Human Rights is in the same direction: in the case I. v. Finland [13], examining a claim on the basis of whether the controller managed to "guarantee" the security of personal data, it found a violation of Article 8 ECHR because of the non-implementation of security measures, which led to unauthorised access to the data.

Under the GDPR, "integrity and confidentiality" have been elevated to basic principles and conditions for the processing of personal data (Article 5(1)(f) GDPR) [14], so that the "appropriate technical and organisational measures" mentioned serve, inter alia, to prevent, if implemented, any unauthorised access to or use of the data and the equipment used for the processing (see recital 39 GDPR and the European Union Agency for Network and Information Security, ENISA [15]). Therefore, two of the three main goals of information systems security (i.e. availability excluded) have been elevated to principles and conditions for the lawful processing of personal data. The measures need to be more specific (see Article 32 GDPR) and, as required by the principle of accountability and determined by Article 24(2) GDPR, appropriate policies must be applied, depending on the processing activities (see HDPA 67/2018). The existence of appropriate policy documents, approved by the management of a body (controller or processor), applicable and implemented in practice (a contrario HDPA 98/2013, para. 5), is a basic criterion for demonstrating compliance with the principle of integrity and confidentiality (see HDPA 98/2013, point 3, especially for information systems), to the extent that other evidence, such as adherence to an approved code of conduct or an approved certification mechanism, is lacking.

[9] For more, see the detailed guide of the French data protection authority (CNIL), "Security of Personal Data", which refers both to the need for prior security measures for servers in the context of GDPR compliance and to the risk of unauthorised access to personal data stored on servers.
[10] For more, see "Reinforcing trust and security in the area of electronic communications and online services", December 2018, chapter 7 "Server and DataBase Security", p. 38 ff.
[11] For more, see L. Mitrou in L. Kotsalis - K. Menoudakos (eds.), GDPR: Legal dimension and practical application, Chapter VI, Notification of data breaches, p. 218 ff.
[12] L. Mitrou, The GDPR, ibid., p. 96 and footnotes 270 and 271, with references to the corresponding positions of CIPL and ENISA.
[13] Judgment of 17-7-2009, application no. 20511/2003, paras. 37 to 46.
[14] See L. Mitrou, op. cit., p. 219, which states that "Security is an unconditional condition for the effective protection of personal data. However, it should be noted in advance that this is a necessary but not sufficient condition for data protection, as protecting data from unauthorised access, disclosure and use in general does not mean that they are subject to lawful processing"; see also by the same author, The GDPR: new law - new obligations - new rights, Sakkoulas 2017, p. 108 ff.
[15] "Handbook on Security of Personal Data Processing", December 2017, especially p. 8, as well as "Guidelines for SMEs on the security of personal data processing", December 2016, especially p. 12.
12. According to recital 78 GDPR, "The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default."

13. According to recital 82 GDPR, "In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility."

14. According to recital 83 GDPR, "In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality ... In assessing data security risk, consideration should be given to the risks that are presented by personal data processing ...".

15. According to recital 87 GDPR, "It should be ascertained whether all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject", as detailed in the Guidelines of 06-02-2018 of the Article 29 Working Party on data breach notification (WP 250 rev. 1).

16. Appropriate accountability measures for the observance of the principles of Article 5(1) GDPR may include (as recommended by the Article 29 Working Party [16] before the implementation of the GDPR) the following non-exhaustive list of measures: adoption of internal procedures before the creation of new processing operations; adoption of written and binding data protection policies available to data subjects; mapping of procedures; maintenance of a register of all data processing operations; appointment of a data protection officer and other persons responsible for data protection; provision of appropriate education and training to officials on data protection; establishment of procedures for managing access, rectification and erasure requests, which must be transparent to data subjects; establishment of an internal complaints mechanism; establishment of internal procedures for the effective management and reporting of security breaches; conducting a privacy impact assessment in specific cases; implementation and oversight of verification procedures to ensure that all measures not only exist on paper but are applied and operate in practice (internal or external audits, etc.).

The Authority, in the context of the implementation of the GDPR, has already referred to the obligations of the controller regarding security and its general responsibility for identifying appropriate technical and organisational measures, proposing "appropriate" measures which may be documented in individual procedures or in general security policies [17], clarifying that "in any case, before determining the security measures to be adopted, the proper evaluation of the risks and their possible consequences for data subjects is paramount [18] ... the measures implemented must at least be periodically reviewed, but also be demonstrably validated by the management of the controller or the processor [19]". Likewise, appropriate technical and organisational measures for the security of the processing of personal data under the GDPR are also proposed by the European Union Agency for Network and Information Security (ENISA) [20].

[16] Opinion no. 3/2010 on the principle of accountability of 13-7-2010 (WP 173), p. 13 ff. and p. 14, footnote 7, for the international standards approved in Madrid by the competent authorities for personal data protection.
[17] www.dpa.gr, section Security, and in particular "Security Policy, Security Plan and Disaster Recovery Plan", with reference to the minimum content of the security policy concerning a description of the basic protection and security principles applied (organisational security measures, technical security measures, physical security measures, definition of roles, responsibilities, duties, etc.).
[18] See also G. Roussopoulos, HDPA specialist scientist, "Processing security and breach notification", in the EKDDA Report "GDPR: the new landscape and the obligations of public administration", Athens, January 2018, p. 20 ff., available at www.ekdd.gr/images/seminaria/GDPR.pdf
[19] www.dpa.gr, section "Security".
[20] Cf. footnote 11, Annex A, p. 55 et seq.
17. In order for personal data to be lawfully processed, i.e. processed in accordance with the requirements of the GDPR, the conditions of application and observance of the principles of Article 5(1) GDPR must be met cumulatively, as is clear from the recent judgment of the Court of Justice of the European Union (CJEU) of 16-01-2019 in Case C-496/17, Deutsche Post AG v Hauptzollamt Cologne [21]. The existence of a legal basis (Article 6(1) GDPR) does not exempt the controller from the obligation to comply with the principles (Article 5(1) GDPR) regarding lawfulness, necessity and proportionality, and with the principle of minimisation [22]. In case of violation of any of the principles set out in Article 5(1) GDPR, such processing is unlawful (subject to the provisions of the GDPR) and there is no need to examine the conditions of application of the legal bases of Article 6 GDPR [23]. Thus, the unlawful collection and processing of personal data in violation of the principles of Article 5 GDPR is not cured by the existence of a lawful purpose and a legal basis (cf. HDPA 38/2004).

Moreover, the CJEU, in its judgment of 01-10-2015 in Case C-201/14 (Smaranda Bara), considered the prior information of the data subject as a condition for the fair and lawful processing of personal data [24].

[21] "57. However, any processing of personal data must be consistent with, on the one hand, the principles to be observed with regard to data quality set out in Article 6 of the Directive [...] principles of legal processing ... C-465/00, C-138/01, C-139/01, C-131/12".
[22] On this see L. Mitrou, The General Regulation on personal data protection (new law - new obligations - new rights), Sakkoulas, 2017, pp. 58 and 69-70.
[23] Cf. Council of State 517/2018, para. 12: "[...] in order for personal data to be lawfully processed, it is required in each case that the cumulative conditions of Article 4(1) of Law 2472/1997 be met, which, among other things, stipulates that data must be collected and processed fairly and lawfully, for specified and lawful purposes ... Provided that the conditions of Article 4(1) of Law 2472/1997 (lawful collection and processing of data for specified and lawful purposes) are met, it is further examined whether the conditions of Article 5(2) of Law 2472/1997 [legal bases] are met". Also cf. Council of State, Plenary, 2285/2001, para. 10: "[...] Only if the above basic conditions are met do the provisions of Articles 5 and 7 of Law 2472/1997 apply, which impose, as a further additional condition in principle for the lawful processing of the personal data of a specific person, his consent".
[24] "31. The controller or his representative has an obligation to inform, the content of which is set out in Articles 10 and 11 of Directive 95/46 and differs according to whether or not the data are collected from the data subject, subject to the exceptions provided for in Article 13 of that Directive [...] 34. Consequently, the requirement of fair processing of personal data laid down in Article 6 of Directive 95/46 obliges an administrative authority to inform the data subjects of the transfer of those data to another administrative authority for the purpose of their processing by the latter as recipient of those data".
18. Further, the controller, in the context of its compliance with the principle of fair processing of personal data, must inform the data subject that his data are to be processed in a lawful and transparent manner (see CJEU C-496/17, ibid., para. 59, and CJEU C-201/14 of 01-10-2015, paras. 31-35 and especially 34) and must be in a position at any time to prove its compliance with these principles (principle of accountability under Article 5(2) in combination with Articles 24(1) and 32 GDPR).

Processing personal data in a transparent manner constitutes a manifestation of the principle of fair processing and is linked to the principle of accountability, giving data subjects the right to exercise control over their data and making controllers accountable, according to the Article 29 Working Party [25].

Exceptionally, and pursuant to Article 14(5)(b) GDPR ("Information to be provided where personal data have not been obtained from the data subject"), paragraphs 1 to 4 of that article do not apply, and the relevant information is not provided by the controller, if it is likely to seriously impair the achievement of the objectives of that processing. A condition for the application of this provision, according to the Article 29 Working Party [26], is that the processing (collection) of such personal data has been carried out lawfully, i.e. in accordance with the principles of Article 5(1) GDPR.

19. In addition, a new, central compliance model was adopted with the GDPR, the core of which is the principle of accountability, under which the controller is obliged to plan, implement and generally take the necessary measures and policies to ensure that the processing of data complies with the relevant legislative provisions. In addition, the controller is further responsible for proving, on its own initiative and at all times, its compliance with the principles of Article 5(1) GDPR. It is no coincidence that the GDPR incorporates accountability (Article 5(2) GDPR) into the regulation of the principles (Article 5(1) GDPR) governing processing, giving it the function of a mechanism for their observance, essentially reversing the "burden of proof" as to the lawfulness of processing (and in general the observance of the principles of Article 5(1) GDPR) and transferring it to the controller [27], so that it can reasonably be argued that the controller bears the burden of invoking and proving the lawfulness of the processing [28]. Thus, it is the responsibility of the controller, on the one hand, to take on its own initiative the necessary measures in order to comply with the requirements of the GDPR and, on the other hand, to prove at all times its compliance as above, without the Authority being required, in the exercise of its investigative and auditing powers, to submit individual, specific questions and requests for the assessment of compliance.

It is pointed out that the Authority, because the first period of implementation of the GDPR is elapsing, submits questions and requests in the context of the exercise of its relevant investigative and auditing powers in order to facilitate the documentation of accountability on the part of controllers. The controller must, in the context of the Authority's audits and investigations, present on its own initiative, and without relevant questions and requests from the Authority, the measures and policies adopted within the internal organisation of its compliance, since it is aware of them, having designed and implemented the relevant internal organisation.

[25] Guidelines on transparency under Regulation 2016/679 of 11-4-2018 (WP 260 rev. 1), pp. 4 and 5.
[26] Guidelines on transparency under Regulation 2016/679 of 11-4-2018 (WP 260 rev. 1), p. 31, para. 65.

20. Access by the controller, in the context of an internal company audit, to personal data stored on a computer system of hardware and software (server) is processing of personal data, as in the case of access to and control of a computer used by the data subject (HDPA 34/2018).

The employer, exercising its managerial right, under the self-evident condition of observance of the principles of Article 5(1) GDPR and on the basis of previously elaborated specific procedures and safeguards within its internal compliance organisation in accordance with the principle of accountability, is entitled to exercise control over the electronic media it provides to employees for their work, provided that the relevant processing, in accordance with the principle of proportionality, is absolutely necessary for the satisfaction of the legitimate interest it pursues, provided that this interest obviously takes precedence over the rights and interests of the employee, without prejudice to his fundamental freedoms (Article 6(1)(f) GDPR), and after the employee has been informed even of the possibility of such control (see HDPA 34/2018).

21. An essential element of the lawful operation of information systems and other infrastructure and communication systems in the processing of personal data is the taking of appropriate security measures, in particular the physical and logical separation of hardware, software and data [29].

22. In order to examine the lawfulness, under Articles 5 and 6(1) GDPR, of the controller's access to the personal data of data subjects maintained in its corporate systems in the context of an internal audit, the lawfulness, under Articles 5 and 6(1) GDPR, of the original collection, processing and storage of the personal data in those systems must first be examined. The unlawful original collection, processing and retention of personal data, e.g. on a computer or server, also renders unlawful any subsequent or further (i.e. for a purpose different from the original one, Article 6(4) GDPR) distinct and independent processing of the same personal data, as in the case of copying and storing them on another digital storage medium (e.g. USB stick, server, PC, etc.), and even further in the case of their transmission and use, even where the conditions for the application of a legal basis under Article 6(1) GDPR, such as that of point (f), would be met, since non-compliance with the processing principles of Article 5(1) GDPR is not cured by the existence of a lawful purpose and a legal basis (see point 17 hereof and cf. HDPA 38/2004).

23. A prerequisite for the transfer of personal data outside the European Union, provided that the general principles, procedures, conditions and safeguards of Chapter V of the GDPR (Articles 44-50) are met, is the initial lawful collection, processing and retention of the same personal data under Articles 5 and 6(1) GDPR [30] (see in this regard Provisional Order No. 3/2018 of the President of the HDPA), so that if the original collection was unlawful, their subsequent cross-border transfer also becomes unlawful [31]. As the Authority has held, under the regime of Article 9 of Law 2472/1997, in the context of licensing a company for the cross-border transfer of personal data of its former and current employees, in addition to the prior lawful collection and processing of those personal data, the information of the data subjects is required before the transfer so that they may exercise their rights of access and objection if there are legal grounds [32], and, self-evidently, the conditions of Chapter V of the GDPR (Articles 44-50) must be met.

[27] On this see L. Mitrou, The principle of accountability, in Obligations of the controller [G. Giannopoulos, L. Mitrou, G. Tsolias], collective volume L. Kotsalis - K. Menoudakos (eds.), "The GDPR: Legal dimension and practical application", Law Library publications, 2018, p. 172 ff.
[28] P. de Hert, V. Papakonstantinou, D. Wright and S. Gutwirth, The proposed Regulation and the construction of a principles-driven system for individual data protection, p. 141.
[29] Cf. HDPA 186/2014, point 2, "D. Security measures - Technique of separation of applications"; HDPA 51/2015, p. 11; and, for the relevant concepts, cf. ... 2013.
[30] Cf. Guidelines 2/2018 of the European Data Protection Board "with regard to the derogations provided for in Article 49 of Regulation 2016/679", p. 3; Article 29 Working Party of Directive 95/46/EC, document no. 18/EN/WP 262 of 06-02-2018 entitled "Guidelines on Article 49 of Regulation 2016/679", p. 3.
24. ABS, a subsidiary of AMPNl (parent company of the AMRNI Group),
notified the Authority of a data breach incident no. 33 fKIL􀍝 which

consisted of unauthorized access and copying from its server
ABS of this full content. As culprits of his illegal copying
server (ABS) company indicated the parent company of the same Group,
AMPNI and the company EY Hellas. In addition, ABS filed a complaint for
violation of personal data legislation to the detriment of companies
AMPNI and EV Hellas, while it requested the issuance of an act of suspension and prohibition
processing the copied content of its server.
The controlled company AMPNI briefly claimed that it legally acquired
access to the ABS server because the latter was a subsidiary
and held 100% of its share capital, that the contents of the e-mails were
corporate and therefore on the one hand belong to its property - property, on the other hand, do not belong
in the protection of personal data legislation, that access has taken place
in the context of internal corporate control and therefore the provision provided by
article 6 par. 1 par. the legal basis of the overriding legal interest given to it
provided the right of access and control as well as that the final copy of the whole
ABS server content became necessary, despite the fact that
The original design of the audit concerned targeted access to small e-mails
" Cf. the position of the European Data Protection Supervisor (EDPS) according to which in case
in which the data under cross-border transmission has been collected illegally, it is prohibited to
cross-border their transmission ( see !JnP.s://edp s .europa .eu/data-protection/data-protection/referencelibrfilY.
I international-transfers en)
,2 Cf. Press Release C / EX / 1 728 / 0 1 .3.20 1 8 regarding the granting of no. 2072/20 1 8 Transmission License
AIIMIX.
26
number of specific employees and executives of the AMPNI Group, because randomly
detected on the day of the audit, the operation of illegal deletion software already
deleted files on the server and thus a complete copy was obtained
security (back up).
The ABS company, before the withdrawal of the complaint against it
AMPNI, briefly argued that from the outset the targeting of the controlled AMPNI was
copy of the entire server (server) that included personal data
employees and executives of third companies as it emerged from relevant letters sent to her
were sent by AMPNI and not the targeted copying of specific e-mails
natural persons, that the audited company AMPNI illegally copied it
total content of the server due to the refusal of. . . ( . . . ) N to

accepts the request for copying because it relied on a relevant legal opinion from
which resulted in the illegality of such processing and that the illegality of the request
Copy of the server (server) results from the by the controlled company
AMPNI sending a letter declaring the exemption in advance
("Amnesty") ofN from any kind ofliability in case oflegal action
proceedings against him due to copying.
25. In the present case, the Authority found that ABS, a subsidiary of the parent company AMPNI of the same Group, was the owner of the servers that were installed in the office premises at Akti Kondili 10, Piraeus, where the Group's companies were housed following a lease from the company "AEGEAN WAREHOUSES SA".
On the above-mentioned servers owned by ABS, the DANAOS software was installed and operated under a contract of use and on the basis of a licence obtained by the company "AEGEAN SHIPPING MANAGEMENT" ("ASM"), which, however, did not belong to the AMPNI Group. It should be noted that on 30-10-2018, after the Authority's examination of the present case had already begun, ABS entered into separate service and software maintenance contracts with the company that provides the DANAOS software in respect of the companies of the AMPNI Group.
The same computer infrastructure (hardware and software) comprised, in addition to DANAOS (where e-mails were stored), the virtual file servers AMPFS1 (where fileshare and usershare files were stored) and AMPFS2 (where attachments of the e-mails stored in DANAOS were kept), as shown in particular by the statements of 12-7-2018 and 17-12-2018 of ... of EY LLP and by the statement of 18-12-2018 of ... of ABS, O, which were presented and relied on by AMPNI.
The above hardware and software computer infrastructure (DANAOS, AMPFS1 and AMPFS2) was used for the electronic communications (e-mails) both of employees and executives of the AMPNI Group companies and of employees and executives of third companies outside the AMPNI Group, such as "Aegean Shipping Enterprises", "Aegean Agency" and "Aegean Oil" (according to the statement of O, op. cit.), but also "Aegean Net Fuels Ltd Fze", "Aegean Lubes" and "Aegean Gas" [33].
It is important that ABS, before withdrawing its complaint, had replied to the relevant written questions of the Authority that companies outside the AMPNI Group used the infrastructure and servers of ABS informally and without any written contract (HDPA prot. no. G/EIS/7522/20-09-2018), referring in fact to the letter of 03-7-2018 of the P ... N of the AMPNI Group, who stated that ABS had not entered into hosting and service contracts with other companies.
It should be noted that N, who worked for the AMPNI Group as ... (...), had been hired by the company "AEGEAN MANAGEMENT SERVICES" ("AMS"), i.e. by another company of the AMPNI Group (see Supplementary Memorandum AMPNI-ABS of 19-12-2018, pp. 9 and 10, HDPA G/EIS/10259/19-12-2018).
Finally, the memoranda of AMPNI show that both the companies of its Group and third companies outside the Group used the computer infrastructure (hardware and software) for the processing of the electronic correspondence of employees and executives, AMPNI even accepting that it proceeded to copy information of third parties [34] related to companies outside the Group which used the same computer infrastructure: "There was never any intention to copy information other than the collection of the specific data that concerned the 18 users and the related files relating to the internal investigation described above. Any further copying of information that took place separately from the specific data collection related to the investigation was carried out with the sole purpose of protecting against the malicious permanent destruction of critical evidence relating to the internal investigation and of important business records of the AMPNI Group" (see AMPNI Application for Reconsideration, prot. no. ..., pp. 16-17). Similarly, AMPNI stated that "[...] personal data of natural persons who are not and have never been affiliated in any way with the AMPNI Group under any relationship of employment, provision of services or otherwise, or which are not otherwise the subject of pending criminal and/or civil investigations, then AMPNI would be willing to delete the data concerning such natural persons and provide evidence thereof" (see Supplementary Memorandum AMPNI-ABS of 19-12-2018, p. 23, HDPA G/EIS/10259/19-12-2018, as well as Supplementary Memorandum AMPNI-ABS of 05-4-2019, pp. 8 and 12, HDPA G/EIS/2616/05-4-2019).

[33] According to the employees' complaints as well as the printouts of the e-mail addresses submitted through ABS's pleadings prior to the hearing before the Authority, in particular the supplementary memorandum HDPA no. G/EIS/5432/18-6-2018.
[34] As noted above and developed below, AMPNI claims that these are corporate-professional e-mails owned by it which do not constitute personal data. The reference by AMPNI to personal data in its memoranda is made in the alternative, within the same claim, without accepting that they constitute personal data.
By means of the above copy of the entire contents of the computer infrastructure, the audited company AMPNI created a new filing system, a copy which it forwarded to Manchester, United Kingdom.
Finally, AMPNI stated that in the same common area ("computer room") further servers of other companies were also installed and running, companies whose offices are housed in the same building and which are not related to the AMPNI Group (HDPA G/EIS/7306/10-9-2018, p. 2, para. 3).
It follows from all of the above that both the parent company AMPNI and the subsidiaries of its Group, as well as third companies outside the AMPNI Group, used and had physical access to the same area, in which several servers of companies both inside and outside the AMPNI Group and of other legal entities were located and operated, and also had physical and logical access to the same computer infrastructure (DANAOS, AMPFS1, AMPFS2 hardware and software) for the processing of the e-mails of their employees and executives through the electronic communications filing systems. The above accesses and processing of personal data took place without any measure of physical or logical separation being taken; the person appointed as Head ... (...) of the AMPNI Group had been hired by a Group company in order to provide services both to the companies of the AMPNI Group and to third companies outside the AMPNI Group; and the licensing and service agreement with the software company DANAOS had been concluded by a third company outside the AMPNI Group. It is thus established that all processing of personal data took place informally, without any agreement between the companies inside and outside the AMPNI Group that shared the same hardware and software infrastructure, without any substantial technical or organisational measure of internal compliance with the provisions of the GDPR being taken and without any relevant demarcation, with the result, as the documents show, that the ownership of a specific server was ultimately disputed and brought before the civil courts for resolution through interim measures proceedings (HDPA G/EIS/733/30-01-2019).
26. The Authority, in the exercise of its investigative powers, both before the hearing (see HDPA prot. no. G/EX/5414-1/26-6-2018 and HDPA prot. no. G/EX/6211-1/14-8-2018) and during the hearing, requested the audited company AMPNI, among other things, to document its compliance with the provisions of the GDPR, as it was obliged to do under the principle of accountability of Article 5(2) GDPR, and in particular in relation to the "technical and organisational measures taken for the security of the personal data and of the infrastructure used that supports the processing, by notifying us of any relevant policy document or rules of procedure, whether it concerns the company itself or is applied at Group level. For example, list the measures taken with regard to physical access to the premises of the MAIL SERVER in question, logical access to the MAIL SERVER application, the policy on the proper use of corporate e-mails and the policy on their control (e.g. access and management rights of the said subsidiary and/or of the complaining parent company), whether the above have been included in a text governing staff relations (e.g. Work Regulations), as well as whether and how staff are informed in advance about the above and in particular about any control of corporate e-mails, the relevant conditions, the procedural guarantees for carrying out a control, etc." (see HDPA prot. no. G/EX/5414-1/26-6-2018, p. 2). The Authority also, both at the hearing and before it (see HDPA prot. no. G/EX/6211-1/14-8-2018, p. 2), specifically asked about the lawfulness of copying the contents of the server, in the light of the data breach notifications and the complaints, and requested clarification "whether and how the Group's staff and the users of e-mail accounts in general were informed in advance of your company's right to proceed to control of e-mails, of the relevant conditions, of the procedural guarantees for carrying out a control, etc., as well as whether, when and how the staff was informed about this control ...".
27. The audited company AMPNI, before the hearing and instead of responding to the Authority's document prot. no. G/EX/5414-1/26-6-2018, submitted the Application for Reconsideration of 13-8-2018 for the revocation of Interim Order no. 2/2018 of the President of the Authority, without ultimately responding to any of the specific requests of the Authority, without substantiating, as required by Article 5(2) GDPR, the lawful operation of the infrastructure used (hardware and software - servers) that supports the processing of personal data (especially e-mails), without providing any written documentation of its internal compliance with the GDPR, in particular with the requirements for secure processing of data, without stating the necessary technical and organisational measures taken, and without providing any personal data management policy, any security policy, any employee regulations or any proof that the data subjects had been informed about the processing of their data and the exercise of their related rights, as well as about the possibility of control of their e-mails.
The then complainant ABS, in response to the same document of the Authority, presented with its memorandum prot. no. G/EIS/5935/04-07-2018 security policy documents which, however, lacked a date, signature and approval as well as proof of their application; moreover, they were said to concern an unclearly designated legal entity under the name "AEGEAN".
The audited company AMPNI then provided clarifications on the questions asked by the Authority with its document prot. no. G/EX/6211-1/14-8-2018, but again without documenting, as required by Article 5(2) GDPR, the lawful operation of the infrastructure used (hardware and software - servers) and without providing any written documentation of its internal compliance with the GDPR.
The then complainant ABS, in response to the same document of the Authority, stated with its document prot. no. G/EIS/7522/20-9-2018 that the policies it had submitted were drafted outside the European Union, specifically in the USA, and that they are applied by the parent company AMPNI, without presenting relevant evidence. In addition, it claimed that the "AEGEAN Rules of Procedure" presented in its memorandum had been drafted exclusively for the subsidiaries of AMPNI and that no reference is made therein to the control of employees' corporate e-mails or to how the company may proceed to such an act, for which the parent company is solely responsible and not ABS itself. Finally, in the same memorandum, ABS stated that both the companies of the AMPNI Group and third companies outside the AMPNI Group use the infrastructure and servers of ABS entirely informally and without any written contract.
28. At the hearing of 05-12-2018 before the Authority, ABS, through the replacement of its legal representative and its attorney, withdrew its complaint. This has no legal consequence for the continuation of the examination of the case before the Authority, since this is not a private dispute of civil law the subject matter of which is at the disposal of the parties. In addition, the Authority carries out ex officio investigations on the basis of information received concerning breaches of the personal data of data subjects.
AMPNI, both at the hearing before the Authority at the meeting of 05-12-2018 and later with its supplementary memorandum prot. no. G/EIS/10259/19-12-2018 (jointly with ABS), submitted clarifications as well as a series of allegations and objections, but again without documenting, as required by Article 5(2) GDPR, the lawful operation of the infrastructure used (hardware and software - servers) and without providing any written documentation of its internal compliance with the GDPR. On page 14 of the above memorandum AMPNI states that "the AMPNI Group has IT security policies (see attachments as Annex D)". This document is entitled "Information Systems Security Policy, Aegean Marine Petroleum Network Inc.", bears the date of signing of its latest version on ... by ... Director (...) II and was compiled by ... (...) N, in compliance not with the provisions of Regulation (EU) 2016/679 (General Data Protection Regulation) or Directive 95/46/EC but with the provisions of the US legislation "Sarbanes-Oxley Act 2002" ("SOX") and in particular Section 404 thereof (hereinafter "Article 404"), as indicated on each page of that policy.
In particular, this US law was passed to address corporate financial scandals and concerns corporate governance and the disclosure of financial transactions; under its provisions, companies whose securities are traded on US stock exchanges are obliged to integrate and implement internal control procedures and to prepare annual financial reports to the US Securities and Exchange Commission ("SEC") [35], which include an Internal Controls Report on financial transactions and the reliability of the financial statements. That report is made in accordance with the provisions of Article 404 SOX Act. Specifically, Article 404 SOX Act [36] introduces the obligation and responsibility of the company's management to set up, install and operate a system of internal control procedures related to the preparation of the financial statements that the company submits to the SEC, and includes an internal audit report evaluating the effectiveness and reliability of the internal control system during the preceding financial year [37].
From the above, in conjunction with the content of this information systems security policy under Article 404 SOX Act, it is apparent that the policy does not take into account the risks to the protection of the personal data of the data subjects arising from the use of the computer infrastructure (DANAOS, AMPFS1, AMPFS2 hardware and software), but aims at securing the corporate information necessary to achieve the objectives described above in relation to the SEC.

[35] Cf. the website of the U.S. Securities and Exchange Commission on Article 404 SOX at sec.gov/info/smallbus/404/guide/intro.shtml and sarbanes-oxley-101.com.
[36] For details see "Sarbanes-Oxley Section 404: A Guide for Management by Internal Controls Practitioners", The Institute of Internal Auditors.
[37] Under the SOX Act, companies are required to submit to the US Securities and Exchange Commission (SEC) Form 10-K, which includes an internal control report stating management's responsibility for the structure and the internal control procedures regarding the financial figures and the adequacy of the internal controls. A statement by the external auditors is also submitted on corrections to accounts, the recording of off-balance-sheet transactions, changes in share ownership by members of management, as well as information on the existence of a code of ethics.

From reading the US Article 404 SOX Act policy relied on by AMPNI it is moreover apparent that, in addition to the absence of any reference to the protection of personal data under the GDPR or Directive 95/46/EC and of any reference to or measure of internal organisational compliance with the principles of Article 5 GDPR and the legal bases of Article 6 GDPR, it lacks, indicatively, any provision in relation to: (a) the rights of data subjects (Articles 12-22 GDPR); (b) the application of appropriate technical and organisational measures in order to ensure and be able to demonstrate that the processing is carried out in accordance with the GDPR (Article 24(1) in conjunction with Articles 25 and 30 GDPR); and (c) the application of appropriate technical and organisational measures for the security of processing (Article 32 GDPR). In addition, there is no provision on whether or not the use of the corporate electronic communications infrastructure by AMPNI employees and executives is permitted in relation to the surveillance of, access to and control of the electronic communications of AMPNI employees and executives and, if so, on the terms, procedures and guarantees for carrying out the relevant controls and investigations on their personal data.
Finally, the US Article 404 SOX Act policy provided and cited by AMPNI does not address the risks arising from the processing of personal data (see recital 75 GDPR).
Finally, the audited company AMPNI submitted together with ABS the supplementary memorandum prot. no. G/EIS/2616/05-4-2019 to rebut the memoranda of the complainants and of L, former legal representative of ABS, but again without documenting, as required by Article 5(2) GDPR, the lawful operation of the infrastructure used (hardware and software - servers) and without providing any written documentation of its internal compliance with the GDPR.
29. Moreover, the audited company AMPNI, despite the Authority's requests and questions, both before the hearing and during it, did not answer and did not document, as it was required to under Article 5(2) GDPR, the lawfulness under Article 5(1) GDPR of the processing of personal data in the context of the operation of the infrastructure used (hardware and software - "original servers").

In particular, it follows from all the above that the audited company AMPNI, as controller, did not take any internal compliance measures under Articles 5(1) and 6(1) GDPR in relation to the lawful operation of the infrastructure used (hardware and software - "original servers" DANAOS, AMPFS1, AMPFS2) that supports the processing of personal data (in particular e-mails) contained in a filing system; did not provide any written documentation of such internal compliance, as required by the GDPR under Article 5(2) GDPR, in particular with the requirements for secure processing of personal data; did not take the necessary technical and organisational measures under Article 5(1)(f) in conjunction with Articles 24(1) and (2) and 32(1) and (2) GDPR to guarantee the appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage ("integrity and confidentiality"); did not appear to have designed, prepared and implemented, in compliance with the provisions of Article 5(1) GDPR, any of the accountability measures referred to in recitals 11 and 16 hereof, including personal data management policies and security policies in accordance with the requirements of the GDPR; did not take measures of physical and/or logical separation; did not produce a staff regulation or any other internal document containing provisions on data protection; and did not provide any proof that data subjects had been informed about the processing of their personal data during the operation of the computer infrastructure used (hardware and software - "original servers" DANAOS, AMPFS1, AMPFS2), about the exercise of their related rights, and about the possibility of control of their e-mails.
On the contrary, the audited company AMPNI focused its arguments, orally, on later or further stages of the processing of the same data, namely the stage of access to and control of the e-mails on the servers (stage 2), the subsequent copying (stage 3) and the transmission to Manchester, United Kingdom (stage 4) of the contents of the original servers ("copy server"), claiming that the conditions of Article 6(1)(f) GDPR for the processing of personal data were met, again without substantiating, as required by Article 5(2) GDPR, the lawfulness of the processing of personal data under Article 5(1) GDPR, which is a prerequisite for the oral invocation of Article 6(1)(f) GDPR on overriding legitimate interest. However, as was also set out in recital 17 hereof, processing of personal data in violation of the principles of Article 5(1) GDPR is not remedied by the existence of a lawful purpose and a legal basis under Article 6(1) GDPR.
In this case, the audited company AMPNI was obliged, having first proved, as required by Article 5(2) GDPR, that it had taken and implemented measures of compliance with the provisions of Articles 5(1) and 6(1) GDPR as to the lawfulness of the processing of personal data that took place in the computer infrastructure used (hardware and software "original servers" DANAOS, AMPFS1, AMPFS2), then to prove, again under Article 5(2) GDPR, the lawfulness under Articles 5(1) and 6(1) GDPR of the subsequent (for the initial purposes) or further (for different purposes, under Article 6(4) GDPR) independent and distinct processing operations, namely: (b) access to and control of the e-mails held on the servers, (c) the creation of a new filing system by copying the original filing system and (d) the transmission of the copied filing system (server back-up, according to AMPNI) to Manchester, United Kingdom (see AMPNI documents prot. no. G/EIS/7306/10-9-2018, p. 6, and G/EIS/7434/17-9-2018, p. 6).
In view of the above, given that the original collection, storage and processing in general of the personal data contained in the filing systems of the computer infrastructure (hardware and software "original servers" DANAOS, AMPFS1, AMPFS2) has already been found to be unlawful and in breach of the provisions of Article 5(1) GDPR, and especially those of Article 5(1)(a) and (f) and 5(2) in conjunction with Articles 24(1) and (2) and 32 GDPR, it follows that the subsequent or further processing of the same personal data, and in particular the access to and control of the e-mails, the copying of the contents of the "original servers" and the creation of a new filing system, and the sending of the new copied filing system to Manchester, United Kingdom, are also unlawful and violate all the principles of Article 5(1) and (2) as well as Article 6(1) GDPR, as they are inextricably linked to and originate from the original unlawful processing of the personal data of the "original server" filing system.
30. As a result of the above deficiencies, the Authority further notes, in accordance with the facts accepted in recital 25, that the same computer infrastructure (DANAOS, AMPFS1, AMPFS2 server hardware and software) was used for the subsequent or further processing of the personal data (e-mails) of data subjects who worked for and were associated both with the companies of the AMPNI Group and with third companies outside the AMPNI Group, without the necessary measures of physical and logical separation having been taken, with the result that the administrator of the system and computer infrastructure accessed and processed, on behalf of AMPNI, personal data (e-mails) of data subjects unrelated to it [38]. Hence, owing to the lack of appropriate technical and organisational measures, in particular those requiring physical and logical separation, the risk to the confidentiality and integrity of personal data materialised through their access, copying and transfer to Manchester, United Kingdom.
It follows from the above that the subsequent or further processing, by access, copying and transmission to Manchester, of the personal data of individuals related to the AMPNI Group was unlawful because it concerned personal data that had not been lawfully processed from the outset, while, as regards the personal data of natural persons related to third companies outside the AMPNI Group, it was unlawful additionally on account of the lack of physical and logical separation measures.
31. In view of the above, the Authority considers that the audited company AMPNI, as controller:
on the one hand, did not apply all the principles of Article 5(1) GDPR and Article 6(1) GDPR on the lawfulness of the processing of personal data (especially e-mails) that took place in the computer infrastructure used (hardware and software of the original servers DANAOS, AMPFS1, AMPFS2), nor in any subsequent or further processing of the same personal data, and did not prove their observance as required by Article 5(2) GDPR;
on the other hand, violated the provisions of Article 5(1)(a) and (f) and 5(2) in conjunction with Articles 24(1) and (2) and 32(1) and (2) GDPR on the principle of secure processing (in particular "confidentiality") of the personal data that took place in the computer infrastructure used (hardware and software of the original servers DANAOS, AMPFS1, AMPFS2), by failing to take appropriate technical and organisational measures, as well as in the context of any subsequent or further processing of the same personal data, so that examination of the observance of the processing principles of points (b), (c), (d) and (e) of Article 5(1) and of Article 6(1) GDPR is unnecessary, in accordance with what was accepted in recital 11 hereof.

[38] Cf. the printouts of the e-mails submitted through ABS's memoranda before the hearing before the Authority, in particular the supplementary memorandum no. G/EIS/5432/18-6-2018 with a list of e-mail addresses.
32. The objections and allegations of the audited company AMPNI:
i. As to the objection that the GDPR does not apply pursuant to Article 3(1), since "[...] AMPNI is a company based in the Republic of the Marshall Islands, is listed on the New York Stock Exchange and is the head of the AMPNI Group. AMPNI does not have an establishment in Greece but maintains only a mailing address in Piraeus. ABS is a 100% subsidiary of AMPNI. Therefore, AMPNI does not have an establishment in Greece [...] the purpose of the export/copying of the data ... had nothing to do with the activities of the companies of the AMPNI Group in GREECE. That is, there is no relationship between the purpose for which the data were exported and the activities of the Greek companies ..." (see Supplementary Memorandum of AMPNI and ABS, HDPA prot. no. G/EIS/10259/19-12-2018, pp. 5-8).
From Article 3(1) GDPR, recital 22 GDPR and the Guidelines 3/2018 of the European Data Protection Board on the territorial scope of the GDPR (under consultation), it follows that the GDPR applies to the processing of personal data in the context of the activities of an establishment of the controller, which presupposes the effective and real exercise of an activity, and which should not be construed narrowly and formalistically by reference, e.g., to the place of registration of the company in the relevant registers (see CJEU C-210/16 Wirtschaftsakademie (Facebook fan page), judgment of 05-6-2018, in particular paras 56 and 53-55, 57; C-230/14 Weltimmo v NAIH, judgment of 01-10-2015, in particular paras 29 and 31).
In this case, the audited company AMPNI argues only on the subsequent or further processing, i.e. the access to and control of the e-mails and the copying of the contents of the servers, without putting forward any claims on the lawfulness of the original collection, storage and processing of the personal data contained in the filing systems of the computer infrastructure (DANAOS "original server" hardware and software, AMPFS1, AMPFS2).
This computer infrastructure (hardware and software "original servers" DANAOS, AMPFS1, AMPFS2) was, at the material time, installed in Greece, specifically in Piraeus at Akti Kondili 10, and owned by ABS, a subsidiary of AMPNI, according to the statement of AMPNI itself (see HDPA prot. no. G/EIS/7306/10-9-2018 document, p. 2): "The Server belongs to the AMPNI Group and in particular was purchased, together with the required equipment, earlier in 2018, by ABS, a member of the AMPNI Group and 100% subsidiary of the Company".
In addition, it emerged that the use of the servers installed in Greece and the processing of personal data through them took place following decisions of AMPNI, which determined the purposes and means of the processing within the meaning of Article 4(7) GDPR both for itself and for its subsidiary companies in the exercise of its activities. Further, according to the statement of AMPNI itself (see the same document, p. 2): "The Server belongs to ABS, a member of the AMPNI Group. That is, in terms of ownership, it has been purchased by ABS. ABS, however, does not process personal data on behalf of the Company".
In addition to the above and in the alternative, AMPNI's objection that it has no real establishment in Greece but only a postal address, and that it is based in the Republic of the Marshall Islands, must be rejected, given that it declares the address Akti Kondili 10, Piraeus as the address of its establishment and actual operation, first, before the Authority in the Application for Reconsideration it submitted (see HDPA prot. no. G/EIS/6211/13-7-2018, p. 1) and, second, before the US Securities and Exchange Commission (SEC), as is apparent from Annexes A and B attached to the aforementioned Application for Reconsideration, as well as from the annual report of 16-5-2017 [39] to which it refers in its document G/EIS/7306/10-9-2018 to the Authority and which contains the following entry: AEGEAN MARINE PETROLEUM NETWORK INC., 10, Akti Kondili (Address of Principal Executive Office), Piraeus 185 45, Greece (underlining and bold from the Annexes).
For these reasons, the Authority rejects this objection-allegation of the audited company AMPNI.

[39] Cf. aegeanmarine.gcs-web.com/static-files/ebca7627-4368-4e6c-9a75-45862ad60cac
ii. As to the objection according to which the US Bankruptcy Court for the Southern District of New York issued, under the AMPNI bankruptcy petition, an order of global effect pursuant to Section 362(a) of the US Bankruptcy Code which, according to its allegations, on the one hand prohibits the continuation of the proceedings before the Authority and, on the other hand, the exercise of control over the assets of the bankruptcy estate, which, according to the audited company AMPNI, includes "[...] certain, if not all, of the data under discussion, which are assets of the bankruptcy estate":
In this case, it does not appear from any provision of national or European legislation, nor from any international or other bilateral or transnational convention, that the cited US Bankruptcy Court order produces legal effects in Greece; nor does the audited company AMPNI claim as much, nor does it produce a Greek court decision recognising the enforceability of such a foreign court order.
In addition, the audited company AMPNI misinterprets the national and European legislation on the protection of personal data, assuming as a given, in order to submit the relevant objection-allegation, that the personal data processed by the controller constitute its "property" and therefore part of its "estate", as will be demonstrated below.
For these reasons, the Authority rejects this objection-allegation of the audited company AMPNI.
iii. As to the objection that the complaint against the audited company ABS was submitted without standing and is therefore inadmissible, having been lodged by a legal person and not by a natural person under Article 77(1) GDPR (namely the subsidiary ABS), with the result that Interim Order No. 2/2018 of the President of the Authority is invalid, and that ABS has withdrawn its complaint against the audited company AMPNI, it is additionally pointed out, with reference to recital 28 of the present decision, that the audit was carried out ex officio under Article 57(1)(a) and (h) GDPR on the basis of information received by the Authority, primarily from the data breach notification submitted by ABS on 18-6-2018 (HDPA ref. no. 5432/18-6-2018). In any event, even if the complaint submitted by ABS were inadmissible, the Authority is entitled under Article 57(1)(a) and (h) GDPR, in combination with Article 19(1) of Law 2472/1997, to carry out ex officio audits and investigations solely on the basis of the information it receives concerning actual cases of breach of the data protection legislation in force. In addition, under Article 19(1)(iγ) of Law 2472/1997 the Authority is entitled, but not obliged, to dismiss requests or complaints which it judges to be manifestly vague or unfounded, or which are submitted abusively or anonymously. It therefore follows from the above provisions, which continue to apply insofar as they do not conflict with the GDPR (see HDPA Decisions 46/2018 and 52/2018), that the Authority had the right to carry out an audit on the basis of the factual information alone, irrespective of whether or not the complaint was valid.

In addition, the President of the Authority, notwithstanding the application for an interim order filed by ABS, issued Interim Order No. 2/2018 ex officio, taking note of the facts relied upon, as is apparent from the body of the Interim Order itself, which does not state that it grants that application. Interim Order No. 2/2018 of the President of the Authority is therefore not invalid.

Finally, the withdrawal by ABS of its complaint against the audited company AMPNI, and likewise the objection that the complaint is inadmissible because it was lodged by a legal person, find no support in any provision of law, given that this is not a private civil-law dispute whose subject matter is at the disposal of the parties and, as stated above, the Authority investigates ex officio any information on breaches of the personal data protection legislation (see, ad hoc, HDPA Decision 136/2015, recital 6(a)).

For these reasons, the Authority rejects these objections of the audited company AMPNI.
iv. As to the objection that the individual complaints of the natural persons are inadmissible because they did not first approach the controller to exercise their rights under Articles 15-22 GDPR, it should first be noted that, on the one hand, it follows from Article 77(1) GDPR that every data subject has the right to lodge a complaint directly with the Authority if it considers that the processing of personal data relating to it infringes the GDPR. In this case, the natural persons complained of an infringement of the GDPR against them, and not of an unsatisfactory response by the audited company AMPNI to the exercise of their rights under Articles 15-22 GDPR.

On the other hand, as stated above, the Authority acts on its own initiative and investigates any fact of infringement of the data protection legislation in force, whether or not the complainants bear the burden of proving their allegations and whether or not they prove their validity.

In this case, the complainants complained of the allegedly unlawful copying of their personal data contained in the filing systems of the computing infrastructure (hardware and software of the "original servers" DANAOS, AMPFS1, AMPFS2). In order to verify the lawfulness of that copying, the Authority proceeded ex officio to investigate the lawfulness of the original collection, retention and processing of the personal data contained in the "original servers".

As already stated, the burden of demonstrating, under Article 5(2) GDPR, the lawfulness of each processing operation under Articles 5(1) and 6(1) GDPR rests with the controller and not with the data subject.

For these reasons, the Authority rejects this objection of the audited company AMPNI.
v. As to the objection that the corporate e-mails exchanged via corporate e-mail accounts are not personal data and that they constitute an "asset" belonging to the "property" of the company, the Authority has already rejected this claim on the basis of recitals 4, 5 and 6 of the present decision, concluding that the audited company processed personal data contained in a filing system of the computing infrastructure (hardware and software of the "original servers" DANAOS, AMPFS1, AMPFS2) without complying with the principles of Articles 5(1) and 6(1) GDPR and in breach of the principle of secure processing under Article 5(1)(a) and (f) GDPR.

Moreover, in this case the fact that the e-mail addresses had as their first component the username, i.e. identifiers of the form name.surname@company.gr, is sufficient for their characterisation as personal data, without any need to examine the content of the e-mails in order to determine whether they are professional or private correspondence, or whether they originate from a corporate or a private e-mail account, in accordance with what was accepted in recitals 4, 5 and 6 of the present decision.

Therefore, the claim of the audited company AMPNI that the complainants must produce "personal" e-mails, sent from non-corporate (private) e-mail accounts and containing personal data copied by AMPNI, in order to prove the validity of their complaint is, on the one hand, unfounded for the reasons above; on the other hand, the Authority examined the principles of Articles 5(1) and 6(1) GDPR as to the lawfulness of the processing of personal data, i.e. of the whole body of e-mails hosted on the computing infrastructure used (hardware and software of the "original servers" DANAOS, AMPFS1, AMPFS2), as well as of any subsequent or further processing of the same personal data, so that there is no need to address the individual complaints of the natural persons, as will be discussed below.

Finally, as already accepted in recital 6 of the present decision, the claim of the audited company AMPNI that the personal data belong to its "property" or "assets" is wholly contrary to national and European law, and the controller is not the "owner" of the personal data it processes. If the controller were the "owner" of the personal data it processes, Article 6(1) GDPR would not lay down, as a rule, a prohibition on the processing of personal data which requires one of the legal bases provided for there in order to render the processing lawful, nor would the data subject be granted a set of rights of control over personal data (Articles 12-22 GDPR), in particular the rights to object, to restriction, to erasure and to portability.

For these reasons, the Authority rejects this objection of the audited company AMPNI.
vi. As to the objection of the audited company AMPNI that any consideration by the Authority of new evidence submitted by the complainants after the close of the hearing infringes its right to be heard, it should first be noted that the audited company, on the one hand, received notice and copies of the documents submitted by the complainants after the hearing, together with a deadline of 15 days to submit its views on them (HDPA ref. no. 2214/21-3-2019), and, on the other hand, itself submitted new evidence after the close of the hearing and also took a position on the allegations and evidence submitted by the complainants after the hearing (see Supplementary Memorandum of AMPNI and ABS, HDPA ref. no. 2616/05-4-2019).

In addition, no provision of the Code of Administrative Procedure or of any other legislation prohibits the submission of new evidence after the close of the hearing of the audited party, or requires that all the evidence on which the Authority will rule must have been gathered before the hearing, given that the purpose of the hearing is to provide explanations and information to clarify issues which may even have first arisen during it, as is also the case in hearings before other constitutionally established independent administrative authorities, such as the Hellenic Authority for Communication Security and Privacy (ADAE).
vii. As to the objection of the audited company that the extension of the deadline granted for the submission of a memorandum after the hearing was unlawful, it should be noted that the extension was lawful, since the audited company AMPNI, together with ABS, submitted a request for the recusal of the rapporteur of the case after the deadline had begun to run and while it was still running, with the result that the deadline was automatically suspended until a decision on the recusal request was issued and a new deadline set. In no case could the initial deadline for the submission of a post-hearing memorandum have run if the Department of the Authority had not first decided on the recusal request. On the contrary, the submission by the audited company AMPNI, together with ABS, of a post-hearing memorandum while the recusal request they themselves had filed was pending, and without awaiting the decision on it, is wholly inconsistent with the recusal request itself, since on the one hand the companies requested the recusal of the rapporteur while on the other hand they submitted a memorandum to the Department of the Authority in which the rapporteur participated.

For these reasons, the Authority rejects this objection of the audited company AMPNI.
viii. The audited company AMPNI further alleges that it lawfully accessed the computing infrastructure used (hardware and software of the "original servers" DANAOS, AMPFS1, AMPFS2) in order to inspect the e-mail of specific natural persons, former and current employees and executives of the AMPNI Group; that these inspections were lawful; that software for wiping already deleted files was discovered by chance, making it necessary to copy the entire computing infrastructure used, including personal data (e-mails) of natural persons affiliated with third-party companies outside the AMPNI Group; that there was no obligation to notify the Authority of a personal data breach upon detection of the wiping "malware"; that, as employer, it had under Article 6(1)(f) GDPR an overriding legitimate interest in inspecting and copying the e-mails in the context of the audit carried out; and that it was not obliged to inform the data subjects either before or after copying their e-mails.

A prerequisite for answering the above allegations is, as stated above in recitals 17, 18, 22, 29 and 30 of the present decision and in Interim Order No. 3/2018 of the President of the Authority, proof of the lawfulness of the initial processing (collection and retention) of the personal data held on the computing infrastructure used (hardware and software of the "original servers" DANAOS, AMPFS1, AMPFS2).

Given that the Authority found the original collection, retention and processing in general of the personal data contained in the filing systems of the computing infrastructure (hardware and software of the "original servers" DANAOS, AMPFS1, AMPFS2) to be unlawful, and in particular in breach of the principle of secure processing, it follows that the subsequent or further processing of the same personal data, namely the access to and inspection of e-mails, the copying of the contents of the "original servers" to a "server copy" by which a new filing system was created (a "back up" according to AMPNI), and the transfer of that new copy filing system to Manchester, United Kingdom, are likewise unlawful and infringe all the principles of Article 5(1) and (2) and Article 6(1) GDPR, being inextricably linked to and derived from the initial unlawful processing of the personal data in the "original server" filing system. It is therefore unnecessary to examine either the complaints of the natural persons or the rebuttal claims of the audited company AMPNI, which focus exclusively on the subsequent or further processing of personal data. In other words, even if the natural persons had not submitted their complaints (which concern the subsequent or further processing), the copying of the "original servers" would be unlawful because the conditions for lawful processing of the personal data they contained were not met from the outset.

Thus, neither the invocation by the audited company AMPNI of the legal basis of Article 6(1)(f) GDPR for the inspection, access, copying and transfer of the contents of the "original servers", nor the invocation of the need to copy them on account of the "malware" detected, can retroactively legitimise the earlier processing of personal data carried out in breach of Articles 5(1) and 6(1) GDPR, in accordance with what was accepted in recitals 17 and 22 of the present decision.

For these reasons, the Authority rejects this objection of the audited company AMPNI.
33. By contrast, the information in the file and at the hearing did not show that the company "ERNST & YOUNG (HELLAS) CERTIFIED AUDITORS ACCOUNTANTS SA" participated in or assisted the controller's breach of Articles 5(1) and 6(1) GDPR, in particular at the stage of access to, inspection, copying and transfer to Manchester, United Kingdom of the personal data.
34. According to recital 148 GDPR, in order to strengthen the enforcement of the rules of the Regulation, penalties including administrative fines should be imposed for any infringement of the Regulation, in addition to, or instead of, appropriate measures imposed by the supervisory authority pursuant to the Regulation. In a case of a minor infringement, or if the fine likely to be imposed would constitute a disproportionate burden on a natural person, a reprimand may be issued instead of a fine.

Having established the infringement of the GDPR provisions set out above, and taking into account, in addition to the above, in particular the Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679 adopted on 03-10-2017 by the Article 29 Working Party (WP 253), and having duly considered the provisions of Article 83 GDPR to the extent applicable to this case, and in particular the criteria of paragraph 2 of that Article as they relate to the specific case examined by the Authority:

(a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them, namely:
i. the fact that the company infringed the principles of Article 5(1) GDPR as well as the obligation (principle) of accountability under Article 5(2) GDPR, i.e. fundamental principles of the GDPR for the protection of personal data;
ii. the fact that the requirement of secure processing under Article 5(1)(f) GDPR has now been elevated to a basic principle of personal data processing, so that, even if the other processing principles are observed, the processing is rendered wholly unlawful where the controller does not ensure adequate security;
iii. the fact that the principle of accountability likewise acquires fundamental importance under the new compliance model introduced by the GDPR, where the burden of compliance and the corresponding responsibility lie with the controller, which the GDPR has provided with the necessary compliance tools;
iv. the fact that, according to Opinion 3/2010 of the Article 29 Working Party on the principle of accountability (WP 173, 13-7-2010), the establishment of internal accountability measures for compliance with the processing principles (paras 39-51, in particular paras 41 and 44) offers great potential for effective implementation, reducing the likelihood of the controller infringing the legislation; the assessment of sanctions therefore takes into account compliance with the principle of accountability (para. 38), while a breach of it calls for substantial sanctions, as in the case where a controller fails to comply with the statements contained in its binding internal policies, which are taken into account in addition to the actual breach of the substantive data protection principles (para. 64);
v. the fact that the controller did not take any internal measures, under the principle of accountability, to apply and implement the personal data processing principles of Article 5(1) GDPR, not even those designated as "basic" in Opinion 3/2010 of the Article 29 Working Party (para. 44, ibid.);
vi. the fact that the infringement of the above principles took place in the context of the processing of personal data on a computing infrastructure (hardware and software) which is used to serve a large number of electronic communications of data subjects;
vii. the fact that the infringement of the above principles took place in the processing of personal data of data subjects in an employment relationship, which is characterised by an imbalance of power between employer and employees. The importance which the GDPR attaches to the processing of personal data in the employment context is shown by the fact that Article 88 thereof allows the national legislature to lay down specific rules to ensure the protection of the rights and freedoms of employees, including suitable and specific measures to safeguard the data subject's human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings and monitoring systems at the workplace. Observance of the principles laid down in Article 5(1)(a) and (2) GDPR therefore acquires, in this case, particular and significant importance for respecting the right to protection of employees' personal data;
viii. the fact that the principle of secure processing of personal data under Article 5(1)(f) GDPR was substantially infringed, through which, ultimately, access to, copying, transfer and, in general, processing of personal data of data subjects affiliated with third parties outside the AMPNI Group was achieved;
ix. the fact that the infringement of the above principles falls within Article 83(5)(a) GDPR, which provides for administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, i.e. the higher category of the system for classifying administrative fines, the imposition of which is reserved, in accordance with the principle of proportionality, for the most serious infringements of the GDPR. It is therefore already apparent from the provisions of the GDPR that infringement of the principles of Article 5(1) and (2) GDPR is treated as of greater importance than the infringements provided for in Article 83(4) GDPR;
x. the fact that damage was caused to the data subjects' right to the protection of personal data by the infringement of the above principles, and in particular, firstly, the processing of the personal data as such, secondly, the continuation of that processing in breach of the GDPR across several stages (initial retention and processing, access and inspection, copying, transfer), and thirdly, the complete deprivation of the data subjects' rights and of the exercise of control over their personal data (cf. recital 75 GDPR and the Article 29 Working Party guidelines on administrative fines, ibid., p. 11);
xi. the fact that, from the information presented to the Authority, no evidence of material damage to the data subjects has emerged at this stage, nor was any such material damage relied upon;
xii. the fact that the infringement of the principles of Article 5(1) and (2) GDPR did not, on the basis of the information provided to the Authority, concern personal data referred to in Articles 9 and 10 GDPR;
xiii. the fact that the infringement of the principles of Article 5(1) and (2) GDPR concerned every data subject whose personal data were processed in the context of the electronic communications service provided by the computing infrastructure (hardware and software), so that it is not an individual or occasional infringement but one of a systemic (structural) character.
(b) the intentional or negligent character of the infringement:
It emerged from the hearing before the Authority and from the controller's memoranda that the company was entirely unaware of its compliance obligations under the GDPR and, moreover, showed no willingness to comply, as will be demonstrated below. The infringements found were therefore the result of a complete lack of knowledge and application of the GDPR provisions in the organisation of internal compliance, even though the controller could and should, in particular by virtue of accountability, have complied with the provisions of the GDPR, thereby breaching the duty of care required by law.
(c) any action taken by the controller to mitigate the damage suffered by data subjects:
The controller took no action to remedy or mitigate the damage suffered by the data subjects, nor did it inform them, even after the unlawful processing of their personal data. It should be noted at this point that, to justify not informing the data subjects in advance, the controller invoked the exception of Article 14(5)(b) GDPR, so as not to jeopardise the achievement of the purposes of the processing, namely the internal audit relied upon. Regardless of whether that claim is valid, even after the completion of the alleged internal audit the controller never informed the data subjects of the subsequent or further processing, namely the copying and transfer of their data to Manchester, United Kingdom, and in particular the natural persons affiliated with third parties outside the AMPNI Group, so that to date they have not been informed of it. It is recalled that, in accordance with what has been accepted in the present decision, the infringement of the principles of Article 5(1) GDPR occurred to the detriment of every data subject whose data were found to have been unlawfully processed, and not only of the complaining natural persons.
(d) the degree of responsibility of the controller, taking into account the technical and organisational measures implemented pursuant to Articles 25 and 32:
The controller neither implemented technical and organisational measures nor carried out the necessary assessments in order to draw appropriate conclusions (see recital 28 of the present decision).
(e) any relevant previous infringements by the controller:
A relevant check shows that no administrative sanction has been imposed on it by the Authority to date.
(f) the degree of cooperation with the Authority in order to remedy the infringement and mitigate its possible adverse effects:
The Authority recognises as a mitigating circumstance the controller's admission of the unlawful copying and transfer to Manchester, United Kingdom of "[...] any e-mails of natural persons who do not have and/or did not have any employment or service relationship or any other relationship with companies of the AMPNI group, which AMPNI would be willing to separate out and to provide evidence thereof" (Supplementary Memorandum of AMPNI and ABS of 05-4-2019, pp. 8 and 12, HDPA ref. no. 2616/05-4-2019, last page, point 4), as well as its stated intention, as above, to proceed with their separation or deletion (see Supplementary Memorandum of AMPNI and ABS of 19-12-2018, p. 23), although it expressed no such intention with regard to the personal data of the other data subjects.
(g) the categories of personal data affected by the infringement:
According to the information provided to the Authority, these are not personal data referred to in Articles 9 and 10 GDPR.
(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement:
In this case, the Authority became aware of the infringements ultimately found primarily through the data breach notification submitted by ABS, on the basis of which it carried out an ex officio audit. The controller itself neither informed the Authority nor submitted its own data breach notification.
(i) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement:
In addition to the above, the Authority recognises as a further mitigating factor that, on the basis of the information presented to it to date and on which it found the infringement of the GDPR, the controller neither derived any financial benefit nor caused material damage to the data subjects.

The Authority recognises as an aggravating factor that the controller has to date shown no intention of complying with the requirements of the GDPR, nor has it informed the Authority of its adoption of an internal compliance programme in order to render lawful, under Articles 5(1) and 6(1) GDPR, any processing of personal data carried out on the computing infrastructure (hardware and software of the "original servers"). In a series of documents submitted to the Authority, especially after the hearing, the controller focused all its efforts on stressing the importance to it of using the contents of the copied servers ("back up" servers, according to it) for the purposes of the internal audit of the AMPNI Group and, consequently, for the submission of relevant data to the US Securities and Exchange Commission and the competent US judicial authorities, even requesting that the Authority not impose the sanction of destruction of the contents of the copied servers, at a time when the Authority had prohibited the processing and use of the contents of the copied servers, but not, at that time, of the "original servers".
THE AUTHORITY

Having taken into account the above,

Whereas, under Article 58(2) GDPR, it exercises its corrective powers in the present case by imposing corrective measures;

Whereas, pursuant to Article 58(2)(d) GDPR, the Authority decided to order the company "AEGEAN MARINE PETROLEUM NETWORK INC (AMPNI)", as controller, to bring into compliance with the provisions of the GDPR the processing of personal data contained both in the computing infrastructure used (hardware and software of the "original servers" DANAOS, AMPFS1, AMPFS2) and in the new filing system constituting a copy of the original servers that was sent to Manchester, United Kingdom;

Whereas, in particular, the company must take all necessary internal compliance and accountability measures for the principles of Article 5(1) and (2) in combination with Article 6(1) GDPR;

Whereas the above order must be executed within three (3) months of receipt of the present decision, informing the Authority accordingly;

Whereas the above corrective measure alone is not sufficient to restore compliance with the infringed provisions of the GDPR, in accordance with what was accepted in recital 31 of the present decision, and moreover the company, despite its substantial admission of at least part of the infringement of the GDPR, has shown complete disregard for compliance with the provisions of Articles 5 and 6(1) GDPR;

Whereas the Authority considers that, in the circumstances of this case, an effective, proportionate and dissuasive administrative fine under Article 83 GDPR should additionally be imposed pursuant to Article 58(2)(i) GDPR, both to restore compliance and to punish the unlawful conduct (cf. Article 29 Working Party, Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679, WP 253, p. 6);

Whereas the infringement of Articles 5 and 6 GDPR found by the Authority falls within Article 83(5)(a) GDPR, which provides for administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher;

Whereas the Authority took into account, on the one hand, that AMPNI has filed for bankruptcy in the US and, on the other hand, that according to the report the company submitted in 2017 to the US Securities and Exchange Commission (SEC), its total revenue for the year 2016 was USD 4,076,219,000.00 (see p. 157 of the document attached to HDPA ref. no. 7306/10-09-2018; also available at aegeanmarine.gcs-web.com/static-files/ebca7627-4368-4e6c-9a75-45862ad60cac);

Whereas, upon the issuance of the present decision, Interim Orders No. 2/2018 and 3/2018 of the President of the Authority cease to have effect under Article 19(7)(a) of Law 2472/1997, and what is accepted in the operative part of the present decision now applies;

FOR THESE REASONS

THE AUTHORITY

A. Orders the company "AEGEAN MARINE PETROLEUM NETWORK INC (AMPNI)", within three (3) months of receipt of the present decision and informing the Authority accordingly, to:
i. bring into compliance with the provisions of the GDPR the processing operations on the personal data contained both in the computing infrastructure used (hardware and software of the "original servers" DANAOS, AMPFS1, AMPFS2) and in the new filing system constituting a copy of the original servers sent to Manchester, United Kingdom;
ii. take all necessary internal compliance and accountability measures for the principles of Article 5(1) and (2) in combination with Article 6(1) GDPR.

B. Imposes on the company "AEGEAN MARINE PETROLEUM NETWORK INC (AMPNI)" the effective, proportionate and dissuasive administrative fine appropriate to the particular case in view of its specific circumstances, amounting to one hundred and fifty thousand (150,000.00) euros.

The Vice President                          The Secretary
George Batzalexis                           Irini Papageorgopoulou