Greece: HDPA fines Municipality and Test IT Systems General Partnership €20,000 for failure to secure personal data processing
On July 5, 2024, the Hellenic Data Protection Authority (HDPA) announced that it had published its Decision No. 18/2024 as issued on the same date, in which it imposed an administrative fine of €15,000 on the Municipality of Alimos and €5,000 on Test IT Systems General Partnership (the processor) for General Data Protection Regulation (GDPR) violations, following an investigation into a complaint regarding unsecured data held by the Municipality.
Background to the HDPA's decision
The HDPA noted that it received a data breach notification from a complainant, who informed it that thousands of files containing personal data held by the Municipality were easily accessible to any user via the Internet. During its investigation, the HDPA downloaded a large number of files containing the personal data of citizens of the Municipality from the reported website, thereby confirming the complaint. The Municipality was informed of this data security gap and confirmed that it had resolved it together with the processor, which had been contracted to implement and support the Municipality's relevant online services. Upon receiving a further complaint from the same complainant, the HDPA established that the violation had persisted.
Findings of the HDPA
The HDPA found that the Municipality violated Articles 5(1)(f) and 32(1) of the GDPR by not taking appropriate technical and organizational measures to ensure the security of personal data against unauthorized or illegal processing and accidental loss, destruction, or damage. The HDPA also found the Municipality in violation of Articles 28(3), 33(4), 34(1), and 34(2) of the GDPR for failing to establish clear obligations of the processor towards the controller in relation to the accessing and processing of personal data stored on the website in the written contract. In addition, the Municipality was found to have violated Article 25(1) of the GDPR.
Furthermore, the HDPA found that the processor violated Articles 32(1) and 28(3) of the GDPR by not applying appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the latest developments, the costs of implementation, the nature, scope, context, and purposes of the processing, and the likelihood and severity of the risk to the rights and liberties of natural persons.
Outcomes
In light of the above, the HDPA imposed an administrative fine of €15,000 on the Municipality and issued a reprimand. The HDPA also fined the processor €5,000.
You can read the press release here and the decision here, both available only in Greek.