Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Create an account
Join our community for free to access exclusive whitepapers, reports, and regulatory information.
Greece: HDPA fines NIS €10,000 for the transmission of employee redeployment data
On October 31, 2024, the Hellenic Data Protection Authority (HDPA) announced that it had published its Decision No. 39/2024 and Decision No. 40/2024 as issued on the same date, in which it imposed an administrative fine of €10,000 on the National Intelligence Service (NIS) for General Data Protection Regulation (GDPR) violations, following complaints by two employees who served in the NIS.
Background to the decision
The HDPA noted that, on December 15, 2021, the NIS claimed that it transmitted the details of reassignment and deployment of the complainants, which included their personal data, to the Minister of Citizen Protection, the Deputy Minister of Citizen Protection, and the head of the Greek Police, following the provisions of Article 74 of Law 4873/2021 (requiring the compulsory redeployment of civil staffs of the NIS), which had just been signed into law on the same day. However, the complainants claim that the transmission of their data was done without any legal basis, as Law 4873/2021 did not come into force until December 16, 2021, when it was published in the official gazette.
Findings of the HDPA
The HDPA found in favor of the complainants, stating that the Law only acquired formal force and legal status after it was published in the official gazette, therefore, the transmission of the data before then was done without legal basis but also without prior notification of the complainant. Subsequently, the HDPA found NIS in violation of the principles of legality, objectivity, and transparency (Article 5(1)(a) of the GDPR). Furthermore, NIS was found not to have met the conditions for providing relevant information to the data subjects as required under Article 13 of the GDPR.
Outcomes
In light of the above, the HDPA fined NIS a total of €10,000, particularly €4,000, in each case, for the violation of Article 5(1)(a) of the GDPR and €1,000, in each case, for the violation of Article 13 of the GDPR.
You can read the press release for Decision No. 39/2024 here and the decision here and read the press release for Decision No. 40/2024 here and the decision here, all only available in Greek.
Send us your Feedback!
Please let us know what you think of DataGuidance! It will only take 60 seconds and help us make the site better for you.
