On May 27, 2024, the Hellenic Data Protection Authority (HDPA) announced that it had published its Decision No. 16/2024 as issued on May 27, 2024, in which it imposed an administrative fine of €40,000 on MEP Anna Michelle Asimakopoulou and €400,000 on the Ministry of Interior for General Data Protection Regulation (GDPR) violations, following an investigation into complaints regarding unsolicited political communication.

Background to the HDPA's decision

The HDPA noted that it received a large number of complaints regarding unsolicited political communication via email from the MEP. Following an investigation, the HDPA established that a file with personal data of all registered foreign voters for the June 2023 elections, for which the Ministry of Interior is responsible for processing, was leaked outside of the Ministry. The file contained personal data, such as email addresses and contact telephone numbers of foreign voters, which is usually excluded from the provision of copies of electoral rolls to the beneficiaries. Subsequently, the MEP, who received the leaked data, processed the file in order to send an email to all the voters contained in it.

Findings of the HDPA

The HDPA found that the collection of personal data of emigrant voters, including electronic communication details and their use for sending a political communication message, was in violation of the basic principles of legality, objectivity, and transparency of processing. More specifically, the HDPA found the MEP in violation of Articles 5(1)(a), 6(1), and 14 of the GDPR, and the Ministry in violation of Articles 5(1)(f), 25(1), 30, 32, and 33(3)-33(5) of the GDPR.

Outcomes

In light of the above, the HDPA imposed a fine of €40,000 on the MEP and ordered the MEP, as a data controller, to delete all data of foreign voters. Furthermore, the HDPA fined the Ministry €400,000 and ordered the Ministry, as a data controller, to, among other things:

• record approved policies and check and review the procedures and measures that apply regarding the protection of personal data during the processing of voters' personal data;
• within three months of this decision, draw up relevant timetables for training, implementation, and updating of the above, alongside notifying the HDPA of the completion of such activities; and
• provide and implement specific measures to avoid, detect, and investigate personal data breach incidents.

You can read the press release here and the decision here, both only available in Greek, and the European Data Protection Board (EDPB) summary here.

Update: September 5, 2024

HDPA postpones decision after fining MEP and Ministry of Interior €440,000

On August 26, 2024, the HDPA announced that it had decided to postpone the issuance of the decision, following its Decision No. 16/2024 as issued on May 27, 2024, in which it imposed an administrative fine of €40,000 on the MEP and €400,000 on the Ministry for GDPR violations.

The HDPA explained that new information had been presented and there was a need to postpone the decision in order to gather new evidence.

You can read the decision, only available in Greek, here.