Greece: HDPA fines Ministry of Citizen Protection €150,000 for GDPR violations
On September 23, 2024, the Hellenic Data Protection Authority (HDPA) announced that it had published its Decision No. 32/2024 as issued on the same date, in which it imposed an administrative fine of €150,000 on the Ministry of Citizen Protection for General Data Protection Regulation (GDPR) violations, following complaints on the introduction of the new type of identity card for Greek citizens.
Background to the decision
The complainant had requested information from the Ministry about the legality and data processing procedures related to the issuance of these new identity cards, such as the lawful basis for the processing of personal data, including biometric information stored on the identity cards, and also complained about the lack of a timely response to requests for information. Following the public debate on the new type of identity card and in light of the complaint received, the HDPA initiated an ex officio investigation into the issue by seeking a response from the Ministry.
In its response, the Ministry provided a report explaining delays and the extensive administrative processes involved in implementing the new cards, which included handling numerous public inquiries and ensuring compliance with both European and national regulations concerning the security and processing of personal data.
The HDPA also examined legal issues around the Ministry's failure to conduct a proper Data Protection Impact Assessment (DPIA) before starting the data processing, as required under the GDPR, particularly for processing activities involving sensitive data like biometrics. Additionally, the HDPA raised concerns about transparency and the Ministry's obligation to inform citizens about the data processing methods and examined the storage of national and biometric data.
Findings of the HDPA
The HDPA found that the Ministry failed to meet its information obligations, in violation of Articles 13 and 14 of the GDPR, by delaying for a long time in informing data subjects and by providing incorrect information on its website. The HDPA also found that the Ministry violated the minimization period according to Article 24 of the GDPR. Furthermore, the Ministry was found in violation of Article 35(1) of the GDPR for not conducting the required DPIA before starting the processing; even after the Ministry conducted the DPIA following the HDPA's instructions, the DPIA did not identify all the risks.
Outcomes
In light of the above, the HDPA fined the Ministry €50,000 for violations of Articles 13 and 14 of the GDPR and €100,000 for violations of Article 35(1) of the GDPR. The HDPA also ordered the Ministry to:
- document, while also updating the HDPA, the need to include data in the electronic medium other than those required by the European legislation; and
- take the necessary steps to adjust the processing regarding the issuance of IDs within six months from the notification of the decision, and inform the HDPA accordingly to ensure that IDs issued henceforth are in accordance with the decision.
You can read the press release here and the decision here, both only available in Greek.