Greek Data Protection Authority Fines Ministry of Interior Over Expatriate Data Leak

The Hellenic Supervisory Authority (SA) has imposed a fine on Greece's Ministry of Interior following a major leak of expatriates' personal information. The decision, announced on September 13, 2024, comes after a thorough investigation into complaints about unsolicited political communications received by Greek voters living abroad.

The Hellenic SA's investigation, which began after numerous complaints were filed on March 1, 2024, uncovered a serious breach in data protection protocols. A file containing sensitive personal information of all registered expatriate voters for the June 2024 elections was found to have been transferred outside the Ministry, violating existing legislation.

The leaked data included not only standard electoral roll information but also email addresses and telephone numbers of Greek expatriate voters - details that are explicitly excluded from distribution under current laws. The authority discovered that this information was sent to an unnamed recipient, allegedly for election result analysis purposes.

As a result of these findings, the Hellenic SA has levied a €400,000 fine against the Ministry of Interior for multiple infringements of the General Data Protection Regulation (GDPR). The Ministry was found to be in violation of Articles 5, 25, 30, 32, and 33 of the GDPR, which cover principles of data processing, data protection by design, records of processing activities, security of processing, and notification of personal data breaches.

In addition to the fine, the Ministry has been instructed to implement corrective measures to ensure compliance with GDPR regulations within a specified timeframe. The Hellenic SA emphasized that these infringements did not affect the integrity of the voting process itself.

A second, unnamed controller involved in the case was also fined €40,000 for GDPR violations and ordered to delete unlawfully processed data.

The investigation has wider implications, with the political party New Democracy and another potential controller still under scrutiny. The Hellenic SA has postponed its decision regarding these entities, citing the need for further investigation.

This case highlights the ongoing challenges in safeguarding personal data in the digital age, especially in the context of political processes. It serves as a stark reminder of the importance of robust data protection measures and the serious consequences of failing to implement them adequately.

As this story develops, it will likely fuel discussions about data privacy, political communication practices, and the role of regulatory bodies in enforcing data protection laws.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.