Fine of €175,000 on the Greek Ministry of Migration and Asylum for GDPR breaches

Ministry of Migration and Asylum received administrative fine and GDPR compliance order following an own-initiative investigation by the  Data Protection Authority of Greece.

At the end of 2021, the Greek Supervisory Authority (SA) became aware of a decision of the Greek Government regarding the development and implementation of the “Centaur” programme by the Hellenic Ministry of Migration and Asylum in order to control the reception and accommodation facilities of third country nationals on the Aegean islands. 

The Greek SA also received a request for information on border surveillance technologies from the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE Committee), while a request for investigation and opinion on the procurement and implementation of the “Hyperion” and “Centaur” systems in reception and accommodation facilities for asylum seekers was submitted to the Authority by civil society organizations in February 2022.

In July 2022, the Authority also received a letter from the UNHCR Representation in Greece with regard to the above systems.

Having learned of the development and implementation of the “Centaur” and “Hyperion” programmes by the aforementioned Ministry in the premises of the Closed Controlled Access Centers and the Reception and Identification Centers for third-country nationals, the Authority proceeded to examine in-depth the integrated digital system for managing electronic and physical security (“Centaur”) and the integrated entry-exit control system with reader in combination with fingerprint ‒i.e. biometric data processing‒ (“Hyperion”) in the premises of the above-mentioned facilities for guests as well as employees and certified members of non-governmental organizations. 

The Greek SA found a lack of cooperation on the part of the Ministry, as data controller, and further considered that the required Data Protection Impact Assessments carried out by the Ministry were substantially incomplete and limited in scope, and that serious shortcomings remain as regards the Ministry’s compliance with certain provisions of the GDPR in relation to the implementation of the systems in question.

The Greek SA imposed an administrative fine of € 175,000 on the Hellenic Ministry of Migration and Asylum for the breaches found in relation to the cooperation with the Authority and the impact assessments, while at the same time it sent the Ministry an order to comply within three months with its obligations under the GDPR. (source edpb.europa.eu / photo freepik.com)

Comments

Post a Comment

Editorial

Editorial
George Kazoleas, Lawyer

Top Stories

Ombudsman inquiry on Commission President’s text messages is a wake-up call for EU

Image
The European Ombudsman inquiry into the Commission’s handling of a request for text messages between its President and the CEO of a pharmaceutical company is a wake-up call for all EU institutions about ensuring accountability in an era of instant messaging. One year after the initial request by a journalist, the Commission has still not clarified whether messages reported to concern major vaccine procurement deals exist and whether the public is entitled to see them. The Ombudsman had asked the Commission, in a finding of maladministration in January, to conduct a more thorough search for the text messages. The Commission’s recent response failed to say whether it had looked directly and correctly for the text messages and if not, why not. While the response recognised that work-related text messages can be EU documents, it reiterated that the Commission’s internal policy is, in effect, not to register text messages. The Ombudsman has closed  the inquiry  and upheld...
Read more

Intellectual property: the figurative sign consisting of the phrase ‘RUSSIAN WARSHIP, GO F* *K yourself’ in Russian and English cannot be registered as an EU trade mark

Image
In its Judgment in Case T-82/24 (Administration of the State Border Guard Service of Ukraine v EUIPO) (RUSSIAN WARSHIP, GO F**K YOURSELF) the General Court ruled that the figurative sign consisting of the phrase ‘RUSSIAN WARSHIP, GO F* *K yourself’ in Russian and English cannot be registered as an EU trade mark. That phrase, which has become a symbol of Ukraine’s fight against Russian aggression, is not perceived as an indication of a commercial origin.  The Administration of the State Border Guard Service of Ukraine (Kyiv, Ukraine) requests the General Court of the European Union to annul the decision of the European Union Intellectual Property Office (EUIPO) of 1 st December 2023, which refused registration of the following figurative sign as an EU trade mark: ‘RUSSIAN WARSHIP, GO F* *K yourself’ That mark is a war cry uttered by the Ukrainian border guard on Snake Island on 24th February 2022, the first day of the full-scale Russian invasion of Ukraine. Registration was sou...
Read more

Prohibiting contact between children and their mother in custody and contact rights case was unjustified (ECtHR)

Image
The case of X and Others v. Slovenia (application nos. 27746/22 and 28291/22) concerned custody decisions and contact rights following the separation of X from her children’s father in 2018. It also concerned the reassignment of X’s court case to a particular judge.  In Chamber's judgment in the case, the European Court of Human Rights held, unanimously, that there had been a violation of Article 6 § 1 (right to a fair trial) of the European Convention on Human Rights, as regards X’s right to a tribunal established by law, and violations of Article 8 (right to respect for private and family life) with respect both to:  - the applicant children, as regards the order to remove them from X’s (their mother’s) care in March 2020, their not being represented in the contact and custody proceedings, and their not being allowed contact with their mother;  - X, for not being allowed contact with her children.  The Court found in particular that the President of the District Co...
Read more

ECtHR elects a new Vice-President of the Court and two new Section Presidents

Image
The European Court of Human Rights has elected on 23.9.2024 a new Vice-President of the Court – Judge Ivana Jelić (elected in respect of Montenegro). She will take up her duties on 1 November 2024.  The Court has also elected at the same date two new Section Presidents – Judges Lado Chanturia (elected in respect of Georgia) and Ioannis Ktistakis (elected in respect of Greece). They will also take up their duties on 1 November 2024. Ivana Jelić was born on 17 March 1975 in Podgorica, Montenegro and was elected Judge of the European Court of Human Rights on 12 July 2018. Lado Chanturia was born on 14 April 1963 in Tsalenjikha, Georgia, was elected Judge of the European Court of Human Rights on 8 January 2018 and is Vice-President of Section since 18 May 2023. Ioannis Ktistakis was born on 3 January 1971 in Thebes, Greece and was elected Judge of the European Court of Human Rights on 8 March 2021. (source/photo: echr.coe.int) Read more here
Read more

A holding by purely financial investors in a law firm may be prohibited (CJEU)

Image
The EU Court of Justice ruled in Case C-295/23 (Halmer Rechtsanwaltsgesellschaft) that a holding by purely financial investors in a law firm may be prohibited. Such a prohibition is justified in order to ensure the independence of lawyers.  A Member State may prohibit holdings by purely financial investors in the capital of a law firm. Such a restriction on the freedom of establishment and the free movement of capital is justified by the objective of ensuring that lawyers can exercise their profession independently and in compliance with their professional conduct obligations.  The German law firm Halmer Rechtsanwaltsgesellschaft is challenging before the Higher Bavarian Lawyers’ Court (Germany) a decision of the Munich Bar Association of 9 November 2021 which revoked its registration with the bar association on account of the fact that an Austrian limited liability company acquired shares [1] in it for purely financial purposes. Under the German legislation applicable at the ...
Read more

European Data Protection Board clarifies rules for data sharing with third country authorities and approves EU Data Protection Seal certification

Image
During its latest plenary, the European Data Protection Board (EDPB) published  guidelines on Art.48 GDPR  about data transfers to third country authorities and  approved a new European Data Protection Seal. Αs stated in a press release from the EDPB, in a highly interconnected world, organisations receive requests from public authorities in other countries to share personal data. The sharing of data can, for instance, be of help to collect evidence in the case of crime, to check financial transactions or approve new medications. When a European organisation receives a request for a transfer of data from a ‘third country’ (i.e. non-European countries) authority, it must comply with the General Data Protection Regulation (GDPR). In its guidelines, the EDPB zooms in on Art. 48 GDPR and clarifies how organisations can best assess under which conditions they can lawfully respond to such requests. In this way, the guidelines help organisations to make a decision on whether...
Read more

GDPR and rail transport: A customer’s gender identity is not necessary data for the purchase of a transport ticket

Image
In its judgment in Case C-394/23 (Mousse) the EU Court of Justice ruled that a rail transport customer’s gender identity is not necessary data for the purchase of a transport ticket. The collection of data regarding customers’ titles is not objectively indispensable, in particular where its purpose is to personalise commercial communication.  The association Mousse challenged, before the French data protection authority (the CNIL), [1] the practice of the French railway undertaking SNCF Connect whereby the latter systematically requires its customers to indicate their title (‘Monsieur’ or ‘Madame’) (‘Mr’ or ‘Ms’) when purchasing transport tickets online. That association takes the view that that requirement infringes the General Data Protection Regulation (GDPR), [2] in particular in the light of the principle of data minimisation, because an indication of the title, which corresponds to a gender identity, does not appear to be necessary for the purchase of a rail transport ticket....
Read more