Supreme Council For Civil Personnel Selection (ASEP) – Violation Found (Greece, 2020)

The Supreme Council For Civil Personnel Selection (hereinafter ASEP) uploads on its website tables with the ranking and the appointment of candidates, which includes personal data and possibly special categories of personal data. ASEP asked the HDPA for a prior consultation according to Article 36(1) and 36(3)(b) GDPR after it carried out a DPIA, which showed that the mentioned publication would possibly result in high risk for the rights and freedoms of individuals, despite any measures ASEP would take to mitigate the risk. ASEP claimed that there is the legal basis of Article 6(1)(e) GDPR -public interest and exercise of official authority vested in it, which falls within the exception of Article 9(2)(j) GDPR. It also claimed that it took some measures to mitigate the risks, while implementing certain technical measures such as a system which would require a password would undermine the transparency that is required by law in this procedure and would be overly costly. The HDPA found that the calculation of the cost of possible technical measures was based on empirical calculations and not on specific technical data. It is of the opinion that adequate measures such as a unique password for each candidate can be implemented with lower cost and are advisable; that the columns where sensitive data is added, such as "disability 50%" should be replaced with general headlines such as "special categories" without disclosing what the special category is; that identification data, such as name and surname, should be not visible when people other than the candidates access the tables; the tables should be published only for a time period that is absolutely necessary to the purpose of the publication; and that these measures should be applicable both with regard to the online publication of the tables and the hard-copy publication at the Authority's premises.