401 Athens General Military Hospital – Dismissed (Greece, 2020)

A data subject complained that 401 Athens General Military Hospital unlawfully processed personal data of people entering the hospital, collecting details from their ID and information about where exactly in the hospital they intend to go, time of entrance and exit. The Military Hospital claimed that this information was necessary for the security of the hospital and that in any case, the DPA was not competent to deal with the case as it concerns data related to activities concerning national security. The HDPA found, first of all, itself competent to decide on the case as the personal data collected (a) has not been characterised as "classified information" (b) nor does it relate to activities concerning national security, as required by the national Data Protection Act. Then, the HDPA rejected the complaint as it found the processing necessary for the protection of military facilities and thus lawful according to Articles 6(1)(e) and 9(2)(g) GDPR. Lastly, the HDPA imposed the corrective measure of Article 58(2)(d), ordering the Military Hospital to appoint a DPO.