Ministry of Foreign Affairs – Violation Found (Greece, 2020)

The HDPA ran an on site audit at the Ministry of Foreign Affairs as being the data controller according to VIS Regulation and VIS Decision. VIS is an information system for exchanging data among states within Schengen area with an aim to improve common VISA policies. The audit was focused on security issues, which are provided for in Article 32 GDPR and Article 32 of VIS Regulation. Further security requirements are provided for in Article 9 of Council Decision 2008/633/JHA (VIS Decision). Fundamental element of the system is a central database which contains personal data including special categories. The HDPA prepared a detailed analysis of the findings arisen from the audit as well as of the relevant risks, which is however included in a final confidential report. Based on these findings, the HDPA ordered the Ministry of Foreign Affairs to comply with its recommendations that are included in the confidential report according to Article 58(2)(d) GDPR and inform the HDPA accordingly.