Municipality X (To ensure the confidentiality of the specific municipality, the term "X" is employed as a placeholder.) – Violation Found (Greece, 2023)

On 20 June 2023, an individual reported a data breach on city council X's website, because citizens' personal data was easily accessible on the controller's website by modifying the last five digits of the permalink (URL). On 21 June 2023, the HDPA communicated orally with the city council regarding the breach. In response, the controller promptly ceased the website's operations and officially notified the HDPA of the breach in accordance with Article 33 GDPR. Corrective measures to fix the issue were also implemented. Despite this, the website remained vulnerable, leading to continued exposure of personal data. Due to the ongoing unresolved data breach and the substantial risks it posed for a large number of persons, the HDPA issued a temporary order under Article 58(2) GDPR and Article 15(8) of Law 4624/2019. The interim order instructed the city council to take immediate action to restrict access to personal data files on its website and to cease all processing operations. The HDPA noted that the order was to stay in place until it could be ensured that the files containing user personal data could only be accessed by authorized users or the data subjects themselves. These restrictions will remain in effect until the SA issues a new decision, allowing processing operations to begin again.