Hellenic Police – Violation Found (Greece, 2025)

The Greek non-profit organization ‘’Homo Digitalis’’ submitted to the Greek DPA (HDPA) a request, for the issuance of an opinion regarding the lawfulness of the procurement contract for ‘’Smart Policing’’ systems between the Hellenic Police (the controller) and the company INTRACOM. The request was based on the exceptionally significant and serious risks posed to the protection of personal data of individuals within the Hellenic territory, as well as the likelihood that the controller may be in breach of EU data protection legislation. The contract on ‘’Smart Policing’’ concerns the deployment of modern technologies involving smart portable devices in foot and vehicle patrols, with the aim of determining and verifying the identity of citizens subject to on-the-spot checks via the use of biometric data (fingerprints, photos, etc.), and that the proposed action promotes the identification of citizens through such portable devices on site, without requiring their transfer to the nearest police station for the verification of their personal details. The HDPA issued a warning against the activation of the ‘’Smart Policing’’ system, given that, under the existing legal framework, any operational (productive) use of the system would constitute unlawful processing of personal data. According to [https://www.dpa.gr/sites/default/files/2020-08/LAW%204624_2019_EN_TRANSLATED%20BY%20THE%20HDPA.PDF Article 46(1) of Law 4624/2019,] the processing of special categories of personal data, including biometric data, requires explicit provision in law. For the deployment of ‘’Smart Policing’’ the Hellenic Police relied on the provisions of [https://ia37rg02wpsa01.blob.core.windows.net/fek/01/1977/19770100109.pdf Articles 27 and 29 of Presidential Decree 342/1977]. These provisions, however, apply exclusively to accused persons, arrestees, convicted persons, and individuals whose identity cannot be established by other means, and only where an order has been issued by the competent aut