Hellenic Ministry of Interior – €440,000 Fine (Greece, 2024)

The Hellenic DPA (HPDA) received 236 complaints regarding unsolicited political communication sent via e-mail by MEP Anna Michelle Asimakopoulou on 1 March 2024. In response, the HDPA initiated an investigation, which consisted of communications and requests for information from the Ministry, the New Democracy party, and Ms Asimakopoulou -- all of which were considered controllers for the processing. The HDPA found a file containing personal data of all registered voters abroad for the June 2023 elections, for which the Ministry of Interior is a controller. The file was created for internal use at the Ministry of Interior in connection with a purpose related to the electoral process. It contained the names, countries, email addresses and telephone numbers of over 20,000 overseas voters. This data was not otherwise available. On 18 March 2024, the HDPA received a notification of a personal data breach from the Ministry, which approximated the date of the incident as May 2023. The HDPA determined that the leak of this file from the Ministry occurred between 8 and 23 June 2023. On 23 June 2023, the file was provided to the then New Democracy Secretary of Greek Expatriates (political party) by an unidentified sender. On 20 January 2024, the then-secretary sent Ms Asimakopoulou the file via Whatsapp. Upon receiving the file, the MEP then processed the data, exporting the email addresses to MailChimp to add them to her mailing list. On 1 March 2024, she emailed the mailing list, including the data subjects mentioned above. Her email did not inform recipients of how their data was obtained. The MEP claimed to have received the file on the basis of party instructions. She also argued that there was no specific regulation on political communication and she had reasonably considered she had an overriding legitimate interest in informing unknown voters about absentee voting. The Hellenic DPA imposed an administrative fine of €400,000 for violations of Articles 5,