Ministry of Citizan Protection – €150,000 Fine (Greece, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A citizen filed a complaint about the issuance of new identity cards containing biometric data and the Ministry of Citizen Protection's failure to respond to an inquiry about the legality of this data processing. The HDPA initiated an investigation to examine the Ministry's compliance with GDPR, focusing on data minimization, transparency, and security measures. The Ministry explained its actions, including conducting a Data Protection Impact Assessment (DPIA), assessing risks, and implementing safeguards for biometric data. The DPA stressed the importance of providing adequate public information and ensuring individuals' rights regarding personal data access. The Hellenic Data Protection Authority (HDPA) found that the Ministry of Citizen Protection violated provisions of the GDPR related to transparency and data minimization concerning the issuance of new identity cards that contain biometric data. Specifically, the Ministry had failed to provide timely responses and sufficient information to the public regarding the processing of personal data in compliance with GDPR requirements. Reasoning: First, the DPA held that the controller violated Article 12 (Transparency) of the GDPR by failing to provide clear and timely information to the complainant and the public about the processing of their personal data in relation to the new identity cards. This included details about the legality, purpose, and scope of the data collection. Second, the DPA found that the Ministry had not fully complied with the principle of data minimization under Article 5(1)(c) of the GDPR. The authority noted concerns about the scope of biometric data collected and questioned whether all the data being processed was necessary for the stated purpose (issuance of identity cards). Third, the DPA emphasized the need for a Data Protection Impact Assessment (DPIA), as required by Article 35 of the GDPR, due to the high risks posed by the processing of biometric data. The Ministry had initiated th
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
A citizen filed a complaint about the issuance of new identity cards containing biometric data and the Ministry of Citizen Protection's failure to respond to an inquiry about the legality of this data processing. The HDPA initiated an investigation to examine the Ministry's compliance with GDPR, focusing on data minimization, transparency, and security measures. The Ministry explained its actions, including conducting a Data Protection Impact Assessment (DPIA), assessing risks, and implementing safeguards for biometric data. The DPA stressed the importance of providing adequate public information and ensuring individuals' rights regarding personal data access. The Hellenic Data Protection Authority (HDPA) found that the Ministry of Citizen Protection violated provisions of the GDPR related to transparency and data minimization concerning the issuance of new identity cards that contain biometric data. Specifically, the Ministry had failed to provide timely responses and sufficient information to the public regarding the processing of personal data in compliance with GDPR requirements. Reasoning: First, the DPA held that the controller violated Article 12 (Transparency) of the GDPR by failing to provide clear and timely information to the complainant and the public about the processing of their personal data in relation to the new identity cards. This included details about the legality, purpose, and scope of the data collection. Second, the DPA found that the Ministry had not fully complied with the principle of data minimization under Article 5(1)(c) of the GDPR. The authority noted concerns about the scope of biometric data collected and questioned whether all the data being processed was necessary for the stated purpose (issuance of identity cards). Third, the DPA emphasized the need for a Data Protection Impact Assessment (DPIA), as required by Article 35 of the GDPR, due to the high risks posed by the processing of biometric data. The Ministry had initiated th
Related Enforcement Actions (0)
No other enforcement actions found for Ministry of Citizan Protection in GR
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
23 September 2024
Authority
Hellenic Data Protection Authority
Fine Amount
€150,000
GDPRhub ID
gdprhub-8316About this data
Cite as: Cookie Fines. Ministry of Citizan Protection - Greece (2024). Retrieved from cookiefines.eu
Last updated: