The Municipality of Alimos – €15,000 Fine (Greece, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Files containing personal data of citizens of the Municipality of Alimos (the controller) were accessible to any visitor of a specific website. To get access to those files, visitors had to change the last five-digit number appearing in the website's URL. An individual (the data subject) complained about this functionality to the Greek DPA (HDPA). For the data subject, the functionality was a data breach.
The DPA informed the controller about the complaint. In response, the controller notified the DPA of the data breach in accordance with Article 33 GDPR. The controller argued that they relied on services provided by a third party (the processor). Nevertheless, the controller immediately implemented appropriate measures and the data were no longer publicly accessible. The controller stated that out of 45,000 available files, only 1,200 files were accessed, and that the access was made from two specific IP addresses.
The data subject informed the DPA twice that, despite the update of the website, it was still possible to access the personal data. Each time, the controller implemented additional updates and new measures. Regarding the data breach, the controller emphasised that it lasted for a short time, affected a small number of files containing data of a simple nature, and that corrective measures were applied. As a result, the controller assessed the breach as posing a low risk.
The DPA upheld the complaint. The DPA found that the controller violated Article 5(1)(f), Article 25(1), Article 28(3), Article 32(1), Article 33(4), Article 34(1) and Article 34(2) GDPR. The controller failed to implement appropriate technical and organizational security measures to preserve the confidentiality of the personal data, as well as to verify the accuracy of the implemented measures. That led to the data breach. The data breach caused unauthorised access to personal data of citizens of the Municipality of Alimos, for example copies of identity cards and driving licenses. The
Details
Fine Date: 5 July 2024
Authority: Hellenic Data Protection Authority
Fine Amount: €15,000
GDPRhub ID: gdprhub-8325
Cite as: Cookie Fines. the Municipality of Alimos - Greece (2024). Retrieved from cookiefines.eu