Εθνική Υπηρεσία Πληροφοριών (National Intelligence Service) – €5,000 Fine (Greece, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Greece's data protection authority fined the National Intelligence Service for improperly sharing an employee's personal data without informing her. The employee's name and qualifications were transferred to other government bodies without a valid reason. This case underscores the need for transparency when handling personal data, especially in public institutions.
What happened
The National Intelligence Service unlawfully transferred an employee's personal data to other government agencies.
Who was affected
An employee of the National Intelligence Service whose personal data was shared without her knowledge.
What the authority found
The authority found that the service did not have a valid legal basis for transferring the employee's data and failed to inform her appropriately.
Why this matters
This fine highlights the importance of transparency in data handling, especially for public agencies. Organizations should ensure they have clear policies for data sharing and keep individuals informed about how their data is used.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
On 9 July 2022, the data subject, an employee of the [https://www.nis.gr/en National Intelligence Service] (the controller), filed a complaint with the Hellenic DPA for the unlawful transfer of her personal data. More specifically, she complained that the controller transferred her personal data, including her name, educational qualifications, and professional classification, to the Ministry of Citizen Protection and the Hellenic Police. The data subject asserted that she was not informed about the unnecessary transfer of her personal data, in violation of Article 13 GDPR, and further argued that the controller lacked a valid legal basis for this specific processing. On 12 April 2024, the controller responded to the Hellenic DPA, that the data transfer to the Ministry of Citizen Protection, a public body, was conducted under Article 26 of Greek Law 4624/2019, as part of fulfilling its official duties. The controller justified that this data was necessary for the adoption of the decisions on her transfer and placement in accordance with the provision of Article 74 of Greek law 4873/2021. Additionally, the controller argued that the data subject had not contacted the controller or submitted a complaint to them before filing the complaint with the Hellenic DPA, and for this reason, the DPA could choose to not investigate this complaint. On 1 May 2024, the data subject responded to the Hellenic DPA arguing that data was transferred on 15 December 2021, when the relevant law had not yet come into effect, as the Greek law 4873/2021 came into force on 16 December 2022. She claimed this rendered the transfer unlawful. Additionally, she asserted that there was a lack of transparency since she was not informed about this data processing under Article 13 GDPR. The data subject also highlighted that some of the transferred data, such as specific educational details, were unnecessary for the stated purpose, and alleged that the data had been disclosed to unauthorised personnel,
Related Enforcement Actions (0)
No other enforcement actions found for Εθνική Υπηρεσία Πληροφοριών (National Intelligence Service) in GR
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
31 October 2024
Authority
Hellenic Data Protection Authority
Fine Amount
€5,000
GDPRhub ID
gdprhub-8606About this data
Cite as: Cookie Fines. Εθνική Υπηρεσία Πληροφοριών (National Intelligence Service) - Greece (2024). Retrieved from cookiefines.eu
Last updated: