Εθνική Υπηρεσία Πληροφοριών (National Intelligence Service) – €5,000 Fine (Greece, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On 9 July 2022, the data subject, an employee of the [https://www.nis.gr/en National Intelligence Service] (the controller), filed a complaint with the Hellenic DPA for the unlawful transfer of her personal data. More specifically, she complained that the controller transferred her personal data, including her name, educational qualifications, and professional classification, to the Ministry of Citizen Protection and the Hellenic Police. The data subject asserted that she was not informed about the unnecessary transfer of her personal data, in violation of Article 13 GDPR, and further argued that the controller lacked a valid legal basis for this specific processing. On 12 April 2024, the controller responded to the Hellenic DPA, that the data transfer to the Ministry of Citizen Protection, a public body, was conducted under Article 26 of Greek Law 4624/2019, as part of fulfilling its official duties. The controller justified that this data was necessary for the adoption of the decisions on her transfer and placement in accordance with the provision of Article 74 of Greek law 4873/2021. Additionally, the controller argued that the data subject had not contacted the controller or submitted a complaint to them before filing the complaint with the Hellenic DPA, and for this reason, the DPA could choose to not investigate this complaint. On 1 May 2024, the data subject responded to the Hellenic DPA arguing that data was transferred on 15 December 2021, when the relevant law had not yet come into effect, as the Greek law 4873/2021 came into force on 16 December 2022. She claimed this rendered the transfer unlawful. Additionally, she asserted that there was a lack of transparency since she was not informed about this data processing under Article 13 GDPR. The data subject also highlighted that some of the transferred data, such as specific educational details, were unnecessary for the stated purpose, and alleged that the data had been disclosed to unauthorised personnel,
GDPR Articles Cited
National Law Articles
On 9 July 2022, the data subject, an employee of the [https://www.nis.gr/en National Intelligence Service] (the controller), filed a complaint with the Hellenic DPA for the unlawful transfer of her personal data. More specifically, she complained that the controller transferred her personal data, including her name, educational qualifications, and professional classification, to the Ministry of Citizen Protection and the Hellenic Police. The data subject asserted that she was not informed about the unnecessary transfer of her personal data, in violation of Article 13 GDPR, and further argued that the controller lacked a valid legal basis for this specific processing. On 12 April 2024, the controller responded to the Hellenic DPA, that the data transfer to the Ministry of Citizen Protection, a public body, was conducted under Article 26 of Greek Law 4624/2019, as part of fulfilling its official duties. The controller justified that this data was necessary for the adoption of the decisions on her transfer and placement in accordance with the provision of Article 74 of Greek law 4873/2021. Additionally, the controller argued that the data subject had not contacted the controller or submitted a complaint to them before filing the complaint with the Hellenic DPA, and for this reason, the DPA could choose to not investigate this complaint. On 1 May 2024, the data subject responded to the Hellenic DPA arguing that data was transferred on 15 December 2021, when the relevant law had not yet come into effect, as the Greek law 4873/2021 came into force on 16 December 2022. She claimed this rendered the transfer unlawful. Additionally, she asserted that there was a lack of transparency since she was not informed about this data processing under Article 13 GDPR. The data subject also highlighted that some of the transferred data, such as specific educational details, were unnecessary for the stated purpose, and alleged that the data had been disclosed to unauthorised personnel,
Related Enforcement Actions (0)
No other enforcement actions found for Εθνική Υπηρεσία Πληροφοριών (National Intelligence Service) in GR
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
31 October 2024
Authority
Hellenic Data Protection Authority
Fine Amount
€5,000
GDPRhub ID
gdprhub-8606About this data
Cite as: Cookie Fines. Εθνική Υπηρεσία Πληροφοριών (National Intelligence Service) - Greece (2024). Retrieved from cookiefines.eu
Last updated: