Background information
- Date of final decision: 2 April 2024
- National case
- Legal Reference(s): Articles 4, 5, 6, 7, 12-14, 22, 24, 25, 28, 30, 31, 35, 37-39, 51, 55, 58, 83 of GDPR, Article 39 of Law 4624/2019
- Controller: Ministry of Migration and Asylum
- Decision: Infringement of the GDPR, Administrative fine
- Keywords: own-initiative investigation, biometric data, Data Protection Impact Assessments
Summary of the Decision
Origin of the case
At the end of 2021, the Greek Supervisory Authority (SA) became aware of a decision of the Greek Government regarding the development and implementation of the “Centaur” programme by the Hellenic Ministry of Migration and Asylum in order to control the reception and accommodation facilities of third country nationals on the Aegean islands.
The Greek SA also received a request for information on border surveillance technologies from the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE Committee), while a request for investigation and opinion on the procurement and implementation of the “Hyperion” and “Centaur” systems in reception and accommodation facilities for asylum seekers was submitted to the Authority by civil society organizations in February 2022.
In July 2022, the Authority also received a letter from the UNHCR Representation in Greece with regard to the above systems.
Key Findings
Having learned of the development and implementation of the “Centaur” and “Hyperion” programmes by the aforementioned Ministry in the premises of the Closed Controlled Access Centers and the Reception and Identification Centers for third-country nationals, the Authority proceeded to examine in-depth the integrated digital system for managing electronic and physical security (“Centaur”) and the integrated entry-exit control system with reader in combination with fingerprint ‒i.e. biometric data processing‒ (“Hyperion”) in the premises of the above-mentioned facilities for guests as well as employees and certified members of non-governmental organizations.
The Greek SA found a lack of cooperation on the part of the Ministry, as data controller, and further considered that the required Data Protection Impact Assessments carried out by the Ministry were substantially incomplete and limited in scope, and that serious shortcomings remain as regards the Ministry’s compliance with certain provisions of the GDPR in relation to the implementation of the systems in question.
Decision
The Greek SA imposed an administrative fine of € 175,000 on the Hellenic Ministry of Migration and Asylum for the breaches found in relation to the cooperation with the Authority and the impact assessments, while at the same time it sent the Ministry an order to comply within three months with its obligations under the GDPR.
For further information:
- National decision 13/2024: Αυτεπάγγελτη έρευνα για την ανάπτυξη και εγκατάσταση των Προγραμμάτων «Κένταυρος» και «Υπερίων» από το Υπουργείο Μετανάστευσης και Ασύλου αναφορικά με τον έλεγχο των δομών υποδοχής και φιλοξενίας πολιτών τρίτων χωρών. (Greek)
- Press release: Ministry of Migration and Asylum receives administrative fine and GDPR compliance order following an own-initiative investigation by the Hellenic Data Protection Authority (English)
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.