Vickyk:
|Jurisdiction=Greece
|DPA-BG-Color=background-color:#ffffff;
|DPAlogo=LogoGR.jpg
|DPA_Abbrevation=HDPA
|DPA_With_Country=HDPA (Greece)
|Case_Number_Name=45/2025
|ECLI=
|Original_Source_Name_1=HDPA
|Original_Source_Link_1=https://www.dpa.gr/sites/default/files/2026-01/45_2025%20anonym.pdf
|Original_Source_Language_1=Greek
|Original_Source_Language__Code_1=EL
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=
|Type=Other
|Outcome=
|Date_Started=19.03.2020
|Date_Decided=17.06.2025
|Date_Published=31.12.2025
|Year=2025
|Fine=
|Currency=
|GDPR_Article_1=
|GDPR_Article_Link_1=
|GDPR_Article_2=
|GDPR_Article_Link_2=
|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=
|National_Law_Name_1=par. 1, art. 46. Law 4624/2019
|National_Law_Link_1=https://www.dpa.gr/sites/default/files/2023-06/4624_2019%2520%25CE%25BC%25CE%25B5%2520%25CF%2584%25CF%2581%25CE%25BF%25CF%2580%25CE%25BF%25CF%2580%25CE%25BF%25CE%25B9%25CE%25AE%25CF%2583%25CE%25B5%25CE%25B9%25CF%2582.pdf
|National_Law_Name_2=par. 4 (a), art. 15, Law 4624/2019
|National_Law_Link_2=https://www.dpa.gr/sites/default/files/2023-06/4624_2019%2520%25CE%25BC%25CE%25B5%2520%25CF%2584%25CF%2581%25CE%25BF%25CF%2580%25CE%25BF%25CF%2580%25CE%25BF%25CE%25B9%25CE%25AE%25CF%2583%25CE%25B5%25CE%25B9%25CF%2582.pdf
|National_Law_Name_3=
|National_Law_Link_3=
|National_Law_Name_4=
|National_Law_Link_4=
|Party_Name_1=”Homo Digitalis” non-profit organization
|Party_Link_1=https://homodigitalis.gr/en/
|Party_Name_2=Hellenic Police
|Party_Link_2=https://www.astynomia.gr/?lang=en
|Party_Name_3=
|Party_Link_3=
|Party_Name_4=
|Party_Link_4=
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=
|Appeal_To_Link=
|Initial_Contributor=Vicky Kalantzi
|
}}
Following a request by the Greek non-profit organization ”Homo Digitalis”, for the issuance of an opinion on the ‘’Smart Policing’’ system, the Hellenic DPA issued a warning against activating that system, as any operation of it would constitute unlawful processing of personal data.
== English Summary ==
=== Facts ===
The Greek non-profit organization ‘’Homo Digitalis’’ submitted to the HDPA its request dated 19-03-2020, for the issuance of an opinion regarding the lawfulness of the procurement contract for ‘’Smart Policing’’ systems between the Hellenic Police and the company INTRACOM, due to the exceptionally significant and serious challenges which arise for the protection of the personal data of data subjects within the Hellenic territory, and the likelihood of a breach by the Hellenic Police of EU legislation on the protection of personal data.
The contract on ‘’Smart Policing’’ concerns the deployment of modern technologies involving smart portable devices in foot and vehicle patrols, with the aim of determining and verifying the identity of citizens subject to on-the-spot checks via the use of biometric data (fingerprints, photos, etc.), and that the proposed action promotes the identification of citizens through such portable devices on site, without requiring their transfer to the nearest police station for the verification of their personal details.
=== Holding ===
According to paragraph 1 of article 46, Law 4624/2019, the processing of special categories of personal data, including biometric data, requires explicit provision in law.
For the deployment of ‘’Smart Policing’’ the Hellenic Police relied on the provisions of articles 27–29 of Presidential Decree 342/1977, which, however, on the one hand refer to accused persons, arrestees, convicted persons, as well as to individuals whose identity cannot be established by any other means, provided that an order is issued by the competent authority responsible for establishing identity, namely the “Administrative Officer of the Gendarmerie or the City Police”; and, on the other hand, constitute particularly old and outdated regulations, which clearly do not cover the concept of biometric data, and in particular the taking of biometric photographs, in light of personal data protection legislation. Consequently, they cannot serve as the necessary legal basis for the intended processing, by which, therefore, the fundamental principle of lawfulness is violated.
Pursuant to paragraph 4 (a) of article 15 of Law 4624/2019, the Authority issued a warning against the activation of the ‘’Smart Policing’’ system, given that, under the existing legal framework, any operational (productive) use of the system would constitute unlawful processing of personal data and would violate the provisions of the aforementioned law.
== Comment ==
The ‘’Smart Policing’’ project was funded by the EU ; it cost 4,000,000 million euros.
== Further Resources ==
”Share blogs or news articles here!”
== English Machine Translation of the Decision ==
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
<pre>
Athens, 31/12/2025
No. Prot.: 4648
DECISION 45/2025
The Personal Data Protection Authority met following an invitation from its President via videoconference, on Tuesday, 17 June at 11.30 a.m., in order to examine the case, which is mentioned below in the
history of this decision. The President of the Authority,
Konstantinos Menudakos and the regular members of the Authority Konstantinos
Lamprinoudakis, Christos Kalloniatis as rapporteur and Aikaterini Iliadou were present, as well as the alternate members Christos Papatheodorou, Nikolaos Livos, as
rapporteur, and Maria Psalla, replacing, respectively, the regular members
Spyros Vlachopoulos, Charalambos Anthopoulos and Grigorios Tsolias, who,
although legally summoned in writing, did not attend due to impediment. Present
without the right to vote were Georgios Roussopoulos, Head of
the Supervisory Project Directorate, and Helene Maragou, Specialist Scientist, as assistants
to the rapporteur, as well as Irini Papageorgopoulou as Secretary and Georgia
Palaiologou as coordinator of the teleconference, employees of the
Administrative Affairs Department of the Authority.
The Authority took into account the following:
By no. prot. C/ΕΙΣ/2140/19-03-2020 document of the Non-Profit
Organization Homo Digitalis, a request was submitted to the Authority for an opinion
regarding the legality of the contract for the supply of systems for Smart Policing between the Hellenic Police (hereinafter referred to as EL.AS.) and
INTRACOM due to the extremely important and serious challenges, such as
1
1-3 Kifissias Ave., 11523 Athens
T: 210 6475 600 • E: contact@dpa.gr • www.dpa.grlisted in this document, which arise for the protection of
personal data of subjects in the Greek Territory and the possibility
of a breach by the EL.AS. of the EU legislation on the protection of personal data. Specifically, the document in question states that this
contract concerns the application of modern technologies of smart portable
devices in pedestrian and vehicle patrols, with the aim of determining and
verifying the identity of citizens subject to on-site control and that
the proposed action promotes the identification of citizens through these
portable devices on-site without bringing them to the nearest Police Department for verification of information. Furthermore, it is stated that there was a relevant posting –
announcement on the website of the Hellenic Police already in 2019 and that the technical specifications document posted on the same website provides a detailed
description of the modern technologies that will be used in the smart
portable devices. The same document also states that one of the
purposes is “to provide a single work environment to the end user
of the smartphone device that will achieve, through a single application/interface
of searches in existing databases and the acquisition of biometric
data, the search, finding and identification of persons” and that “The
entry of search data will be carried out by acquiring biometric
characteristics (fingerprint and photograph) or by keying in data
by the user or by using software (OCR, MRZ, CHIP, etc.) or by a combination of
the 3 possibilities. Obtaining results from the search for biometric data,
will be carried out using identification software, either existing or,
supplied by the said contract… As for the on-site acquisition of
fingerprints, this capability will be available on at least 500
mobile devices, and will can be done either by using only the smartphone device and/or a suitable additional device that will be offered for this purpose. In case this specific feature is covered by an additional device, then the smartphone and additional device pair will fully interoperate, providing unified functionality in the use of the applications that will be developed and taking into account that communication with the central systems will be done by the smartphone. The received fingerprint data
2 will be compared in parallel, after parameterization, with the corresponding fingerprint data in the national AFIS (from the e-TAP project),
as well as with the Central SIS II AFIS Database in Strasbourg – provided that
the latter will have been put into operation during the implementation period of the contract –
and then, based on additional comparisons-searches that will be made centrally
by the system under procurement, a concise
response of operational interest will be received on the portable device. Regarding the on-site taking of
photographs, one of the objectives of the action is the delivery to the Hellenic Police,
of facial recognition software, through which the
comparison with digital facial photograph files will be made in order to
recognize and identify a person under examination. In fact, there is no facial photo recognition information system in the Hellenic Police at this time. Specifically, the photos that will be taken on the spot by smartphones along with the relevant accompanying data (at least geographical location and time) will be compared, through an appropriate – in hardware and software – central infrastructure, which will be provided for this purpose, with existing digital photo archives of the Hellenic Police. The facial photo data will be compared centrally, through an appropriate infrastructure that will be provided within the framework of this contract, and then, based on additional comparisons-searches that will be carried out by the system under consideration centrally, a concise response of operational interest will be received on the mobile device. Homo Digitalis, as it informed the Authority, submitted an open
letter to the Minister of Citizen Protection on 16-12-2019, requesting
more information on the contract in question and, in particular, requested
to be informed whether a prior consultation with the APDPH
has taken place regarding the said contract and whether an impact assessment is available in the context of the said contract, as well as whether special provisions are in force in
current Greek law that provide for addressing the existing
risks, including guarantees and procedures to
ensure the protection of personal data and the privacy of
data subjects, given that this involves the processing of special
categories of personal data (such as biometric data),
which is only permitted when strictly necessary, subject to
appropriate safeguards for the rights and freedoms of the data subjects and where permitted by Union or Member State law, while presupposing the existence of a specific legal provision allowing the collection and processing of said biometric data (facial image and fingerprints) through the portable devices provided for in said convention. In the response received by Homo Digitalis from the Hellenic Police. and which
is
attached to the submitted request for an opinion, there was a reference to the provisions of
Convention 108, of the GDPR, which, in the opinion of Homo Digitalis, is
not
applicable given that the provisions of Chapter IV of Law
4624/2019 are
applicable.
3917/2011
at the given time point at which the
relevant Presidential Decree for the
installation and operation of surveillance systems in public spaces had not
been issued, as authorized by it.
In addition, no affirmative answer was provided to the question of
conducting a relevant personal data impact assessment.
Following this, the Authority decided to examine the matter and sent it to
EL.AS. the document with the number of the Authority’s protocol G/EX/2140-1/26-08-2020 for providing
opinions regarding the procurement of the system in question and in particular providing
information regarding the specific legal basis of the intended
processing, other elements of the processing, such as data retention time,
informing the subjects and any impact assessment.
With the number of the Authority’s protocol G/EIS/6712/05-10-2020 the Traffic Police Directorate
of the Hellenic Police. responded to the Authority confirming that the entire
action was checked for its legal adequacy by the Hellenic
Police Headquarters and stated that the acquisition of biometric data (fingerprint
and facial photograph) for the purpose of identifying the individual’s details,
which will be carried out using the mobile device, will be directly compared
with the National Database and Records of the Hellenic Police and will not
be stored in an existing system database, but will be discarded
4immediately upon completion of the identification workflow. It is noted in this
document that the actions of the end users of the mobile devices will
be recorded in a special action log file without maintaining the
search query if it includes biometric data and that the
contractor of the project is obliged to ensure full compliance of the design of the
implemented project with the existing Information Security Policy and
Information Systems of the Hellenic Police, as well as that
the preparation of a “Security Documentation Report” is provided for, while the preparation of
a data protection impact assessment is not provided for.
The Authority subsequently sent a new document with protocol number G/EX/ 2648/21-
10-2022 requesting information on whether the system has been put into pilot and/or
production operation as well as the provision of any updated
data regarding the questions raised in its previous document.
With the no. of the Authority G/EIS/12272/05-12-2022 response document of the
Traffic Policing Directorate of the Hellenic Police, it is underlined that the action focuses on
the supply of modern portable electronic devices of the “smart phone” type,
which, through a single application/interface for searches in existing
databases (national and European) and the acquisition of biometric
characteristics (through the scanning method), license plate numbers and
document data, achieve the quick and safe search and
identification of persons and objects with the aim of using these
devices by foot and vehicle patrols of the Hellenic Police,
so as to achieve the direct identification and verification of the identity
of citizens who are subject to in an on-site inspection and in the context of its general
preventive checks. The final delivery of the project is set for 31-
12-2022 and by then an impact assessment study will have been carried out.
However,
“during the operation of the project in question at an operational level, all appropriate tests are carried out in order to evaluate
and optimize all its parameters and the following were implemented: a) For
the smooth operation and assurance of communications and data of
all the project’s portable devices, the internationally recognized software of the manufacturing
company VMWare has been installed and
configured, fully satisfying the applicable provisions and the security policy of the Agency. b) The development of the facial photo recognition system is a key pillar of the project, providing: the creation of a single central function for comparing facial photos from a total of three existing databases, special software for using the facial identification feature from a mobile device, a process that is achieved without maintaining any biometric data element in the system. c) The special application for taking fingerprints using a smartphone type device with a special fingerprint receiver attached, in order to carry out searches for the identification of individuals, is carried out without maintaining any biometric data element in the system. d) In order to facilitate the operation of the Smart Policing applications and their proper integration into the existing authorization infrastructure of the Hellenic Police, distinct authorization roles were created for the Project in question (Head of History, GIS Superuser, GIS User, Search User, Report User, GIS History User, Search History User).”.
Furthermore, the Legal Support Department of the Organization and Legal Support Directorate of the Hellenic Police. sent to the Authority the additional information document with the Authority’s reference number
Γ/ΕΙΣ/1236/16-02-2023, in which, however,
again, there is no reference to the conduct of a personal data impact assessment
. Regarding the issue of the legal basis for the use of the system, the preliminary ruling of the Court of Justice of the European Union in case C-205/21 is invoked and it is noted that the taking of fingerprints and photographs using Smart Policing “meets the requirements of Article 10 of Directive 680/2016, given that: a) it is provided for by national law (Articles 27-29 of Presidential Decree 342/1977 of the Regulation on the operation of the Criminal Investigations Directorate/AEA, which is still in force in accordance with paragraph 4 of Article 62 of Law 1481/1984) and therefore, in order for photographs and fingerprints to be taken, strict, precise and detailed conditions must be met. of the above-mentioned Presidential Decree 342/1977, which are based on specific and
objective or subjective elements sufficient and appropriate to justify
by law, the said receipt, b) is absolutely necessary, as it serves
a specific purpose related to the prevention of criminal offences or threats
to public security and c) the purpose pursued by the data processing in question
cannot be achieved equally effectively by
using other categories of data that affect less the rights of
data subjects”.
As for the description of the system, it is reiterated that it does not constitute a surveillance and control system, that the biometric data are sent only for the purpose of searching without storage or other processing on portable devices or at a point of central equipment, the existing national automated fingerprint identification system (AFIS) and the facial photo recognition system do not contain any other nominal data in their records other than biometrics. Therefore, a possible identification returns to the system a unique number, through which the corresponding nominal data are extracted, which are searched automatically in all the databases available to the Hellenic Police. The use is only through the authorization system of the Police on Line network and the user’s data is recorded. Users are also trained in security and personal data protection issues and accept the Hellenic Police Information and Information Systems Security Policy. Finally, with regard to further security measures, it is stated that: to “shield the Smart Policing system from external interference, but also to prevent any access by unauthorized individuals, the management of mobile devices is carried out at a central level with the Enterprise Mobility Management (EMM) system “Workspace One” from VMWare, which is considered one of the leading systems of its type consistently over the last decade according to the assessment firms Gartner and Forrester, while data at all levels (mobile device – although no data is stored on it -, network communication, central storage system) is encrypted using internationally widespread algorithms. Finally, the procurement of Next Generation Firewalls
software and a Subsystem for secure interconnection – management of smart portable
devices is sought, while in collaboration with the Contractor we will proceed to initiate
appropriate actions for the Security of Information Systems,
Applications, Media and Infrastructures, the protection of the integrity,
confidentiality and availability of information, the protection of
processed and stored personal data, by methodically searching for and
locating the technical measures and the organizational-administrative
procedures.…Finally, the participation of a Security Manager for
information and network systems (Infrastructure & Information Security)
in the Contractor’s project team is sought, as is the possession of ISO/IEC27001 certification by
the Contractor.
Following the above, the Authority, with its summons G/EX/1475/02-05-2025
invited the Hellenic Police to a hearing before the Plenary Session of the Authority on 13/05/2025
in order to present its views and provide answers and
clarifications on the matter in question.
At the said meeting, which took place via videoconference,
there were present on behalf of the controller, namely the Hellenic Police, A,
Police Deputy Director of the Directorate of Organization and Legal
Support/A.E.A., B, Police Officer B’ of the Traffic Police Directorate/A.E.A.
and C, Police Officer B’ of the Traffic Police Directorate/A.E.A. as well as the
Data Protection Officer of the Hellenic Police, D. The participants, after having answered
the questions of the President, the rapporteur, the members and the assistant rapporteur
and having orally developed their views, were given a deadline to submit a written
memorandum in further support of their claims, which
was submitted within the deadline, with the document number Γ/ΕΙΣ/4518/26-05-2025
of the Authority.
8 In its memorandum, the Hellenic Police reiterates in essence what was
mentioned in its previous written responses to the Authority
describing the said system as an action using modern portable electronic devices of the “smart phone” type which, through a single
application/interface for searches in existing databases, license plate numbers and document data, achieve the quick and
secure search and identification of vehicles, persons and objects. The
objective
of the project is the use of these portable devices in the context of
police checks, which, among other things, verify
the identity of citizens subject to an on-site check, in order
to achieve the least possible inconvenience and to instill a sense of security
in citizens. The project includes one thousand (1000) Samsung S10e dualsim devices,
and five hundred (500) external fingerprint devices. The
above-mentioned smartphone devices have pre-installed applications
and software developed within the framework of the project. For the implementation of the
project, the No. 59/2019 mixed contract between the Hellenic
Police and the Economic Entity with the name INTRACOM S.A.
Telecommunication Solutions Company, which was signed on 5 June 2019
and provides for the supply of Smart Policing Systems
and the provision of network telecommunications interconnection services, among others
on the condition that the services provided are in accordance with the technical
specifications of the No. 8/2018 Declaration of the Hellenic
Police Headquarters and the technical offer of the Economic Entity dated 15/6/2018.
It is further stated that “According to the provisions of the said
contract, among other things, a condition is included for the project contractor to
fully comply with the design of the implemented project, with the existing
Information Security Policy and Information Systems of the Hellenic
Police. In addition, the “Security Documentation Report” was prepared which
includes identification of the Project’s assets, the threats and
the risk that they entail as a risk
assessment, as well as the method of risk management,
proposing appropriate measures and practices for all key
security areas, in order to ensure the confidentiality, integrity and
availability of the Project’s resources. In addition, the said report
identifies the expected maximum data retention periods. Although the said contract was concluded before the issuance of Law 4624/2019,
by Decision No. … of 15/11/2022 of the Chief of Staff/A.E.A.,
as amended by Decision No. … of 28/11/2022, a working group was established with the objective of conducting an impact assessment on data protection
(hereinafter, DPIA). The aforementioned working group
completed its work with the preparation of the DPIA on 30/01/2023.
Subsequently, the aforementioned DPD was submitted to the Data Protection Officer
of the Hellenic Police (hereinafter referred to as DPO) in order to formulate comments and
observations thereon. For the above DPD, the DPO issued document no.
… dated 23/12/2022 and the similar one dated 20/01/2023”.
The memorandum reiterates that the operation of the
smartphone type devices and the data, which are the subject of management and
used to access the project’s capabilities, are protected
by special software in accordance with the specifications of the subsystem for secure
interconnection and management of smart portable devices of the Technical Specifications Issue, parameterized in accordance with no. … from 4/11/2019
Project implementation study, that for the functions of the above devices, distinct user roles have been designed, which are activated after relevant
authorization, depending on the needs of the respective competent Service that
uses them (e.g. Traffic Police, Police Services, etc.), that the biometric
data (fingerprint and facial photograph) that are subject to
processing for the purposes of verifying the identity of the person being checked,
which is carried out using the portable device, are
compared
directly with the National Fingerprint Database and the corresponding
photographic archive of the Criminal Investigations Directorate (National
Criminal Service of the Country), respectively and are not stored in
an existing system database, but are discarded immediately upon completion
of the identification workflow and that the recording function
10 user actions (user actions logging), while regarding its general implementation
and use, it has been developed in accordance with the current “Information Security and Information Systems Policy” of the Hellenic
Police. It is noted that the Smart Policing project is an action,
in which new functions are constantly being included in the context of the digitalization of
administrative procedures, and that the Agency is taking actions
to review and update the project’s functions with continuous improvement
of technical and organizational measures, while subsequently the update
of the relevant project reports, including the EAPD, is imminent.
The Hellenic Police. sent along with the memorandum a copy of the conducted
DPIA, to which reference is made, as well as copies of a document from the Hellenic Police that
deals with issues related to the ongoing personal data impact assessment
regarding the “smart policing” system, as well as
a document from the Hellenic Police DPO that includes observations on the
above-mentioned DPIA.
The Authority, after examining the elements of the file and those that emerged from the hearing before it and the memorandum of the person in charge of the processing, with the supplementary documents thereof, after hearing the rapporteurs and the clarifications from the assistant rapporteurs, who attended without the right to vote, following a thorough discussion, HAS DECIDED IN ACCORDANCE WITH THE LAW 1. From the provisions of article 9 and article 13 par. 1 item. a’ and h’ of
Law 4624/2019 (Government Gazette A’ 137) it follows that the Authority has the duty and power to
monitor and enforce the implementation of the provisions of the GDPR, the
above-mentioned law and other regulations concerning the protection of
individuals from the processing of personal data, as well as to carry out
ex officio investigations and/or audits for the implementation of Law 4624/2019.
112. Article 43 of Chapter D of Law 4624/2019 provides that “1. The
provisions of this Chapter regulate the protection of natural
persons with regard to the processing of personal data by
competent authorities for the purposes of the prevention, investigation, detection or
prosecution of criminal offences or the execution of criminal penalties,
including the safeguarding against and
deterrence of threats to public security. 2. This Chapter shall apply to the processing of personal data by competent authorities for the purposes
set out in paragraph 1.
3. Article 44 of the same law states that: “For the purposes of this
Chapter, the following definitions shall apply: a) “personal data”: any information relating to an identified or identifiable natural person (“data subject”), an identifiable natural person being one whose
identity can be identified, directly or indirectly, in particular by reference to an
identifier such as a name, an identification number,
location data, an online identifier or to one or more
factors specific to the physical, physiological, genetic,
psychological, economic, cultural or social identity of that natural person;
b) “processing”: any operation which is performed on personal data or on sets of personal data, whether or not by automated means, such as the collection, registration, the
organization, structuring, storage, adaptation or alteration, retrieval,
searching of information, use, disclosure by transmission, dissemination or any other form of
making available, association or combination, restriction, erasure or
destruction
l) “biometric data”: personal data resulting from
specific technical processing linked to the physical, biological or behavioral
characteristics of a natural person, and which allow or confirm the
unequivocal identification of that natural person, such as
facial images or dactyloscopic data”.
124. Article 45 par. 1 of Law 4624/2019 provides for the principles of
processing and, among others, according to item a’ of par. 1 “Personal data shall: a) be processed fairly and lawfully; b) be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes; c) be adequate, relevant and not excessive in relation to the purposes for which they are processed”. Furthermore, in accordance with the principle of accountability expressly defined in the second paragraph of the same article “the controller shall be able to demonstrate compliance with his obligations under the previous paragraph 1 (“accountability”)”. This principle entails the obligation of the controller to be able to demonstrate compliance with the principles of art. 45 par. 1.
5. According to article 45A of the aforementioned law which concerns the lawfulness of processing: “1. The processing of personal data shall be lawful only if it is based on Union law and is necessary for the performance of a task carried out by the competent authorities for the purposes referred to in Article 43. 2. The specific arrangements referred to in paragraph 1, which include the legal basis for processing by the competent authorities for the purposes referred to in Article 43, shall specify at least the purposes of the processing, the personal data which are processed and the purposes of the processing, the procedures for preserving the integrity and confidentiality of the personal data, and the authority or authorities which are competent, by virtue of the tasks assigned to them by law, to carry out such processing. 6. According to Article 46 of Law 4624/2019, which concerns the processing of
special categories of personal data: “The processing of
personal data revealing racial or ethnic
origin, political opinions, religious or philosophical beliefs, or
trade union membership, as well as the processing of genetic
data, biometric data for the exclusive identification of a
natural person or data concerning health or sexual life or
sexual orientation, shall be permitted only when they are strictly necessary for
the achievement of the objectives of Article 43 and provided that: a) they are expressly provided for by
law or Union law and b) they are required to protect the vital
interests of the data subject or another natural person, or c) This
processing concerns data which have been expressly made public
by the data subject. 2. When the processing concerns the special categories of data referred to in paragraph 1, appropriate safeguards shall be applied to protect the data subject, such as: a) specific specifications and requirements for security and control of processing, b) specific and short time limits within which the necessity of further processing of the data in question shall be reviewed and documented, c) measures to raise the awareness of the persons involved in the processing of the data, d) restrictions on access to the data in question within the competent authority, e) storage and processing of the special categories of data in a manner that is distinct from the processing of other categories of data, f) pseudonymisation of personal data belonging to the special categories, provided that this does not impede the achievement of the purpose of the processing, g) encryption of the data, h) specific procedural arrangements which
ensure the lawful processing and the protection of the rights of
individuals in the event of transmission or processing of these data for
other purposes.”.
7. According to Article 65 of the same law concerning the assessment of the impact of the processing on the protection of personal data, “1. If a form of processing, in particular when new technologies are used, is likely to create a significant risk to the protected legitimate interests of the data subjects by reason of the nature, scope, circumstances and purposes of the processing, the controller shall first assess the consequences of carrying out the processing for the data subjects. 2. In order to investigate similar processing operations with similar potential for significant risk, a joint impact assessment on the protection of personal data may be carried out. 3. The impact assessment shall take into account the rights of the data subject affected by the processing and shall contain at least the following: (a) a systematic description of the envisaged operations and the purposes of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes pursued; (c) an assessment of the risks to the protected legitimate interests of the data subject; and (d) the measures to be taken to address the risks, including the safeguards, safeguards and procedures to ensure the protection of personal data and to the demonstration of compliance with legal requirements. 4. Where necessary, the controller shall verify whether the processing complies with the requirements resulting from the impact assessment.
8. Articles 6-8 of Law 4624/2019 provide for the definition, position and tasks of the DPO in public bodies. In particular, Article 7 provides that
“1. The public body shall ensure that the data protection officer is involved, in a timely manner, in all matters relating to the protection of personal data.” and Article 8 provides that: “1. In addition to his/her tasks
under the GDPR, the DPO shall have at least the following tasks:…c)
provide advice on the impact assessment on the protection of personal data and monitor its implementation in accordance with
Article 65.
9. Articles 27-29 of Presidential Decree 342/1977 define the following: “Article 27
Subjects to Forensic Marking
1. Every person shall be subject to forensic marking, namely: fingerprinting, anthropometry,
description and photography:
a) Lawfully arrested, detained, convicted,
imprisoned, or charged by the Authority by law, for
any criminal offense or misdemeanor, regardless of
the place of commission and the degree of participation in the committed or attempted
crime.
15 b) Convicted by a foreign criminal court, for an act
characterized also by Greek criminal laws as a felony or
misdemeanor, provided that the conviction was officially communicated to the Directorate through the
National Central Bureaus of the INTERPOL member countries or through
diplomatic channels.
c) Acquitted or released from a felony or misdemeanor charge, if the relevant decision imposed preventive, reformatory or therapeutic measures on him, as well as if the acquittal or release was due to actual repentance or a reason excluding the imputation, as well as any person in respect of whom an acquittal was issued, for the same reasons as above.
d) Deported by judicial or administrative decision.
e) Administratively deported, in accordance with applicable laws, even if no conviction was issued against him.
f) Pursued or wanted, by criminal search warrants,
and arrested.
g) Entering the country as a fugitive.
h) Having habitually led a disorderly life and being characterized by the Police
Authorities as a suspect of committing a crime.
i) Requesting in writing for his marking and provided that there are serious reasons for this.
j) Arrested or convicted for violations of articles 413, 415,
422, 423, 424, 446, 447, 448, 449, 450, 454 and 456 of the Criminal Code and of
article 98 of L.D. 3030/54 “on Rural Police”.
2. However, for the individuals subject to criminal marking in accordance with the above, an individual file, a fingerprint card in the decimal collection and a photograph in the relevant archives are kept by the Criminal Service that carried out the marking, the heads of this Division and the Public Prosecution Service.
16 3. Criminal marking of those accused of political and social crimes is permitted only with the order or permission of the competent Investigative or Prosecutorial Authority.
4. Individuals subject to criminal marking and those who refuse to do so are prosecuted and punished in accordance with the provisions of article 225, paragraph 2, of the Criminal Code.
Article 28 Subject to fingerprinting and photography only
The following shall be subjected to fingerprinting and photography only:
a) Persons whose identity is unknown and cannot otherwise be ascertained.
The order to this effect shall be issued by the person in charge of verifying the identity
of the Administrative Officer of the Gendarmerie or the City Police. The identification data thus obtained, after the appropriate action has been taken to verify the identity and to verify that they do not belong to marked
or wanted persons, shall be destroyed ex officio.
b) Any body subject to an autopsy or postmortem examination to verify its identity, or the use of the identification data by the Forensic Services and the destruction of any such data.
Article 29 Subject to Fingerprinting Only
1. The following shall be subject to fingerprinting only:
a) Those applying for the issuance of a certificate of good conduct.
b) Those who were duly present at the scene of a crime
(victims, etc.), whose fingerprinting is intended to compare their fingerprints with those found at the scene of the crime.
c) Those considered to be suspects of a criminal act.
2. The fingerprint cards obtained in accordance with the previous paragraph,
after their comparative examination:
17 a) Those of subsection a are returned to the Authority that accepted the request.
b) Those of subsections b and c are destroyed ex officio, after the appropriate comparative examination and comparison has been carried out.
10. In the case under examination, it is established from all the elements of the file and
what emerged from the hearing that the required legal basis for the processing entailed by
the use of the system in question does not
exist.
In this regard, it is noted that the aforementioned Article 45A of Law 4624/2019
was added with Article 38 of Law 5002/22 following the initiation by the European Commission of a referral procedure against Greece in April 2022 with the letter of formal notice dated
06.4.2022 1 for a breach of EU law
due to the non-incorporation of a series of articles of Directive (EU) 2016/680, including
Article 8. However, Article 45A, paragraph 1 of Law 4624/2019 provides the
general legislative basis for the establishment of specific regulations for the processing
of personal data for the purpose of ascertaining crimes in the context of criminal
procedures. Therefore, the provision of this article does not constitute a specific
national regulation in itself but the general provision for the establishment of a specific national regulation,
such as, for example, that provided for in the special case of Article 201 of the CCP for
the permitted processing of DNA or for electronic
surveillance in the context of house arrest as a restrictive condition under Article 284 of the CCP. The specific
1
INFR(2022)2021 C(2022) 1666 final
2For this purpose, see European Commission, Communication from the Commission to the European Parliament
and the Council, First report on application and functioning of the Data Protection Law Enforcement
Directive (EU) 2016/680 (‘LED’), COM(2022) 364 final, p. 9 footnote 39 and explanatory memorandum to Law
5002/22.
3
See ΑΠΔΠΧΠ Γνμδ 1/2020, Γνμδ 3/2020.
4For details on the cross-reference and the obligation to apply in parallel the conditions for carrying out individual investigative actions to those provided for in Chapter D of Law 4624/2019, see G. Tsolia, Processing of personal data in the context of criminal investigations: the analysis of genetic data (DNA) for the verification of crimes in the light of EU law (on the occasion of the ECJ C-205/21), Criminal Law 2024, 10 ff., especially 15 ff., 22 ff.
5Regarding no. prot. 369/23.01.2024 Opinion – “Observations on draft provisions of the Criminal Procedure Code and the Criminal Procedure Code” to the Ministry of Justice regarding the amendment of the provisions of art. 284 of the Criminal Procedure Code and in particular art. 288 of the Criminal Procedure Code on the electronic surveillance of undertrials and convicted persons in the context of imposing restrictive conditions, which was adopted.
18national regulation to be enacted in accordance with the provisions of par. 1 of article
45 of law 4624/2019, must include the elements provided for in par. 2 of the
same article.
Therefore, for the processing of personal data to achieve
the purposes of article 43 par. 1 of law 4624/2019, it is required, based on the principle of
lawfulness, which is enshrined in article 45A of law 4624/2019 in
the framework of Directive (EU) 2016/680, to be provided for in a formal law, which will 6
provide for substantive and procedural conditions and guarantees, such as,
among others, the exercise of the rights of the subjects, the purposes of
processing, the personal data subject to processing
and the retention and deletion period of the data, as also stated in
No. 4/2024 Opinion of the Authority regarding the installation of a
8 surveillance system of the Greek Police.
Furthermore, according to par. 1 of article 46 of law 4624/2019, for the
processing of special categories of personal data, including
biometric data, an explicit provision in
law is required. In this case, the Hellenic Police invokes the provisions of articles 27-29 of Presidential Decree
342/1977, which, however, refer to accused, arrested,
convicted persons as well as to persons other than these, whose identity
cannot be verified in any other way, provided, however, that
6 See Law 5002/2022 Procedure for lifting the confidentiality of communications, cybersecurity and protection of citizens’ personal data, article 13: “Procurement of software and monitoring devices by the State. A presidential decree, issued within three (3) months from the entry into force of this Law, upon a proposal by the Ministers of Citizen Protection, National Defense, Justice and Digital Governance, shall determine the conditions under which the conclusion of contracts by state structures for the procurement of software or monitoring devices of article 370F of the Criminal Code for the fulfillment of their purposes, as well as additional terms of their use.” 7Cf. Judgment C-548/21 ECJ, para. 123 “[…] Articles 13 and 54 of Directive 2016/680, interpreted in the light of Article 47 and Article 52(1) of the Charter, must be interpreted as precluding national legislation which allows the competent authorities to attempt to access data contained in a mobile telephone without informing the data subject, in the context of the applicable national procedures, of the grounds on which the authorisation granted by a judge or an independent administrative authority to access the data is based, once such information is no longer likely to jeopardise the tasks of the competent authorities under the directive”. See Opinion 4/2024 of the APA on the surveillance system for the prevention and suppression of criminal acts and traffic management for the needs of the G.A.D.A., sec. 12.
19 an order is issued by the person responsible for verifying the identity of an “Administrative Officer of the Gendarmerie or the City Police” and on the other hand they constitute
particularly old and outdated regulations, which obviously do not capture
the concept of biometric data and the taking of biometric photographs
in the light of the legislation on the protection of personal data and cannot, therefore, constitute the necessary legal basis for the
intended processing, which, therefore, violates the fundamental principle
of lawfulness, given that, based on the foregoing, the lawfulness of
this processing presupposes, as provided for in Articles 45 A and 46 of
Law 4624/2019, the establishment of a special national regulation, containing as a minimum
A
the elements of par. 2 of the said article 45 .
It is also noted that during the hearing before the Authority, the
representative of the Hellenic Police argued that the system, although put into pilot operation for a short period of time, is currently not used, but
this claim is not contained in the submitted memorandum, resulting in
doubt remaining about the potentially unlawful processing from any
productive operation of the system.
12. Regarding the performance of the required DPIA, the Hellenic Police after
providing a copy of it to the Authority, it claimed that it was carried out only in 2023
with the active participation of the DPO and not during the period of the procurement of the
contract, as the
law 4624/2019 on the protection of personal data, which incorporated
Directive (EU) 2016/680, had not been issued during the critical period of the procurement. However, given that l. 4624/2019, by which
Directive (EU) 2016/680 was incorporated, entered into force on 29-08-2019 (and
regardless of the fact that the deadline set for its transposition into the national
legal order had expired on 25-05-2018), the EL.AS. was obliged, in accordance with
Article 65 of the above law, to carry out a DPIA at least from
the above date of entry into force of this law, as it was informed
by the Authority and did so subsequently with delay. With these data,
a violation of the said article arises, however, in view of the fact that
the processing was limited to a pilot application without causing damage to
20 data subjects, the Authority considers that there is no case for imposing
the sanction of the administrative fine provided for in the
applicable to the present case
Article 82 of Law 4624/2019.
FOR THESE REASONS
The Authority addresses, in accordance with par. 4 item a’ article 15 of law 4624/2019
warning for the non-activation of the Smart Policing System given that under the existing legal framework, any productive operation of the system would constitute illegal processing of personal data and would violate the provisions of the aforementioned law.
The President The Secretary
Konstantinos Menuudakos Irini Papageorgopoulou
21
</pre>