The Data Protection Authority received a large number of complaints regarding unsolicited political communication via e-mail sent on 1/3/2024, entitled “100 days before the European elections”, by MEP Anna Michelle Asimakopoulou. Following this, the Authority investigated the case on its own initiative, exercising its investigative powers directly and controlling the actors involved.
Following a series of on-site inspections and taking evidence and data as part of the audit, it was found that a file containing personal data of all registered overseas voters for the June 2023 elections, for which the Ministry of Interior is the controller, and for which the applicable legislation does not provide for any case of transmission to recipients outside the Ministry, was moved outside the Ministry. That file contained, in addition to the known details of the electoral rolls, the e-mail addresses and contact telephone numbers of voters abroad, data which are excluded from the provision of copies of electoral rolls to the beneficiaries.
This file was created on 8 June 2023 for internal use at the Ministry of Interior in connection with a purpose related to the electoral process. It is concluded that the leak of this file occurred between 8 and 23 June 2023, as it was proven that on 23 June 2023 the file was forwarded to the then Secretary of Expatriates of the New Democracy, Nikos Theodoropoulos, by a sender whose identity and status has not been determined to date, in order, according to his claims, to use it for the analysis of the election results.
On 20 January 2024, the file in question was sent to Ms Asimakopoulou by Mr Theodoropoulos. Ms Asimakopoulou then processed the file from the Ministry of Interior in order to send an e-mail to all the voters contained therein. Ms Asimakopoulou’s e-mail did not contain the information required by Article 14 of the GDPR to inform its recipients, in particular as to the source of their personal data.
As far as the Ministry of Interior is concerned, the leak of a file intended exclusively for internal use constitutes an incident of breach of confidentiality of personal data and therefore a breach of personal data. The audit carried out by the Authority at the Ministry of Interior identified deficiencies in the procedures and data protection policies in place, shortcomings in the investigation of the incident as well as unsubstantiated communications of the circumstances of the incident. Finally, deficiencies and inaccuracies were found in the content of the relevant activity records kept.
With regard to Ms Asimakopoulou, the Authority found that the collection of personal data of absentee voters, including electronic contact details and their use for sending a political communication message was in breach of the basic principle of lawfulness, objectivity and transparency of processing, as it was carried out in violation of a number of provisions of the electoral legislation and furthermore could not have been reasonably expected for the data subjects (voters abroad).
The Authority imposed an administrative fine totalling EUR 400,000 on the Ministry of Interior, as controller, for breaches of Articles 5, 25, 30, 32 and 33 of the GDPR and instructed it to take action to bring its measures and procedures into compliance with the GDPR within a specified timeframe.
The Authority notes that the infringements found do not relate to the voting procedure.
The Authority imposed on Anna Michelle Asimakopoulou, as controller, an administrative fine totalling EUR 40,000 for infringements of Articles 5, 6 and 14 of the GDPR and ordered the deletion of the data in question.
As regards New Democracy and Mr Theodoropoulos, the Authority postponed the adoption of the decision, given that the latter, after the hearing and the submission of pleadings, submitted an affidavit as to how the electoral rolls were received by him, as a newer critical element, the content of which shows the need to further investigate the allegations made therein.
The judgment is available here.