The HDPA initiated an ex officio investigation into the issuance of the new Greek identity cards, following a citizen’s complaint regarding the legality of the process and the wider public debate surrounding this government project.

The investigation revealed that the Hellenic Police had failed to properly conduct a Data Protection Impact Assessment (DPIA). Such an assessment is obligatory where special categories of data, in this instance biometric data, are processed on a large scale (Art. 35 par. 3 point b’ GDPR).

More generally, a DPIA is obligatory whenever a processing activity is likely to result in a high risk to the rights and freedoms of natural persons (Art. 35 par. 1 GDPR). In line with the principle of data protection by design and by default (Art. 25 GDPR), where a DPIA is required it must be carried out before the processing begins, as early as possible in the design phase of the operation, even if some of the processing operations are still undefined at that stage.

In the case of the new Greek ID cards, however, the Hellenic Police conducted no DPIA during the design phase or before the processing of personal data began. The DPIA was instead carried out in the midst of the identity card issuance process, after the processing had already started, and only following an order issued by the HDPA in the course of the above-mentioned ex officio investigation.

As a result, the HDPA imposed an administrative fine of €100,000 on the Greek Ministry of Citizen Protection, as the data controller, for infringing the provisions on the performance of a DPIA (HDPA Decision 32/2024).

The GDPR does not precisely define the terms on which the obligation to conduct a DPIA depends, such as “high risk” and “large-scale processing”, which leaves room for legal ambiguity.

According to the EDPB’s guidelines, a “risk” is a scenario describing an event and its consequences, estimated in terms of both severity and likelihood. The risk in question primarily concerns data protection and privacy, but it may also extend to other fundamental rights, such as freedom of expression, freedom of movement and freedom of thought.

Although no clear criteria are laid down for determining when processing qualifies as “large-scale”, the WP29 has suggested some indicators: the number of data subjects concerned, the volume and variety of the data being processed, the duration or permanence of the processing, and its geographical extent. No quantitative thresholds have been set, however, and the EDPB has refrained from providing numeric guidance on what constitutes “large-scale processing”.

Because of this indeterminacy, national supervisory authorities, including the HDPA, have drawn up and published lists of the kinds of processing operations that require a DPIA (Art. 35 par. 4 GDPR). For Greece, the HDPA’s Decision 65/2018 identifies, among others, the large-scale processing of national identification numbers as an operation requiring an impact assessment.

Given the ambiguity and the absence of clear statutory definitions, controllers should take a precautionary approach and put appropriate technical and organisational measures in place.

Accordingly, the EDPB’s guidelines recommend that, where it is unclear whether a DPIA is required, one should be carried out nonetheless, in order to ensure compliance and to protect the rights of the individuals concerned.

Edited by Michales Kamposos