Hellenic Data Protection Authority: Imposition of a 150.000 € fine on the Ministry of Citizen Protection for the new Identity Cards.
With its Decision No. 32/2024, the Authority examined issues arising from the introduction of the new type of identity cards for Greek citizens, which include biometric data.
In particular, the Authority found shortcomings in the provision of general information to data subjects, and it further concluded that the required data protection impact assessment was carried out belatedly and had deficiencies.
More specifically, a data subject complained that the Ministry of Citizen Protection had not acted on their request, which concerned the provision of information and the overall legality of the processing of their data for the issuance of the new identity card. Following that complaint, the Authority addressed inquiries to the Hellenic Police regarding: the type of processing that the personal data held in the electronic storage medium of the new ID card may undergo; the entities authorized to carry out the processing; how, by which means and with what aim it is carried out; the way the rights of the data subjects are fulfilled (especially the right of access to the data held on the electronic identity storage medium); and how to separate national data from biometric data.
In this context, the legal term "biometric data" is defined under Article 4 par. 14 of the GDPR as the "personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data", whereas biometric methods are the techniques used to authenticate a person's identity through the analysis of their stable characteristics. Biometric methods can be classified into two categories: i. techniques based on the analysis of physical or genetic characteristics (such as fingerprints, palm geometry, pupil analysis, facial features, DNA) and ii. techniques based on behavioral analysis (such as signature, voice, typing style).
According to the Decision, the Ministry of Citizen Protection violated the transparency obligations of Articles 13 and 14 of the GDPR, both because no information was provided for a long period of time and because the information text for citizens, which was belatedly posted on the Ministry's website, contained incorrect information. In particular, the text stated an incorrect legal basis for the processing of biometric data: it refers to "evident active consent", which cannot constitute a valid legal basis for this processing, given that the obligation to issue an identity card derives from a provision of mandatory law imposed in the exercise of public authority (Article 6(1)(c)(e) of the GDPR). Furthermore, the Ministry of Citizen Protection did not justify compliance with the principle of data minimization for specific data contained in the electronic storage medium (such as the father's surname, the mother's surname, the municipality of registration, the population register number and the place where the identity card was issued), in violation of its obligations under Article 24 of the GDPR. It also violated Article 35 para. 1 of the GDPR, because it did not carry out the required impact assessment before the processing began, but only after communication from the Authority, and the impact assessment does not appear to have detected all risks, as the violations described above show.
For these infringements, the Authority imposed a total fine of EUR 150,000 on the Ministry of Citizen Protection, as the Data Controller, and also called on the Ministry to comply within a period of six months.
Finally, although the Authority pointed out that the validity of the identification cards is not in doubt, it nevertheless stressed the need to update and codify the legal framework regarding the details of the new type of identification cards for Greek citizens.