The participation of Homo Digitalis in a meeting of the National Commission for Human Rights was successfully completed
On Friday, January 23, we attended in person at the offices of the National Commission for Human Rights for a hearing of individuals and organizations on Artificial Intelligence and Human Rights. There, together with other civil society organizations, public authorities, Independent Authorities, AI research centers and members of the academic community, we presented our views regarding the Digital Omnibus on AI package of measures.
The organization was represented by Lefteris Chelioudakis.
We sincerely thank the organizers for the inclusion and for the opportunity to express the positions of Homo Digitalis.
The participation of Homo Digitalis in an event on the DNA and CAIDA was successfully completed
On January 19, we were invited by Amazon Web Services (AWS) to attend an event focused on legislative initiatives concerning digital policy issues, such as the Digital Networks Act (DNA) and the Cloud and AI Development Act (CAIDA), alongside representatives from institutional bodies and law firms.
During the event, we had the opportunity to express our strong concerns regarding the then-upcoming proposed provisions of the DNA and to put forward the positions of our network. You can read a related commentary on the proposed provisions by epicenter.works here.
The organization was represented by Lefteris Chelioudakis and Konstantinos Kakavoulis. We would like to sincerely thank the organizers for the inclusion and for the opportunity to present our views.
Our educational activities in Messinia were successfully completed, in collaboration with the Captain Vassilis & Carmen Constantakopoulos Foundation
In 2025, as part of our educational initiatives in Messinia, we partnered with the Captain Vassilis & Carmen Constantakopoulos Foundation to deliver the educational presentations “Digital Footprint” and “Cyberbullying” in schools across the region.
Through 36 educational presentations in 30 school units, 1,620 students took part in activities highlighting the importance of digital literacy, prevention and responsible online behavior in the digital environment. During the period March–May 2025, presentations were delivered in 11 schools and during November–December 2025, in 19 schools.
This collaboration underscores the importance of partnerships between educational institutions and charitable foundations, with the shared goal of strengthening knowledge and ensuring the safety of children and young people.
Risk Management in the Digital World - A Chore or A Necessity?
Written by Ioannis Ntokos*
“Nothing in life is certain but death and taxes,” Benjamin Franklin (or someone before him) once said. But the phrase could well include another component, risk. “Death, taxes, and risk.” In the digital world, risks are a constant that we must take into account, whether as citizens, product or service providers, or as experts in the field of risk management. Let’s see how proper risk management can provide certainty and security in the digital space.
What does risk mean, and why does it deserve attention?
The digital world changes rapidly, every day. The concept of risk, however, is relatively static: every system, every program, every person using technology creates an “opening,” a vulnerability. These openings are not dangerous in themselves, but they are vulnerable to threats that can exploit them. Consider, for example, a flaw in a computer system at a nuclear power plant, a flawed process for accessing sensitive data, a bad setup of a network switch. The alarm bells are ringing.
The risk is there before you do anything, it is “inherent.” It is there by default, without any protective measures being taken. When you ride a bike, the very act of riding is a risk. In the digital world, the inherent risk arises from things like human carelessness, the complexity of systems, or the value of data shared with others. Risk itself is a certainty, a constant of life. That does not mean we ignore it.
So far, so good. The fact that I cross the threshold of my door every morning is a dangerous situation, theoretically. What is the point of action if the risk is there anyway? The next stage is to identify which risks require attention and action. This requires cold observation and logical thinking. Some risks are more significant than others, so they must go through the risk management "filter".
Calculating Risk
In its simplest form, risk (numerical or not) is simply a function of probability and impact. A given risk has (negative) consequences (impact) with some frequency (probability). Being able to quantify the variables of probability and impact in a quantitative way (using precise and detailed numbers, usually monetary for impact and annual occurrence units for probability) or qualitative way (using more arbitrary calculations, usually using a scale from 1 to 5) brings us closer to calculating risk.
In the example of cycling, a risk is my sudden encounter with a brown bear (and the unpleasant consequences that might follow). The likelihood of this happening varies depending on the situation - if I am riding my bike in an area of Korydallos, the chances of encountering a bear are close to zero. If I have gone cycling in the Pindos mountains, the situation changes dramatically. The impact of the encounter with the bear also changes. If I carry bear spray or have watched many videos on how to deal with a brown bear (the author of this article has watched quite a few such videos), I may escape with bruises and scratches (or a broken bicycle). If I lack knowledge and tools, things become more difficult.
Here the importance of protective measures and the transition from inherent to residual risk also becomes apparent. Through the protective measures at my disposal (spray), I can lower the impact of the encounter from certain death to admission to the hospital for stitches. Residual risk is the risk that remains after we take protective measures against it! Protective measures are an integral part of risk management.
Risk Management Methods
There are four appropriate ways to deal with a risk, once it has been perceived (and quantified or quantified). These options are: acceptance, transfer, reduction or elimination.
Acceptance means that you understand the risk and hold on to it, not passively or ignorantly, but rationally. Some risks are so small that it costs more to deal with them than to accept them. If I ride my bike downtown, I accept the infinitesimal chance (0.00001%) that a bear will attack me, and I enjoy my ride.
Transfer is the assignment of risk to someone else (usually through insurance). The risk does not disappear, it simply changes hands. The responsibility remains with the person subject to the risk, but there is coverage in case of damage due to the risk. In the bear scenario, I hope my insurance covers such attacks, or at least my family receives a lump sum (through my life insurance) in case the spray doesn’t help.
Speaking of spray, this is a risk reduction method! Reduction means that you limit the likelihood or impact, and it is the most common method of dealing with risks. This includes any form of preventive protection. Every protective measure I take aims to reduce the risk. If I’m out cycling in the Pindus Mountains with 10 other friends, the chances of the bear attacking me instead of one of them are drastically reduced!
Elimination is the most absolute option, as you move away from the risk and its source. Elimination is the final cleanup: the recognition that something is beyond “patching.” Are there many hungry bears on the mountain I’m planning to visit? I choose the sea instead of the mountain and I have peace of mind!
While the above ways of dealing with risk are all tried and tested, there is one reaction that is not legitimate - risk ignorance. Knowing the risk and consciously choosing to ignore it will inevitably lead to negative results!
Dealing with risk in the digital world
Risks similar to a random bear encounter exist in the digital and online space, only instead of hungry four-legged friends, we encounter hackers, abused platforms, the use of artificial intelligence that violates human rights and defective hardware. And with the same logic as our trip to the forest, these risks require special treatment, taking into account the following basic principles:
- Risk management is not a single event, but a cycle. You identify, assess, act, and regularly review. The digital world is constantly changing, which means that the risk landscape is also changing. What was secure in the morning may be vulnerable by evening. Technology waits for no one - and the associated risks must be constantly recorded and addressed.
- A holistic approach to risk is crucial. One gap is enough to cause radical damage to citizens, users, and businesses. Partial protection creates a false sense of security. In the digital space, the weak point is often not the most obvious. It can be the forgotten file, the inadequate password, the external partner using a fragile application. Therefore, a holistic view is required.
- It is also necessary to understand that risk is not only technical, but also organizational, human, or procedural. In practice, most damage results from mistakes, omissions, or misunderstandings. Technology simply exacerbates the consequences. Therefore, it is necessary to address it from many different angles.
- Awareness and education on information and data protection issues are key to reducing risks. No matter how organized you are, there will always be someone who will write their passwords in plain sight, open the wrong file, or accidentally press “delete.” The human element cannot be eliminated.
- Prevention is always cheaper than recovery. For the average user, risk management may seem like a chore, but the reality is that the world of technology has grown so much that ignorance of risk is costly. Just as no one waits to install an alarm system after a break-in, risk management works best before bad things happen.
The essence of risk management is targeted clarity: although absolute security is not possible, we strive for stability while trying to avoid major mistakes. When you understand this, risk management ceases to be a burden. It becomes an organized and coordinated effort, and then a habit. A kind of mental exercise where you ask: “What could go wrong? How much do I care? What do I do about it?” Not as an exercise in fear, but as an exercise in pure reasoning and protection. Risk will always be there. Managing it is a conscious choice, and awareness is a tool.
*Ioannis Ntokos is an IT risk management, information security and third party risk management specialist, with expertise in data protection. He specializes in ISO27001, NIST, NIS2 and the General Data Protection Regulation (GDPR). In his spare time, he offers career advice on IT governance, risk and compliance through his YouTube channel
The speech of Homo Digitalis was successfully completed at the Annual Conference of Transparency International Greece and EELLAK.
The participation of Homo Digitalis in the Annual Conference, organized by Transparency International Greece and EELLAK on January 21, was successfully completed. The conference was titled “Open Data and Artificial Intelligence: New Opportunities & Challenges in Transparency, Public Procurement and Budgets.”
Our organization was dynamically represented by our member, Tania Skrapaliοri, who took part in the 3rd panel of the conference entitled “Transparency in Practice: Proposals and Innovation Transforming Governance.”
We would like to warmly thank the organizers for this excellent event and for the opportunity for Homo Digitalis to participate.
Another important victory! The Hellenic Data Protection Authority rules the operation of the Hellenic Police’s Smart Policing system unlawful
In 2019, the Hellenic Police signed a contract with Intracom Telecom for the implementation of the Smart Policing programme, with a total value of €4 million. The project concerned the procurement of 1,000 “smart” portable devices, intended to enable facial recognition, fingerprint recognition, as well as the scanning of documents and vehicle licence plates.
Homo Digitalis was the first organisation to publicly bring this case to light, through a joint investigative publication with AlgorithmWatch in December 2019. In the same month, we submitted an access-to-documents request to the Ministry of Citizen Protection in order to clarify critical issues of legality and data protection. The response we received failed to provide substantive answers to our questions.
As a result, in March 2020 we filed a complaint with the Hellenic Data Protection Authority (HDPA), requesting that the case be investigated. The Authority accepted our complaint and launched an official investigation in August 2020. In the meantime, the Greek State paid the full amount of €4 million (75% of which was financed through EU funds), while the company duly delivered the devices to the Hellenic Police.
Ultimately, on 31 December 2025, the HDPA issued Decision 45/2025, warning the Hellenic Police not to activate the Smart Policing system, since, under the applicable legal framework, any productive operation of the system would constitute unlawful processing of personal data. The Authority found that there was no legal basis for the intended processing through the system and that the required data protection impact assessment had not been carried out in a timely manner during the pilot phase of the project.
This development gives rise to a strong sense of vindication, as it confirms—six years later—that the serious concerns we raised from the very beginning were fully justified. At the same time, it starkly highlights the waste of public resources on the development and procurement of technologies that could never lawfully operate. Four million euros of taxpayers’ money were spent on a system that, under the existing legal framework, was deemed unlawful before it was ever put into productive use.
This case demonstrates the urgent need for meaningful legality checks, transparency, and accountability before adopting high-risk technological solutions, especially when they affect fundamental rights and are financed with public funds.
You can read Decision 45/2025 of the HDPA here (EL).
Our GAIN event with the supervisory authorities of Article 77 of the AI Act was successfully concluded
Yesterday’s event, which we co-organized with the civil society network Greek AI Network – GAIN at the offices of network member WHEN Hub, was successfully completed.
The event opened with a welcoming address by our Co-founder and Treasurer of the Board, Konstantinos Kakavoulis. This was followed by educational presentations from representatives of two fundamental rights authorities under Article 77 of the AI Act, namely Dr. Efrosyni Siougle from the Hellenic Data Protection Authority and Dr. Christos Tsevas from the Greek National Commission for Human Rights.
Finally, during the Members in the Spotlight Session, our member and DPO Executive / GDPR Expert, Dimos Kostoulas, delivered an educational presentation on the processing of personal data in the healthcare sector and the use of Artificial Intelligence systems in this field.
We warmly thank the speakers, the members of the GAIN network, and the members of Homo Digitalis who joined us both online and in person, as well as the other organizations that honored us with their presence.
The event was held within the framework of the GAIN program, with the support of the European AI & Society Fund.
Only a few spots left for GAIN’s new event! Meet the supervisory authorities of Article 77 of the AI Act
Are you a Civil Society Organization (CSO) interested in the protection of human rights in the age of artificial intelligence?
Only a few free in-person participation spots remain for the event we are co-organizing tomorrow with the CSO network Greek AI Network – GAIN at WHEN Hub!
At the event, representatives from two fundamental rights authorities under Article 77 of the AI Act—namely Efrosini Siougle from the Hellenic Data Protection Authority and Christos Tsevas from the Greek National Commission for Human Rights—will deliver two informative presentations on Artificial Intelligence and will be available to answer questions about the mission and role of their respective bodies.
In addition, during the Members in the Spotlight Session, we will have the honor of hosting our member and DPO Executive / GDPR Expert, Dimos Kostoulas, who will give an educational presentation on the processing of personal data in the healthcare sector and the use of AI systems in this field.
The registration link for the limited number of free participation spots for civil society organizations can be found here.
The event is held within the framework of the GAIN program, with the support of the European AI & Society Fund.
We presented our Study on the Digital Omnibus package at the Privacy & Data Protection Conference
Last Friday, Homo Digitalis was invited to the Privacy & Data Protection Conference, organized by BOUSSIAS.
There, our Executive Director, Eleftherios Chelioudakis, presented our Study on the Digital Omnibus reform packages, highlighting the challenges that the proposed changes pose to our rights in the contemporary digital era.
You can read our Study here.
We would like to warmly thank the conference organizers, and especially Alexandra Varla, for the very honorable invitation. Congratulations as well to all the speakers for their insightful contributions.
.