We call on the Greek DPA to temporarily block the inclusion of the Personal Number on new ID cards until the necessary risk mitigation measures are implemented!
Since June, the Hellenic Police (EL.AS.) has been issuing ID cards that display the Personal Number (P.A.) for citizens who already have one. As of tomorrow, June 28, 2025, it will no longer issue an ID card to any citizen who is eligible for a P.A. but has not yet completed the required issuance process.
In its Opinion 1/2025, the Hellenic Data Protection Authority (HDPA) states that displaying the P.A. on ID cards poses risks and must therefore be accompanied by specific mitigation measures.
However, despite the fact that the Greek State proposed certain measures to the HDPA, which were approved as appropriate, it has failed to implement them, thereby exposing citizens to severe risks of identity theft.
For example, one of the proposed measures was the adoption of legal provisions prohibiting private entities from keeping photocopies of ID cards. This legislative step must be paired with coordinated and intensive public awareness campaigns to ensure that citizens know they should not allow copies of their physical ID to be retained.
At the end of its analysis, the HDPA concludes that, since the risks associated with including the P.A. on ID cards remain, once a sufficient period has passed during which mitigation measures are applied and public authorities are equipped with the necessary tools for digital reading of the P.A., the display will no longer be necessary and the obligation to display the P.A. on the ID card should be lifted.
For these reasons, on Friday, June 20, we submitted a formal request (Ref. No. Γ/ΕΙΣ/5621/20-06-2025), urging the HDPA to exercise its powers under Article 58(2)(f) of the GDPR, and impose a temporary restriction on processing, by prohibiting the display of the P.A. on ID cards until the essential mitigation measures are properly in place to address the significant risks arising from this practice.
Our request is available here (only in EL).
Our Joint Action with Reporters United & Vouliwatch: The Cameras at the Polytechnic Threaten Personal Data
On March 29, 2025, the National Technical University of Athens (NTUA) installed surveillance cameras at the Zografou Campus and the Patission Complex without informing the public about its data processing policy for students and staff.
On May 26, 2025, Vouliwatch, Reporters United, and Homo Digitalis jointly submitted a Freedom of Information (FOI) Request to determine whether NTUA complies with the law, the General Data Protection Regulation (GDPR), and other national regulations. A similar request was also submitted by 61 Architecture students.
NTUA may not be fully complying with Articles 12, 13, 35, and 36 of the GDPR, which ensure transparent information for data subjects, data protection impact assessments, and the obligation of prior consultation.
In our request, we explain that NTUA has not responded to student and staff inquiries about how their personal data is being processed, and we request access to the government’s confidential security plan for universities.
In our request to NTUA, we also seek to know who is being recorded by the cameras, where their data is stored, and whether this data is being shared with the Hellenic Police (ELAS).
NTUA has a deadline to respond to our request by June 15, and to the students’ request by June 19. We will continue to monitor the issue and will follow up with further reporting. Our organizations’ FOI request and information provision document is available here.
I HAVE RIGHTS and Homo Digitalis Publish Report on the Situation in the Samos Closed Controlled Access Centre (CCAC) One Year After the Fine Issued by the Hellenic Data Protection Authority for KENTAURUS and HYPERION Systems
The Hellenic Ministry of Migration (MoMA) continues to violate the data protection rights of asylum seekers in the Samos Closed Controlled Access Centre (CCAC), I Have Rights and Homo Digitalis said in a report released today.
The report, titled “They Never Tell Us Anything”: Ongoing Data Rights Violations in the Samos CCAC, analyses the implementation of a compliance order issued by the Hellenic Data Protection Authority (HDPA) in April 2024. In this historic ruling, the HDPA had found that MoMA’s use of surveillance technologies in reception facilities across Greece, including biometric access systems and surveillance infrastructure tools, violates EU data protection laws (GDPR).
Ten months after the passing of the implementation period in July 2024, the report finds that MoMA has failed to comply with the order. “The ongoing violations of data protection rights in the Samos CCAC are emblematic of a system where control and surveillance are prioritised over the rights of those seeking protection” said Réka Rebeka Rósa, Legal and Team Coordinator at I Have Rights. “The European Union should press Greek authorities to address prevailing rights violations. Otherwise, these violations risk becoming a blueprint for further (digital) rights abuse of people on the move across Europe.”
The Samos CCAC opened in September 2021 as the first of the now existing five facilities in Greece, following an agreement between the European Commission and the Greek Government in 2020. Since its opening, NGOs, international human rights experts and people held in the facility have consistently raised concerns about the facility’s securitised infrastructure, de facto detention practices, and inadequate living conditions.
These concerns are exacerbated by the overall lack of transparency in the Greek asylum procedure and opaque surveillance system in the Samos CCAC.
As one client explained about the lack of transparency in biometric data collection: “No, no one explains it. They only take fingerprints and take us from one place to another, and we do it without knowing why. There is no person to explain what is happening.”
Greece has legal and moral obligations to uphold fundamental rights and data protection rights of asylum seekers, as enshrined in the European Charter of Fundamental Rights and GDPR. The European Union, in particular the European Commission – given its central role in conceptualising, financing, operating, and monitoring the CCACs in Greece – bears responsibility to ensure that these standards are fully respected. “The continued lack of GDPR compliance, in terms of transparency and accountability in the deployment of the Centaur and Hyperion surveillance systems, at the Samos CCAC reflects a disturbing erosion of the fundamental rights. By failing to meet even the basic requirements of data protection in practice, MoMA is reinforcing a dangerous trend of surveillance-driven border management that dehumanizes people on the move” said Eleftherios Chelioudakis, Executive Director at Homo Digitalis.
We co-sign a CSO Open Letter on the proposed GDPR Procedural Regulation
As the trilateral negotiations at the EU level continue regarding the proposed regulation on additional procedural rules for the enforcement of the GDPR, we, together with European Digital Rights and 34 other Civil Society organizations, join our voices in an open letter to lawmakers!
We urge them to prioritize strong enforcement mechanisms that ensure individuals can effectively exercise their rights while highlighting the systemic weaknesses in the enforcement of GDPR provisions.
Read the open letter here.
Interview of Our President at Women in Digital
Elpida Vamvaká, President of Homo Digitalis and General Legal Counsel at Papaki, spoke to Women in Digital about the need to protect digital rights in Greece, the importance of technology that places people at the center, and the ways in which artificial intelligence can operate responsibly and ethically.
With a focus on the challenges of cybersecurity, the importance of education, and the promotion of gender equality in the tech field, Elpida highlights her vision for a fair, sustainable, and inclusive digital society in her interview. You can read her interview here.
Women In Digital is the editorial and conference initiative of Smarpress. The foundation was laid with the first Women In Digital conference on 8/3/21, where 40 prominent “strong women” from Technology, IT, Startups, and Digital Marketing took the stage. Readers can follow the content through the monthly newsletter or the dedicated website. WID draws its topics from the work of women, both Greek and international, who are active in the STEM sector or apply their digital skills in more traditional fields.
The Hellenic Data Protection Authority Investigates DeepSeek
In a letter addressed to Homo Digitalis on February 5, following our January 30, 2025 request, the Audit and Security Department and the rapporteur auditor, Ms. F. Karvela, informed us that the Authority “has already initiated an ex officio investigation into the companies Hangzhou DeepSeek Artificial Intelligence Co., Ltd. and Beijing DeepSeek Artificial Intelligence Co., Ltd., in accordance with the provisions of Articles 57(1)(a), 58(1)(b) of the GDPR and Articles 13(1)(h) and 15(1) of Law 4624/2019.”
We eagerly await further information regarding the HDPA’s ex officio investigation, the progress of the procedure, and any developments in this case in the near future.
Request of Homo Digitalis before the Hellenic Personal Data Protection Authority (HDPA) to Investigate Deepseek: Our Statements in the Newspaper "Kathimerini"
On Thursday, November 30th, Homo Digitalis submitted a request (reference number 865/30-01-2025) to the Hellenic Personal Data Protection Authority (HDPA), asking for the exercise of its investigative powers regarding the use of the Deepseek platform by data subjects within the Greek territory, in accordance with Article 58 of the General Data Protection Regulation (GDPR). The request is available here (ΕL).
In recent days, the Deepseek platform has become particularly popular among users within the Greek territory due to related media publications. Supervisory authorities from other EU member states, such as the Italian and Irish supervisory authorities, have already made significant interventions to limit the use of the platform. This is because, based on the data processing practices taking place and the way they are described in its Privacy Policy, serious challenges to the protection of users’ personal data are apparent.
In the request we submitted, we are asking the HDPA, in accordance with Article 58(1)(a) and Article 58(2)(f) of the GDPR, to instruct the data controllers, namely Hangzhou DeepSeek Artificial Intelligence Co., Ltd. and Beijing DeepSeek Artificial Intelligence Co., Ltd., to provide all the information necessary to perform its duties in order to clarify the challenges to the rights of the data subjects we highlight in our submission. Furthermore, we request the HDPA to immediately impose restrictions on the processing of personal data of users within the Greek territory by the Deepseek platform, temporarily prohibiting its availability and use in the Greek market.
Today, Sunday, February 2nd, our statements are also featured in an article by journalist Giannis Papadopoulos in the Sunday edition of the newspaper “Kathimerini,” which provides a detailed description of the related developments, including statements from Professors Thodoris Christakis, Dimitris Papaheliopoulos, Vasilis Vlahos, and security researcher Dimitris Siatiras. We sincerely thank the journalist for his interest in our actions! For Homo Digitalis, comments were provided by Eleftherios Chelioudakis. You can read this press coverage online here.
Homo Digitalis spoke at the Tech & Society Summit in Brussels
Last Tuesday 1/10, Homo Digitalis was in Brussels, participating in the Tech and Society Summit, co-organised with European Digital Rights and more than 40 other organisations!
This event aimed to bring civil society’s voices to the forefront of EU’s digital policy debates. Together we are building this space to create a bridge between digital rights organisations and new policymakers to achieve accountable, people-focused policies that advance everyone’s digital rights.
Eleftherios Chelioudakis represented us at the Summit, speaking at the session “Visionary Round-table: Building an EU Digital Enforcement Strategy” organised by BEUC – The European Consumer Organisation and moderated by European Digital Rights’ Itxaso Domínguez de Olazábal! It was a unique opportunity for us to share our enforcement actions aiming at facilitating redress of harmed individuals in Greece!
Also, we actively participated in the Round-table Fundamental Rights in focus: Joint efforts for Spyware Regulation in the EU, organised by Centre for Democracy & Technology Europe and Amnesty International, sharing insights from the latest developments of the PREDATOR scandal in Greece and the related legislative initiatives of the Greek State.
We would like to sincerely thank the organizers for inviting Homo Digitalis to participate and share our views and actions on these important topics!
We prepared an explanatory video on the Greek DPA's Decision on the new ID cards
On Monday 23/9 the Hellenic Data Protection Authority (DPA) issued Decision 32/2024, which relates to the new identity cards for Greek citizens.
The Authority found deficiencies regarding the provision of general information to data subjects, and further found that the required data protection impact assessment was carried out late and was deficient. For these reasons, it imposed an administrative fine of EUR 150,000 on the Ministry of Citizen Protection, as controller, for the above infringements, while at the same time it issued a compliance order requiring the Ministry to comply within six months. Finally, the Authority pointed out the obligation to update and codify the legal framework regarding the details of the new type of identity cards for Greek citizens.
The Decision 32/2024 of the Hellenic Data Protection Authority is available here.
The Homo Digitalis team has prepared a short explanatory video in plain language to highlight some important points of this Decision.
The video is available here.