We call the Greek DPA to temporarily block the inclusion of the Personal Number on new ID cards until the necessary risk mitigation measures are implemented!
Since June, the Hellenic Police (EL.AS.) has been issuing ID cards that display the Personal Number (P.A). for citizens who already have one. As of tomorrow, June 28, 2025, it will no longer issue an ID card to any citizen who is eligible for a P.A. but has not yet completed the required issuance process.
In its Opinion 1/2025, the Hellenic Data Protection Authority (HDPA) states that displaying the P.A. on ID cards poses risks and must therefore be accompanied by specific mitigation measures.
However, despite the fact that the Greek State proposed certain measures to the HDPA, which were approved as appropriate, it has failed to implement them, thereby exposing citizens to severe risks of identity theft.
For example, one of the proposed measures was the adoption of legal provisions prohibiting private entities from keeping photocopies of ID cards. This legislative step must be paired with coordinated and intensive public awareness campaigns to ensure that citizens know they should not allow copies of their physical ID to be retained.
At the end of its analysis, the HDPA concludes that, since the risks associated with including the P.A. on ID cards remain, once a sufficient period has passed during which mitigation measures are applied and public authorities are equipped with the necessary tools for digital reading of the P.A., the display will no longer be necessary and the obligation to display the P.A. on the ID card should be lifted.
For these reasons, on Friday, June 20, we submitted a formal request (Ref. No. Γ/ΕΙΣ/5621/20-06-2025), urging the HDPA to exercise its powers under Article 58(2)(f) of the GDPR, and impose a temporary restriction on processing, by prohibiting the display of the P.A. on ID cards until the essential mitigation measures are properly in place to address the significant risks arising from this practice.
Our request is available here (only in EL).
Our Joint Action with Reporters United & Vouliwatch: The Cameras at the Polytechnic Threaten Personal Data
On March 29, 2025, the National Technical University of Athens (NTUA) installed surveillance cameras at the Zografou Campus and the Patission Complex without informing the public about its data processing policy for students and staff.
On May 26, 2025, Vouliwatch, Reporters United, and Homo Digitalis jointly submitted a Freedom of Information (FOI) Request to determine whether NTUA complies with the law, the General Data Protection Regulation (GDPR), and other national regulations. A similar request was also submitted by 61 Architecture students.
NTUA may not be fully complying with Articles 12, 13, 35, and 36 of the GDPR, which ensure transparent information for data subjects, data protection impact assessments, and the obligation of prior consultation.
In our request, we explain that NTUA has not responded to student and staff inquiries about how their personal data is being processed, and we request access to the government’s confidential security plan for universities.
In our request to NTUA, we also seek to know who is being recorded by the cameras, where their data is stored, and whether this data is being shared with the Hellenic Police (ELAS).
NTUA has a deadline to respond to our request by June 15, and to the students’ request by June 19. We will continue to monitor the issue and will follow up with further reporting. Our organizations’ FOI request and information provision document is available here.
Developments Regarding the Programmatic Agreement Between the Ministry of Health and Private Entities Concerning the Provision of Newborns’ Genetic Material
There are new developments concerning the significant revelations published by Reporters United in early April, regarding the programmatic agreement between the Ministry of Health and private entities, which involves the provision of newborns’ genetic material for testing purposes and the potential creation of a biobank—as well as the complaint submitted by Homo Digitalis to the Hellenic Data Protection Authority (HDPA) on the matter.
On Friday, May 9, the HDPA issued a press release, stating that it has taken up the case and is awaiting the Ministry of Health’s response to a relevant official document it has sent.
On the same day, the Advisory and Compliance Tools Department of the HDPA, following up on our communication on April 25, informed Homo Digitalis that the case is currently under preliminary investigation, based on Article 57(1)(a) and (h) of the GDPR.
According to these provisions, the HDPA monitors and enforces the application of the GDPR in Greece and may conduct investigations, including those based on information received from other supervisory or public authorities.
To further raise awareness about the challenges arising from the processing of genetic data, our member Anastasios Arampatzis has prepared an article on the 23andMe case in the U.S., describing the events surrounding a major data breach affecting approximately 6.9 million users.
We Submitted a Request to the Hellenic Data Protection Authority (HDPA) to Investigate the Programmatic Agreement Between the Ministry of Health and the Company Real Genix and the NGO Beginnings - Newborn Sequencing Initiative
On Friday, April 11, the newspaper Efimerida ton Syntakton and the network Reporters United revealed the programmatic agreement between the Ministry of Health and the company Real Genix along with the NGO Beginnings – Newborn Sequencing Initiative.
The agreement concerns the privatization of neonatal screening and involves the processing of special categories of personal data, specifically genetic data.
Based on the content of the programmatic agreement, there appears to be insufficient reference to compliance with data protection legislation. The roles of the involved parties are not clearly defined, and there is no information provided to inspire public trust regarding the seriousness with which research projects involving special categories of personal data should be handled.
For this reason, on April 14, we submitted a request before the Hellenic Data Protection Authority (HDPA) to investigate the matter, as significant challenges arise regarding the protection of sensitive personal data under this agreement. You can read our full submission here.
Furthermore, following our request to the Data Protection Authority, on April 15, we sent an electronic letter to the DPO (Data Protection Officer) of the Ministry of Health, in which we call on him to:
A) Inform us of the actions taken in the context of their duties as DPO of the Ministry of Health, specifically regarding this programmatic agreement:
-
Let us know whether they have issued guidance or provided information to the Minister of Health or other relevant departments of the Ministry concerning this agreement;
-
Inform us whether they have provided advice regarding the need for a Data Protection Impact Assessment (DPIA) in relation to this project, either to the Minister or other competent services within the Ministry;
-
Inform us whether they have contacted the HDPA about this programmatic agreement and the associated project.
Additionally, if the DPO has issued any written guidance or communications to the Minister or other Ministry departments in relation to points A1 and A2, we respectfully request access to these documents, in accordance with our right as Greek citizens to access public records, as defined in Article 5(5) of the Code of Administrative Procedure (Law 2690/1999, A’ 45), as currently in force, taking into account the relevant Ministerial Decision of the Minister of the Interior (No. 21797/31-12-2024).
We look forward to receiving the relevant responses.
From Secrecy to Transparency: The Five-Year Battle for the Publication of Police Camera Operation Decisions
Strategic legal action takes time, but its outcomes benefit society as a whole, strengthening public trust in institutions.
In December 2020, Homo Digitalis, in collaboration with Reporters United and The Press Project, formally requested access to the Hellenic Police’s decisions regarding the operation of drones and other portable cameras in public spaces, as stipulated in Article 12 of Presidential Decree 75/2020. Despite the legal obligation to publish these decisions publicly, the police refused access, disregarding the transparency required by law.
A few months later, in May 2021, we filed a joint complaint before the Hellenic Data Protection Authority (HDPA), citing repeated non-compliance by the police—at least 67 times over a short period. The HDPA launched an investigation into the legality of these practices.
In early 2024, we submitted a request for access to HDPA documents to better understand the progress of the investigation. Correspondence between the Hellenic Police and the HDPA revealed that, even as of March 2024, the police continued to argue that Presidential Decree 75/2020 did not require them to publish camera operation decisions, despite the HDPA’s opposing view.
Yesterday, through a report by journalist Giannis Bazaios in Efimerida ton Syntakton, we learned that such a decision had been published on the Hellenic Police’s website. Indeed, upon verification, we found that as of February 17, 2025, the police had changed their practice and begun publishing these decisions as required by law. The report was published today online here.
From the initial refusal in 2020, it took five years for this change to be implemented. We now eagerly await the final decision of the HDPA and the conclusion of its investigation, which will establish a definitive framework for transparency and accountability within law enforcement.
What’s Happening with the 1,000 Smart Policing Devices of the Hellenic Police, Five Years After Our Complaint to the Hellenic Data Protection Authority ?
What is the status of the 1,000 portable smart policing devices used by the Hellenic Police as part of the Smart Policing program, which incorporate artificial intelligence technologies and cost €4 million? (Spoiler alert: the news is not good!)
Journalist Eftychia Soufleri has written a detailed article for NEWS247.gr (THE MAGAZINE) shedding light on the case and highlighting the key actions taken by Homo Digitalis since 2019. Our Executive Director, Eleftherios Chelioudakis, provided statements on behalf of our organization.
Significant Revelations Emerge for the First Time!
According to the report, despite the absence of any legal framework allowing their use, the Hellenic Police:
-
Claims to have been using the devices operationally since 2021, even though the Hellenic Data Protection Authority (HDPA) has been investigating the matter since August 2020 and continues to do so today.
-
Confirms that it fully utilizes the biometric processing capabilities of these devices (facial recognition, fingerprint identification).
-
Validates what was outlined in the 2018 technical specifications document, namely that the devices are used for “preventive policing”, with the collected data potentially being used in the future to establish correlations, conclusions, and predictive analytics.
Awaiting the HDPA’s Decision
We are still awaiting the Hellenic Data Protection Authority’s decision, as its investigation has now lasted over 4 years and 7 months (initiated in August 2020). The situation is escalating rapidly, and the risks to democracy and human rights protection are extremely high.
A big thank you to the journalist for her interest in our work!
You can read the full article here.
4 million euros were spent by the Greek Police to issue fines related to violations of the Road Traffic Code
Back in 2019, we started one of our first actions in the field of artificial intelligence by bringing to light the Smart Policing program of the Greek Police in collaboration with Intracom-Telecom.
The purpose of this project? The purchase of 1,000 portable devices that would enable functions like facial recognition, fingerprint scanning, document identification, and license plate recognition in urban centers during police checks.
We acted promptly and, in March 2020, requested the Data Protection Authority to investigate the matter, as, according to our legal analysis, processing biometric data in the context of using these devices would not be legal.
Since August 2020, the Authority has been investigating the case. The State paid the 4 million euros, and the company delivered the devices to the Hellenic Police. The latest development was in October 2024, when the Hellenic Police decided, starting from the first quarter of 2025, to use the document/license plate recognition functions of the devices to issue fines for violations of the Road Traffic Code.
We are glad that our swift action and the investigation by the Data Protection Authority froze the use of the invasive facial recognition and fingerprint scanning functions of these devices. However, the relevant decision by the Authority must be published immediately.
The 4.5 years of investigation by the Data Protection Authority also reveal that the state must support the Data Protection Authority, as the high level of expertise of its inspectors is not enough, and more human and financial resources are needed. And all this without considering the increased workload expected in the coming years with the AI Act.
You can read more about this in our latest study on the AI Act, pages 51-54 here.
We call on the Greek DPA to investigate the Ministry of Interior for the use of artificial intelligence algorithms for the reallocation of employees in the public sector
On 9 July Homo Digitalis filed a request (no. 5812/9.7.2024) before the Greek Data Protection Authority, in order for the latter to exercise its investigative powers against the Ministry of Interior.
In particular, following the Authority’s Decision 16/2024 in April 2024, by which it had imposed a record fine of 400,000 euros on the Ministry of Interior for significant breaches of data protection legislation, the Ministry is again in the spotlight, this time for the artificial intelligence tool it is developing for strategic staffing planning in the public sector.
The tool concerns the reallocation of existing staff and the estimation of the needs for new staff, while it will be piloted in 9 public sector institutions, namely the Development Programmes Organisation and Management Unit, the Independent Public Expenditure Authority, the Public Employment Service, the Athens General Hospital “G. Gennimatas Hospital, the Municipality of Thessaloniki, the Region of Attica, the Ministry of Education and Religious Affairs, the Ministry of Environment and Energy and the Ministry of Culture and Sports.
The project is expected to be completed in December 2025, at a cost of €11,708,543.
Because the tool needs to include functionalities for the collection, management and analysis of personal data, Homo Digitalis had filed a letter on 15 April 2024 before the then Minister of Interior Ms.Kerameos and the Data Protection Officer of the Ministry, in which it raised key questions regarding both the compliance required with the legislation on the protection of personal data and the legislation on the use of artificial intelligence and other emerging technologies in the public sector (Law 4961/2022). However, the Ministry did not provide any response, even after a written reminder of our request on 30 May, forcing us to address the DPA to investigate thoroughly the development, implementation and piloting of this tool and the implications for the rights of public sector employees.
You can see our request here (EL).
We submitted important questions to the Minister of Interior, Ms Kerameos, on the project "Development and operation of a tool for the strategic planning of public sector staffing in terms of artificial intelligence" and its pilot application in 9 institutions
On April 15, Homo Digitalis submitted an electronic letter to the Minister of Interior, Ms Kerameos, regarding the Ministry’s project entitled “Development and operation of a tool for strategic planning of public sector staffing in terms of artificial intelligence”.
Our letter was communicated to the President of the Personal Data Protection Authority, Mr. Menoudakos, and to the Data Protection Officer of the Ministry of Interior, Mr. Theocharis.
More specifically, this project relates to the development and operation of a tool for the strategic planning of human resources in the public sector in terms of artificial intelligence and concerns the following axes:
– Creation of an integrated framework for strategic staffing planning (optimal allocation of existing and new staff) in the public sector (including technical specifications for the implementation and revision of existing frameworks)
– Pilot implementation in 9 Public Sector Entities and more specifically in MOD SA, AADE, OAED, Athens General Hospital “G. Municipality of Thessaloniki, Region of Attica, Ministry of Education and Religious Affairs, Ministry of Environment and Energy and Ministry of Culture and Sports,
– Design of training programmes for (a) users and (b) upgrading the skills of civil servants, and
– Development of the knowledge repository of civil servants.
According to relevant information posted on the website of the Ministry of Interior and articles in various media, the Ministry of Interior is the project manager and has already contracted with Deloitte for its preparation. In fact, according to the timetable, the work has made significant progress.
In its letter, Homo Digitalis requests information from the Minister on a number of questions regarding both the legal framework for the protection of personal data (Law 4624/2019 – GDPR), and the legal framework for the use of artificial intelligence systems by the public sector (Law 4961/2022), as the pilot implementation of the project is expected to take place immediately in the 9 institutions mentioned above.
Specifically, we put the following questions to the Minister in our letter:
-Has the Ministry of Interior carried out a data protection impact assessment before the project was announced, in accordance with the principles of data protection “already by design” and “by default”?
-Has a relevant Data Protection Impact Assessment been carried out specifically in relation to the pilot implementation of the platform in the 9 public bodies?
-If the relevant Assessments have been prepared, has the Ministry considered it necessary to consult the Data Protection Authority in this respect?
-Does the Ministry consider the 9 public bodies as joint controllers and if so, has the Ministry proceeded with the relevant obligations as set out in Article 26 GDPR?
-Can the Ministry inform us of the relevant categories of personal data, the purposes of the processing for which such data are intended, and the legal basis for the processing you intend to use?
-Can the Ministry point us to the exact website where the Ministry of Interior’s contract with Deloitte is posted so that we can study the relevant provisions contained therein, especially with regard to the processing of personal data?
-Finally, has the Ministry of Interior proceeded to comply with the obligations arising from the provisions of Law 4961/2022, and in particular has an algorithmic impact assessment been carried out (Article 5), has it taken the necessary transparency measures (Article 6), has the project contractor fulfilled their obligations in this respect (Article 7), and has the Ministry kept a register (Article 8) in view of the forthcoming pilot use of the system?