Data Protection Authority fines Ministry of Migration and Asylum 175,000 euros for breaching data protection rules at reception centres on the Aegean islands.
The Greek Ministry of Migration and Asylum has been fined 175,000 euros for developing and installing the Centaur surveillance system to control reception and hospitality structures for third-country citizens on the Aegean islands. This is the biggest fine ever imposed on a Greek public body to date.
The Greek Data Protection Authority, DPA, announced that it had imposed the fine “for violations found in relation to cooperation with the Authority and … at the same time, addressed to the Ministry a compliance order within three months regarding with its obligations arising from the GDPR.”
The DPA said at the end of 2021 it became aware of the government’s decision to install a Centaur surveillance system at reception and hospitality structures for refugees and migrants on the islands of Lesbos, Chios, Samos, Leros and Kos.
Besides this, the DPA received a request to provide information on use of border surveillance technologies from the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE Committee).
In February 2022 civil society organisations filed a request about the supply and installation of the Hyperion and Centaur systems.
Homo Digitalis, a Greek digital rights organisation, in collaboration with the Hellenic League for Human Rights and HIAS Greece, as well as the academic Niovi Vavoula, filed a complaint against the ministry about the use of surveillance systems at asylum seekers’ centres.
The DPA in July 2022 also received a letter about the surveillance systems from the UN High Commissioner for Refugees, UNHCR, in Greece.
The Centaur System is described as an integrated digital Electronic and Physical Security management system, using cameras and motion analysis algorithms (Artificial Intelligence Behavioral Analytics). Among other things, it includes using a CCTV system and unmanned aircraft – drones – by which personal data, or at least images, will be processed.
The Hyperion system is described as an integrated entry-exit control system. Asylum seekers, certified members of NGOs and other guests present cards read by an RFID [Radio Frequency Identification] reader combined with a fingerprint through which personal data and biometric data are processed.
But the DPA found that there was deficient cooperation on the part of the ministry as the Controller. It further considered that the required Data Protection Impact Assessments carried out by the ministry were incomplete and remain serious omissions regarding the ministry’s compliance with specific provisions of the GDPR regarding implementation of disputed systems.
“Despite the fact that DPA remains understaffed, with a reduced budget … it figths tooths and nails to fulfill its mission and maintain citizens’ trust [but] it remains to be seen how long it will last, if the state does not support its work,” a Homo Digitalis press release issued on Tuesday said.
The staff union of the DPA is seeking more financial support, noting that between 2020 and 2024 the government reduced its budget as its tasks grow. The DPA said it had repeatedly urged the state “to ensure that it has the necessary means in the application of the relevant provisions of the General Data Protection Regulation.”
