ΣτΕ - 442/2026

Summary

The Greek Supreme Administrative Court ruled that a municipal body unlawfully published an employee's decision on a public transparency portal. The court found that the details, including initials and employment information, were sufficient for identification. The body also failed to respond to the employee's erasure request, leading to fines for GDPR violations.

Full text

Help ΣτΕ - 442/2026: Difference between revisions From GDPRhub Jump to:navigation, search VisualWikitext Latest revision as of 09:06, 9 June 2026 view source Ds (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators79 edits Tag: submission [1.0] (No difference) Latest revision as of 09:06, 9 June 2026 ΣτΕ - 442/2026 Court: ΣτΕ (Greece) Jurisdiction: Greece Relevant Law: Article 5 GDPR Article 6(1)(b) GDPR Article 6(1)(c) GDPR Article 6(1)(f) GDPR Article 12(3) GDPR Article 12(4) GDPR Article 17(1)(d) GDPR Article 83(7) GDPR Article 39 Law 4624/2019 Decided: Published: 07.04.2026 Parties: National Case Number/Name: 442/2026 European Case Law Identifier: Appeal from: Appeal to: Original Language(s): Greek Original Source: ΣτΕ (in Greek) Initial Contributor: ds The Supreme Administrative Court upheld that a municipal body lacked a valid legal basis to publish on an official public transparency portal a decision concerning an employee who could be identified from the details included in it. It further confirmed that the body failed to fulfil the employee’s erasure request. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts A greek municipal body (the controller) had published on the Diavgeia portal, a decision concerning the behaviour of an employee at a kindergarten in one of its municipal communities. The decision did not contain the employee’s full name, but it did include their initials, date of recruitment, job position, fixed-term employment relationship, place of employment, and a written note from the head of the kindergarten describing incidents attributed to them. Diavgeia is the Greek public administration’s official transparency portal (the portal), established under Law 3861/2010. Public bodies publish specific categories of decisions and administrative acts there, for transparency, public accountability and legal traceability purposes. The employee (the data subject) submitted an erasure request to the controller regarding the publishment of this decision on the portal. The controller did not respond. The data subject then lodged a complaint with the Greek DPA. They alleged that the publication of the decision on this portal led to unlawful processing of their personal data. They claimed that the details included in the decision could lead to their identification, due to the small number of employees matching that profile in the relevant day care centres. They stated that the decision remained published on the portal. The controller argued that the published decision had been anonymised in such a way that it was not possible to identify the data subject even indirectly. It further argued that it uploaded the decision on the portal under its legal obligation pursuant to Article 6 (1)(c) GDPR in accordance with Greek Law 3861/2010 providing for the posting of such individual administrative acts. The controller claimed that the publishment was also in accordance with Article 6(1)(f) GDPR, since it served its legitimate interest in safeguarding the municipality’s proper functioning and authority. The DPA held that the reference to the initials of the data subject's name, taken together with the other additional information in the decision, could lead to their identification. It stated that since the data subject was identifiable, the processing had to comply with the data protection principles under Article 5 GDPR. It further determined that the controller could not rely on Law 3861/2010 for compliance with a legal obligation under Article 6(1)(c) GDPR. This law provided that the posting of an individual administrative act was compulsory only if its publication was provided for in a specific provision of law and the controller had not invoked such a provision to substantiate the lawfulness of the publication. The DPA further held that the controller could not rely on Article 6(1)(f) GDPR since processing by public authorities in the exercise of their public tasks could not be carried out for the purpose of serving their own legitimate interests. It also stated that the relevant legislation did not include the possibility of posting acts for the satisfaction of a public entity’s legal interests. Moreover, the DPA determined that the controller neither responded to the data subject’s erasure request nor removed the decision from the portal, but kept the decision available on it without a valid legal basis. Therefore, it fined the controller €7,000 for violations of Article 5 GDPR and Article 6 GDPR, since the controller could not rely on Article 6(1)(c) GDPR as a valid legal basis and €3,000 for the violations of Article 12(3) GDPR, Article 12(4) GDPR and Article 17(1)(d) GDPR and ordered the controller to delete the decision from the portal. The controller appealed the DPA’s decision to the Greek Supreme Administrative Court (Συμβούλιο της Επικρατείας), requesting its annulment. It further argued that the contested processing was necessary for the performance of the contract it had concluded with the data subject, in accordance with Article 6(1)(b) GDPR, in the context of which it lawfully collected their personal data and processed them with their consent. Holding The court confirmed that the decision published on the portal contained sufficient information to identify the data subject. It noted that considering the circumstances of the processing (publication on a freely accessible website), this information made it possible for third parties, particularly from the data subject’s professional or social environment, to identify them. Moreover, the court pointed out, that given the posted information on the platform and its technical search capabilities, the identification of the data subject could be achieved by almost any user without disproportionate effort. Furthermore, the court upheld that the controller could not rely on Article 6(1)(c) GDPR. It explained that the controller could not use the existence of a legal obligation to post the decision on the platform as a justification, since Law 3861/2010 specifically listed in an explicit, clear and exhaustive manner the acts that required publication, and the act in question was not among them. Additionally, it assessed that the controller did not invoke any other legal provision that mandated the publication of an act containing the content of the contested decision. The court agreed with the DPA that the controller could also not rely on Article 6(1)(f) GDPR since, this provision did not apply to public authorities in the performance of their tasks. The court also rejected the controller’s reliance on Article 6(1)(b) GDPR and consent, finding that publication on the portal is established by law and therefore the lawfulness of the specific processing could not be based on a contract but only on law. It noted that no valid consent had been demonstrated for this specific processing. In addition, the court upheld that the controller failed to comply with its information obligations pursuant to Article 12 GDPR, because it did not respond to the data subject's request to remove the decision from the portal. The court further held that the controller infringed Article 17(1)(d) GDPR because it kept the decision published on the portal despite the fact that the processing was unlawful. The court finally examined if the Greek DPA had the authority to impose a fine on Greek public bodies as controllers. It mentioned that according to Article 83(7) GDPR a Member State could lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State. It stated that Article 39 Law 4624/2019 (which lays down national measures for the implementation of the GDPR in Greece) provided for the Greek DPA to impose fines on public bodies for specific infringements, including, inter alia, infringements of A

Entities