[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f1wK0_GvULCU1UHNhv9v600OFzHbs8CZGp4AOO1oJKKE":3},{"article":4,"iocs":44},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":21,"category":22,"article_tags":26},"d41c31c3-3875-4bf4-86b4-9f2095e06870","ΣτΕ - 442\u002F2026","442-2026-93ac15","Created page with \"{{COURTdecisionBOX |Jurisdiction=Greece |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=ΣτΕ |Court_Original_Name=Συμβούλιο της Επικρατείας |Court_English_Name=Council of State |Court_With_Country=ΣτΕ (Greece) |Case_Number_Name=442\u002F2026 |ECLI= |Original_Source_Name_1=ΣτΕ |Original_Source_Link_1=https:\u002F\u002Fwww.adjustice.gr\u002Fwebcenter\u002Fportal\u002Fste\u002Fpageste\u002Fepikairotita\u002Fapofaseis?contentID=DECISION-TEMPLATE1775563602910&_afrLoop=43...\" New page {{COURTdecisionBOX |Jurisdiction=Greece |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=ΣτΕ |Court_Original_Name=Συμβούλιο της Επικρατείας |Court_English_Name=Council of State |Court_With_Country=ΣτΕ (Greece) |Case_Number_Name=442\u002F2026 |ECLI= |Original_Source_Name_1=ΣτΕ |Original_Source_Link_1=https:\u002F\u002Fwww.adjustice.gr\u002Fwebcenter\u002Fportal\u002Fste\u002Fpageste\u002Fepikairotita\u002Fapofaseis?contentID=DECISION-TEMPLATE1775563602910&_afrLoop=43866290253866813#!%2540%2540%253F_afrLoop%253D43866290253866813%2526centerWidth%253D65%252525%2526contentID%253DDECISION-TEMPLATE1775563602910%2526leftWidth%253D0%252525%2526rigthWidth%253D35%252525%2526showFooter%253Dfalse%2526showHeader%253Dtrue%2526_adf.ctrl-state%253Ds23o1uw8i_33 |Original_Source_Language_1=Greek |Original_Source_Language__Code_1=EL |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Code_2= |Date_Decided= |Date_Published=07.04.2026 |Year= |GDPR_Article_1=Article 5 GDPR |GDPR_Article_Link_1=Article 5 GDPR |GDPR_Article_2=Article 6(1)(b) GDPR |GDPR_Article_Link_2=Article 6 GDPR#1b |GDPR_Article_3=Article 6(1)(c) GDPR |GDPR_Article_Link_3=Article 6 GDPR#1c |GDPR_Article_4=Article 6(1)(f) GDPR |GDPR_Article_Link_4=Article 6 GDPR#1f |GDPR_Article_5=Article 12(3) GDPR |GDPR_Article_Link_5=Article 12 GDPR#3 |GDPR_Article_6=Article 12(4) GDPR |GDPR_Article_Link_6=Article 12 GDPR#4 |GDPR_Article_7=Article 17(1)(d) GDPR |GDPR_Article_Link_7=Article 17 GDPR#1d |GDPR_Article_8=Article 83(7) GDPR |GDPR_Article_Link_8=Article 83 GDPR#7 |GDPR_Article_9= |GDPR_Article_Link_9= |GDPR_Article_10= |GDPR_Article_Link_10= |EU_Law_Name_1= |EU_Law_Link_1= |EU_Law_Name_2= |EU_Law_Link_2= |National_Law_Name_1=Article 39 Law 4624\u002F2019 |National_Law_Link_1=https:\u002F\u002Fwww.dpa.gr\u002Fsites\u002Fdefault\u002Ffiles\u002F2023-06\u002F4624_2019%2520%25CE%25BC%25CE%25B5%2520%25CF%2584%25CF%2581%25CE%25BF%25CF%2580%25CE%25BF%25CF%2580%25CE%25BF%25CE%25B9%25CE%25AE%25CF%2583%25CE%25B5%25CE%25B9%25CF%2582.pdf |National_Law_Name_2= |National_Law_Link_2= |National_Law_Name_3= |National_Law_Link_3= |Party_Name_1= |Party_Link_1= |Party_Name_2= |Party_Link_2= |Appeal_From_Body= |Appeal_From_Case_Number_Name= |Appeal_From_Status= |Appeal_From_Link= |Appeal_To_Body= |Appeal_To_Case_Number_Name= |Appeal_To_Status= |Appeal_To_Link= |Initial_Contributor=ds | }} The Supreme Administrative Court upheld that a municipal body lacked a valid legal basis to publish on an official public transparency portal a decision concerning an employee who could be identified from the details included in it. It further confirmed that the body failed to fulfil the employee’s erasure request. == English Summary == === Facts === A greek municipal body (the controller) had published on the Diavgeia portal, a decision concerning the behaviour of an employee at a kindergarten in one of its municipal communities. The decision did not contain the employee’s full name, but it did include their initials, date of recruitment, job position, fixed-term employment relationship, place of employment, and a written note from the head of the kindergarten describing incidents attributed to them. Diavgeia is the Greek public administration’s official transparency portal (the portal), established under Law 3861\u002F2010. Public bodies publish specific categories of decisions and administrative acts there, for transparency, public accountability and legal traceability purposes. The employee (the data subject) submitted an erasure request to the controller regarding the publishment of this decision on the portal. The controller did not respond. The data subject then lodged a complaint with the Greek DPA. They alleged that the publication of the decision on this portal led to unlawful processing of their personal data. They claimed that the details included in the decision could lead to their identification, due to the small number of employees matching that profile in the relevant day care centres. They stated that the decision remained published on the portal. The controller argued that the published decision had been anonymised in such a way that it was not possible to identify the data subject even indirectly. It further argued that it uploaded the decision on the portal under its legal obligation pursuant to Article 6 (1)(c) GDPR in accordance with Greek Law 3861\u002F2010 providing for the posting of such individual administrative acts. The controller claimed that the publishment was also in accordance with [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]], since it served its legitimate interest in safeguarding the municipality’s proper functioning and authority. The DPA held that the reference to the initials of the data subject's name, taken together with the other additional information in the decision, could lead to their identification. It stated that since the data subject was identifiable, the processing had to comply with the data protection principles under [[Article 5 GDPR|Article 5 GDPR]]. It further determined that the controller could not rely on Law 3861\u002F2010 for compliance with a legal obligation under [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]]. This law provided that the posting of an individual administrative act was compulsory only if its publication was provided for in a specific provision of law and the controller had not invoked such a provision to substantiate the lawfulness of the publication. The DPA further held that the controller could not rely on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] since processing by public authorities in the exercise of their public tasks could not be carried out for the purpose of serving their own legitimate interests. It also stated that the relevant legislation did not include the possibility of posting acts for the satisfaction of a public entity’s legal interests. Moreover, the DPA determined that the controller neither responded to the data subject’s erasure request nor removed the decision from the portal, but kept the decision available on it without a valid legal basis. Therefore, it fined the controller €7,000 for violations of [[Article 5 GDPR|Article 5 GDPR]] and [[Article 6 GDPR|Article 6 GDPR]], since the controller could not rely on [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]] as a valid legal basis and €3,000 for the violations of [[Article 12 GDPR#3|Article 12(3) GDPR]], [[Article 12 GDPR#4|Article 12(4) GDPR]] and [[Article 17 GDPR#1d|Article 17(1)(d) GDPR]] and ordered the controller to delete the decision from the portal. The controller appealed the DPA’s decision to the Greek Supreme Administrative Court (Συμβούλιο της Επικρατείας), requesting its annulment. It further argued that the contested processing was necessary for the performance of the contract it had concluded with the data subject, in accordance with [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]], in the context of which it lawfully collected their personal data and processed them with their consent. === Holding === The court confirmed that the decision published on the portal contained sufficient information to identify the data subject. It noted that considering the circumstances of the processing (publication on a freely accessible website), this information made it possible for third parties, particularly from the data subject’s professional or social environment, to identify them. Moreover, the court pointed out, that given the posted information on the platform and its technical search capabilities, the identification of the data subject could be achieved by almost any user without disproportionate effort. Furthermore, the court upheld that the controller could not rely on [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]]. It explained that the controller could not use the existence of a legal obligation to post the decision on the platform as a justification, since Law 3861\u002F2010 specifically listed in an explicit, clear and exhaustive manner the acts that required publication, and the act in question was not among them. Additionally, it assessed that the controller did not invoke any other legal provision that mandated the publication of an act containing the content of the contested decision. The court agreed with the DPA that the controller could also not rely on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] since, this provision did not apply to public authorities in the performance of their tasks. The court also rejected the controller’s reliance on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] and consent, finding that publication on the portal is established by law and therefore the lawfulness of the specific processing could not be based on a contract but only on law. It noted that no valid consent had been demonstrated for this specific processing. In addition, the court upheld that the controller failed to comply with its information obligations pursuant to [[Article 12 GDPR|Article 12 GDPR]], because it did not respond to the data subject's request to remove the decision from the portal. The court further held that the controller infringed [[Article 17 GDPR#1d|Article 17(1)(d) GDPR]] because it kept the decision published on the portal despite the fact that the processing was unlawful. The court finally examined if the Greek DPA had the authority to impose a fine on Greek public bodies as controllers. It mentioned that according to [[Article 83 GDPR#7|Article 83(7) GDPR]] a Member State could lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State. It stated that Article 39 Law 4624\u002F2019 (which lays down national measures for the implementation of the GDPR in Greece) provided for the Greek DPA to impose fines on public bodies for specific infringements, including, inter alia, infringements of [[Article 5 GDPR|Article 5 GDPR]], [[Article 6 GDPR|Article 6 GDPR]] and [[Article 12 GDPR|Article 12 GDPR]], but the imposition of a fine for the violation of [[Article 17 GDPR|Article 17 GDPR]] was expressly excluded from its sanctioning power. Subsequently, the court ruled that the DPA rightly fined the controller €7,000 for unlawful processing in breach of [[Article 5 GDPR|Article 5 GDPR]] and [[Article 6 GDPR|Article 6 GDPR]]. Moreover, regarding the €3,000 fine for the violations of [[Article 12 GDPR#3|Article 12(3) GDPR]], [[Article 12 GDPR#4|Article 12(4) GDPR]] and [[Article 17 GDPR#1d|Article 17(1)(d) GDPR]], the court noted that the DPA could also impose a fine for breaches of [[Article 12 GDPR|Article 12 GDPR]]. However, concerning [[Article 17 GDPR|Article 17 GDPR]], the court refrained from ruling on whether the DPA had legal authority under Article 39 of Law 4624\u002F2019 to impose an administrative fine on a Greek public-sector controller for violations of [[Article 17 GDPR|Article 17 GDPR]]. The court referred this matter for further examination by a larger panel since it held that this issue had not yet been settled in Greek case law. == Comment == ''Share your comments here!'' == Further Resources == ''Share blogs or news articles here!'' == English Machine Translation of the Decision == The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details. Council of State No. 442\u002F2026 President: H. Mazos, Vice-President Rapporteur: D. Mavropodi, Counsel Decision of the Data Protection Authority ordering the deletion from the \"Diavgeia\" of a decision of the Board of Directors of the applicant legal entity (regarding the granting of authorization to its body to address the behavior of an employee) and imposing fines on it due to illegal processing of personal data of the said employee (art. 6 GDPR), failure to respond to a request (12 GDPR) and failure to satisfy a request to delete the data (17 GDPR). -In the text of the decision posted on Diavgeia, although the complaining employee is not named, additional information is provided that is closely linked to his person, such as the initials of his name and details of his employment status and behavior. This information, considered as a whole and in combination with the circumstances of the processing (publication on a freely accessible website), makes it possible to verify his identity, first of all, by third parties from his professional or social environment. Furthermore, in view of the information contained in Diavgeia regarding employment contracts, as well as the technical possibilities of searching and combining them, the identification of the complaining employee is possible, without disproportionate effort, by an unlimited number of users. It is not required in order to determine whether the data subject is identifiable, to prove that there has actually been identification by specific persons. -The posting of a decision with the above content on the Diavgeia website constitutes fully or partially automated processing of personal data, i.e. information both objective and subjective in the form of an opinion or assessment related to work behavior. -Invocation of art. 6 par. 1 lit. c GDPR as the legal basis for the processing (legal obligation of the controller). -The acts for which an obligation to post on Diavgeia is established are defined in an explicit, clear and exhaustive manner in the cases of art. 2 par. 4 of law 3861\u002F2010. These include fixed-term private law employment contracts, their renewals or terminations. Other acts, even if they are part of the procedure for concluding, renewing or terminating these contracts, are posted on Diavgeia only under the conditions of paragraph 22 of paragraph 4 of article 2, i.e. if their publication is provided for by a specific provision of law, which is not the case in this case. Processing that has as its legal basis article 6 paragraph 1 letter c of the GDPR and not the consent of the data subject must be interpreted narrowly and under the conditions of clarity, precision and predictability of the regulatory provisions. Opinions of the National Administrative Court, according to which, in case of doubt, a presumption is created in favor of posting on Diavgeia (which have been issued based on questions from other bodies and concern different categories of acts), do not constitute a clear, precise and predictable administrative practice, within the meaning of article 6 paragraph 3 of the GDPR, with regard to the obligation to post on Diavgeia. -The existence of an excusable error has no bearing on the establishment of the infringement due to unlawful processing, which is assessed objectively. -The legal basis of Article 6(1)(f) of the GDPR, according to which processing may be justified for the purposes of the legitimate interests pursued by the controller, does not apply to public authorities in the performance of their duties. -Since the obligation to post documents on Diavgeia is regulated by law, the lawfulness of the specific processing cannot be based on the contract (Article 6(1)(b) of the GDPR), but only on the law. -The employee's consent is unprovably invoked, as no evidence was provided to document consent that meets the requirements of the GDPR (free, specific, explicit and fully informed). -The Authority's judgment regarding unlawful processing is correct. -The established violations of articles 6, 12 and 17 of the GDPR took place under the GDPR and before the entry into force of Law 4624\u002F2019, but continued to exist after that date, covered by the provisions of this law. The national legislator, making use of the discretion provided by Article 83(7) of the GDPR regarding “whether and to what extent” fines may be imposed on public sector bodies as controllers, provided in Article 39 for the Authority to impose fines for specific infringements, which include, inter alia, infringements of Articles 5, 6 and 12 of the GDPR, but expressly excludes infringements of Article 17 of the GDPR, without prejudice to the other corrective powers of the supervisory authority, under Article 58(2) of the GDPR, including the order to delete data. The imposition of a fine for infringements of Articles 6 and 12 of the GDPR and the order to delete the decision of the Board of Directors from Diavgeia are lawful. -An ex officio issue of lack of legal basis for the imposition of a fine for violation of Article 17 GDPR is raised. The case is therefore referred to the 7th Court.","The Greek Supreme Administrative Court ruled that a municipal body unlawfully published an employee's decision on a public transparency portal. The court found that the details, including initials and employment information, were sufficient for identification. The body also failed to respond to the employee's erasure request, leading to fines for GDPR violations.","Greek court upholds fine for municipal body publishing identifiable employee data.","Help ΣτΕ - 442\u002F2026: Difference between revisions From GDPRhub Jump to:navigation, search VisualWikitext Latest revision as of 09:06, 9 June 2026 view source Ds (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators79 edits Tag: submission [1.0] (No difference) Latest revision as of 09:06, 9 June 2026 ΣτΕ - 442\u002F2026 Court: ΣτΕ (Greece) Jurisdiction: Greece Relevant Law: Article 5 GDPR Article 6(1)(b) GDPR Article 6(1)(c) GDPR Article 6(1)(f) GDPR Article 12(3) GDPR Article 12(4) GDPR Article 17(1)(d) GDPR Article 83(7) GDPR Article 39 Law 4624\u002F2019 Decided: Published: 07.04.2026 Parties: National Case Number\u002FName: 442\u002F2026 European Case Law Identifier: Appeal from: Appeal to: Original Language(s): Greek Original Source: ΣτΕ (in Greek) Initial Contributor: ds The Supreme Administrative Court upheld that a municipal body lacked a valid legal basis to publish on an official public transparency portal a decision concerning an employee who could be identified from the details included in it. It further confirmed that the body failed to fulfil the employee’s erasure request. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts A greek municipal body (the controller) had published on the Diavgeia portal, a decision concerning the behaviour of an employee at a kindergarten in one of its municipal communities. The decision did not contain the employee’s full name, but it did include their initials, date of recruitment, job position, fixed-term employment relationship, place of employment, and a written note from the head of the kindergarten describing incidents attributed to them. Diavgeia is the Greek public administration’s official transparency portal (the portal), established under Law 3861\u002F2010. Public bodies publish specific categories of decisions and administrative acts there, for transparency, public accountability and legal traceability purposes. The employee (the data subject) submitted an erasure request to the controller regarding the publishment of this decision on the portal. The controller did not respond. The data subject then lodged a complaint with the Greek DPA. They alleged that the publication of the decision on this portal led to unlawful processing of their personal data. They claimed that the details included in the decision could lead to their identification, due to the small number of employees matching that profile in the relevant day care centres. They stated that the decision remained published on the portal. The controller argued that the published decision had been anonymised in such a way that it was not possible to identify the data subject even indirectly. It further argued that it uploaded the decision on the portal under its legal obligation pursuant to Article 6 (1)(c) GDPR in accordance with Greek Law 3861\u002F2010 providing for the posting of such individual administrative acts. The controller claimed that the publishment was also in accordance with Article 6(1)(f) GDPR, since it served its legitimate interest in safeguarding the municipality’s proper functioning and authority. The DPA held that the reference to the initials of the data subject's name, taken together with the other additional information in the decision, could lead to their identification. It stated that since the data subject was identifiable, the processing had to comply with the data protection principles under Article 5 GDPR. It further determined that the controller could not rely on Law 3861\u002F2010 for compliance with a legal obligation under Article 6(1)(c) GDPR. This law provided that the posting of an individual administrative act was compulsory only if its publication was provided for in a specific provision of law and the controller had not invoked such a provision to substantiate the lawfulness of the publication. The DPA further held that the controller could not rely on Article 6(1)(f) GDPR since processing by public authorities in the exercise of their public tasks could not be carried out for the purpose of serving their own legitimate interests. It also stated that the relevant legislation did not include the possibility of posting acts for the satisfaction of a public entity’s legal interests. Moreover, the DPA determined that the controller neither responded to the data subject’s erasure request nor removed the decision from the portal, but kept the decision available on it without a valid legal basis. Therefore, it fined the controller €7,000 for violations of Article 5 GDPR and Article 6 GDPR, since the controller could not rely on Article 6(1)(c) GDPR as a valid legal basis and €3,000 for the violations of Article 12(3) GDPR, Article 12(4) GDPR and Article 17(1)(d) GDPR and ordered the controller to delete the decision from the portal. The controller appealed the DPA’s decision to the Greek Supreme Administrative Court (Συμβούλιο της Επικρατείας), requesting its annulment. It further argued that the contested processing was necessary for the performance of the contract it had concluded with the data subject, in accordance with Article 6(1)(b) GDPR, in the context of which it lawfully collected their personal data and processed them with their consent. Holding The court confirmed that the decision published on the portal contained sufficient information to identify the data subject. It noted that considering the circumstances of the processing (publication on a freely accessible website), this information made it possible for third parties, particularly from the data subject’s professional or social environment, to identify them. Moreover, the court pointed out, that given the posted information on the platform and its technical search capabilities, the identification of the data subject could be achieved by almost any user without disproportionate effort. Furthermore, the court upheld that the controller could not rely on Article 6(1)(c) GDPR. It explained that the controller could not use the existence of a legal obligation to post the decision on the platform as a justification, since Law 3861\u002F2010 specifically listed in an explicit, clear and exhaustive manner the acts that required publication, and the act in question was not among them. Additionally, it assessed that the controller did not invoke any other legal provision that mandated the publication of an act containing the content of the contested decision. The court agreed with the DPA that the controller could also not rely on Article 6(1)(f) GDPR since, this provision did not apply to public authorities in the performance of their tasks. The court also rejected the controller’s reliance on Article 6(1)(b) GDPR and consent, finding that publication on the portal is established by law and therefore the lawfulness of the specific processing could not be based on a contract but only on law. It noted that no valid consent had been demonstrated for this specific processing. In addition, the court upheld that the controller failed to comply with its information obligations pursuant to Article 12 GDPR, because it did not respond to the data subject's request to remove the decision from the portal. The court further held that the controller infringed Article 17(1)(d) GDPR because it kept the decision published on the portal despite the fact that the processing was unlawful. The court finally examined if the Greek DPA had the authority to impose a fine on Greek public bodies as controllers. It mentioned that according to Article 83(7) GDPR a Member State could lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State. It stated that Article 39 Law 4624\u002F2019 (which lays down national measures for the implementation of the GDPR in Greece) provided for the Greek DPA to impose fines on public bodies for specific infringements, including, inter alia, infringements of A","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=%CE%A3%CF%84%CE%95_-_442\u002F2026&diff=51842&oldid=0","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F4\u002F4c\u002FCourts_logo1.png","2026-06-09T09:06:02+00:00","2026-06-09T10:00:22.871933+00:00",7,[18],{"name":19,"type":20},"Diavgeia portal","product","c5c77cdb-f7d7-4990-9436-c81dcbff1163",{"id":21,"icon":23,"name":24,"slug":25},null,"Policy","policy",[27,32,37,39],{"category":28},{"id":29,"icon":23,"name":30,"slug":31},"3f0f8451-91df-4b6c-9a73-ef3b2509b7f1","GDPR","gdpr",{"category":33},{"id":34,"icon":23,"name":35,"slug":36},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":38},{"id":21,"icon":23,"name":24,"slug":25},{"category":40},{"id":41,"icon":23,"name":42,"slug":43},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",[]]