Hellenic SA: Ex officio audit of processing of personal data in the context of COVID-19 self-test result declaration

12 September 2022

Background information

  • Date of final decision: 8 August 2022
  • Cross-border case or national case: National case
  • Controllers: IDIKA S.A., Ministry of Labour & Social Affairs, Ministry of Interior, Ministry of Education & Religious Affairs, Greek Seamen’s Fund (NAT)
  • Legal Reference: GDPR: Principles relating to processing of personal data (Article 5). Information to be provided where personal data are collected from the data subject (Article 13). Data protection by design and by default (Article 25). Data protection impact assessment (Article 35)
  • Decision: Infringement of the GDPR, Reprimand, Administrative fines
  • Key words: Ex officio audit, COVID-19 self-test electronic declaration, transparency


Summary of the Decision


Origin of the case

The Ηellenic Supervisory Authority (SA), in exercising its ex officio competence under the GDPR and the national Law 4624/2019, examined the processing of personal data pursuant to seven Joint Ministerial Decisions concerning the free of charge distribution of self-tests to the eligible persons, the declaration of the results of the aforementioned tests in the electronic application “self-testing.gov.gr” and the further processing of data which is taking place after the declaration of the results.

The Ηellenic SA examined the compliance of the five controllers named in the relevant Joint Ministerial Decisions: IDIKA S.A., the Ministry of Labour and Social Affairs, the Ministry of Interior, the Ministry of Education and Religious Affairs and NAT,  with the GDPR and the national Law 4624/2019.


Key Findings

It was found that the Ministry of Education and Religious Affairs was wrongly identified as the controller, by the relevant Joint Ministerial Decision, with regard to the category of religious officials included in the registry of Article 14, national Law 4301/2014 (“Organization of the Legal Form of Religious Communities and their organizations in Greece”).

In addition, the Authority found that IDIKA S.A., the Ministry of Labour and Social Affairs, the Ministry of Interior and NAT, as controllers, did not fully comply with the provisions of Article 13 GDPR regarding the information provided to the data subjects and reprimanded them for this infringement.

Furthermore, it was considered that IDIKA S.A. violated the principle of the storage period limitation of data.



The Ηellenic SA judged that it had competence to examine the processing of personal data, as there was extensive and systematic processing of a special category of data, with possible legal effects (wage cut, exemption of the employer from the obligation to pay wages).
The Ηellenic SA imposed an administrative fine of EUR 5000 to IDIKA S.A. for the lack of appropriate organizational and technical security measures. Also, it ordered NAT to remove the application from its IT system and delete any data of seamen — ship crew members that may exist therein.

Finally, the Ηellenic SA reprimanded IDIKA S.A. and the Ministry of Labour and Social Affairs for the overdue and incomplete drafting of the impact assessment they provided as well as imposed, on the Ministry of Interior and NAT, an administrative fine of EUR 5000 each for not complying with the obligation to carry out an impact assessment at all.

For further information: decision 41/2022 (in Greek)


The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.