Greece, Hellenic Data Protection Authority, 2 April 2024, Centaur and Hyperion Programme

Case Overview

Country: Greece

Deciding Body: Data Protection Authority

Area: Asylum

User: Public

Case Name: Centaur and Hyperion Programme

Authority (English): Hellenic Data Protection Authority

Technology: Data Extraction and Analysis

Provider: Public

Decision Date: 2 April 2024

Authority (Original): Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα

Grounds for Decision: EU Law

Legal Requirement: Procedural Fairness, Unlawfulness

Case Summary

In 2021, the Hellenic Data Protection Authority became aware of the Greek Government’s decision to develop and implement the “Centaur” program by the Ministry of Migration and Asylum (MMA). Centaur aimed to monitor the reception and accommodation facilities of third-country nationals on the Aegean islands. Additionally, the Hellenic DPA received inquiries regarding border surveillance technologies from the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE Committee). Civil society organisations also requested an investigation into the procurement and implementation of the “Hyperion” and “Centaur” systems in asylum seekers’ facilities.

In July 2022, the Authority received a letter from the UNHCR Representation in Greece concerning the aforementioned systems. The “Centaur” program involves an integrated digital system managing Electronic and Physical Security in Closed Controlled Access Centers and Reception and Identification Centers (hotspots) on several islands, using motion analysis cameras and algorithms (Artificial Intelligence Behavioral Analytics), managed by the MMA. The program includes the use of CCTV and drones processing personal data, particularly image data. Simultaneously, the “Hyperion” program functions as an integrated entry-exit control system at these facilities, regulating the entry and exit of guests, certified NGO members, and employees through RFID readers and fingerprint authentication, processing personal data, especially biometric data.

The Authority conducted an in-depth examination and found a lack of cooperation from the Ministry of Migration and Asylum, the data controller. It concluded that the Data Protection Impact Assessments conducted by the Ministry were incomplete and limited, and that serious deficiencies existed regarding GDPR compliance concerning the implementation of these systems.

Consequently, the Authority imposed a €175,000 administrative fine (the highest ever imposed against a public body in Greece) on the Ministry of Migration and Asylum for breaches related to cooperation and impact assessments. Additionally, it issued an order for the Ministry to comply with GDPR obligations within three months.

Access to the full judgment

Further notes on contested technology

  • AI Technology
  • The technology is deployed

Author of the case note

Francesca Palmiotto