Case Summary
In 2021, the Hellenic Data Protection Authority became aware of the Greek Government’s decision to develop and implement the “Centaur” program by the Ministry of Migration and Asylum (MMA). Centaur aimed to monitor the reception and accommodation facilities of third-country nationals on the Aegean islands. Additionally, the Hellenic DPA received inquiries regarding border surveillance technologies from the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE Committee). Civil society organisations also requested an investigation into the procurement and implementation of the “Hyperion” and “Centaur” systems in asylum seekers’ facilities.
In July 2022, the Authority received a letter from the UNHCR Representation in Greece concerning the aforementioned systems. The “Centaur” program involves an integrated digital system managing Electronic and Physical Security in Closed Controlled Access Centers and Reception and Identification Centers (hotspots) on several islands, using motion analysis cameras and algorithms (Artificial Intelligence Behavioral Analytics), managed by the MMA. The program includes the use of CCTV and drones processing personal data, particularly image data. Simultaneously, the “Hyperion” program functions as an integrated entry-exit control system at these facilities, regulating the entry and exit of guests, certified NGO members, and employees through RFID readers and fingerprint authentication, processing personal data, especially biometric data.
The Authority conducted an in-depth examination and found a lack of cooperation from the Ministry of Migration and Asylum, the data controller. It concluded that the Data Protection Impact Assessments conducted by the Ministry were incomplete and limited, and that serious deficiencies existed regarding GDPR compliance concerning the implementation of these systems.
Consequently, the Authority imposed a €175,000 administrative fine (the highest ever imposed against a public body in Greece) on the Ministry of Migration and Asylum for breaches related to cooperation and impact assessments. Additionally, it issued an order for the Ministry to comply with GDPR obligations within three months.
Access to the full judgment
Further notes on contested technology
- → AI Technology
- → The technology is deployed