Greece’s Council of State, the Supreme Administrative Court, is set to rule on the fines imposed on the ruling New Democracy party, former MEP Anna-Michelle Asimakopoulou and two other party officials for the unlawful use of electoral roll data of expatriate voters and failure to take appropriate measures to protect personal data.
The court will examine, among others, whether there is a gap in national legislation regarding the balance between the right to personal data protection and the right to freedom of expression and information in the realm of political communication. It will also determine whether such a gap hinders the authority responsible for enforcing the General Data Protection Regulation (GDPR) from exercising its duties effectively.
Anna-Michelle Asimakopoulou’s legal team raised objections to interventions made by Greek expatriates whose personal data had been leaked. They also argued that the case had been handled inconsistently by the data protection authority, which initially fined Asimakopoulou but conducted a separate investigation and issued a later ruling on other implicated individuals.
Regarding the €40,000 fine imposed on the former MEP, the authority noted that several factors, including the number of individuals affected, were considered in determining the penalty amount.
A key individual in the case, former Secretary for Expatriate Greeks in New Democracy, Nikos Theodoropoulos, was described as fully integrated into the party’s structure.
“He was instructed to process the data for statistical purposes. He received the file and forwarded it to Ms. Asimakopoulou. He kept the file on his phone because it was sent via WhatsApp, where files are stored. He does not meet the criteria to be sanctioned as a ‘data controller.’ He simply forwarded what he received; he did not process it,” his legal team argued.
They described the Data Protection Authority’s decision as “extremely unfortunate,” stating, “A data controller is clearly defined by regulation. The argument against him is baseless. His role was purely administrative—he received the file and passed it on.”
The case also involved Menios Koromilas, then Organizational Secretary for Local Government and Crisis Management in New Democracy. His legal team argued that he merely acted as a “messenger”
“Mr. Koromilas was told he would receive a file and should forward it to Theodoropoulos. He was not informed of the purpose. He was just a ‘messenger.’ He did not know the contents of the file. He never opened it and forwarded it the same day. There is no legal basis to classify him as a data controller,” his lawyer argued.
The Authority countered that merely transmitting a file containing personal data constitutes data processing.
New Democracy also presented its defense, challenging the €40,000 fine imposed for inadequate data protection measures.
“Ms. Asimakopoulou requested a list of New Democracy party officials abroad—1,113 individuals. She did not request expatriate voter lists.”
Nine expatriate Greeks, supporting the data protection authority’s ruling, expressed concerns over the whereabouts of their personal data.
The authority reinforced this stance, stating, “If the party allows communication involving personal data through private electronic means, it must also take the necessary protective measures.”
