RGPD
In the HDPA (Greece) - 13/2025 case, crucial questions are raised regarding the right of access to personal data within public institutions. Under the GDPR, every individual has the right to consult their personal information, which is essential to maintaining the co
Reading time:
6 min
In the HDPA (Greece) - 13/2025 case, crucial questions concerning the right of access to personal data within public institutions are raised. Under the GDPR, every individual has the right to consult their personal information, which is essential to maintaining data confidentiality and ensuring transparency within public administrations. This decision by the Greek Data Protection Authority illustrates the stakes associated with data protection and the importance of complying with legal obligations relating to data access and management. The case also highlights the responsibility of public authorities in appointing a data protection officer, thereby underscoring the need for effective data governance. To better understand the implications of this decision, in this article we will examine the various dimensions of this issue within the framework of European law.
If you wish to engage a lawyer specialising in personal data law, contact me!
The HDPA (Greece) - 13/2025 case reveals the crucial importance of the right of access to personal data, a right that is fundamental under the GDPR. Indeed, this regulation, and more specifically Article 15, provides that any individual must be able to access their personal data. This accessibility is not only a means for individuals to learn what data organisations hold about them, but is also essential to the protection of their rights.
In this specific case, an employee of the Athens Administrative Court filed a complaint against their employer for refusing access to their personal files. The refusal opposed by the controller was justified by the need to redistribute computers following a flood, but this in no way excuses the violation of the complainant's right of access. The Data Protection Authority (DPA) thus reaffirmed the importance of guaranteeing every individual the right to consult their personal information, particularly where it is critical to their defence in disciplinary proceedings.
This ruling highlights the legal order's commitment to data protection, by reaffirming that authorities must establish mechanisms that facilitate access to information. Beyond the mere recognition of this right, institutions must exercise due diligence in managing their employees' personal data. A lawyer specialising in software and database law can assist you in setting up management systems that comply with the requirements of the GDPR.
The lessons drawn from this case are not limited to the recognition of the right of access, but also underscore the importance of an effective data governance structure within public bodies.
In the remainder of our analysis, we will explore the responsibility of public authorities regarding the appointment of a data protection officer, another key point addressed by this decision.
Let's discuss your needs for 15 minutes!
The HDPA (Greece) - 13/2025 case also raises crucial questions about the responsibility of public authorities in appointing a data protection officer. Under the GDPR, every public body is required to designate an Officer with in-depth skills and knowledge in the field of personal data protection, which is a fundamental element in ensuring compliance.
It is established that the Data Protection Officer (DPO) plays a key role within the framework of the GDPR, in particular through:
However, decision 13/2025 highlights the failure of certain authorities to appoint a competent DPO. In the case examined, the court found that the lack of vigilance in this appointment contributed to the violation of the rights of access to personal data. Indeed, without a DPO, bodies lack leadership in data protection, which can expose them to sanctions.
Beyond legal compliance, it is essential to consider the human implications associated with data management. An effective DPO not only safeguards individuals' rights, but also fosters a climate of trust between the public body and citizens. This is particularly important in sensitive areas where data confidentiality is often put to the test.
As we delve deeper into this analysis, it is relevant to assess in particular how a personal data breach is defined and analysed within the framework of this decision, thereby revealing the stakes for the future of data protection in Europe.
I want reliable legal documents!
The HDPA (Greece) - 13/2025 case raises fundamental questions about how to assess a personal data breach in light of the GDPR. The assessment of a breach does not rest solely on the inaccessibility of data, but also involves an understanding of the potential risks in terms of confidentiality, integrity and availability of data.
In this case, the main point in dispute was the Athens court's decision to remove the employee's computer, which resulted in a lack of access to their personal data. However, the Data Protection Authority (DPA) concluded that:
The DPA's response thus provides a framework for interpreting notification obligations, underscoring that not all events that do not involve access to data necessarily translate into a data breach. This appears as a warning to authorities and organisations on the need to distinguish between events with no immediate consequences for the protection of personal data and a genuine breach requiring notification.
Consequently, this ruling illustrates not only the importance of respecting individuals' rights relating to access to their personal data, but also the need to establish clear risk-assessment procedures that dictate the appropriate response to such incidents.
In an era where confidentiality issues are increasingly scrutinised, the lessons drawn from this case can be applied to strengthen data protection governance structures and ensure effective compliance with the legal requirements of the GDPR.
To learn more
The GDPR guarantees every individual the right to consult their personal information. This right of access is essential to ensuring transparency within public administrations and enabling individuals to monitor how their data is used by public institutions.
The HDPA 13/2025 case, decided by the Greek data protection authority, raises questions about the right of access to personal data within public institutions. It illustrates the stakes of data protection and compliance with the legal obligations of access and management.
Yes. The right of access guaranteed by the GDPR applies to public administrations and institutions. Any individual may request to consult the data concerning them, and the institution must respond in compliance with its legal obligations, as the Greek authority's decision reaffirms.
Yes. Public institutions are required to appoint a data protection officer. The HDPA 13/2025 case highlights this responsibility and underscores the need for effective data governance within public administrations.
Administrative transparency and data protection come together in the right of access: individuals can consult their data while benefiting from safeguards regarding its processing. Institutions must strike this balance in compliance with the obligations of the GDPR.
Public authorities must respect the right of access, ensure compliant data management, appoint a data protection officer and guarantee effective governance. The Greek case reaffirms the importance of these obligations for the protection of citizens' data.
An institution that fails to comply with the right of access or its data governance obligations exposes itself to intervention by the data protection authority and to corrective measures. The HDPA 13/2025 decision illustrates the consequences of such failures.
A lawyer specialising in personal data law helps public institutions comply with the right of access, structure data governance and appoint a data protection officer. This support secures GDPR compliance and administrative transparency.
Still have questions?
Our team is available!
Have a question?

Ressources
Aller plus loin