RGPD

Administrative Transparency and the GDPR: What Are the Stakes for Public Institutions?

In the HDPA (Greece) - 13/2025 case, crucial questions are raised regarding the right of access to personal data within public institutions. Under the GDPR, every individual has the right to consult their personal information, which is essential to maintaining the co

Contents
Schedule a discussion

Reading time:

6 min

In the HDPA (Greece) - 13/2025 case, crucial questions concerning the right of access to personal data within public institutions are raised. Under the GDPR, every individual has the right to consult their personal information, which is essential to maintaining data confidentiality and ensuring transparency within public administrations. This decision by the Greek Data Protection Authority illustrates the stakes associated with data protection and the importance of complying with legal obligations relating to data access and management. The case also highlights the responsibility of public authorities in appointing a data protection officer, thereby underscoring the need for effective data governance. To better understand the implications of this decision, in this article we will examine the various dimensions of this issue within the framework of European law.

If you wish to engage a lawyer specialising in personal data law, contact me!

How important is the right of access to personal data under the GDPR?

The HDPA (Greece) - 13/2025 case reveals the crucial importance of the right of access to personal data, a right that is fundamental under the GDPR. Indeed, this regulation, and more specifically Article 15, provides that any individual must be able to access their personal data. This accessibility is not only a means for individuals to learn what data organisations hold about them, but is also essential to the protection of their rights.

In this specific case, an employee of the Athens Administrative Court filed a complaint against their employer for refusing access to their personal files. The refusal opposed by the controller was justified by the need to redistribute computers following a flood, but this in no way excuses the violation of the complainant's right of access. The Data Protection Authority (DPA) thus reaffirmed the importance of guaranteeing every individual the right to consult their personal information, particularly where it is critical to their defence in disciplinary proceedings.

Right of access and the GDPR
How important is the right of access to personal data under the GDPR?
ElementDetail
Reminder of rightsThe right to access personal data ensures the transparency and accountability of public bodies.
Impact on proceedingsBy allowing access to data, individuals are able to act and defend themselves properly.
Legal obligationsFailure to comply with this right constitutes an infringement of individual rights and a breach of the GDPR.
Provided for information purposes only; does not constitute legal advice.

This ruling highlights the legal order's commitment to data protection, by reaffirming that authorities must establish mechanisms that facilitate access to information. Beyond the mere recognition of this right, institutions must exercise due diligence in managing their employees' personal data. A lawyer specialising in software and database law can assist you in setting up management systems that comply with the requirements of the GDPR.

The lessons drawn from this case are not limited to the recognition of the right of access, but also underscore the importance of an effective data governance structure within public bodies.

In the remainder of our analysis, we will explore the responsibility of public authorities regarding the appointment of a data protection officer, another key point addressed by this decision.

Let's discuss your needs for 15 minutes!

What is the responsibility of public authorities regarding the appointment of a Data Protection Officer?

The HDPA (Greece) - 13/2025 case also raises crucial questions about the responsibility of public authorities in appointing a data protection officer. Under the GDPR, every public body is required to designate an Officer with in-depth skills and knowledge in the field of personal data protection, which is a fundamental element in ensuring compliance.

It is established that the Data Protection Officer (DPO) plays a key role within the framework of the GDPR, in particular through:

  • Ensuring compliance: The DPO must ensure that the body complies with all the obligations laid down by the regulation, including the right of access to information.
  • Awareness-raising: They must also educate staff on good practices in data protection.
  • Point of contact: As the main point of contact between the body and the Data Protection Authority, they facilitate exchanges concerning compliance matters.

However, decision 13/2025 highlights the failure of certain authorities to appoint a competent DPO. In the case examined, the court found that the lack of vigilance in this appointment contributed to the violation of the rights of access to personal data. Indeed, without a DPO, bodies lack leadership in data protection, which can expose them to sanctions.

Beyond legal compliance, it is essential to consider the human implications associated with data management. An effective DPO not only safeguards individuals' rights, but also fosters a climate of trust between the public body and citizens. This is particularly important in sensitive areas where data confidentiality is often put to the test.

As we delve deeper into this analysis, it is relevant to assess in particular how a personal data breach is defined and analysed within the framework of this decision, thereby revealing the stakes for the future of data protection in Europe.

I want reliable legal documents!

How should a personal data breach be assessed within the framework of this decision?

The HDPA (Greece) - 13/2025 case raises fundamental questions about how to assess a personal data breach in light of the GDPR. The assessment of a breach does not rest solely on the inaccessibility of data, but also involves an understanding of the potential risks in terms of confidentiality, integrity and availability of data.

In this case, the main point in dispute was the Athens court's decision to remove the employee's computer, which resulted in a lack of access to their personal data. However, the Data Protection Authority (DPA) concluded that:

  • No substantial breach: The DPA determined that the employee's situation did not constitute a personal data breach within the meaning of the GDPR, since the actions taken by the court compromised neither the confidentiality nor the integrity of the data.
  • Notification unnecessary: Given this absence of an established breach, the body was not required to notify an incident under the notification obligations laid down by Article 33 of the GDPR.
  • Caution required: This decision indicates that bodies must pay attention to the legal implications of data incidents and assess each situation rigorously in order to determine whether it requires notification.

The DPA's response thus provides a framework for interpreting notification obligations, underscoring that not all events that do not involve access to data necessarily translate into a data breach. This appears as a warning to authorities and organisations on the need to distinguish between events with no immediate consequences for the protection of personal data and a genuine breach requiring notification.

Consequently, this ruling illustrates not only the importance of respecting individuals' rights relating to access to their personal data, but also the need to establish clear risk-assessment procedures that dictate the appropriate response to such incidents.

In an era where confidentiality issues are increasingly scrutinised, the lessons drawn from this case can be applied to strengthen data protection governance structures and ensure effective compliance with the legal requirements of the GDPR.

To learn more

What right does the GDPR guarantee regarding access to data?

The GDPR guarantees every individual the right to consult their personal information. This right of access is essential to ensuring transparency within public administrations and enabling individuals to monitor how their data is used by public institutions.

What does the HDPA (Greece) 13/2025 case raise?

The HDPA 13/2025 case, decided by the Greek data protection authority, raises questions about the right of access to personal data within public institutions. It illustrates the stakes of data protection and compliance with the legal obligations of access and management.

Does the right of access apply to public institutions?

Yes. The right of access guaranteed by the GDPR applies to public administrations and institutions. Any individual may request to consult the data concerning them, and the institution must respond in compliance with its legal obligations, as the Greek authority's decision reaffirms.

Must a public administration appoint a data protection officer?

Yes. Public institutions are required to appoint a data protection officer. The HDPA 13/2025 case highlights this responsibility and underscores the need for effective data governance within public administrations.

How can administrative transparency and data protection be reconciled?

Administrative transparency and data protection come together in the right of access: individuals can consult their data while benefiting from safeguards regarding its processing. Institutions must strike this balance in compliance with the obligations of the GDPR.

What obligations rest on public authorities under the GDPR?

Public authorities must respect the right of access, ensure compliant data management, appoint a data protection officer and guarantee effective governance. The Greek case reaffirms the importance of these obligations for the protection of citizens' data.

What does a public institution risk in the event of a failure to comply with the right of access?

An institution that fails to comply with the right of access or its data governance obligations exposes itself to intervention by the data protection authority and to corrective measures. The HDPA 13/2025 decision illustrates the consequences of such failures.

Is a lawyer useful for GDPR compliance in the public sector?

A lawyer specialising in personal data law helps public institutions comply with the right of access, structure data governance and appoint a data protection officer. This support secures GDPR compliance and administrative transparency.

Still have questions?

Our team is available!

Have a question?

Vos informations restent strictement confidentielles.
Thank you! We will get back to you shortly. If you'd like to speed things up, schedule a time with me directly here:
Schedule a 15-minute call
Oops! Something went wrong while submitting the form.
Homme en costume bleu foncé avec cravate et pochette blanche, bras croisés, regardant vers l'avant.

Ressources

Aller plus loin

00
article(s) affiché(s) sur
00

7 min

Which web maintenance plan is best suited to your business?
Which web maintenance plan is best suited to your business? This article guides you in making an informed choice.

3 min

Website SEO contract drafted by a lawyer - Romain Mirabile
In a constantly evolving digital world, visibility on search engines is a major challenge for any business. Setting up a website SEO contract is one way to ensure your online visibility.

15 min

Open source legal risks and best practices
Open source has become an essential pillar of software development in business. JavaScript libraries, web frameworks, operating systems, databases...

7 min

What is the real cost of an external DPO for an SME?
What DPO cost must SMEs bear to ensure the protection of their business and compliance with the GDPR?

6 min

Online gambling: main legal risks and how to guard against them in 2025
The online gambling sector is undergoing constant change, both technologically and from a regulatory standpoint. In France, the legislation governing this activity has been considerably strengthened, in particular with the entry into force of the SREN law of May 2024.

6 min

GDPR and marketing targeting: can legitimate interest be invoked without consent?
In a context where the protection of personal data has become a major concern, the case BGH VI ZR 109/23 raises crucial questions about the implications of the GDPR and of consent. Indeed, the recent case law of the German Federal Court of Justice could redefine
Prendre rendez-vous
Book an appointment