Data Protection Authority: 40,000 euro fine against New Democracy for Anna Michelle Asimakopoulou’s email leak

The data protection authority has imposed fines of 10,000 and 30,000 euros on New Democracy (ND) after investigating the email leak related to former ND MP Anna Michelle Asimakopoulou. Although the agency concluded that ND was not directly involved in the leak, it penalized the party for failing to take adequate measures to protect personal data.

Sources within the ND announced plans to appeal the fine to the State Council. The authority concluded that although ND was not implicated in the revelation, it still imposed a total fine of 40,000 euros because the security measures were inadequate (30,000 euros) and the corresponding list was provided by a former party employee, Nikos Theodoropoulos, who was in the Office was leaked as ND secretary for foreign citizens (€10,000).

At the same time, the agency absolved then Interior Ministry Secretary General Michalis Stavrianoudakis of any responsibility, noting that the actual leaker from within the ministry could not be identified, although he resigned as soon as the matter came to light.

According to the majority of the authority’s members (5 to 2), the file was sent to Nikos Theodoropoulos by Menios Koromilas, then the organizing secretary for local government and crisis management of the ND. Koromilas admitted this and claimed that he received it from the ministry’s resigned secretary general. However, apart from Koromilas, there was no supporting evidence for this claim, leading to the exoneration of Stavrianoudakis.

Ultimately, the authority concluded that Menios Koromilas transmitted the file to Nikos Theodoropoulos as a private individual and not in his capacity as an ND official, and fined him €10,000. The authority did not accept that he was acting on behalf of ND.

After Koromilas forwarded the file to Theodoropoulos, the latter used it for statistical purposes related to the May 2023 elections. The majority ruled that the statistical processing was carried out on behalf of the party, meaning that Theodoropoulos was acting as an ND employee. A fine of €10,000 was then imposed on ND because the employee had processed the file.

However, Theodoropoulos kept the file for six months, despite the obligation to immediately delete it, and then transmitted it to Anna Michelle Asimakopoulou as a private individual. Therefore, the fine imposed on him related to his actions as a private individual, which absolved ND of responsibility as the authority accepted that the party had used the data for statistical purposes and was not responsible for the leak.

Two dissenting members of the authority expressed the view that all parties should be exonerated based on doubt, claiming that although there was a violation, it was not clear who was responsible.