At the end of 2021, the Hellenic Data Protection Authority became aware of a decision of the Greek Government regarding the development and implementation of the “Centaur” programme by the Ministry of Migration and Asylum (hereinafter referred to as the MMA) in order to control the reception and accommodation facilities of third country nationals on the Aegean islands.
The Authority also received a request for information on border surveillance technologies from the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE Committee), while a request for investigation and opinion on the procurement and implementation of the “Hyperion” and “Centaur” systems in reception and accommodation facilities for asylum seekers was submitted to the Authority by civil society organizations in February 2022.
In July 2022, the Authority also received a letter from the UNHCR Representation in Greece with regard to the above systems.
- The “Centaur” programme is reported to be an integrated digital system for the management of Electronic and Physical Security around and within the facilities of the Closed Controlled Access Centers and Reception and Identification Centers (hotspots) of third country nationals on the islands of Lesvos, Chios, Samos, Leros and Kos, using motion analysis cameras and algorithms (Artificial Intelligence Behavioral Analytics), which will be managed by the MMA. The “Centaur” programme includes, inter alia, the use of CCTV and drones, which will process personal data, at least image data.
- At the same time, the “Hyperion” programme is described as an integrated entry-exit control system at the premises of the above-mentioned facilities, in order to control the entry and exit of both the guests and the certified members of the certified non-governmental organizations (NGOs), by presenting the asylum seeker card or an NGO member/employee card, on the one hand, and the employees of the facilities on the other, by means of an RFID reader in combination with a fingerprint (two-factor authentication), through which personal data, in particular biometric data, are processed.
Having learned of the development and implementation of the “Centaur” and “Hyperion” programmes by the Ministry of Migration and Asylum in the premises of the Closed Controlled Access Centers and the Reception and Identification Centers for third-country nationals, the Authority proceeded to examine in-depth the integrated digital system for managing electronic and physical security (“Centaur”) and the integrated entry-exit control system with reader in combination with fingerprint ‒i.e. biometric data processing‒ (“Hyperion”) in the premises of the above-mentioned facilities for guests as well as employees and certified members of non-governmental organizations.
The Authority found a lack of cooperation on the part of the Ministry of Migration and Asylum, as data controller, and further considered that the required Data Protection Impact Assessments carried out by the Ministry were substantially incomplete and limited in scope, and that serious shortcomings remain as regards the Ministry’s compliance with certain provisions of the GDPR in relation to the implementation of the systems in question.
For these reasons, the Authority imposed an administrative fine of € 175,000 on the Ministry of Migration and Asylum for the breaches found in relation to the cooperation with the Authority and the impact assessments, while at the same time it sent the Ministry an order to comply within three months with its obligations under the GDPR.
- Decision 13/2024 is available at https://www.dpa.gr/el/enimerwtiko/prakseisArxis/aytepaggelti-ereyna-gia-tin-anaptyxi-kai-egkatastasi-ton-programmaton in Greek.
Communications Department
