Criminal processing of personal data – The decision of the Court of Appeal of Athens 384/2025
Privacy
Presentation of the decision EfAth 384/2025, TNP nomos, regarding the key points for the criminal processing of personal data.
Giorgos Nouskalis, Assistant Professor of Law School AUTH-Lawyer at the Supreme Court, pr. Member of the Independent Personal Data Protection Authority.
The above decision accepted the following:
‘At the explanatory statement of this law4624/2019) In paragraph 1 of the above article (38) two independent criminal offenses are standardized. In the first paragraph of par. 1 of article 38 N. 4624/2019 A crime of damage to privacy is standardized, committed in two ways: a) The first consists of ‘without the right to intervene in the archiving system’ of personal data and through this intervention to obtain knowledge of the content of the data. The operation presupposes positive energy, as a form of ‘out of penetration/intervention’, in filing systems, which results in obtaining knowledge of the content of the data, in any way. Given that the receipt of knowledge, as a rule, occurs through previous ‘intervention’ in the data archiving system, it is easily understood why the legislator predicted cumulatively by ‘intervention’ and receiving of knowledge in the new legal form of the offense of article 38 par. 1a’, so that all its conditions are met and not disjunctively as in the case of the previous article 22 par. 4 n. 2472/97 (AP 686/2021 TNP LAW). If such ‘invasion’ or ‘entry’ does not take place and the perpetrator was aware of this data by himself or without arbitrary investigation, intervention or penetration, then the legal form of the offense is not met (AP 686/2021, AP 96/2020, AP 180/2018, AP 474/2016 TNP LAW). It is enough that this intervention has as its material object a personal data archiving system and the culprit does not have the right to process this data, i.e. the data concerns a third natural person and the perpetrator does not fall into one of the Exceptions of articles 21-36 of the4624/2019 and Regulation 2016/679 EU, so that he does not have the right to process and obtain knowledge of the data by law. The term therefore, ‘without the right’ is met in any case, when the described act is carried out in violation of the conditions set by the law (AP 686/2021 TNP LAW). b) The second way (article 38 par.1b) consists of a group of acts of ‘use’ that are considered ‘processing’. These operations are as follows: Copy, removal, alteration, damage, collection, registration, organization, structure, storage, adaptation, change, recovery, information search, correlation, combination, restriction, deletion or destruction of data. The above described behavior can also lead to the acquisition of knowledge of the data, and the above actions do not necessarily constitute an intervention, i.e. they do not necessarily presuppose, for the realization of the objective nature of the offense, a positive action without the right outside intrusion-intrusion, which in any way brings material effect to a data archiving system. This happens because it is also possible to use and process them after the legal possession of the data, without the right, with one of the ones mentioned in article 38 par. 1 b of n. 4624/2019 ways. in paragraph 2 of the above article 38 of the. 4624/2019, a separate crime of harm is standardized, but more undeserved of privacy. In particular, acts of processing of personal data that were included or are to be included in an existing archiving system in the form of disposition/notification to non-entitled persons as a ‘use of use’ of the same data, in the sense of exploitation, are standardized. of the above information by making it available to non-entitled persons. In fact, the above condition works, like the one corresponding to the crime of ‘use’ of the interception product in article 370 par.3 of the Civil Code. So one could have legally collected and possessed data in an archiving system, but either process them illegally within their sphere of power, or dispose of them to third parties illegally, i.e. without a legal basis Permissible processing according to the GDPR (G. Nouskalis Criminal Justice 2022 p. 354).
According to the same explanatory statement, ‘the perpetrator of the offenses of paragraphs 1, 2, 3 without the right acts without the right to do the above acts without a relevant provision of the law permitting him or acting in excess of another legal act (e.g. In this way, the cases of illegal data processing legally owned by the perpetrator of the offense (e.g. due to the consent of the subject them or because of their processing for another purpose), but is processed for a different purpose from the one consented by their subject or in the ignorance of the latter (AP 686/2021 TNP LAW). Moreover, every time someone changes Illegally the purpose of data processing that he either legally or illegally possesses, this act is considered not only as ‘illegal processing’, but also as ‘intervention’ in an archiving system according to article 38 par.1 n. 4624/2019 (AP 505/2020 TNP LAW’, G. Nouskalis op. p. 353).
Furthermore, according to the provision of Article 25 of the. 4624/2019 It is allowed to process personal data by private bodies for a purpose other than the one for which they have been collected, if it is necessary, among other things, (para. b) for the prosecution of criminal offenses, (para. c) for the establishment, exercise or support of legal claims, unless it is the interest of the data subject not to process this data. According to settled jurisprudence, ‘such a case of assistance of a superior legal interest constitutes, in particular, the case in which the elements requested for the recognition, exercise or defense of a right before a court, are absolutely necessary and appropriate for the recognition, exercise or Defense of a right before a court (principle of necessity) and especially in view of the specific trial that is pending. As, repeatedly, the Data Protection Authority has judged – even under the regime of the previous law, which in a similar way defined (articles 5 and 7 of the n. 2472/1997) that ‘exceptionally, processing and without consent are allowed, when, e) processing is absolutely necessary to satisfy the legitimate interest pursued by the controller or the third party or the third parties, to whom the data is announced and subject to the condition That this obviously surpasses the rights and interests of the data subjects and does not affect their fundamental freedoms’ (8/2005, 9/2005 and 57/2009) The use before a court of personal data which have been collected without the prior consent of the interested party is legitimate, if the intended purpose of the defense of rights cannot be achieved by other milder means (Opal 1/2017, by 79/2020, AP 813/2020 TNP LAW)’