The Personal Data Protection Authority has imposed fines of €10,000 and €30,000 on New Democracy (ND) following its investigation into the email leak involving former ND MEP Anna Michelle Asimakopoulou. While the Authority concluded that ND was not directly involved in the leak, it penalized the party for failing to take adequate measures to protect personal data.

Sources within ND announced plans to appeal the fine to the Council of State. The Authority determined that while ND was not implicated in the leak, it still issued a total fine of €40,000 due to insufficient safeguards (€30,000) and the fact that the related list was leaked by a former party employee, Nikos Theodoropoulos, who served as ND’s Secretary for Overseas Citizens (€10,000).

Simultaneously, the Authority cleared the then-General Secretary of the Interior Ministry, Michalis Stavrianoudakis, of any responsibility, noting that the actual leaker from the ministry could not be identified, although he resigned as soon as the issue was revealed.

According to the majority of the Authority’s members (5-2), the file was sent to Nikos Theodoropoulos by Menios Koromilas, then the Organizational Secretary for Local Government and Crisis Management of ND. Koromilas admitted to this, claiming that he received it from the resigned General Secretary of the ministry. However, apart from Koromilas, there was no supporting evidence for this assertion, leading to the exoneration of Stavrianoudakis.

Ultimately, the Authority concluded that Menios Koromilas sent the file to Nikos Theodoropoulos as a private individual rather than in his capacity as an ND official, imposing a €10,000 fine on him. The Authority did not accept that he acted on behalf of ND.

After Koromilas forwarded the file to Theodoropoulos, the latter used it for statistical purposes related to the May 2023 elections. The majority ruled that the statistical processing was conducted on behalf of the party, meaning Theodoropoulos acted as an ND employee. Consequently, a fine of €10,000 was imposed on ND because the employee processed the file.

However, Theodoropoulos retained the file for six months, despite the obligation to delete it immediately, and subsequently sent it to Anna Michelle Asimakopoulou as a private citizen. Therefore, the fine imposed on him was for his actions as a private individual, which absolves ND from responsibility, as the Authority accepted that the party used the data for statistical purposes and was not responsible for the leak.

Two dissenting members of the Authority expressed the view that all parties should be exonerated due to doubts, asserting that while a violation occurred, it was not clear who was responsible.