Sensitive Information, Including National Security Matters, Found in Gmail Account:
A Greek-Japanese NGO employee was involved in a controversy over the use of the term “Greek yogurt” by a Japanese multinational.
This is what a Foreign Ministry diplomatic officer reported to the Hellenic Data Protection Authority in March 2025.
The officer approved a Japanese dairy company’s request to produce “Greek” yogurt in Japan with the Greek flag on its packaging.
By Vangelis Triantis
The Hellenic Data Protection Authority has received unbelievable claims about how the competent departments of the Ministry of Foreign Affairs handle personal data, including sensitive information. According to Data Journalists, a diplomatic officer who previously served in Tokyo reported serious misconduct involving fellow ministry officials. Specifically, from 2016 to August 2018, the then Head of the Economic and Commercial Affairs Office (ECA) in Tokyo allegedly created a Gmail account “without the Service’s approval and without any legal provision as a backup for diverting the ECA Office’s emails,” according to the complaint. The account reportedly contained sensitive information with confidential or classified content, including matters of national significance.
A Greek-Japanese employee with a fixed-term contract who also served as the executive director of a non-governmental organization operating under the name “Hellenic Chamber of Commerce in Japan” allegedly gained illegal access to a Gmail account. According to the whistleblower, this constituted a “clear conflict of interest.” Furthermore, Data Journalists reported that the NGO received sponsorship funds from a Japanese multinational corporation. The corporation was reportedly granted an “authenticity certificate for Greek yogurt” in 2018.
Questions arise over the Japanese multinational’s use of the term “Greek yogurt.” In 2020, the Japanese Trademark Office revoked the trademark for the product “Greek Style Yogurt” following an appeal by the Greek Embassy in Tokyo. However, the company is reportedly still marketing yogurt products labeled “Greek-style yogurt” in countries such as Singapore, even five years later. Now, let us examine the allegations submitted to the Data Protection Authority in detail.
Recent Complaint to the Data Protection Authority
In March 2025, a diplomatic officer from the Ministry of Foreign Affairs filed a complaint with the Hellenic Data Protection Authority. The officer alleged that ministry personnel had subjected her personal data to “unlawful processing” from 2018 to the present.
Specifically, in 2019, the Greek Embassy in Japan allegedly transmitted her personal data to Ministry officials without notifying her or obtaining her consent. This data included documents labeled as confidential by the Ministry of Foreign Affairs, as well as electronic files. The documents reportedly included records related to the officer’s hospitalization in Tokyo following a car accident. From September to October 2019, revelations unfolded regarding the Greek yogurt scandal and the unauthorized use of the Greek trademark and national flag by a Japanese multinational corporation.
A disciplinary inquiry was launched to determine if any disciplinary or criminal offenses were committed when accepting sponsorships from Meiji Co., a Japanese dairy company. Ltd. for events organized by the Greek Embassy in Tokyo, Japan. The inquiry also examined the issuance of a “certificate of authenticity” by the embassy for a product marketed in Japan by the aforementioned company as “The Greek Yogurt.” The inquiry’s findings were submitted to the Secretary General of the Ministry of Foreign Affairs in March 2019. The findings attributed “disciplinary responsibility for breach of duty” to the former Head of Mission, Ambassador Loukas Karatsolis, a career diplomatic officer, and the former Head of the Economic and Commercial Affairs Office (ECA) and ECA Counselor, Dionysios Protopapas. They were found responsible for recognizing the Japanese yogurt as Greek and for handling the sponsorships. These actions violated existing legislation, relevant circulars and directives, and key policy positions of the Greek Ministry of Rural Development & Food concerning the protection of Greek commercial interests from abusive practices”.
According to the diplomatic officer’s complaint and statements, her personal health data was transmitted to Mr. Protopapas in March 2020 without her knowledge.
Then, in June 2020, the Greek Embassy in Tokyo shared her personal data with other recipients without her prior notice or consent.
In her complaint, she states that “the unlawful processing of my personal data and the denial of access to information about numerous files and documents containing such data continued until August 2024.” She further claims that as a result of the unethical and unlawful processing of her data by Ministry of Foreign Affairs personnel, she has suffered immeasurable moral and material harm. This harm has manifested as disciplinary actions, a salary reduction, a degraded career, and hierarchical marginalization over the past six years.
Official email content in the hands of private individuals
The same complaint raises another serious issue. During his tenure as Head of the Economic and Commercial Affairs Office (ECA), Mr. Protopapas allegedly created a Gmail account as an alternate backup for official emails. This was done without the Ministry’s knowledge and is not permitted by law.
According to the complaint, however, Mr. Protopapas allegedly granted access to this Gmail account to a Japanese Embassy employee on a fixed-term contract. Consequently, this person had unauthorized access to personal data, including confidential commercial and national security-related information pertaining to hundreds of email senders and recipients.
This individual held another role as well. Specifically, he was the executive director of a non-governmental organization (NGO) operating under the name Hellenic Chamber of Commerce in Japan. This NGO was headquartered at the Greek Embassy in Tokyo, which was done unlawfully and without the Ministry’s knowledge. According to the complaint, however, this NGO had “no relation whatsoever, nor any formal connection, with the official Athens Chamber of Commerce and Industry (a legal entity under public law), or with any other official Greek chamber.” In fact, the competent authorities at the Athens Chamber were reportedly unaware of the NGO’s existence.
The complaint states that the NGO’s executive director “gained access to embassy computers and files, including personal data and information on the recipients of official emails, with the full knowledge and explicit consent of the commercial counselor at the time, Mr. Protopapas.”
Funds were deposited into the aforementioned NGO’s account from a sponsorship by the Japanese dairy company Meiji. In 2018, the Greek Embassy in Tokyo awarded Meiji a “certificate of authenticity” for yogurt produced in Japan, certifying its Greek origin.
The Gmail account was terminated in August 2018 when the new Head of the Economic and Commercial Affairs Office assumed duties, replacing Dionysios Protopapas. It is unclear what types of personal data and classified information, including matters of national interest, may have been transmitted to third parties.
Furthermore, the Ministry of Foreign Affairs (MFA) has never conducted a Data Protection Impact Assessment (DPIA) or taken other measures to prevent the violation of its personnel’s personal data, despite being obligated to do so since 2018. The complaint to the Data Protection Authority emphasizes that, as of 2025, the risks remain unchanged due to the MFA’s continued absence of measures to mitigate dangers of a personal data breach.
The granting of the Certificate of Authenticity
Now, let us return to the scandal involving Greek yogurt. In 2018, Loukas Karatsolis, the head of the Greek embassy in Tokyo at the time, granted the Japanese multinational dairy company Meiji Co. a certificate of authenticity for Greek yogurt. This effectively allowed the Japanese company to produce and market Greek yogurt as its own original product.
The ambassador took this action without obtaining approval from the Ministry of Foreign Affairs’ central services or notifying the Ministry of Rural Development and Food. According to the report, the ambassador praised the quality of Japanese yogurt at press conferences. In an interview with The Japan Times, the ambassador defended his decision, stating that he was “looking toward future growth through the branding of one of Greece’s most famous food products.” Just a few days later, the political leadership recalled the ambassador from Tokyo—two years before the end of his scheduled term in Japan. This reflected the leadership’s displeasure with his actions.
The Japanese company launched a major marketing campaign for the product, using the slogan, “This yogurt is Greek and approved by the Greek Embassy in Tokyo.” The packaging featured a Greek flag and the phrase “Traditional Greek strained yogurt recipe” in Japanese. The flag was marked as having been approved by the embassy.
In its 2018 annual report, the company mentioned Greek yogurt, stating that it began selling the product in April of that year. Ultimately, the Japanese dairy company produced “Greek” yogurt in Japan that was branded with the Greek flag.
Objection from the Greek Side
Through the Office of Economic and Commercial Affairs (OECA) in Tokyo, the Greek government decided to protect the interests of Greek yogurt. Specifically, the OECA filed a petition with the Japan Patent Office (JPO) to cancel Meiji Co.’s trademark registration for “The Greek Yogurt.”
On May 13, 2020, the JPO ruled in Greece’s favor. The JPO then canceled the trademark for the products “Greek-style yogurt” and “yogurt used primarily in Greek cuisine.”
It uses the term “Greek-style yogurt”
We searched online for Meiji Co.’s yogurt products. As one can see, the company sells yogurt products with this label.
The product is actually “Meiji Greek-style yogurt,” which boasts a rich texture and numerous health benefits. According to the product description, the yogurt is made from high-quality Meiji milk using the traditional Greek method.
Stauroula Tomara, a lawyer, said:
“Personal data of citizens are systematically violated.”
Ms. Tomara handled the complaint submitted by the diplomatic employee. In a statement to Data Journalists, she notably stated:
A data subject’s public disclosure of personal data through a social media post does not imply a waiver of their right to protection of that data. Data subjects are not automatically exempt from the GDPR simply because their personal data is publicly available in documents or social media posts. They must always be informed in advance about how companies, ministries, state services, or media intend to process their data, even when it originates from publicly available sources such as public documents or social media posts.
The data controller must inform the data subject of the intended purposes and legal basis for processing.
When processing is based on the consent of the data subject, the data controller must demonstrate that the data subject has explicitly consented to making the relevant personal data accessible to the public through affirmative action.
Consent must be freely given; therefore, ambiguity or lack of voluntariness invalidates consent as a legal basis for processing personal data.
Disclosing sensitive personal data does not imply consent for a social media platform or online service administrator to process other data relating to that person’s sensitive information.
Decision of the Court of Justice of the European Union (Fourth Chamber) of October 4, 2024, in Case C-446/21, Schrems v. Facebook/Meta Platforms Ireland. Advocate General: A. Rantos.
Unfortunately, the Greek Ministry of Foreign Affairs, like many other ministries and public agencies—including the Hellenic Police (EL.AS), the Athens Bar Association, and even the Greek courts—systematically violates the GDPR without taking proper measures to protect citizens’ (and employees’) personal data. One primary and serious omission is their failure to carry out a Data Protection Impact Assessment (DPIA), as stipulated in Article 35(1) of the GDPR. The situation with respect to the media is also dangerously and persistently unlawful. The media systematically violate the personal data of citizens (except in cases where disclosure is required by prosecutorial order). However, it is suspected that this serves the interests of political parties, ministers, media owners, and certain major business figures.
In a well-governed European society, the Prime Minister should not tolerate this systematic violation of citizens’ personal data, including sensitive data. He should issue strict orders to all his ministers to ensure the immediate and uniform application of the European Regulation (GDPR).
AloJapan.com