HDPA (Greece) - 50/2021: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Greece |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoGR.jpg |DPA_Abbrevation=HDPA (Greece) |DPA_With_Country=HDPA (Greece) |Case_Number...")
 
No edit summary
 
(5 intermediate revisions by 3 users not shown)
Line 11: Line 11:


|Original_Source_Name_1=Greek DPA
|Original_Source_Name_1=Greek DPA
|Original_Source_Link_1=https://www.dpa.gr/index.php/el
|Original_Source_Link_1=https://www.dpa.gr/el/enimerwtiko/prakseisArxis/diadikasia-syghronis-ex-apostaseos-ekpaideysis-apo-ypoyrgeio-paideias
|Original_Source_Language_1=Greek
|Original_Source_Language_1=Greek
|Original_Source_Language__Code_1=EL
|Original_Source_Language__Code_1=EL
Line 66: Line 66:
}}
}}


The HDPA reprimands the Hellenic Ministry of Education and Religion Affairs for not conducting in an appropriate way a DPIA, the required process activity for building  and demonstrating compliance with the GDPR.  
The Greek DPA issued a reprimand against the Hellenic Ministry of Education and Religious Affairs for not conducting a Data Protection Impact Assessment (DPIA) in an appropriate manner before implementing a method of distance learning after the closure of schools in Greece in the context of the COVID-19 pandemic.  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
Due to COVID-19 pandemic period, the Hellenic Ministry of Education and Religions Affairs decided to promote and apply the method of distance learning by technological means. The Greek DPA (HDPA) considered this method is legal, but found the conducted Data Protection Impact Assessment (DPIA) has not fully considered a number of factors and risks in relation to the rights and freedoms of the data subjects. Recognizing the need for the contemporary distance education, the HDPA provided an opinion to the Ministry, to address the above flaws and shortcomings and called on it, within an exclusive period of three months to make the appropriate changes to the DPIA.
Due to COVID-19 pandemic period, the Hellenic Ministry of Education and Religions Affairs (the Ministry) decided to promote and implement a method of distance learning by technological means for students in primary and secondary education. The Greek DPA (HDPA) considered this method legal, but found that the Ministry had failed to consider a number of factors and risks in relation to the rights and freedoms of the data subjects when conducting a Data Protection Impact Assessment (DPIA). Recognizing the need for the contemporary distance education, the HDPA provided an opinion to the Ministry to address the flaws and shortcomings. The HDPA called on the Ministry to make the appropriate changes to the DPIA within an exclusive period of three months. After that period, the HDPA analyzed once again the measures taken by the Ministry to assess whether the adopted method of distance learning and the measures that accompanied it complied with the GDPR.  


=== Holding ===
=== Holding ===
The HDPA examined the updated DPIA, as well as the compliance actions of the Ministry. The HDPA identified deficiencies as follows: first of all, the Ministry never had a detailed investigation of the lawfulness of the processing purposes, in particular with regard to the consent for access to information stored in a user's terminal equipment, when is not necessary to provide the service requested by the user, according to [[Article 6 GDPR#4|Article 6(4) GDPR]].
The HDPA examined the updated DPIA, as well as the compliance actions taken by the Ministry. The HDPA identified deficiencies as follows: first of all, the HDPA found that the Ministry never made a detailed investigation on the lawfulness of the processing purposes under [[Article 6 GDPR#4|Article 6(4) GDPR]], in particular with regard to the consent for access to information stored in a user's terminal equipment, when is not necessary to provide the service requested by the user.
Regarding to the principle of transparent information and the right to access by the data subject, according to Article 12 and 14 GDPR, the information provided by the Ministry to the data subjects is not appropriate and sufficient, while this information is not easy to understand and not in an accessible form with clear and simple wording, especially when it comes to information that is also addressed to children.
The applied safety measures, although in the right direction, must be completed, in a way that is available to every teacher, while it must be ensured that all the teachers involved in the distance education process have received minimal information, according to [[Article 13 GDPR|Article 13 GDPR]].
In addition, the Ministry violated the obligation of [[Article 35 GDPR#9|Article 35(9) GDPR]] in relation to the expression of opinion of the data subjects or their representatives for the processing activity.
Last but not least, no proper evaluation of data transfer to non-EU countries has been carried out and in particular in the light of the European’s Courthouse judgment in Case C-311/18 (Schrems II).
For all the above violations, the Authority reprimanded and instructed the Ministry to address the deficiencies in the manner analyzed in the decision within a period of two months (four in relation to the transfers) in order to heal the violations.


Regarding the principle of transparency and the right to access by the data subject, according to Article 12 and 14 GDPR, the information provided by the Ministry to the data subjects was not considered appropriate and sufficient. The HDPA found in particular that the provided information was not easy to understand and (lack of accessibility and of clear and simple wording), especially vis-à-vis children.


The HDPA further found that the applied measures, despite having been improved, still needed to be completed, in order to ensure in particular that all the teachers involved in the distance education process receive minimal information in accordance with [[Article 13 GDPR]].
In addition, the HDPA found that the Ministry violated the obligation of [[Article 35 GDPR#9|Article 35(9) GDPR]] in relation to the expression of opinion of the data subjects or their representatives for the processing activity.
Last but not least, no proper evaluation of data transfer to non-EU countries were carried out and in particular in the light of the CJEU judgment in Case C-311/18 (Schrems II).
In view of all the above violations, the HDPA reprimanded the Ministry and instructed the latter to address those deficiencies in the manner analyzed in the decision within a period of two months (four months in relation to the data transfers).
== Comment ==
== Comment ==
''Share your comments here!''
''Share your comments here!''

Latest revision as of 09:23, 12 October 2022

HDPA (Greece) - Decision 50/2021
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(a) GDPR
Article 6(1)(c) GDPR
Article 6(1)(e) GDPR
Article 12(1) GDPR
Article 25(1) GDPR
Article 35(9) GDPR
Article 37(7) GDPR
Article 46 GDPR
Article 4(5)National Law 3471/2006
Article 4(5)National Law 3471/2006
Type: Investigation
Outcome: Violation Found
Started:
Decided: 16.11.2021
Published: 18.11.2021
Fine: None
Parties: Hellenic Ministry of Education and Religions Affairs
National Case Number/Name: Decision 50/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: Greek DPA (in EL)
Initial Contributor: Anastasia.tsermenidou

The Greek DPA issued a reprimand against the Hellenic Ministry of Education and Religious Affairs for not conducting a Data Protection Impact Assessment (DPIA) in an appropriate manner before implementing a method of distance learning after the closure of schools in Greece in the context of the COVID-19 pandemic.

English Summary

Facts

Due to COVID-19 pandemic period, the Hellenic Ministry of Education and Religions Affairs (the Ministry) decided to promote and implement a method of distance learning by technological means for students in primary and secondary education. The Greek DPA (HDPA) considered this method legal, but found that the Ministry had failed to consider a number of factors and risks in relation to the rights and freedoms of the data subjects when conducting a Data Protection Impact Assessment (DPIA). Recognizing the need for the contemporary distance education, the HDPA provided an opinion to the Ministry to address the flaws and shortcomings. The HDPA called on the Ministry to make the appropriate changes to the DPIA within an exclusive period of three months. After that period, the HDPA analyzed once again the measures taken by the Ministry to assess whether the adopted method of distance learning and the measures that accompanied it complied with the GDPR.

Holding

The HDPA examined the updated DPIA, as well as the compliance actions taken by the Ministry. The HDPA identified deficiencies as follows: first of all, the HDPA found that the Ministry never made a detailed investigation on the lawfulness of the processing purposes under Article 6(4) GDPR, in particular with regard to the consent for access to information stored in a user's terminal equipment, when is not necessary to provide the service requested by the user.

Regarding the principle of transparency and the right to access by the data subject, according to Article 12 and 14 GDPR, the information provided by the Ministry to the data subjects was not considered appropriate and sufficient. The HDPA found in particular that the provided information was not easy to understand and (lack of accessibility and of clear and simple wording), especially vis-à-vis children.

The HDPA further found that the applied measures, despite having been improved, still needed to be completed, in order to ensure in particular that all the teachers involved in the distance education process receive minimal information in accordance with Article 13 GDPR.

In addition, the HDPA found that the Ministry violated the obligation of Article 35(9) GDPR in relation to the expression of opinion of the data subjects or their representatives for the processing activity.

Last but not least, no proper evaluation of data transfer to non-EU countries were carried out and in particular in the light of the CJEU judgment in Case C-311/18 (Schrems II).

In view of all the above violations, the HDPA reprimanded the Ministry and instructed the latter to address those deficiencies in the manner analyzed in the decision within a period of two months (four months in relation to the data transfers).

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.


update
Legislation, Annual reports, Acts of the Authority, Thematic units, Press releases and announcements, News, Events, Young citizens, e-Newsletter