Original source link: https://www.dpa.gr/el/enimerwtiko/prakseisArxis/diadikasia-syghronis-ex-apostaseos-ekpaideysis-apo-ypoyrgeio-paideias
Latest revision as of 09:23, 12 October 2022
HDPA (Greece) - Decision 50/2021 | |
---|---|
Authority: | HDPA (Greece) |
Jurisdiction: | Greece |
Relevant Law: | Article 5(1)(a) GDPR; Article 6(1)(c) GDPR; Article 6(1)(e) GDPR; Article 12(1) GDPR; Article 25(1) GDPR; Article 35(9) GDPR; Article 37(7) GDPR; Article 46 GDPR; Article 4(5) National Law 3471/2006 |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 16.11.2021 |
Published: | 18.11.2021 |
Fine: | None |
Parties: | Hellenic Ministry of Education and Religious Affairs |
National Case Number/Name: | Decision 50/2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Greek |
Original Source: | Greek DPA (in EL) |
Initial Contributor: | Anastasia.tsermenidou |
The Greek DPA issued a reprimand against the Hellenic Ministry of Education and Religious Affairs for not conducting a Data Protection Impact Assessment (DPIA) in an appropriate manner before implementing a method of distance learning after the closure of schools in Greece in the context of the COVID-19 pandemic.
English Summary
Facts
Due to the COVID-19 pandemic, the Hellenic Ministry of Education and Religious Affairs (the Ministry) decided to promote and implement a method of distance learning by technological means for students in primary and secondary education. The Greek DPA (HDPA) considered this method legal, but found that the Ministry had failed to consider a number of factors and risks in relation to the rights and freedoms of the data subjects when conducting a Data Protection Impact Assessment (DPIA). Recognizing the need for contemporary distance education, the HDPA provided an opinion to the Ministry to address the flaws and shortcomings. The HDPA called on the Ministry to make the appropriate changes to the DPIA within an exclusive period of three months. After that period, the HDPA analyzed once again the measures taken by the Ministry to assess whether the adopted method of distance learning and the measures that accompanied it complied with the GDPR.
Holding
The HDPA examined the updated DPIA, as well as the compliance actions taken by the Ministry. The HDPA identified deficiencies as follows: first of all, the HDPA found that the Ministry never made a detailed investigation on the lawfulness of the processing purposes under Article 6(4) GDPR, in particular with regard to the consent for access to information stored in a user's terminal equipment, when it is not necessary to provide the service requested by the user.
Regarding the principle of transparency and the right to access by the data subject, according to Articles 12 and 14 GDPR, the information provided by the Ministry to the data subjects was not considered appropriate and sufficient. The HDPA found in particular that the provided information was not easy to understand (lack of accessibility and of clear and simple wording), especially vis-à-vis children.
The HDPA further found that the applied measures, despite having been improved, still needed to be completed, in order to ensure in particular that all the teachers involved in the distance education process receive minimal information in accordance with Article 13 GDPR.
In addition, the HDPA found that the Ministry violated the obligation of Article 35(9) GDPR in relation to the expression of opinion of the data subjects or their representatives for the processing activity.
Last but not least, no proper evaluation of data transfers to non-EU countries was carried out, in particular in the light of the CJEU judgment in Case C-311/18 (Schrems II).
In view of all the above violations, the HDPA reprimanded the Ministry and instructed the latter to address those deficiencies in the manner analyzed in the decision within a period of two months (four months in relation to the data transfers).
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.