HDPA (Greece) - 61/2022: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Greece |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoGR.jpg |DPA_Abbrevation=HDPA |DPA_With_Country=HDPA (Greece) |Case_Number_Name=61/...") |
(changed short summary, used DPA instead of Authority, clarified the facts and the holding a bit to make it sound more clear) |
||
Line 77: | Line 77: | ||
}} | }} | ||
The | The Greek DPA examined how the Ministry of Education and Religious Affairs complied with the provisions of the legislation on the processing of personal data with regards to remote education. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The DPA examined the compliance of the Ministry of Education and Religious Affairs with the recommendations of Decision 50/2021 on the compatibility of | The DPA examined the compliance of the Ministry of Education and Religious Affairs with the recommendations of Decision 50/2021 on the compatibility of remote education in primary and secondary education with the provisions of the legislation on the processing of personal data. The DPA made several points. First, no detailed investigation had been carried out into the legality of the purposes of processing on the part of the Ministry, in particular in relation to consent to access information stored on a user's terminal equipment when this is not necessary for the provision of the service requested by the user. Second, the information provided to data subjects was less than that required by the GDPR, and the information was not provided in an intelligible and easily accessible form with clear and simple wording, especially if it was also addressed to children. Third, the security measures in place, although in the right direction, needed to be made acessible to every teacher, and it must be ensured that all teachers involved in the distance learning process received the minimum required information. Fourth, a proper assessment of the transfer of data to countries outside the EU had not been carried out, especially in light of the CJEU's decision in case [[CJEU - C-311/18 - Schrems II|C-311/18 (Schrems II)]]. | ||
=== Holding === | === Holding === | ||
The DPA considered that no new remedy | The DPA considered that no new remedy was required and invited the Ministry to make the necessary amendments to improve transparency. In particular, the information provided to data subjects via the website should follow a multi-level approach and better information on the use of cookies was required. | ||
Additionally, the DPA announced that it would address the more general issue of the application of Chapter V of the GDPR to video-conferencing services of companies belonging to a group controlled by an entity subject to US law with other supervisory authorities through the cooperation and consistency procedures of the GDPR. | |||
== Comment == | == Comment == |
Revision as of 15:47, 7 November 2022
HDPA - 61/202234 | |
---|---|
Authority: | HDPA (Greece) |
Jurisdiction: | Greece |
Relevant Law: | Article 5(1)(a) GDPR Article 6(1)(e) GDPR Article 12 GDPR Article 13 GDPR Article 25(1) GDPR Article 35 GDPR Article 46 GDPR National Law 3471/2006, article 4 National Law 4624/19, article 37 |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 01.11.2022 |
Published: | 01.11.2022 |
Fine: | n/a |
Parties: | Ministry of Education and Religious Affairs |
National Case Number/Name: | 61/202234 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Greek |
Original Source: | DPA.gr (in EL) |
Initial Contributor: | Anastasia Tsermenidou |
The Greek DPA examined how the Ministry of Education and Religious Affairs complied with the provisions of the legislation on the processing of personal data with regards to remote education.
English Summary
Facts
The DPA examined the compliance of the Ministry of Education and Religious Affairs with the recommendations of Decision 50/2021 on the compatibility of remote education in primary and secondary education with the provisions of the legislation on the processing of personal data. The DPA made several points. First, no detailed investigation had been carried out into the legality of the purposes of processing on the part of the Ministry, in particular in relation to consent to access information stored on a user's terminal equipment when this is not necessary for the provision of the service requested by the user. Second, the information provided to data subjects was less than that required by the GDPR, and the information was not provided in an intelligible and easily accessible form with clear and simple wording, especially if it was also addressed to children. Third, the security measures in place, although in the right direction, needed to be made acessible to every teacher, and it must be ensured that all teachers involved in the distance learning process received the minimum required information. Fourth, a proper assessment of the transfer of data to countries outside the EU had not been carried out, especially in light of the CJEU's decision in case C-311/18 (Schrems II).
Holding
The DPA considered that no new remedy was required and invited the Ministry to make the necessary amendments to improve transparency. In particular, the information provided to data subjects via the website should follow a multi-level approach and better information on the use of cookies was required.
Additionally, the DPA announced that it would address the more general issue of the application of Chapter V of the GDPR to video-conferencing services of companies belonging to a group controlled by an entity subject to US law with other supervisory authorities through the cooperation and consistency procedures of the GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Summary The Authority examined ex officio the compliance of the Ministry of Education and Religious Affairs with the recommendations of decision 50/2021 on the compatibility of modern distance education in primary and secondary school units with the provisions of the legislation on the processing of personal data. The Authority considers that no new corrective measure is required and calls on the Ministry to make the necessary amendments to improve transparency. In particular, the information provided to data subjects through the website must follow a multi-level approach, while an improvement in the information regarding the use of "cookies" is required. The Authority will consider the broader issue of the application of Chapter V of the GDPR to videoconferencing services of companies that are part of a group controlled by an entity subject to US law. with the other supervisory authorities through the cooperation and coherence procedures of the Regulation.