HDPA (Greece) - 41/2022: Difference between revisions
Revision as of 13:13, 20 September 2022
HDPA - 41/2022 | |
---|---|
Authority: | HDPA (Greece) |
Jurisdiction: | Greece |
Relevant Law: | Article 5(1) GDPR Article 13(2) GDPR Article 25(1) GDPR Article 35(1) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | 08.08.2022 |
Fine: | 5000 EUR |
Parties: | IDIKA S.A Ministry of the Interior Ministry of Health Ministry of Labour and Social Affairs Naval Defense Fund |
National Case Number/Name: | 41/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Greek |
Original Source: | HDPA (in EL) |
Initial Contributor: | n/a |
Greek DPA imposed a €5,000 fine on the Ministry of the Interior for violating Article 35(1) GDPR due to lack of a data protection impact assessment when processing health data.
English Summary
Facts
Acting on its ex officio competences under Articles 51 and 55 GDPR and Article 9 of National Law 4624/2019, the Greek DPA initiated an investigation into the processing of health data. The DPA examined the legal compliance of the Ministry of the Interior, the Ministry of Labour and Social Affairs, the Naval Defense Fund, the Ministry of Health and IDIKA S.A. (the controllers) with regard to the processing of personal data on the COVID-19 self-test distribution platform.
Holding
The Greek DPA started by pointing out that certain restrictive measures, such as the obligation to use self-testing to control the spread of a virus, are justified by objectives of public interest, specifically the need to protect public health and, therefore, are permissible under Article 8(2) ECHR as well as Articles 9 and 25 of the Greek Constitution.
Further, the DPA examined whether the controllers possessed a valid legal basis for their processing activities, including the processing of special categories of personal data. In the present case, processing took place under Articles 6(1)(c) and (e) GDPR as well as Articles 9(2)(g) and (i) GDPR for sensitive data.
The DPA also assessed compliance with the transparency obligations under Articles 5(1) and 13 GDPR. It concluded that the information provided by the Ministry of the Interior regarding data retention periods was incomplete and opaque, thereby violating Article 13(2) GDPR. The investigated controllers did not comply with the storage limitation principle under Article 5(1) GDPR because the data retention period was not specified in relation to the purpose for which the personal data was collected. For IDIKA S.A., the violation of this principle happened because the controller did not implement appropriate technical and organisational measures as provided in Article 25(1) GDPR. Specifically, the controller did not undertake a risk analysis and assessment with regard to the storage period of students’ personal data on the self-test platform. Moreover, the controller did not provide documentation about the operation of a special application for the declaration of the self-test results for ship crew members. As a consequence, the DPA imposed a €5,000 fine on IDIKA S.A.
Additionally, the Greek DPA concluded that IDIKA S.A. and the Ministry of Labour and Social Affairs only prepared a data protection impact assessment after the start of processing, contrary to Article 35(1) GDPR. Despite a high risk to the rights and freedoms of individual persons, including extensive processing of sensitive data, the Ministry of the Interior and the Naval Defense Fund did not carry out a data protection impact assessment at all. Hence, the DPA imposed on the controllers a fine of €5,000.
Finally, the DPA reprimanded the controllers for the above-discussed violations.
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Athens, 08-08-2022
Prot. No.: 1984

DECISION 41/2022

The Personal Data Protection Authority met, at the invitation of its President, by conference call on Thursday 23.06.2022 at 10:00, postponed from 07.06.2022 and 14.06.2022, in order to examine the case referred to in the present history. Present were the President of the Authority, Konstantinos Menoudakos, and the regular members of the Authority Spyridon Vlachopoulos, as rapporteur, Konstantinos Lambrinoudakis, Charalambos Anthopoulos, Christos Kalloniatis, as rapporteur, and Ekaterini Iliadou, as well as Maria Psalla, substitute member, in place of the regular member Grigorio Tsolias, who, although he was legally summoned, did not attend due to obstruction. Present, without the right to vote, were Anastasia Kaniklidou, Eleni Kapralou, Chariklia Latsiu, Ioannis Lykotrafitis, Anastasia Tritaki and Panagiotis Tsopelas, auditors, as assistant speakers, and Georgia Palaiologou, employee of the administrative affairs department, as secretary.

The Authority took into account the following:

The Authority, taking into account the fact that, in the context of dealing with the pandemic crisis due to the covid-19 coronavirus and of containing its dissemination in the community, systematic processing of personal data of natural persons, minors (students) and adults, took place in the implementation of the mandatory measure of diagnostic control for coronavirus disease in a wide range of professional, social and economic activity, and furthermore that questions were submitted to the Authority by data subjects regarding the implementation of the mandatory measure of the self-diagnostic control (self test), issued announcement no. prot. C/EXE/1278/21.05.2021 [1].
With this announcement, the Authority, among other things, informed the interested data subjects (students, teachers, those employed in the private and public sector, sailors, judicial and prosecutorial officers, students, teaching and other HEI staff, and religious ministers), by virtue of the relevant Joint Ministerial Decisions (KYA) [no. D1a/GP.oc. 24525/18-04-2021 (Official Gazette B' 1588), D1a/GP.oc. 26390/24-04-2021 (Government Gazette B' 1686), D1a/GP.ok. 27707/04-05-2021 (Government Gazette B' 1825), D1a/GP.oik. 26389/24-04-2021 (Government Gazette B' 1685), D1a/G.P.ok. 24527/18-04-2021 (Government Gazette B' 1582), D1a/G.P.Oik. 28259/07-05-2021 (Government Gazette B' 1866), D1a/G.P.ok 26394/25-04-2021 (Government Gazette B' 1688)], that, for the processing of personal data in the context of the declaration of the result of self-diagnostic checks carried out through the platform https://self-testing.gov.gr, they can address the Data Controllers referred to in the respective decisions [2] for the exercise of their rights, as these derive from GDPR 2016/679 and Law 4624/2019. In addition, the Authority emphasized that the mere demonstration of the negative result of self-diagnostic tests by students and teachers, according to article 2 par. 3 of KYA no. D1a/GP.oc. 27707/04-05-2021 (Government Gazette B' 1825), insofar as this result is not included in a filing system nor subject to automated processing, does not in principle constitute processing of personal data falling within the regulatory scope of the GDPR and of Law 4624/2019.

[1] Posted at the link https://www.dpa.gr/el/enimerwtiko/deltia/epexergasia-dedomenon-prosopikoy-haraktira-sto-plaisio-tis-dienergeias

[2] Namely, IDIKA S.A. and the Ministry of Labor and Social Affairs independently for the employees of the private sector (article 7), IDIKA S.A. and the Ministry of Interior independently for those employed in the public sector (article 6), IDIKA S.A. for the students and teachers (article 7), IDIKA S.A. and the Naval Defense Fund independently for the seafarers (article 7), IDIKA S.A. for judicial and prosecutorial officers (article 6), IDIKA S.A. for students, teaching and other university staff (article 6), and IDIKA S.A., the Ministry of Interior and the Ministry of Education and Religious Affairs independently for the religious ministers (article 6).

Subsequently, with documents no. prot. C/EX/1307/26-05-2021, C/EX/1308/26-05-2021, C/EX/1309/26-05-2021, C/EX/1310/26-05-2021 and C/EX/1320/27-05-2021, the Authority called on the Ministry of the Interior, the Ministry of Education and Religious Affairs (hereafter YPAITH), the Ministry of Labor and Social Affairs, the Naval Defense Fund (hereinafter NAT) and IDIKA S.A. respectively, as data controllers based on the aforementioned General Terms and Conditions, to provide specific clarifications regarding the data processing carried out pursuant to the aforementioned General Terms and Conditions upon declaration of the results of the self-diagnostic checks on the platform https://self-testing.gov.gr and the further processing of the data after the declaration of results.

In response to the above documents of the Authority, the Ministry of Interior sent the Authority its response no. prot. ... (and prot. no. APD C/EIS/4689/15-07-2021) and IDIKA S.A. submitted its answer no. prot. ... (and no. prot. APD C/EIS/4274/29-06-2021). As no timely response was received from the Ministry of Health, the Authority sent it reminder document no. prot. C/EXE/2564/11-11-2021 for the provision of explanations, upon which the Ministry of Health, with its message to the Authority (Authority prot. no. C/EIS/7663/23-11-2021), requested an extension for submitting an answer until 29.11.2021, and finally, on 10.12.2021, there was submitted to the Authority the response no. prot. ... (and no. prot. APD C/EIS/8118/13.12.2021) of the Data Protection Officer of MINISTRY OF

Furthermore, the NAT submitted to the Authority document no. prot. ... (and prot. no. APD C/EIS/3688/04-06-2021), with which it requested an extension of the above deadline by fifteen (15) days, which was accepted (with document no. prot. APD C/EXE/1414/17-06-2021), and subsequently sent its response no. prot. ... (and no. prot. APD C/EIS/4633/13-07-2021). Finally, the Ministry of Labor and Social Affairs requested, with its email message of 10.06.2021 (also prot. no. APD C/EIS/3828/10-06-2021), an extension of the 15-day deadline until 18 June 2021, and thereafter sent the Authority its answer no. prot. ... (and prot. no. C/EIS/4327/01-07-2021). In addition, the above Ministry, with its email message of 14.07.2021 (no. prot. APD C/EIS/4688/15-07-2021), brought to the Authority's attention a draft legislative regulation for the amendment of paragraph d of paragraph 6 of article 27 of Law 2792/2021, to which the Authority responded with document no. prot. C/EXE/1785/27-07-2021.

Subsequently, with documents no. prot. C/EX/40/07-01-2022, C/EX/41/07-01-2022, C/EX/42/07-01-2022, C/EX/43/07-01-2022 and C/EX/44/07-01-2022, the Authority called IDIKA S.A., the Ministry of the Interior, the Ministry of Labor and Social Affairs, the NAT and the Ministry of Health respectively to attend the meeting of the Plenary of the Authority on Tuesday 18-01-2022, in order to discuss the aforementioned case. At this meeting, in the presence of all those invited, the request no. ... (and prot. no. APD C/EIS/326/17.01.2022) of the Ministry of Labor and Social Affairs to postpone the discussion of the case was discussed, and a new meeting date was set for February 15, 2022.
At the meeting of 15.02.2022 the following attended:
(a) on behalf of the Ministry of the Interior, Paraskevi Charalambogianni, Secretary General of Antriminos Personnel of the Ministry of the Interior, A, Head of Directorate ... of the Ministry of the Interior, B, Head of the Department ... of the Ministry of the Interior, and C, Head of the Department ... of the Ministry of the Interior; upon invitation (summons) by the Ministry of the Interior, the Governor of the National Transparency Authority, Angelos Binis, was also present,
(b) on behalf of the Ministry of Health, D, President of the Legal Council of the State and E, Protection Officer According to the Ministry of Education and Religious Affairs,
(c) on behalf of NAT, Georgios Yiannopoulos, lawyer (...) and Areti Oikonomou, lawyer (...), both NAT attorneys,
(d) on behalf of the Ministry of Labor and Social Affairs, Grigoris Lazarakos, lawyer (...), attorney of the said Ministry, Anna Stratinaki, General Secretary of Labor Relations, and ST, Data Protection Officer of the Ministry of Labor and Social Affairs, and
(e) on behalf of IDIKA SA, Niki Tsouma, Chairman of the Board of Directors and Managing Director of IDIKA SA, Iulia Konstantinou, lawyer (...), and Hera Chioni, lawyer (...), on behalf of the Office of the Data Protection Officer of IDIKA S.A., George Stathakos, lawyer (...), head of the Legal Service of IDIKA S.A., Melina Tsiuma, lawyer (...), and on behalf of the Directorate and Support of Special Applications