HDPA (Greece) - 61/2022: Difference between revisions

From GDPRhub
(changed short summary, used DPA instead of Authority, clarified the facts and the holding a bit to make it sound more clear)
(→‎Facts: added more details to the facts - summarised what the 'old' decision was about)
Line 82: Line 82:


=== Facts ===
=== Facts ===
The DPA examined the compliance of the Ministry of Education and Religious Affairs with the recommendations of Decision 50/2021 on the compatibility of remote education in primary and secondary education with the provisions of the legislation on the processing of personal data. The DPA made several points. First, no detailed investigation had been carried out into the legality of the purposes of processing on the part of the Ministry, in particular in relation to consent to access information stored on a user's terminal equipment when this is not necessary for the provision of the service requested by the user. Second, the information provided to data subjects was less than that required by the GDPR, and the information was not provided in an intelligible and easily accessible form with clear and simple wording, especially if it was also addressed to children. Third, the security measures in place, although in the right direction, needed to be made acessible to every teacher, and it must be ensured that all teachers involved in the distance learning process received the minimum required information. Fourth, a proper assessment of the transfer of data to countries outside the EU had not been carried out, especially in light of the CJEU's decision in case [[CJEU - C-311/18 - Schrems II|C-311/18 (Schrems II)]].
The DPA examined the compliance of the Ministry of Education and Religious Affairs (the controller) with the recommendations of Decision 50/2021 on the compatibility of remote education in primary and secondary education with the provisions of the legislation on the processing of personal data.  
 
In the original decision, the DPA had found four different shortcomings. First, no detailed investigation had been carried out into the legality of the purposes of processing on the part of the controller, in particular in relation to consent to access information stored on a user's terminal equipment when this is not necessary for the provision of the service requested by the user. Second, the information provided to data subjects was less than that required by the GDPR, and the information was not provided in an intelligible and easily accessible form with clear and simple wording, especially if it was also addressed to children. Third, the security measures in place, although in the right direction, needed to be made acessible to every teacher, and it must be ensured that all teachers involved in the distance learning process received the minimum required information. Fourth, a proper assessment of the transfer of data to countries outside the EU had not been carried out, especially in light of the CJEU's decision in case [[CJEU - C-311/18 - Schrems II|C-311/18 (Schrems II)]]. The DPA had issued a reprimand for each of the above discussed shortcomings.
 
As a response to the DPA's decision, the controller adopted a number of supplementary measures in order to comply with the relevant data protection legislation. Among others, it conducted a more detailed analysis on the lawfulness of the purposes of processing. The controller also drafted a new information document regarding the processing activities, in a way that would be comprehensible for pupils, students as well as parents and staff. Moreover, new security measures were introduced next to updated supplementary measures with regards to data transfers to third countries, in particular the US.
 
The DPA reviewed the additional measures taken by the controller and issued a new decision on compliance with the GDPR and national data protection law.  
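Review bot: the revised Facts text still carries the misspelling "acessible" in the third shortcoming ("needed to be made acessible to every teacher"), copied over unchanged from the previous revision. Correct it to "accessible" while this paragraph is being reworked. In the added closing sentence, "each of the above discussed shortcomings" would read more cleanly as "each of these shortcomings".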


=== Holding ===
=== Holding ===
The DPA considered that no new remedy was required and invited the Ministry to make the necessary amendments to improve transparency. In particular, the information provided to data subjects via the website should follow a multi-level approach and better information on the use of cookies was required.  
The DPA considered that no new remedy was required and invited the controller to make the necessary amendments to improve transparency. In particular, the information provided to data subjects via the website should follow a multi-level approach and better information on the use of cookies was required.  


Additionally, the DPA announced that it would address the more general issue of the application of Chapter V of the GDPR to video-conferencing services of companies belonging to a group controlled by an entity subject to US law with other supervisory authorities through the cooperation and consistency procedures of the GDPR.
Additionally, the DPA announced that it would address the more general issue of the application of Chapter V of the GDPR to video-conferencing services of companies belonging to a group controlled by an entity subject to US law with other supervisory authorities through the cooperation and consistency procedures of the GDPR.

Revision as of 16:14, 7 November 2022

HDPA - 61/202234
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(a) GDPR
Article 6(1)(e) GDPR
Article 12 GDPR
Article 13 GDPR
Article 25(1) GDPR
Article 35 GDPR
Article 46 GDPR
National Law 3471/2006, article 4
National Law 4624/19, article 37
Type: Complaint
Outcome: Upheld
Started:
Decided: 01.11.2022
Published: 01.11.2022
Fine: n/a
Parties: Ministry of Education and Religious Affairs
National Case Number/Name: 61/202234
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: DPA.gr (in EL)
Initial Contributor: Anastasia Tsermenidou

The Greek DPA examined how the Ministry of Education and Religious Affairs complied with the provisions of the legislation on the processing of personal data with regard to remote education.

English Summary

Facts

The DPA examined the compliance of the Ministry of Education and Religious Affairs (the controller) with the recommendations of Decision 50/2021 on the compatibility of remote education in primary and secondary education with the provisions of the legislation on the processing of personal data.

In the original decision, the DPA had found four different shortcomings. First, no detailed investigation had been carried out into the legality of the purposes of processing on the part of the controller, in particular in relation to consent to access information stored on a user's terminal equipment when this is not necessary for the provision of the service requested by the user. Second, the information provided to data subjects was less than that required by the GDPR, and the information was not provided in an intelligible and easily accessible form with clear and simple wording, especially if it was also addressed to children. Third, the security measures in place, although in the right direction, needed to be made accessible to every teacher, and it must be ensured that all teachers involved in the distance learning process received the minimum required information. Fourth, a proper assessment of the transfer of data to countries outside the EU had not been carried out, especially in light of the CJEU's decision in case C-311/18 (Schrems II). The DPA had issued a reprimand for each of the above-discussed shortcomings.

In response to the DPA's decision, the controller adopted a number of supplementary measures in order to comply with the relevant data protection legislation. Among other things, it conducted a more detailed analysis of the lawfulness of the purposes of processing. The controller also drafted a new information document regarding the processing activities, in a way that would be comprehensible for pupils, students as well as parents and staff. Moreover, new security measures were introduced alongside updated supplementary measures with regard to data transfers to third countries, in particular the US.

The DPA reviewed the additional measures taken by the controller and issued a new decision on compliance with the GDPR and national data protection law.

Holding

The DPA considered that no new remedy was required and invited the controller to make the necessary amendments to improve transparency. In particular, the information provided to data subjects via the website should follow a multi-level approach and better information on the use of cookies was required.

Additionally, the DPA announced that it would address the more general issue of the application of Chapter V of the GDPR to video-conferencing services of companies belonging to a group controlled by an entity subject to US law with other supervisory authorities through the cooperation and consistency procedures of the GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Summary
The Authority examined ex officio the compliance of the Ministry of Education and Religious Affairs with the recommendations of decision 50/2021 on the compatibility of modern distance education in primary and secondary school units with the provisions of the legislation on the processing of personal data. The Authority considers that no new corrective measure is required and calls on the Ministry to make the necessary amendments to improve transparency. In particular, the information provided to data subjects through the website must follow a multi-level approach, while an improvement in the information regarding the use of "cookies" is required. The Authority will consider the broader issue of the application of Chapter V of the GDPR to videoconferencing services of companies that are part of a group controlled by an entity subject to US law with the other supervisory authorities through the cooperation and coherence procedures of the Regulation.