HDPA (Greece) - 1/2024: Difference between revisions
Inder-kahlon (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Greece |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoGR.jpg |DPA_Abbrevation=HDPA |DPA_With_Country=HDPA (Greece) |Case_Number_Name=1/2024 |ECLI= |Original_Source_Name_1=HDPA |Original_Source_Link_1=https://www.dpa.gr/sites/default/files/2024-02/1_2024%2520anonym.pdf |Original_Source_Language_1=Greek |Original_Source_Language__Code_1=EL |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source...") |
Inder-kahlon (talk | contribs) m (→Holding) |
||
Line 82: | Line 82: | ||
=== Holding === | === Holding === | ||
The Hellenic DPA noted that the controller had an obligation to coperate with the DPA under [[Article 31 GDPR|Article 31 GDPR]] and Article 66 Greek Law 4624/2019, as well as the obligation to designate the DPO under [[Article 37 GDPR|Article 37 GDPR]] and Article 6 Greek Law 4624/2019. Additionally, the position of the DPO under Article 38 and the tasks of the DPO under [[Article 39 GDPR|Article 39 GDPR]]. | The Hellenic DPA noted that the controller had an obligation to coperate with the DPA under [[Article 31 GDPR|Article 31 GDPR]] and Article 66 Greek Law 4624/2019, as well as the obligation to designate the DPO under [[Article 37 GDPR|Article 37 GDPR]] and Article 6 Greek Law 4624/2019. Additionally, the position of the DPO under [[Article 38 GDPR]] and the tasks of the DPO under [[Article 39 GDPR|Article 39 GDPR]]. | ||
After | After investigation, the Hellenic DPA held that the controller did not submit the questionnaire in due time and that the allegations of technical issues were not valid as the link was operational and was deactivated only after the deadline for submission of the questionnaire had expired. It was subsequently reactivated in order to allow the questionnaire to be resubmitted to the controller, but again, no response was received. | ||
The Hellenic | The Hellenic DPA has determined that the controller's actions constitute a breach of their obligations. In response, the DPA had opted to impose a fine that is both proportionate and dissuasive, serving to restore compliance and penalize the unlawful behavior. Consequently, the DPA has levied a fine of €5,000 for the violation of Article 31 of the GDPR. | ||
== Comment == | == Comment == |
Revision as of 17:19, 22 February 2024
HDPA - 1/2024 | |
---|---|
Authority: | HDPA (Greece) |
Jurisdiction: | Greece |
Relevant Law: | Article 31 GDPR Article 37 GDPR Article 38 GDPR Article 39 GDPR 4624/2019 |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 03.05.2023 |
Decided: | 29.01.2024 |
Published: | 22.02.2024 |
Fine: | 5,000 EUR |
Parties: | Δήμος Αθηναίων - Municipality of Athens |
National Case Number/Name: | 1/2024 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Greek |
Original Source: | HDPA (in EL) |
Initial Contributor: | inder-kahlon |
The Hellenic DPA imposed an administrative fine of €5,000 on the Municipality of Athens for violation of Article Article 31 GDPR.
English Summary
Facts
In 2023, as part of a wider initiative led by the European Data Protection Board (EDPB), the Hellenic Data Protection Authority (HDPA) like the majority of the members of the EDPS, jointly undertook the examination of the topic "The definition and position of the data protection officer". To facilitate this examination, the EDPB developed a unified questionnaire, which the Hellenic DPA adopted and later, on May 3, 2023, sent to 31 public bodies in Greece, including the Municipality of Athens (hereinafter "Controller"), with a deadline for submission via the EUsurvey link until May 19, 2023.
The DPO of the Controller (hereinafter “DPO") failed to respond to the questionnaire within the set deadline. The Hellenic DPA re-sent the questionnaire on May 26, 2023, with a new deadline of May 31, 2023. Once again, the DPO failed to respond in time. The DPO, past the deadline date, attempted to complete the form without success as the above link had been deactivated by the Hellenic DPA. Upon DPO’s communication with Hellenic DPA, the link was reactivated, and the data controller was informed of a new deadline for submission until June 21, 2023. Once again, the DPO failed to submit the questionnaire in time.
The controller was then summoned by the Hellenic DPA to appear before the plenary on Tuesday, December 19, 2023. Following the receipt of the summons, the DPO contacted HDPA by telephone and informed that he had inadvertently failed to respond due to technical issues and undertook to complete and submit it immediately. After which, the Hellenic DPA reactivated the submission link to the questionnaire, and the controller finally submitted the questionnaire on December 18, 2023. At the plenary meeting, which was held in person, the DPO stated once again that the reason for the delayed response was technical issues with the website where the questionnaire was held, which prevented submission even after several attempts.
Holding
The Hellenic DPA noted that the controller had an obligation to coperate with the DPA under Article 31 GDPR and Article 66 Greek Law 4624/2019, as well as the obligation to designate the DPO under Article 37 GDPR and Article 6 Greek Law 4624/2019. Additionally, the position of the DPO under Article 38 GDPR and the tasks of the DPO under Article 39 GDPR.
After investigation, the Hellenic DPA held that the controller did not submit the questionnaire in due time and that the allegations of technical issues were not valid as the link was operational and was deactivated only after the deadline for submission of the questionnaire had expired. It was subsequently reactivated in order to allow the questionnaire to be resubmitted to the controller, but again, no response was received.
The Hellenic DPA has determined that the controller's actions constitute a breach of their obligations. In response, the DPA had opted to impose a fine that is both proportionate and dissuasive, serving to restore compliance and penalize the unlawful behavior. Consequently, the DPA has levied a fine of €5,000 for the violation of Article 31 of the GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
As part of a wider initiative of the EDPS, the Authority, like the majority of the members of the EDPS, jointly undertook the examination of the topic "The definition and position of the data protection officer", and sent as part of this review a single questionnaire on with the definition and position of the Data Protection Officer (DPO) in selected public bodies, such as the Municipality of Athens. The Municipality of Athens did not respond to the Authority in a timely manner and for this reason administrative sanctions were imposed (a fine of 5,000 euros) in accordance with the GDPR and Law 4624/2019. PENALTIES: a fine of 5,000 euros