HDPA (Greece) - 50/2021
| HDPA (Greece) - Decision 50/2021 | |
|---|---|
 | |
| Authority: | HDPA (Greece) |
| Jurisdiction: | Greece |
| Relevant Law: | Article 5(1)(a) GDPR Article 6(1)(c) GDPR Article 6(1)(e) GDPR Article 12(1) GDPR Article 25(1) GDPR Article 35(9) GDPR Article 37(7) GDPR Article 46 GDPR Article 4(5)National Law 3471/2006 Article 4(5)National Law 3471/2006 |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 16.11.2021 |
| Published: | 18.11.2021 |
| Fine: | None |
| Parties: | Hellenic Ministry of Education and Religions Affairs |
| National Case Number/Name: | Decision 50/2021 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Greek |
| Original Source: | Greek DPA (in EL) |
| Initial Contributor: | Anastasia.tsermenidou |
The HDPA reprimands the Hellenic Ministry of Education and Religion Affairs for not conducting in an appropriate way a DPIA, the required process activity for building and demonstrating compliance with the GDPR.
English Summary
Facts
Due to COVID-19 pandemic period, the Hellenic Ministry of Education and Religions Affairs decided to promote and apply the method of distance learning by technological means. The Greek DPA (HDPA) considered this method is legal, but found the conducted Data Protection Impact Assessment (DPIA) has not fully considered a number of factors and risks in relation to the rights and freedoms of the data subjects. Recognizing the need for the contemporary distance education, the HDPA provided an opinion to the Ministry, to address the above flaws and shortcomings and called on it, within an exclusive period of three months to make the appropriate changes to the DPIA.
Holding
The HDPA examined the updated DPIA, as well as the compliance actions of the Ministry. The HDPA identified deficiencies as follows: first of all, the Ministry never had a detailed investigation of the lawfulness of the processing purposes, in particular with regard to the consent for access to information stored in a user's terminal equipment, when is not necessary to provide the service requested by the user, according to Article 6(4) GDPR. Regarding to the principle of transparent information and the right to access by the data subject, according to Article 12 and 14 GDPR, the information provided by the Ministry to the data subjects is not appropriate and sufficient, while this information is not easy to understand and not in an accessible form with clear and simple wording, especially when it comes to information that is also addressed to children. The applied safety measures, although in the right direction, must be completed, in a way that is available to every teacher, while it must be ensured that all the teachers involved in the distance education process have received minimal information, according to Article 13 GDPR. In addition, the Ministry violated the obligation of Article 35(9) GDPR in relation to the expression of opinion of the data subjects or their representatives for the processing activity. Last but not least, no proper evaluation of data transfer to non-EU countries has been carried out and in particular in the light of the European’s Courthouse judgment in Case C-311/18 (Schrems II). For all the above violations, the Authority reprimanded and instructed the Ministry to address the deficiencies in the manner analyzed in the decision within a period of two months (four in relation to the transfers) in order to heal the violations.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
update Legislation, Annual reports, Acts of the Authority, Thematic units, Press releases and announcements, News, Events, Young citizens, e-Newsletter
