HDPA (Greece) - 1/2024

From GDPRhub
HDPA - 1/2024
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 31 GDPR
Article 37 GDPR
Article 38 GDPR
Article 39 GDPR
4624/2019
Type: Investigation
Outcome: Violation Found
Started: 03.05.2023
Decided: 29.01.2024
Published: 22.02.2024
Fine: 5,000 EUR
Parties: Δήμος Αθηναίων - Municipality of Athens
National Case Number/Name: 1/2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: inder-kahlon

The Hellenic DPA imposed an administrative fine of €5,000 on the Municipality of Athens for its failure to cooperate, a violation under Article 31 GDPR.

English Summary

Facts

In 2023, as part of a wider initiative led by the European Data Protection Board (EDPB), the Hellenic Data Protection Authority (HDPA) like the majority of the members of the EDPS, jointly undertook the examination of the topic "The definition and position of the data protection officer". To facilitate this examination, the EDPB developed a unified questionnaire, which the Hellenic DPA adopted. Later on May 3, 2023, Hellenic DPA exercising its investigative powers sent the questionnaire to 31 public bodies in Greece, including the Municipality of Athens (hereinafter "Controller"), with a deadline for submission via the EUsurvey link until May 19, 2023.

The DPO of the Controller (hereinafter “DPO") failed to respond to the questionnaire within the set deadline. The Hellenic DPA re-sent the questionnaire on May 26, 2023, with a new deadline of May 31, 2023. Once again, the DPO failed to respond in time. The DPO, past the deadline date, attempted to complete the form without success as the above link had been deactivated by the Hellenic DPA. Upon DPO’s communication with Hellenic DPA, the link was reactivated, and the data controller was informed of a new deadline for submission until June 21, 2023. Once again, the DPO failed to submit the questionnaire in time.

The controller was then summoned by the Hellenic DPA to appear before the plenary on Tuesday, December 19, 2023. Following the receipt of the summons, the DPO contacted HDPA by telephone and informed that he had inadvertently failed to respond due to technical issues and undertook to complete and submit it immediately. After which, the Hellenic DPA reactivated the submission link to the questionnaire, and the controller finally submitted the questionnaire on December 18, 2023. At the plenary meeting, which was held in person, the DPO stated once again that the reason for the delayed response was technical issues with the website where the questionnaire was held, which prevented submission even after several attempts.

Holding

The Hellenic DPA noted that the controller had an obligation to cooperate with the DPA under Article 31 GDPR and Article 66 Greek Law 4624/2019, as well as the obligation to designate the DPO under Article 37 GDPR and Article 6 Greek Law 4624/2019. Additionally, the position of the DPO under Article 38 GDPR and the tasks of the DPO under Article 39 GDPR.

After investigation, the Hellenic DPA held that the controller did not submit the questionnaire in due time and that the allegations of technical issues were not valid as the link was operational and was deactivated only after the deadline for submission of the questionnaire had expired. It was subsequently reactivated in order to allow the questionnaire to be resubmitted to the controller, but again, no response was received.

The Hellenic DPA determined that the controller's actions constitute a breach of their obligations. In response, the Hellenic DPA had decided in favour to impose a fine that is both proportionate and dissuasive, serving to restore compliance and penalise the unlawful behaviour. Consequently, the Hellenic DPA issued a fine of €5,000 for the violation of Article 31 GDPR.

Comment

It is important to note that the deadline for submission in reality was only 2-3 working days. The Hellenic DPA on 2nd attempt sent the questionnaire on Friday, May 26. The controller might have received it on Monday, the next working day, which leaves only 2 working days in between the deadline of Wednesday, May 31st. Short time In which the controller has to inform the DPO, and then the DPO must understand the tasks and submit a response. This was a very short deadline compared to the regular deadline of 15 days in many other cases.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

As part of a wider initiative of the EDPS, the Authority, like the majority of the members of the EDPS, jointly undertook the examination of the topic "The definition and position of the data protection officer", and sent as part of this review a single questionnaire on with the definition and position of the Data Protection Officer (DPO) in selected public bodies, such as the Municipality of Athens.

The Municipality of Athens did not respond to the Authority in a timely manner and for this reason administrative sanctions were imposed (a fine of 5,000 euros) in accordance with the GDPR and Law 4624/2019.

PENALTIES: a fine of 5,000 euros