
HDPA (Greece) - 43/2024

From GDPRhub
Revision as of 21:04, 26 January 2025 by Sofiapapadopoulou (page created)
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 12 GDPR, Article 31 GDPR, Article 32 GDPR, Article 37 GDPR, Article 58 GDPR
Type: Investigation
Outcome: Violation Found
Started: 03.05.2023
Decided: 26.04.2024
Published: 27.11.2024
Fine: 50,000 EUR
Parties: Ministry of Climate Crisis and Civil Protection
National Case Number/Name: 43/2024
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: Website of HDPA (in EL)
Initial Contributor: n/a

The Greek Data Protection Authority imposed a fine of €50,000 on the Ministry of Climate Crisis and Civil Protection for failing to appoint a Data Protection Officer (DPO) and for related compliance failures, thus violating Articles 12, 31, 32 and 37 GDPR.

English Summary

Facts

On 03 May 2023, utilizing its investigative powers, the Greek Data Protection Authority (DPA) sent a questionnaire to 31 public authorities, including the Ministry of Climate Crisis and Civil Protection (Controller), to assess the appointment and role of their Data Protection Officers (hereinafter, DPO). The Controller failed to respond to the questionnaire on time, prompting the DPA to review its archives. It discovered no records of an appointed DPO and found that the Controller had not disclosed the DPO's contact details, as required under Articles 37(1) and 37(7) of the GDPR.

The DPA summoned the Controller to an official hearing, where the Controller admitted that no DPO had been appointed. It argued that this was due to organizational changes between ministries, resource constraints, and reliance on an external consultancy firm to assist with data protection matters. The DPA also determined that the Ministry’s website lacked any information regarding a designated DPO.

After its investigation, the DPA concluded that:

- The Controller violated Article 31 GDPR by failing to respond to the questionnaire in a timely manner.
- No DPO had been appointed since the Ministry's establishment (Article 37 GDPR). A DPO was appointed only after the DPA demanded explanations, and this appointment covered the General Secretariat rather than the Ministry itself.
- The Ministry breached the principle of accountability (Article 5 GDPR) by:
  1. Failing to appoint a DPO as required.
  2. Failing to provide clear and transparent information to data subjects about their rights (Article 12 GDPR).
  3. Not implementing measures to ensure GDPR-compliant data processing (Article 25 GDPR).
  4. Lacking a Register of Processing Activities (Article 30 GDPR).
  5. Failing to take or implement appropriate technical and organizational measures to ensure an adequate level of security against risks (Article 32 GDPR).

These failures resulted in a violation of the GDPR’s principle of lawfulness (Article 5(1) GDPR).

Holding

The DPA considered several factors when determining the penalty, including the number of violations, their duration (dating back to the Ministry's establishment in 2021), the Controller’s failure to self-disclose these violations, and the fact that the Controller operates at a national level. As a result, the DPA imposed a total fine of €50,000.

Comment

This decision serves as a clear example of how the investigative powers granted to Data Protection Authorities can be highly effective in uncovering violations while simultaneously promoting the enforcement and implementation of the GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Athens, 27-11-2024
No. Prot.: 3364

DECISION 43/2024

The Personal Data Protection Authority met at the invitation of its President via teleconference on 26/04/2024, in order to examine the case mentioned below in the history of this decision. Present were the President of the Authority, Konstantinos Menudakos, and the regular members of the Authority, Konstantinos Lambrinoudakis, Spyridon Vlachopoulos, Christos Kalloniatis, Charalambos Anthopoulos and Grigorios Tsolias, and the substitute member Nikolaos Faldamis in place of the regular member Aikaterini Iliadou, who, although legally summoned in writing, did not appear. The substitute member Nikolaos Livos also attended, due to disability, as rapporteur without the right to vote, based on article 8 par. 2 of the Regulation of Operation of the Authority. Present without the right to vote were Eleni Maragou, specialist legal scientist, Georgia Panagopoulou and Aikaterini Hatzidiakou, specialist scientists - informatics, as assistant rapporteurs, and Irini Papageorgopoulou, employee of the administrative affairs department, as secretary.

The Authority took into account the following:

In the context of a broader initiative of the European Data Protection Board (hereinafter, the EDPB), the Personal Data Protection Authority (hereinafter, the Authority), together with the majority of the members of the EDPB, jointly undertakes the examination of a subject in a coordinated manner. For 2023, the EDPB decided to prioritize the topic "The designation and position of the data protection officer". For this purpose, the EDPB developed a single questionnaire regarding the designation and position of the Data Protection Officer (hereinafter, DPO), which the Authority adopted and sent to selected public bodies.

The Authority, as a participating member in this action, has also chosen to exercise the powers of investigation which it has under Article 58 of the GDPR, in order to check the designation and position of the DPO in the public sector in view of the relevant obligation existing by law (articles 37-39 GDPR and articles 6-8 of Law 4624/2019). The Authority's coordinated action team, consisting of the specialist scientists E. Maragou, G. Panagopoulou and A. Hatzidiakou, sent the questionnaire to 31 public bodies on 05-03-2023. Among them was the Ministry of Climate Crisis and Civil Protection (hereinafter, controller), to which the coordinated action group sent the questionnaire with the prot. no. C/EXE/1124/03-05-2023 document, with a deadline for submission via the EUsurvey link on 19-05-2023. The controller did not respond to the above document. The Authority re-sent the questionnaire to the controller with the prot. no. C/EXE/1350/29-05-2023 document, to which the data controller was asked to respond by 31-05-2023. The controller did not respond to the above reminder. From a search on the controller's website, it emerged that there were no DPO data posted. In addition, based on the DPO register maintained by the Authority, it was confirmed that the data controller had not announced DPO contact details, as required according to article 37 par. 1 and 7.

Then, after the Authority examined the elements of the file, it sent the prot. no. C/EXE/3018/28-11-2023 summons to the controller in order to discuss the said case before the Plenary of the Authority on Tuesday 19 December 2023. During the meeting the discussion of the case was postponed, at the request of the controller, to the meeting of 09-01-2024. After receiving the above call to the Plenary of the Authority, the data controller sent the Authority the prot. no. C/EIS/9143/22-12-2023 memorandum, with which it forwarded the questionnaire, in which it confirms through its answers that it had not designated a DPO even though such designation is mandatory. At the said meeting of 09-01-2024, which took place via video conference, A, ... of the Ministry of Climate Crisis and Civil Protection and Panagioula Makri, Legal Advisor at the Minister's Office with AMDSP, attended on behalf of the data controller. Subsequently, the controller sent, within the deadline set by the Authority at the above meeting following its request, the Authority prot. no. C/EIS/654/26-01-2024 memorandum, with which it essentially repeated the allegations it had made before the Authority. With its memorandum, it points out that a) a draft P.D. has been sent, which includes organizational changes covering the field of personal data protection and which is pending processing by the General Accounting Office of the State, b) the delay in compliance is due to changes in the structure and composition of the Ministry and in particular to the addition of the General Secretariat of Assistance, c) the Ministry was established in September 2021, services were transferred to it from the Ministry of Citizen Protection, while a transitional period was foreseen regarding the final relocation of employees and the transfer of funds until 31.12.2022, d) a work assignment contract has been concluded with an external consultant to support compliance with the GDPR, a support working group has also been set up with representation of all the individual departments of the Ministry that are critical to the observance of data protection procedures, and in addition a DPO will be appointed. In addition, with the above memorandum, the controller sent the project contract (01/2024) with the contracting company under the name "ODYSSEY CONSULTANTS LTD - ALLODAPIS BRANCH" for the provision of GDPR compliance consulting services.

Finally, the data controller, through the memorandum, sent the electronic communication between the head of the Administration and Support Department, who finally completed the questionnaire in question (which was submitted to the Authority by the data controller with the above prot. no. C/EIS/9143/22-12-2023 memorandum), and other representatives of the Ministry, which took place on 06-06-2023, i.e. after 31-05-2023, which had been set as the final date for submitting the questionnaire, and while the platform link had been disabled by the Authority, as foreseen in the context of the audit process.

The Authority, after examining the elements of the file, decided that new elements had emerged which needed further examination, issued Decision 4/2024 and sent a new call, prot. no. C/EXE/555/14-02-2024, to the controller in order to re-discuss the case in its entirety before the Plenary Session of the Authority on 23-02-2024. During the meeting, this case was postponed, at the request of the controller, to the meeting of 12-03-2024, for which the Authority again sent the prot. no. C/EXE/647/23-02-2024 call to discuss before the Plenary of the Authority, in addition to the controller's compliance with articles 31 and 37 of the GDPR, its compliance and obligations under the GDPR in relation to the rights of the data subjects according to the provisions of Chapter 3, as well as the obligations of the data controller according to the provisions of Chapter 4. The latter meeting, which took place via teleconference, was attended on behalf of the controller by A, ... of the Ministry of Climate Crisis and Civil Protection. Subsequently, the data controller sent, within the deadline set by the Authority at the above meeting following its request, the Authority prot. no. C/EIS/2962/29-03-2024 memorandum, in which it essentially repeated the allegations it had made before the Authority regarding the establishment of the Ministry, the lack of resources, and the conclusion of a contract to comply with the GDPR. With its memorandum, it points out that from 12-02-2024 the prot. no. ... decision assigning DPO duties for the General Secretariat of Civil Protection of the Ministry of Climate Crisis and Civil Protection has applied. In addition, the above memorandum mentions that there is already a DPO with responsibility for the data protection issues of the Fire Brigade. However, from a search on the controller's website, it was found that there were no DPO data posted, either for the entire General Secretariat or for the Fire Brigade. In addition, based on the DPO register maintained by the Authority, it was confirmed that the data controller has not communicated DPO contact information as required according to article 37 par. 1 and 7. Finally, in relation to the compliance issues, the data controller stated that the delay in complying with the GDPR is due to changes in the structure and composition of the Ministry, as the Ministry is newly established and a set of responsibilities, positions and personnel have been transferred to it. In addition, it stated that the addition of the General Secretariat for Natural Disaster Recovery and State Aid to the Ministry was recently carried out, and the transfer of responsibilities and personnel will be ongoing until 12-31-2024, while the administrative affiliation of personnel and the financial support of the above added General Secretariat are still the responsibility of the Ministry of Finance, from which it originated.
The Authority, after examining the elements of the file and what emerged from the hearing before it and the memoranda of the data controller with their supplementary documents, after hearing the rapporteur and the clarifications from the assistant rapporteurs, who were present without the right to vote, and after thorough discussion,

CONSIDERED ACCORDING TO THE LAW

1. Because, from the provisions of articles 51 and 55 of the GDPR and article 9 of Law 4624/2019 (Government Gazette A΄ 137), it follows that the Authority has the authority to supervise the implementation of the provisions of the GDPR, this law and other regulations concerning the protection of individuals from the processing of personal data, and to exercise the powers assigned to it in accordance with the above regulation.

2. Because according to the definitions of article 58 GDPR: "1. Each supervisory authority shall have all of the following investigative powers: a) to order the controller and the processor and, where applicable, the representative of the controller or the processor to provide any information it requires in order to carry out its duties, b) to carry out investigations in the form of data protection audits, ... d) to notify the controller or processor of an alleged violation of this regulation, e) to obtain, from the controller and the processor, access to all personal data and all information required for the performance of its duties ...".

3. Because according to the definitions of articles 13 and 15 of Law 4624/2019 respectively: "1. In addition to its duties pursuant to article 57 of the GDPR, the Authority: ... h) conducts ex officio or following a complaint investigations or controls for the implementation of this law and other regulations concerning the protection of the individual against the processing of personal data, among other things on the basis of information from another public authority ..." and "1. In addition to the powers provided for in Article 58 of the GDPR, the Authority carries out ex officio or following a complaint investigations and audits regarding compliance with this law, in the context of which the technological infrastructure and other automated or non-automated means that support the processing of personal data are examined. When carrying out investigations and audits, the Authority has the authority to obtain from the controller and the processor access to all personal data that is the subject of processing and all the information required for the purposes of the relevant audit and the execution of its duties, without any kind of confidentiality being able to be invoked against it ...".

4. Because according to the definitions of article 5 of the GDPR: "1. Personal data: a) are processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency"), ..., c) are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimisation"), ..., f) are processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ("integrity and confidentiality"). 2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ("accountability")."

5. Because according to the definitions of Article 31 of the GDPR: "The controller and the processor and, where applicable, their representatives shall cooperate, on request, with the supervisory authority in the performance of its tasks."

6. Because according to the definitions of Article 37 of the GDPR: "1. The controller and the processor shall designate a data protection officer in any case where: a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity, ... 3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size, ... 5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39. 6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract. 7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority."

7. Because according to the definitions of article 38 of the GDPR: "1. The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data. 2. The controller and the processor shall support the data protection officer in performing the tasks referred to in article 39 by providing the resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his expert knowledge. 3. The controller and the processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall report directly to the highest management level of the controller or the processor. 4. Data subjects may contact the data protection officer with regard to all issues related to the processing of their personal data and to the exercise of their rights under this Regulation. 5. The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his tasks, in accordance with Union or Member State law. 6. The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests."

8. Because according to the definitions of article 39 of the GDPR: "1. The data protection officer shall have at least the following tasks: a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions, b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits, c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35, d) to cooperate with the supervisory authority, e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter. 2. The data protection officer shall in the performance of his tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing."

9. Because according to the definitions of article 12 of the GDPR: "1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means. 2. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject. 3. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject. 4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. 5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either: a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or b) refuse to act on the request. The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request. 6. Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject. 7. The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable. 8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the icons and the procedures for providing standardised icons."

10. Because according to the definitions of article 25 of the GDPR: "... 2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons ..."

11. Because according to the definitions of article 30 of the GDPR: "1. Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information: a) the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer, b) the purposes of the processing, c) a description of the categories of data subjects and of the categories of personal data, d) the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations, e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards, f) where possible, the envisaged time limits for erasure of the different categories of data, g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1). ..., 3. The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form. 4. The controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory authority on request. ..."

12. Because according to the definitions of Article 32 of the GDPR: "1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: a) the pseudonymisation and encryption of personal data, b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. 2. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. ..."

13. Because in this case, from the data in the case file, it initially appears that the data controller did not timely proceed with the submission of the above questionnaire, in violation of article 31 of the GDPR.

14. Because, in addition, it was found that the controller had not designated a DPO since its establishment. Following the call to the Authority, the data controller appointed a DPO for the entire General Secretariat, mentioning at the same time the existence of the designated DPO for the PS (Fire Brigade), without, however, having disclosed their details to the Authority or having posted the relevant necessary contact information on the website, while no DPO has been designated for the Ministry as a whole as data controller. During the calls and also in its memos, the controller referred to issues of resources and coverage of functional positions[1].

15. Because the data controller had not, since its establishment, complied with the GDPR, and in particular with the provisions of Chapters 3 and 4 of the GDPR, as it had an obligation to do based on the principle of accountability, while, as can be seen from the history of the present decision, the controller simply invoked the fact that it is a newly established Ministry and therefore had not had time to comply with the requirements of the GDPR, and proceeded to conclude a contract with an external partner for the purpose of the above compliance only following the call from the Authority. In particular, the data controller had not taken the appropriate measures to provide the subjects with transparent information regarding their rights, as well as a facility for exercising them, as provided for in Article 12 of the GDPR. In addition, the data controller had not taken and implemented appropriate organizational measures for the protection of personal data, and in particular to ensure the processing of personal data by design and by default only for the personal data that are necessary for the respective purpose of processing, as provided for in Article 25 of the GDPR. Besides, the data controller had not proceeded to maintain the record of processing activities as provided for by article 30 of the GDPR. In addition, the controller had not taken and implemented appropriate technical and organizational measures in order to ensure the appropriate level of security against risks, in accordance with the requirements of Article 32 of the GDPR.

16. Since, as can be seen from the above, violations of articles 12, 32, 25 and 30 were found, a violation of the principles of lawfulness as described in article 5 par. 1 point a', 5 par. 1 point c' and 5 par. 1 point f' is also established, given that the violations of the controller's obligations for transparent information, for data protection by design and by default, for security and for keeping records of activities derive from the above principles of Article 5 and document a violation of these.

17. Because, based on the above, the Authority finds the following: a. Violation of article 31 regarding the cooperation of the controller with the Authority. b. Violation of article 37 regarding the non-appointment of a DPO. c. Violation of article 12 regarding transparent information, communication and arrangements for the exercise of the data subject's rights, and of article 32 par. 1 and par. 2 regarding the security of processing, in conjunction with article 5 par. 1 point a', 5 par. 1 point c' and 5 par. 1 point f' regarding transparency, minimization, integrity and confidentiality of data. d. Violation of Article 25 regarding data protection by design and by default. e. Violation of article 30 regarding keeping a record of processing activities.

18. Because, based on the above, the Authority considers that there is a case for exercising its corrective powers under Article 58 par. 2 GDPR and for imposing administrative sanctions in relation to the identified violations.

19. Because the Authority further judges that, based on the violations found, an effective, proportionate and dissuasive administrative fine should be imposed on the controller, pursuant to the provision of article 58 par. 2 point i GDPR, in accordance with articles 83 GDPR and 39 of Law 4624/2019.

[1] See the recent CJEU judgment in case C-184/20, Vyriausioji tarnybinės etikos komisija (para. 89): "However, it must be emphasised that the lack of resources available to public authorities cannot under any circumstances constitute a legitimate reason capable of justifying an infringement of the fundamental rights guaranteed by the Charter".
20. Because the Authority further took into account the criteria for measuring the fine which are defined in article 83 par. 2 of the GDPR, paragraphs 4 and 5 of the same article that apply to the present case, article 39 par. 1 and 2 of Law 4624/2019 as regards the imposition of administrative sanctions on public sector bodies, and Guidelines 04/2022 of the European Data Protection Board[2] for the calculation of administrative fines under the GDPR, which were approved on 5/24/2023, as well as the facts/data of the case under consideration, and in particular the following:

i) The fact that the controller, as a public body, did not designate a DPO from its constitution despite the obligation it has, with the result that the violation lasted a long time; even with the recent DPO designation in the General Secretariat, the lack of a DPO designation for the Ministry as controller remains.
ii) The fact that the controller has not complied with the GDPR from its establishment, despite the obligation it has, with the result that the offense has a long duration.
iii) The fact that the controller did not notify the above violations to the Authority; instead the Authority was informed through the control it carried out in the context of the coordinated action.
iv) The fact that the controller operates at national level increases the severity of the extent of the processing.
v) The fact that it cannot be ascertained whether material damage has occurred for the data subjects, nor the number of possibly affected data subjects.
vi) The fact that the controller has shown reluctance to cooperate with the Authority, failing to provide in time the information requested of it.
vii) The fact that, although late, the controller finally submitted the above questionnaire.
viii) The fact that no previous corresponding violation of cooperation with the Authority by the controller has been established.

The Authority considers that, based on the violations found, the sanction referred to in the operative part of the decision is the effective, proportionate and dissuasive measure to restore compliance.

[2] https://www.edpb.europa.eu/system/files/2024-01/edpb_guidelines_042022_calculationofadministrativefines_en_0.pdf
FOR THESE REASONS

The Authority, taking into account the above:

a) Imposes, based on article 58 par. 2 point i' of the GDPR, an administrative fine on the Ministry of Climate Crisis and Civil Protection in the total amount of 5,000 euros, for the violation of article 31 of Regulation (EU) 2016/679.
b) Imposes, based on article 58 par. 2 point i' of the GDPR, an administrative fine on the Ministry of Climate Crisis and Civil Protection in the total amount of 25,000 euros, for the violation of article 37 of Regulation (EU) 2016/679.
c) Imposes, based on article 58 par. 2 point i' of the GDPR, an administrative fine on the Ministry of Climate Crisis and Civil Protection totaling 20,000 euros, for the violations of articles 12 and 32 par. 1 and 2, in conjunction with article 5 par. 1 points a', c' and f', as well as articles 25 and 30 of Regulation (EU) 2016/679.

The President: Konstantinos Menudakos
The Secretary: Irini Papageorgopoulou