HDPA (Greece) - 2/2024

Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 31 GDPR
Article 37 GDPR
Article 38 GDPR
Article 39 GDPR
Type: Investigation
Outcome: Violation Found
Started: 03.05.2023
Decided: 29.01.2024
Published: 29.02.2024
Fine: 25000 EUR
Parties: the Ministry of Rural Development and Food
National Case Number/Name: 2/2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: Data Protection Authority - Greece (in EL)
Initial Contributor: Evangelia Tsimpida

The HDPA, following a questionnaire sent to public sector bodies on the designation and position of the Data Protection Officer (DPO), found that the Ministry of Rural Development and Food violated Articles 31 and 37 GDPR. The authority proceeded to impose an administrative fine.

English Summary

Facts

On 03.05.2023 the HDPA sent selected public bodies, such as the Ministry of Rural Development and Food, a single questionnaire to complete on the designation and position of the Data Protection Officer (DPO). The deadline for submission of the questionnaire was set for 19 May 2023. The Ministry of Rural Development and Food did not submit the questionnaire on time and a new closing date of 31.05.2023 was set. Despite the authority's urging, the questionnaire was not submitted. The authority was informed that during the period concerned, the Ministry of Rural Development and Food was in the process of designating a DPO.

On 28.11.2023, the authority sent a summons to the Ministry of Rural Development and Food to be heard on 19.12.2023. In a memorandum, the Ministry of Rural Development and Food clarified that the contract of the Ministry's DPO had expired on 04.08.2022, while a new DPO was appointed on 20.06.2023; for the interim period, during which there was no designated DPO, it stated that a personal data protection and security plan was in place and that the data subjects did not suffer any harm. Further, it claimed that an employee of the Directorate of Administrative Organization and Supervision of Legal Entities of the Ministry, after receiving the second letter on 26.05.2023, immediately proceeded to complete and submit the questionnaire, which could not be done due to a technical error.

Holding

The HDPA assessed the above facts and the late submission of the questionnaire, but also the failure to inform the authority about the technical problem faced by the Ministry, as claimed.

Based on the above, the Authority found that the Ministry of Rural Development and Food violated Article 31 GDPR with regard to the cooperation of the controller with the Authority and Article 37 GDPR with regard to non-designation of DPO for the period from 04.08.2022 to 20.06.2023.

Taking into account the above and the fact that no material damage occurred to the data subjects in the interim period when no DPO was appointed, but also the late submission of the questionnaire, the HDPA imposed on the Ministry of Rural Development and Food an administrative fine of 5,000 euros for violation of Article 31 GDPR and an administrative fine of 20,000 euros for violation of Article 37 GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Summary
As part of a wider initiative of the EDPS, the Authority, like the majority of the members of the EDPS, jointly undertook the examination of the topic "The definition and position of the data protection officer", and sent as part of this review a single questionnaire on the definition and position of the Data Protection Officer (DPO) to selected public bodies, such as the Ministry of Rural Development and Food.

The Ministry of Rural Development and Food had not appointed a DPO for a certain period of time, nor did it respond to the Authority in a timely manner, and for these reasons administrative sanctions were imposed in accordance with the GDPR and Law 4624/2019.

PENALTY: fine of 25,000 euros