HDPA (Greece) - 41/2022: Difference between revisions

From GDPRhub
Latest revision as of 19:00, 21 September 2022

HDPA - 41/2022
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1) GDPR; Article 13(2) GDPR; Article 25(1) GDPR; Article 35(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 08.08.2022
Fine: 5000 EUR
Parties: IDIKA S.A.; Ministry of the Interior; Ministry of Health; Ministry of Labour and Social Affairs; Naval Defense Fund
National Case Number/Name: 41/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: n/a

The Greek DPA imposed a €5,000 fine on the Ministry of the Interior for violating Article 35(1) GDPR due to the lack of a data protection impact assessment when processing health data.

English Summary

Facts

The Greek DPA initiated an investigation into the processing of health data under its ex officio competences pursuant to Articles 51 and 55 GDPR and Article 9 of National Law 4624/2019. The DPA examined the legal compliance of the Ministry of the Interior, the Ministry of Labour and Social Affairs, the Naval Defense Fund, the Ministry of Health and IDIKA S.A. (the controllers) with regard to the processing of personal data on the COVID-19 self-test distribution platform.

Holding

The Greek DPA started by pointing out that certain restrictive measures, such as the obligation to use self-testing to control the spread of a virus, are justified by objectives of public interest, specifically the need to protect public health and, therefore, are permissible under Article 8(2) ECHR as well as Articles 9 and 25 of the Greek Constitution.

Further, the DPA examined whether the controllers possessed a valid legal basis for their processing activities, including the processing of special categories of personal data. In the present case, processing took place under Articles 6(1)(c) and (e) GDPR as well as Articles 9(2)(g) and (i) GDPR for sensitive data.

The DPA also assessed compliance with the transparency obligations under Articles 5(1) and 13 GDPR. It concluded that the information provided by the Ministry of the Interior regarding data retention periods was incomplete and opaque, thereby violating Article 13(2) GDPR. The investigated controllers did not comply with the storage limitation principle under Article 5(1) GDPR because the data retention period was not specified in relation to the purpose for which the personal data was collected. For IDIKA S.A., the violation of this principle occurred because the controller did not implement appropriate technical and organisational measures as provided in Article 25(1) GDPR. Specifically, the controller did not undertake a risk analysis and assessment with regard to the storage period of students’ personal data on the self-test platform. Moreover, the controller did not provide documentation about the operation of a special application for the declaration of the self-test results for ship crew members. As a consequence, the DPA imposed a €5,000 fine on IDIKA S.A.

Additionally, the Greek DPA concluded that IDIKA S.A. and the Ministry of Labour and Social Affairs prepared a data protection impact assessment only after the start of processing, contrary to Article 35(1) GDPR. Despite a high risk to the rights and freedoms of individual persons, including extensive processing of sensitive data, the Ministry of the Interior and the Naval Defense Fund did not carry out a data protection impact assessment at all. Hence, the DPA imposed on the controllers a fine of €5,000.

Finally, the DPA reprimanded the controllers for the above-discussed violations.

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.


Athens, 08-08-2022
Prot. No.: 1984
DECISION 41/2022
The Personal Data Protection Authority met, at the invitation of its President, by teleconference on Thursday 23.06.2022 at 10:00, following postponement from 07.06.2022 and 14.06.2022, in order to examine the case referred to in the background of this decision.
Present were the President of the Authority, Konstantinos Menoudakos, and the regular members of the Authority Spyridon Vlachopoulos, as rapporteur, Konstantinos Lambrinoudakis, Charalambos Anthopoulos, Christos Kalloniatis, as rapporteur, and Ekaterini Iliadou, as well as Maria Psalla, substitute member, in place of regular member Grigorio Tsolias, who, although legally summoned, did not attend due to an impediment. Present, without the right to vote, were Anastasia Kaniklidou, Eleni Kapralou, Chariklia Latsiu, Ioannis Lykotrafitis, Anastasia Tritaki and Panagiotis Tsopelas, auditors, as assistant rapporteurs, and Georgia Palaiologou, employee of the administrative affairs department, as secretary.
The Authority took into account the following:
The Authority, taking into account the fact that, in the context of dealing with the pandemic crisis due to the covid-19 coronavirus and of containing its spread in the community, systematic processing of personal data of natural persons, minors (students) and adults, took place in the implementation of the mandatory measure of diagnostic testing for the coronavirus across a wide range of professional, social and economic activity, and furthermore that questions were submitted to the Authority by data subjects regarding the implementation of the mandatory measure of the self-diagnostic test (self test), issued the announcement under prot. no. C/EXE/1278/21.05.2021 [1]. With this announcement, the Authority, among other things, informed the data subjects concerned (students, teachers, employees in the private and public sector, seafarers, judicial and prosecutorial officers, students, teaching and other HEI staff and religious ministers) by virtue of the relevant Joint Ministerial Decisions [KYA under no. D1a/GP.oc. 24525/18-04-2021 (Official Gazette B' 1588), D1a/GP.oc. 26390/24-04-2021 (Government Gazette B' 1686), D1a/GP.ok. 27707/04-05-2021 (Government Gazette B' 1825), D1a/GP.oik. 26389/24-04-2021 (Government Gazette B' 1685), D1a/G.P.ok. 24527/18-04-2021 (Government Gazette B' 1582), D1a/G.P.Oik. 28259/07-05-2021 (Government Gazette B' 1866), D1a/G.P.ok 26394/25-04-2021 (Government Gazette B' 1688)] that, with regard to the processing of personal data in the context of the declaration of the result of the self-diagnostic tests carried out through the platform https://self-testing.gov.gr, they may address the Data Controllers referred to in the respective decisions [2] in order to exercise their rights, as these derive from GDPR 2016/679 and Law 4624/2019. In addition, the Authority emphasized that the mere presentation of the negative result of self-diagnostic tests by students and teachers, in accordance with article 2 par. 3 of the KYA under no. D1a/GP.oc. 27707/04-05-2021 (Government Gazette B' 1825), insofar as this result is not included in a filing system nor subject to automated processing, does not in principle constitute processing of personal data falling within the regulatory scope of the GDPR and of Law 4624/2019.
Subsequently, the Authority, by documents under prot. no. C/EX/1307/26-05-2021, C/EX/1308/26-05-2021, C/EX/1309/26-05-2021, C/EX/1310/26-05-2021 and C/EX/1320/27-05-2021, called on the Ministry of the Interior, the Ministry of Education and Religious Affairs (hereafter YPAITH), the Ministry of Labor and Social Affairs, the Naval Defense Fund (hereinafter NAT) and IDIKA S.A. respectively, as data controllers based on the aforementioned KYA, to provide specific clarifications regarding the processing of data carried out pursuant to the aforementioned KYA for the declaration of the results of the self-diagnostic tests on the platform https://self-testing.gov.gr and the further processing of that data after the declaration of the results.

[1] Posted at the link https://www.dpa.gr/el/enimerwtiko/deltia/epexergasia-dedomenon-prosopikoy-haraktira-sto-plaisio-tis-dienergeias
[2] Namely, IDIKA S.A. and the Ministry of Labor and Social Affairs independently for the employees of the private sector (article 7), IDIKA S.A. and the Ministry of Interior independently for those employed in the public sector (article 6), IDIKA S.A. for the students and teachers (article 7), IDIKA S.A. and the Naval Defense Fund independently for the seafarers (article 7), IDIKA S.A. for judicial and prosecutorial officers (article 6), IDIKA S.A. for students, teaching and other university staff (article 6), and IDIKA S.A., the Ministry of Interior and the Ministry of Education and Religious Affairs independently for the religious ministers (article 6).

In response to the above documents of the Authority, the Ministry of Interior sent the Authority its response under prot. no. ... (and with APD prot. no. C/EIS/4689/15-07-2021), and IDIKA S.A. submitted its response under prot. no. ... (and with APD prot. no. C/EIS/4274/29-06-2021). Due to non-receipt of a timely response from the Ministry of Health, the Authority sent it a reminder document under prot. no. C/EXE/2564/11-11-2021 requesting explanations, following which the Ministry of Health, by its message to the Authority under Authority prot. no. C/EIS/7663/23-11-2021, requested an extension for submitting a response until 29.11.2021, and finally, on 10.12.2021, the response under prot. no. ... (and with APD prot. no. C/EIS/8118/13.12.2021) of the Data Protection Officer of MINISTRY OF was submitted to the Authority. Furthermore, NAT submitted to the Authority the document under prot. no. ... (and with APD prot. no. C/EIS/3688/04-06-2021), by which it requested an extension of the above deadline by fifteen (15) days, which was granted (by the document under APD prot. no. C/EXE/1414/17-06-2021), and subsequently sent its response under prot. no. ... (and with APD prot. no. C/EIS/4633/13-07-2021). Finally, the Ministry of Labor and Social Affairs requested, by its email message of 10.06.2021 (also with APD prot. no. C/EIS/3828/10-06-2021), an extension of the 15-day deadline until 18 June 2021, and thereafter sent the Authority its response under prot. no. ... (and with prot. no. C/EIS/4327/01-07-2021). In addition, the above Ministry, by its email message of 14.07.2021 (with APD prot. no. C/EIS/4688/15-07-2021), brought to the Authority's attention a draft legislative provision for the amendment of paragraph d of paragraph 6 of article 27 of Law 2792/2021, to which the Authority responded with the document under prot. no. C/EXE/1785/27-07-2021.
Subsequently, the Authority, by documents under prot. no. C/EX/40/07-01-2022, C/EX/41/07-01-2022, C/EX/42/07-01-2022, C/EX/43/07-01-2022 and C/EX/44/07-01-2022, invited IDIKA S.A., the Ministry of the Interior, the Ministry of Labor and Social Affairs, NAT and the Ministry of Health respectively to attend the meeting of the Plenary of the Authority on Tuesday 18-01-2022, in order to discuss the aforementioned case. At this meeting, in the presence of all those invited, the request under no. ... (and with APD prot. no. C/EIS/326/17.01.2022) of the Ministry of Labor and Social Affairs to postpone the discussion of the case was discussed, and a new meeting date was set for February 15, 2022. At the meeting of 15.02.2022 the following attended: (a) on behalf of the Ministry of the Interior, Paraskevi Charalambogianni, Secretary General of Antriminos Personnel of the Ministry of the Interior, A, Head of Directorate ... of the Ministry of the Interior, B, Head of the Department ... of the Ministry of the Interior, and C, Head of the Department ... of the Ministry of the Interior, while, upon invitation (summons) by the Ministry of the Interior, the Governor of the National Transparency Authority, Angelos Binis, was also present, (b) on behalf of the Ministry of Health, D, President of the Legal Council of the State, and E, Data Protection Officer of the Ministry of Education and Religious Affairs, (c) on behalf of NAT, Georgios Yiannopoulos, lawyer (...), and Areti Oikonomou, lawyer (...), both NAT attorneys, (d) on behalf of the Ministry of Labor and Social Affairs, Grigoris Lazarakos, lawyer (...), attorney of the said Ministry, Anna Stratinaki, General Secretary of Labor Relations, and ST, Data Protection Officer of the Ministry of Labor and Social Affairs, and (e) on behalf of IDIKA SA, Niki Tsouma, Chairman of the Board of Directors and Managing Director of IDIKA SA, Iulia Konstantinou, lawyer (...), and Hera Chioni, lawyer (...), on behalf of the Office of the Data Protection Officer of IDIKA S.A., George Stathakos, lawyer (...), head of the Legal Service of IDIKA S.A., Melina Tsiuma, lawyer (...), and on behalf of the Directorate and Support of Special Applications