HDPA (Greece) - 50/2021
|HDPA (Greece) - Decision 50/2021|
|Relevant Law:||Article 5(1)(a) GDPR|
Article 6(1)(c) GDPR
Article 6(1)(e) GDPR
Article 12(1) GDPR
Article 25(1) GDPR
Article 35(9) GDPR
Article 37(7) GDPR
Article 46 GDPR
Article 4(5)National Law 3471/2006
Article 4(5)National Law 3471/2006
|Parties:||Hellenic Ministry of Education and Religions Affairs|
|National Case Number/Name:||Decision 50/2021|
|European Case Law Identifier:||n/a|
|Original Source:||Greek DPA (in EL)|
The Greek DPA issued a reprimand against the Hellenic Ministry of Education and Religious Affairs for not conducting a Data Protection Impact Assessment (DPIA) in an appropriate manner before implementing a method of distance learning after the closure of schools in Greece in the context of the COVID-19 pandemic.
English Summary[edit | edit source]
Facts[edit | edit source]
Due to COVID-19 pandemic period, the Hellenic Ministry of Education and Religions Affairs (the Ministry) decided to promote and implement a method of distance learning by technological means for students in primary and secondary education. The Greek DPA (HDPA) considered this method legal, but found that the Ministry had failed to consider a number of factors and risks in relation to the rights and freedoms of the data subjects when conducting a Data Protection Impact Assessment (DPIA). Recognizing the need for the contemporary distance education, the HDPA provided an opinion to the Ministry to address the flaws and shortcomings. The HDPA called on the Ministry to make the appropriate changes to the DPIA within an exclusive period of three months. After that period, the HDPA analyzed once again the measures taken by the Ministry to assess whether the adopted method of distance learning and the measures that accompanied it complied with the GDPR.
Holding[edit | edit source]
The HDPA examined the updated DPIA, as well as the compliance actions taken by the Ministry. The HDPA identified deficiencies as follows: first of all, the HDPA found that the Ministry never made a detailed investigation on the lawfulness of the processing purposes under Article 6(4) GDPR, in particular with regard to the consent for access to information stored in a user's terminal equipment, when is not necessary to provide the service requested by the user.
Regarding the principle of transparency and the right to access by the data subject, according to Article 12 and 14 GDPR, the information provided by the Ministry to the data subjects was not considered appropriate and sufficient. The HDPA found in particular that the provided information was not easy to understand and (lack of accessibility and of clear and simple wording), especially vis-à-vis children.
The HDPA further found that the applied measures, despite having been improved, still needed to be completed, in order to ensure in particular that all the teachers involved in the distance education process receive minimal information in accordance with Article 13 GDPR.
In addition, the HDPA found that the Ministry violated the obligation of Article 35(9) GDPR in relation to the expression of opinion of the data subjects or their representatives for the processing activity.
Last but not least, no proper evaluation of data transfer to non-EU countries were carried out and in particular in the light of the CJEU judgment in Case C-311/18 (Schrems II).
In view of all the above violations, the HDPA reprimanded the Ministry and instructed the latter to address those deficiencies in the manner analyzed in the decision within a period of two months (four months in relation to the data transfers).
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
update Legislation, Annual reports, Acts of the Authority, Thematic units, Press releases and announcements, News, Events, Young citizens, e-Newsletter