HDPA (Greece) - 55/2021

| Relevant Law: | Article 33 GDPR; Article 34 GDPR; Article 37(1) GDPR; Article 37(7) GDPR |
| Parties: | Ministry of Tourism |
| National Case Number/Name: | 55/2021 |
| European Case Law Identifier: | n/a |
| Original Source: | Hellenic Data Protection Authority (in EL) |
| Initial Contributor: | Frederick Antonovics |
The Hellenic DPA fined the Ministry of Tourism €75,000 for failing to appoint a DPO and for failing to report a data breach in which citizens who entered their credentials on a government platform could view other people's personal data, including their full name, VAT number, social security number, postal address, telephone number, email address, and disability status.
English Summary
Facts
In July 2020, an individual sent an e-mail to the Hellenic DPA reporting that when they attempted to submit an application on the tourism4all.gov.gr platform, they discovered a personal data breach. When they entered their credentials, the application data of a third party (unrelated to the complainant) appeared, including that person's full name, Tax Identification Number, Social Security Number (SSN), postal address, telephone number, e-mail address, and disability status.
Additionally, when the individual tried to find the Ministry of Tourism's Data Protection Officer to inform them of the issue, they found that the Ministry did not have one, in contravention of Article 37(1) and (7) GDPR. The Hellenic DPA therefore launched an investigation to determine whether the Ministry of Tourism had contravened Articles 33, 34 and 37 GDPR.
Holding
First, the Ministry of Tourism argued that, although it is the data controller for the platform, its involvement was not of a technical nature: it was the obligation of the contractor it had hired to design the platform to ensure the platform's proper functioning and to take all necessary security measures to safeguard users' personal data.
In addition, it argued that because the incident in question was isolated, dealt with immediately, and the personal data was not widely exposed, the affected person was not put at risk. As such, in the Ministry's view, it was not possible to consider that it contravened Articles 33 and 34 GDPR.
Finally, the Ministry of Tourism asserted that it was actually the Ministry of Digital Governance's responsibility to "operate" the email@example.com email address, as the Ministry of Tourism had not instructed the contractor to use this address.
However, the Hellenic DPA held that the Ministry of Tourism was responsible for the processing on the platform. This was evidenced by a Joint Ministerial Decision which explicitly stated that the Ministry of Tourism was the controller of the personal data of the platform's users. As such, it was liable under the GDPR both for the data breach and for the lack of a DPO.
Further, the DPA determined that only an 'ad hoc' incident response procedure was followed after the data breach. This procedure failed to uncover the source of the incident, and even after an investigation the parties questioned could only speculate as to its cause. The DPA held that this constituted "a breach of the fundamental requirements to take appropriate organisational and technical measures to security of processing, in accordance with Article 32 GDPR, in connection with Article 24 GDPR, as the controller did not take into account the risks to the rights and freedoms of natural persons in determining security measures."
Finally, the DPA held that the Ministry of Tourism violated Article 33 GDPR by failing to report the data breach, and Article 37(1) GDPR by not having appointed a DPO at the time the breach took place.
In light of all these breaches, the Hellenic DPA fined the Ministry of Tourism €75,000.
Comment
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.