Revision as of 14:31, 24 January 2022

HDPA (Greece) - 55/2021
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 33 GDPR, Article 34 GDPR, Article 37(1) GDPR, Article 37(7) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 29.12.2021
Fine: 75,000 EUR
Parties: Ministry of Tourism
National Case Number/Name: 55/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: Hellenic Data Protection Authority (in EL)
Initial Contributor: Frederick Antonovics

The Hellenic DPA fined the Ministry of Tourism €75,000 for neither appointing a DPO nor reporting a data breach in which citizens who entered their credentials on a government platform were shown the personal data of other people, including their full name, VAT number, social security number, postal address, telephone number, email address and disability status.

English Summary

Facts

In July 2020, an individual sent an e-mail to the Hellenic DPA reporting that, when they attempted to submit an application on the tourism4all.gov.gr platform, they discovered a personal data breach: after they entered their credentials, the application data of an unrelated third party appeared, including that person's full name, Tax Identification Number, Social Security Number (SSN), postal address, telephone number, e-mail address and disability status.

Additionally, when the individual tried to find the Ministry of Tourism's Data Protection Officer to inform them of this issue, they found that the Ministry did not have one, in contravention of Article 37(1) and (7) GDPR.

Thus, the Hellenic DPA launched an investigation to determine whether the Ministry of Tourism contravened Articles 33, 34 and 37 GDPR.

Holding

First, the Ministry of Tourism argued that, whilst it is the data controller of the platform, its involvement was not of a technical nature, because it was the obligation of the contractor hired to design the platform to ensure its proper functioning and to take all necessary security measures to safeguard users' personal data.

In addition, it argued that because the incident in question was isolated, dealt with immediately, and the personal data was not widely exposed, the affected person was not put at risk. As such, in the Ministry's view, it could not be considered to have contravened Articles 33 and 34 GDPR.

Finally, the Ministry of Tourism asserted that it was actually the Ministry of Digital Governance's responsibility to "operate" the dpo@mintour.com email address, as the Ministry of Tourism had not instructed the contractor to use this address.

However, the Hellenic DPA held that the Ministry of Tourism was responsible for the processing on the platform, as evidenced by a Joint Ministerial Decision which explicitly stated that the Ministry was responsible for processing the platform users' personal data. As such, the Ministry was liable under the GDPR for the data breach and for the lack of a DPO.

Further, the DPA determined that an 'ad hoc' incident response procedure was followed after the data breach. This procedure failed to uncover the source of the incident: even after investigation, the different parties questioned could only speculate as to its cause. The DPA held that this constituted "a breach of the fundamental requirements to take appropriate organisational and technical measures for the security of processing, in accordance with Article 32 GDPR, in connection with Article 24 GDPR, as the controller did not take into account the risks to the rights and freedoms of natural persons in determining security measures."

Finally, the DPA held that the Ministry of Tourism had violated Article 33 GDPR by failing to report the data breach, and Article 37(1) GDPR by not having appointed a DPO at the time the breach took place.

In light of all these breaches, the Hellenic DPA fined the Ministry of Tourism €75,000.


English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Athens, 29-12-2021, No. Prot. 3028

DECISION 55/2021

The Personal Data Protection Authority convened, at the invitation of its President, in a regular meeting by teleconference on 6-10-2021, following the extraordinary meeting of 19-07-2021 and its meeting of 23-06-2021, in order to examine the case mentioned in the background of the present decision. Konstantinos Menoudakos, President of the Authority, and the regular members Spyridon Vlachopoulos, Konstantinos Lambrinoudakis, as rapporteur, and Charalambos Anthopoulos were present. The meeting was attended, without the right to vote and by order of the President, by the auditors Konstantinos Limniotis and Georgios Roussopoulos, computer scientists, as assistant rapporteurs, and by Irini Papageorgopoulou, an employee of the Department of Administrative Affairs, as secretary.

The Authority took into account the following:

A submitted to the Authority the e-mail with reference no. …, in which he reported that, when attempting to submit an application on the platform tourism4all.gov.gr, he found a problem of leakage of personal data of third parties. In particular, after entering his credentials (TAXISnet codes), the application data of a third party (unrelated to him) appeared on the screen, which included name, Tax Registration Number (TIN), Social Security Registration Number (AMKA), postal address, telephone and e-mail address, while there were also fields for any details of disability and of whether care is needed, for both the applicant and the spouse. A screenshot was attached as proof. The e-mail was also sent to … and to the e-mail address tourism4all@mintour.gr, which was listed on the platform. The Authority, noting that the privacy policy of the platform states that "… you can address all your questions or requests regarding the protection of your Personal Data held by the Ministry of Tourism in its capacity as Controller as above, to the Data Protection Officer of the Ministry of Tourism by sending an e-mail to: dpo@mintour.gov.gr …", and as no violation had been reported, sent on … an e-mail to the said address, which was returned as undeliverable after some days. Furthermore, after a search in the register of Data Protection Officers, the Authority did not find, for the period in question, any notification of the contact details of a Data Protection Officer by the above Ministry, as required by Article 37 par. 1 and 7 of the General Data Protection Regulation (EU) 2016/679 (hereinafter, GDPR). Subsequently, the Authority sent document no. C / EX / 4914 / 15-07-2020 to the Ministry of Tourism, informing it of all the above and asking for its views on what is described in A's report, and asking in particular for clarifications on the following issues: 1) What exactly it did when it became aware of the incident, and whether these actions were provided for in the context of a more general policy for handling personal data breaches; 2) How it assessed the incident on the basis of the risks that may arise from it for the affected persons; 3) Whether a Data Protection Officer has been appointed and whether the address for communication and the exercise of rights mentioned on the website (dpo@mintour.gov.gr) is functional.

Then, as no written response had been received from the Ministry after months, the Authority sent a reminder with reference number C / EXE / 534 / 01-02-2021. Following this, the Ministry responded to the Authority with its document no. … (Authority prot. no. Γ / ΕΙΣ / 1080 / 12-02-2021), in which it states the following: Α) The implementation of the digital application for the program "Tourism for All" was developed in collaboration with the Ministry of Digital Governance, which, through the Interoperability Center of the General Secretariat of Information Systems of Public Administration (hereinafter, GGPSDD), guided the contractor company THREENITAS SA, cooperating with the Ministry of Digital Governance, on interoperability planning and development issues.
Because of this, the Strategic Planning Department of the Ministry, which has undertaken the implementation of the "Tourism for All" program for the year 2020, provided information to the Ministry of Digital Governance and to the GGPSDD supervised by it. More specifically, the above e-mail of A (dated … at …) to the e-mail address tourism4all@mintour.gr was forwarded immediately (on …), marked as urgent and of high importance, to the competent services involved, i.e. the General Secretariat of Information Systems of Public Administration at the Ministry of Digital Governance, the contractor company of the Ministry of Digital Governance, Threenitas SA, and internally to the General Directorate of Tourism Policy and the Office of the Minister. B) The services involved proceeded with immediate technical investigative actions in order to identify the error in the procedure. In the meantime, with the intervention of the Office of the Minister of Tourism and the necessary explanations, the operation of the application was stopped as a precaution on … at … in order to avoid similar incidents. C) Then, as no error had been detected by … at the level of the application by the contractor, it was proposed to add a second level of control during user authentication through the Interoperability Center of the GGPSDD (oAuth2 service), and specifically confirmation of the IBAN (1) after entering the taxisnet codes. The proposal of the contractor company of the Ministry of Digital Governance was accepted, with the consent of the Directorate and the Office of the Minister, and the application returned to normal operation on the same day … at …, while the Ministry of Digital Governance undertook further investigation in cooperation with the GGPSDD, as the problem appeared to have arisen in the authentication phase of the users. The e-mails exchanged are attached to the Ministry's response to the Authority.

Furthermore, the Ministry of Tourism states in its above response that the electronic application www.tourism4all.gov.gr, according to Public Invitation no. 9126 / 17.06.2020 (ΨΡ73465ΧΘΟ-51Θ), was opened for the submission of applications by beneficiaries on …, and that this incident occurred on the second day of its operation, in fact within the first 24 hours of operation (…). For the first time, the Interoperability Center of the GGPSDD received a huge volume of requests, as the potential beneficiaries of the Program, according to AADE data, numbered about 5 million. Throughout the operation of the electronic application, the service of the Ministry of Tourism was in constant communication with the services involved in order to address the problems that arose during the process, as was successfully done, as stated by the Ministry, in this case as well. In this regard, the Ministry also states that with its document no. … it forwarded the above original document of the Authority to the Ministry of Digital Governance for its assistance, by reason of competence. As the response of the competent services involved (Ministry of Digital Governance and GGPSDD) was pending, on October 27, 2020 an e-mail was sent to the Ministry of Digital Governance. The relevant correspondence, including the Authority's second memorandum, was forwarded again to … at the Ministry of Digital Governance via e-mail, following a telephone communication, as well as with document no. … of the Ministry of Tourism to the Ministry of Digital Governance requesting the provision of information.

(1) Note: as stated in subsequent documents, and also at the hearing of the Ministry of Tourism, this is not the IBAN but the Tax Registration Number (TIN).
Finally, regarding the issue of appointing a Data Protection Officer and the functionality of the e-mail address for communication and the exercise of rights, which falls outside, as mentioned in the above letter of the Ministry to the Authority, the responsibilities of the General Directorate of Tourism Policy, it is stated that the draft call for tenders for the assignment of services for the design and development of a Compliance System with the requirements of the General Data Protection Regulation (GDPR) and the provision of Data Protection Officer services is being processed, and that until the completion of the process the contact address in the "Terms of Use & Data Protection Policy" of the electronic application has been replaced by the e-mail address tourism4all@mintour.gr. The Authority then invited the Ministry of Tourism to a hearing, by teleconference, at the Plenary Session of 23-06-2021 (see call with reference number G / EXE / 1344 / 31-05-2021). One day before the meeting, the Ministry of Tourism submitted by e-mail (Authority reference no.: Γ / ΕΙΣ / 4112 / 22-06-2021) its two documents no. …, the first concerning the case to be discussed before the Authority, while with the second it requested the postponement of the forthcoming hearing. In particular, the first document of the Ministry of Tourism states the following: A) By Joint Ministerial Decision no. 9022 / 16.06.2020 of the Ministers of Finance, Development and Investment, Tourism and State, the preparation of a program to strengthen demand for domestic tourism, "Tourism for All" year 2020, through a holiday subsidy was approved (Government Gazette Β' 2393). According to paragraph 1 of article 7 of the above joint ministerial decision, inclusion in the program requires an application, which is submitted by the beneficiaries in the electronic application of the Ministry of Tourism www.tourism4all.gov.gr through the Single Digital Portal of Public Administration.
The submission of the application requires the prior authentication of the beneficiaries using the codes/credentials of the General Secretariat of Information Systems of Public Administration of the Ministry of Digital Governance (taxisnet). According to paragraph 3 of the same article, during the electronic submission of the application, web services are made available through the Interoperability Center of the General Secretariat of Information Systems of Public Administration of the Ministry of Digital Governance in order to retrieve from the information systems of A.A.D.E., H.D.I.K.A. SA and the Citizens' Register of the Ministry of Interior, and to provide to the Ministry of Tourism, the following personal data of the applicant: a) from the information systems of A.A.D.E.: i. indication of a cleared tax return for the tax year examined for the income criterion (0 or 1), ii. indication of a cleared tax return for the tax year preceding the tax year of indent i above (0 or 1), iii. income according to the provisions of the above Joint Ministerial Decision for the TIN of the applicant and any other members of his family; and b) from the information systems "AMKA-EMAES" of H.D.I.K.A. SA and the Citizens' Register of the Ministry of Interior: i. current marital status based on the details of the applicant and of the spouse or other party to a cohabitation agreement, if any, ii. confirmation of the list of minor dependent children of the applicant. Finally, article 14 of the above Joint Ministerial Decision states that the productive operation of the above web services begins after the approval of the Secretary General of Information Systems of Public Administration of the Ministry of Digital Governance, in accordance with article 47 of law 4623/2019 (Government Gazette Α' 134), while provision is carried out through the Interoperability Center (hereinafter KED) of the General Secretariat of Information Systems of Public Administration, in accordance with the current Information Systems Security Framework of the General Secretariat of Information Systems of Public Administration of the Ministry of Digital Governance and with the data protection provisions. B) The submission of applications started at 21:30 on …, and was scheduled according to the last digit of the applicants' TIN. The e-mail of A (… – …, from the e-mail address …) with the subject "Leakage of data on the tourism4all.gov.gr platform" was sent to the e-mail address tourism4all@mintour.gr, which had been created exclusively for the direct handling of any kind of communication regarding the "Tourism for All" 2020 program, with a copy to the e-mail address complaints@dpa.gr and a further notification to another e-mail address (which is said to be that of the affected person). Although, as the Ministry claims, the authenticity of the message could not be verified, it was nevertheless investigated as a fact, while the Ministry notes that A did not have access to the other person's tax data but to his application data in the said program. As the implementation of the digital application for the "Tourism for All" program was developed in collaboration with the Ministry of Digital Governance, which guided the Ministry of Tourism in planning and developing the interoperability of services through the Interoperability Center of the GGPSDD, the Ministry of Digital Governance referred the matter to the cooperating company THREENITAS SA (see the above document of the Ministry).
In particular, the actions that took place are briefly the following:

- …, … pm: incoming report message from … (Α) to tourism4all@mintour.gr.
- …, … pm: outgoing report of the incident to the GIS, the Ministry of Digital Governance, the Contractor, the Directorate, the General Directorate of Tourism Policy of the Ministry of Tourism and the Office of the Minister of Tourism.
- …, … pm: question from the contractor to the GIS about the exact time at which the authentication requests of the two TINs were made in the OAuth2 service, which, from the records in the application, appear to have created applications 10 minutes apart.
- …, … pm: order given by the Office of the Minister to stop the operation of the application until resolution.
- …, … pm: application locked by the contractor until the relevant communication is completed.
- …, … pm: response of the GIS regarding the times at which the authentication requests of the two TINs were made to the OAuth2 service.
- …, … pm: request of the Service for locating the IP addresses.
- …, … pm: response of the contractor that no error has been identified in the implementation and that efforts to locate the bug continue with all those involved; proposal for the adoption of a double TIN check upon entering the application.
- …, … pm: GIS response regarding the IP addresses (detailed information is given in the Ministry's document).
- …, … pm: request for reopening the application by the Service, by order of the Office of the Minister of Tourism, in accordance with the double TIN check proposed by the contractor.

Furthermore, according to the relevant report dated 18.06.2021 (Α.Π. 10906 / 22.06.2021) of B, Data Protection Officer (DPO) of the contractor company THREENITAS A.E. (2), which was submitted to the Authority together with the said document of the Ministry of Tourism, the first phase of the response aimed at assessing the extent and severity of the incident. "As for the extent: it was found that the incident could not be reproduced in the normal flow of use of the application. An analysis of the logs did not reveal any other case other than the one that led to the relevant report." In detail, the DPO of the contractor company records the following: "Information was requested from the KED regarding the use of the TaxisNet Login service, and data were retrieved from the logging system of the platform. A series of extensive checks were performed on the application code, and the correct handling of all supported scenarios was confirmed. No implementation problems were detected and the event could not be reproduced. Therefore, any possibility that the event was due to an implementation error concerning the digital platform was ruled out. Then, data related to the implementation of OAuth 2.0, on which the TaxisNet Login service of the GIS is based, as well as the service infrastructure of the application, were examined. However, the implementation of OAuth 2.0 used a relevant software library on which other IDIKA service implementations have also been based, and the service infrastructure is provided by the Amazon Web Services service and uses elements that allow support for large volumes of incoming requests and server load balancing. In any case, both possibilities concern functions and systems that were not under the control of the company and the Ministry of Tourism, and could not be further analyzed. The above findings were also reported to the KED in order to carry out a parallel inspection of the infrastructure supporting the authentication mechanism, but without any technical problem being mentioned. It is noted that during … alone the digital platform tourism4all was visited by about 80,000 users, who performed 1,200,000 content views. However, apart from the incident reported by the user, no other similar incident could be detected in the other 1,200,000 content views."

Furthermore, as already mentioned above, an improvement proposal of the contractor company was implemented, i.e. the addition of a second level of control during the authentication of the user through the Interoperability Center of the GGPSDD (oAuth2 service), and specifically confirmation of the TIN after entering the taxisnet codes. That is, the citizen is required to enter his TIN, as this element is part of the information retrieved during authentication. According to the proposed extension, the TIN entered by the user is compared with the TIN returned during TaxisNet Login. If the two differ, the user is logged out in order to try to reconnect. The proposal of the contractor company of the Ministry of Digital Governance was accepted, with the consent of the Directorate of Strategic Planning and the Office of the Minister of Tourism, and the application returned to normal operation on the same day … at …, while the Ministry of Digital Governance took over further investigation in cooperation with the GGPSDD, as the problem appeared to have arisen during the authentication phase of the users and in any case did not fall within the responsibilities of the Ministry of Tourism due to its technical nature. According to the Ministry of Tourism, according to AADE, the potential beneficiaries of the Program were about 5 million citizens, a fact of which both the contractor and the GGPSDD were informed by the Ministry of Tourism (e-mail …) so that all necessary measures could be taken at the technical level within their competence. Indeed, the Interoperability Center of the GGPSDD received a huge volume of calls, and throughout the operation of the electronic application the Service was in constant communication with both the K.E.D. of the GGPSDD and the contractor company, in order to address the problems that arose during the process and to ensure the smooth operation of the application during the submission of applications.

C) The contractual framework for the cooperation of the Ministry of Tourism with all the bodies involved mentioned above, i.e. with the Ministry of Digital Governance, the General Secretariat of Information Systems of Public Administration, the contractor THREENITAS SA and the contracting authority EDYTE SA, supervised by the Ministry of Digital Governance, was formed as follows: 1) The Memorandum of Cooperation of 01.09.2020 between the Ministry of Digital Governance and the Ministry of Tourism (attached to the said document of the Ministry), which was forwarded to the Office of the Minister of Tourism for signature on 11.11.2020 (Deputy Minister …/…), specifies that the object of the contract, namely the creation of an electronic application/platform for the provision of e-vouchers under the program "Tourism for All" year 2020 through the Single Digital Portal of Public Administration, is undertaken by the Ministry of Digital Governance, which develops the technical and regulatory framework for its creation in accordance with the guidelines of the Ministry of Tourism, which prepares the program. The Ministry of Digital Governance is no longer involved in its management, nor is it responsible for the processing of personal data which takes place in the context of the management of the electronic application/platform, while the Ministry of Tourism undertakes its general management, obtains the information contained therein and is responsible for its management, maintenance and upgrade. Furthermore, the Ministry of Tourism is responsible for the processing of personal data of the platform, whose technical analysis, design and implementation will be carried out by EDYTE SA, a supervised body of the Ministry of Digital Governance.

(2) It is pointed out that the company has not communicated to the Authority the details of its Data Protection Officer pursuant to article 37 par. 8.
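The second-level control described above (the TIN typed by the user is compared with the TIN returned by TaxisNet Login, and the user is logged out on mismatch) is a session-binding check: it verifies that the server-side session really belongs to the person at the keyboard, whatever the cause of a mix-up during authentication. The following Python is an added illustration written for this page, not code from the decision, the Ministry or the contractor; the session store, the function names and the sample TIN values are assumptions. It adds one element the decision's description does not mention but the DPA's criticism of the ad hoc response points at: every mismatch is written to an audit log, so a recurrence of the identity confusion becomes detectable by operations staff rather than depending on a user reporting it.

```python
"""Identity re-confirmation after federated login (illustrative model)."""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    session_id: str
    tin_from_idp: str       # TIN asserted by the identity provider (TaxisNet Login) at login
    confirmed: bool = False  # True only after the user re-enters a matching TIN


@dataclass
class SessionStore:
    """In-memory stand-in for the platform's session storage (assumed design)."""
    sessions: dict[str, Session] = field(default_factory=dict)
    audit_log: list[dict] = field(default_factory=list)

    def complete_login(self, tin_from_idp: str) -> str:
        """Called once the OAuth2 callback has validated the identity provider's
        response. A fresh, unguessable session id is bound to the asserted TIN."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(session_id=sid, tin_from_idp=tin_from_idp)
        self.audit_log.append({"event": "login", "session": sid, "tin": mask(tin_from_idp)})
        return sid

    def confirm_tin(self, sid: str, entered_tin: str) -> bool:
        """Second-level control: compare the user-entered TIN with the one the
        identity provider returned for this session. On mismatch the session is
        destroyed (the user must log in again) and a 'tin_mismatch' event is
        logged so that operators can alert on repeated occurrences."""
        sess = self.sessions.get(sid)
        if sess is None:
            return False
        expected = normalise(sess.tin_from_idp).encode()
        given = normalise(entered_tin).encode()
        if hmac.compare_digest(given, expected):   # constant-time comparison
            sess.confirmed = True
            return True
        del self.sessions[sid]
        self.audit_log.append({"event": "tin_mismatch", "session": sid, "tin": mask(sess.tin_from_idp)})
        return False

    def is_authorised(self, sid: str) -> bool:
        """Application data may only be served to confirmed sessions."""
        sess = self.sessions.get(sid)
        return sess is not None and sess.confirmed


def normalise(tin: str) -> str:
    """Remove whitespace so that a TIN typed with spaces still matches."""
    return tin.strip().replace(" ", "")


def mask(tin: str) -> str:
    """Keep only the last three digits in audit records (data minimisation)."""
    return "*" * max(0, len(tin) - 3) + tin[-3:]


def demo() -> tuple[bool, bool, int]:
    """Run the check on constructed sample values (not real TINs)."""
    store = SessionStore()
    good = store.complete_login("123456789")
    bad = store.complete_login("987654321")
    ok = store.confirm_tin(good, "123456789")          # matches what the IdP asserted
    rejected = store.confirm_tin(bad, "123456780")     # user typed a TIN the IdP did not assert
    mismatches = sum(1 for e in store.audit_log if e["event"] == "tin_mismatch")
    return ok, rejected, mismatches


if __name__ == "__main__":
    print(demo())
```

The check is deliberately placed after login and before any application data is served (is_authorised), so a session whose asserted identity does not match the user's own knowledge can never reach the page that, in the reported incident, displayed a third party's application. The masked audit entries give the operations team a signal to count and correlate without storing full TINs in the log.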
With the signing of the Memorandum, the Ministry of Digital Governance delivers all the data related to the "Tourism for All" program, the website "tourism4all.gov.gr" and the online platform "tourism4all". 2) Contract no. 10183 / 14.09.2020 with the object "Creation of a platform for the provision of e-vouchers within the program 'Tourism for All'" between the Contracting Authority EDYTE SA and the contractor THRINITAS SOFTWARE SYSTEMS (i.e. THREENITAS) (attached to the above document of the Ministry of Tourism to the Authority) has as its object the technical analysis, design and implementation of the platform for the provision of e-vouchers within the program, in productive operation through gov.gr. It is also stated that "The connection is made through the TAXISnet codes with the parallel declaration of the AMKA. The application is interconnected with web services that provide, for a user, a parent/child relationship check between the beneficiary and the members declared as such, a spouse/partner relationship confirmation between the beneficiary and the member declared as such, and income retrieval; web services: User Authentication, parent/child relationship check using AMKA, spouse/partner relationship check using AMKA, Income, IBAN/TIN". With regard to the protection of personal data, this contract states that "the processing of personal data will be carried out in accordance with the terms and agreements of this Contract and the Instructions of the Contracting Authority.
The Contractor is committed to the implementation of and compliance with the applicable legislation for the protection of personal data (…)" and "The Contractor certifies and guarantees to the Contracting Authority that it will take all necessary organizational and technical measures for the security of information that may contain personal data, and in general of all similar forms of files and IT systems of the Contracting Authority, as well as for their protection from accidental or unlawful destruction, accidental loss, alteration, prohibited dissemination and any other form of unfair processing, within the framework of its duties under the present contract". 3) Annex C' of 12.11.2020, "Agreement for the processing of personal data (Data Processing Agreement - DPA)", which was attached to Contract no. 10183 / 14.09.2020 (also attached to the above document to the Authority), stipulates that the Ministry of Tourism is responsible for the processing of personal data within the program "Tourism for All", and that the processor, EDYTE SA, processes personal data on behalf of and in accordance with the instructions of the controller (Ministry of Tourism) within the platform in productive operation through gov.gr.
The subcontractor (Contractor - Threenitas) must: a) provide its assistance to EDYTE SA, and through it to the Ministry of Tourism, in ensuring compliance with the obligations arising from the GDPR and the Law regarding the exercise of data subjects' rights; b) inform EDYTE SA in writing and without undue delay, and EDYTE SA in turn the Ministry of Tourism, of any questions, complaints, grievances or requests received relating to the exercise of the rights of data subjects; c) support EDYTE SA in providing the controller with assistance in conducting a data protection impact assessment, if this becomes necessary on the basis of the personal data processing operations and in accordance with the terms of the GDPR and the Law; d) provide, through EDYTE SA, assistance to the Ministry of Tourism in consulting the Data Protection Authority on the proposed and appropriate risk mitigation measures in cases where impact assessments indicate that the processing would pose a high risk to the rights and freedoms of data subjects. Finally, the subcontractor (Contractor - Threenitas) is obliged to "apply appropriate measures for the provision of the general services: encryption, authorized access, classified access, logging, backup, strong password for logging in with regular change, deactivation of storage media, activation of a firewall on computers and secure remote connection only via VPN". 4) Contract no. 554 / 26.01.2021 with the object "Extension of the platform for the provision of e-vouchers in the framework of the program 'Tourism for All' - Phase B" between the Contracting Authority EDYTE SA and the contractor THRINITAS SOFTWARE SYSTEMS SA (attached to the above document to the Authority) extends the object of the contract, while the content of its terms remained as it was.
C) Regarding the issue of appointing a Data Protection Officer, which is beyond the responsibilities of the General Directorate of Tourism Policy and the Strategic Planning Directorate that prepares the Programme, the Ministry of Tourism states that, after the publication of call for tenders no. 5979/07.04.2021 for the assignment of services for the design and development of a Compliance System with the Requirements of the General Data Protection Regulation (GDPR) and the provision of Data Protection Officer services (ΑΔΑ: 631Τ4) and the relevant tender procedure, Decision no. 10398/14.06.2021 of the Service Secretary of the Ministry of Tourism was issued, accepting the minutes of 14.5.2021 (meetings of 26.4.2021 and 10.5.2021), 1.6.2021 (meetings of 28.5.2021 and 1.6.2021) and 9.6.2021 (meeting of 9.6.2021) of the evaluation committee for the tender under call no. 5979/07.04.2021 (ΑΔΑ: 93Η9465ΧΘΟ-0ΜΝ). Therefore, the signing of a contract with an external partner-contractor of the Ministry of Tourism, who will provide the services of Data Protection Officer, is imminent. It is noted that, according to the above call, as found by the Authority, the budgeted expenditure is up to € 20,000.00 without VAT (VAT: € 4,800.00, total € 24,800.00) and will be charged to the Ministry's expenditure budget for the financial years 2021 and 2022. Regarding the issue of the functionality of the e-mail address for electronic communication and the management of rights under the Programme, this address has been replaced, until the completion of the contract award process, in the "Terms of Use & Data Protection Policy" of the electronic application by the e-mail address tourism4all@mintour.gr.
D) In conclusion, the Ministry of Tourism states that it considers critical the contribution of the bodies directly involved in the technical development of the application, namely EDYTE, the General Secretariat of Information Systems of Public Administration and the Ministry of Digital Governance, and refers to their written response of 22-6-2021 regarding the management of the incident. It also states that the application was designed by the Ministry of Digital Governance and is in productive operation through gov.gr (the technical analysis, design and implementation of the platform were assigned to EDYTE SA and by it to an external partner, the Contractor Threenitas), while the services of the Ministry of Tourism were not fully aware of the terms of cooperation, and when the implementation took place it was already fully operational. (Footnote 3: budget 24,800 euros. Footnote 4: as appears from document no. 10398/14-06-2021 of the Ministry (ΑΔΑ: 93Η9465ΧΘΟ-0ΜΝ), the company INTERACTIVE OE was selected for the provision of the service with an offer of € 21,948.00, including VAT.) It also summarises by reiterating that the Ministry of Tourism is the controller of the data processing on the platform, but that its involvement cannot be of a technical nature, while ensuring the proper functioning of the platform and taking all necessary personal data security measures is an obligation of the Contractor. Finally, the incident in question was isolated and dealt with immediately; moreover, the personal data were not disclosed or exposed widely enough for the risk to be assessed as high, and, in combination with the uniqueness and absolutely limited extent of the incident and the inability to verify and detect the error, it was assessed that the affected person was not put in danger.
Therefore, according to the submissions of the Ministry of Tourism, it cannot be considered that the provisions of Articles 33 and 34 of the General Data Protection Regulation on personal data breaches have been violated. The meeting of 23-06-2021 was attended, by teleconference, by C, Legal Adviser, NSC Office; D, Paredros, NSC Office; E, Advisor to the Office of the Minister; F, … Tourism Policy; G, … Strategic Planning; and H, employee of the Department of Special Forms of Tourism, as representatives of the controller, who also submitted orally a request for postponement of the discussion, which was accepted, setting a new date for the discussion of the case on 19-7-2021. The meeting of 19-7-2021 was attended by teleconference by D, Paredros, NSC Office; E, Advisor to the Office of the Minister; F, … Tourism Policy; G, … Strategic Planning; I, employee of the Department of Special Forms of Tourism; H, … of the Department of Special Forms of Tourism; as well as I and K on behalf of the contractor company that has undertaken the provision of Data Protection Officer services to the Ministry of Tourism, as representatives of the controller. After the meeting, the controller was given a deadline for submitting a memorandum, which it submitted within the set deadline with document no. Γ/ΕΙΣ/5104/02-08-2021. Already before the submission of the Ministry of Tourism's memorandum, an informative note had been submitted to the Authority by the GGPSDD of the Ministry of Digital Governance (Authority prot. no. Γ/ΕΙΣ/4794/20-07-2021), which, after describing the relevant provisions, states that: a) by a message of … at time …, in connection with the reported incident, its assistance was requested; b) the GGPSDD proceeded to check the internet service and did not find any problem in its operation or in the authentication infrastructure.
In addition, it checked the relevant logs in detail; c) the GGPSDD sent by e-mail, on the same day at time …, the relevant logs kept at the Interoperability Centre (KED) relating to the oAuth 2.0 call reports; d) during the first days of operation of the platform, KED/GGPSDD informed the Ministry of Tourism with statistics on the use of the online services for the monitoring of the action; e) the oAuth 2.0 authentication service of KED is widely used in a number of electronic services of public bodies: calls to oAuth 2.0 within 2020 reached 54,185,731, while in the first half of 2021 86,396,905 calls had already been made, without any malfunction of this mechanism having been reported or ascertained. Furthermore, the GGPSDD states that in order for a web application to serve multiple simultaneous users, the application must be in control of the sessions that are created, so that in the end each user is served with the functionality and data that relate to that user. The calls to the oAuth 2.0 and web services of KED, as well as their responses, are controlled by the respective application that calls them. The separation of information per individual must be done through the separate management of the session ids by the web application ("Tourism for All"). As for the further investigation of the issue, apart from issues exclusively within the competence of KED, the GGPSDD considers itself not competent.

The above-mentioned memorandum of the Ministry of Tourism, submitted after the hearing before the Authority, repeats the description of the procedures followed to deal with the incident (as already described in previous documents of the Ministry), attaches the content of the above informative note of the GGPSDD, and also repeats the content of the report of the DPO of the Contractor (Threenitas). Furthermore, the Ministry of Tourism states that, after the hearing before the Authority, it requested further clarifications from the contractor company, which, with its letter no. … to the Ministry of Tourism (attached to the Ministry's memorandum to the Authority), states: "… GSIS Authentication service. The library uses unmodified methods provided by Microsoft to manage multiple sessions. In the case examined, where the appearance of another user's data was observed, the issue was identified in the fact that the data returned by GSIS to the infrastructure after the authentication redirection concerned a different user from the one for whom the authentication process had taken place. The authentication process and the session management, i.e. the management of the sessions created in the context of the relevant user service requests, were performed exclusively using the methods provided by this library. Given that: a) the mechanism for managing multiple connections is implemented using Microsoft libraries, which leaves no room to question their correctness; b) its operation was confirmed by tests, including under artificial load conditions, when it was applied to the host of the application; c) the application operated generally without problems during the heavy load conditions observed in all subsequent phases of system operation; we consider the only possible explanation to be that this issue was caused by mismanagement in some part of the intermediate network infrastructure between the implementation and KED. These infrastructures are not under the control of Threenitas or the Ministry of Tourism, and are used as they are. Indicatively, the infrastructure used the Application Load Balancer and Web Application Firewall services, as provided by Amazon Cloud, which could under certain conditions lead to the mismanagement of multiple active connections to the KED infrastructure.
As mentioned, regarding the proper operation of the application, after the introduction of additional controls to deal with the phenomenon observed, so as to prevent the possibility of a malfunction even due to events not under the control of the application, the problem was addressed and has not been observed again." Furthermore, from the e-mail exchange on the day of the incident, it appears that the user with ΑΦΜ ΧΧΧΧΧ… (Λ) made two (2) connections, at … and …, from the same IP address …, and the user with ΑΦΜ ΧΧΧΧΧ… (Α) also made two (2) connections, at … and …, from two different IP addresses, … and …; the Ministry of Tourism speculates that during the first connection the application was submitted and during the second an attempt was made to retrieve it, at which point the incident of retrieving the other user's application was observed. The reason the incident was not notified to the Authority in accordance with Article 33 of the GDPR is that: a) the report was made directly to the Data Protection Authority by the citizen (A), with notification to the affected person, who took any action; b) the controller took action and took appropriate measures by introducing an additional level of security at user login and identification, which ensured that such an incident did not occur again. The incident was assessed as minor and the risk as negligible to non-existent, i.e. that there is no possibility of endangering the rights and freedoms of natural persons.
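As an added illustration (not code from the decision, the Ministry, Threenitas or the GGPSDD, whose actual library and the actual cause of the incident were never identified), the following Python sketch shows the principle the GGPSDD states above: the web application itself must keep each session's login state separate and bind an authentication response to the session that initiated it. It contrasts a callback handler that trusts whatever identity arrives on a connection with one that checks the OAuth 2.0 `state` value minted for that session, so that a response delivered to the wrong session, wherever the mix-up originates, is rejected before any identity is attached. The in-memory session store, the function names and the two-user scenario are constructed assumptions.

```python
import secrets
from typing import Dict, Optional

# Constructed in-memory session store: session id -> per-session data.
# Assumption (not from the decision): the application keeps one record per
# session and never shares login state between sessions or in process globals.
SESSIONS: Dict[str, dict] = {}


class AuthMixupError(Exception):
    """Raised when an authentication response is not the one this session initiated."""


def new_session() -> str:
    """Create an empty session and return its unguessable session id."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {}
    return sid


def begin_login(sid: str) -> str:
    """Start the authorization-code flow for one session.

    The random `state` is stored only in the initiating session; the identity
    provider echoes it back on the redirect (RFC 6749, section 10.12).
    """
    state = secrets.token_urlsafe(16)
    SESSIONS[sid]["oauth_state"] = state
    return state


def handle_callback_unchecked(sid: str, state: str, claims: dict) -> str:
    """Handler that trusts whatever identity arrives on the connection.

    If an intermediary delivers another user's response to this session, the
    session is silently logged in as that other user (the failure mode above).
    """
    SESSIONS[sid]["user"] = claims["sub"]
    return claims["sub"]


def handle_callback(sid: str, state: str, claims: dict) -> str:
    """Hardened handler: the returned `state` must match this session's own.

    The stored state is single-use, so a rejected attempt forces a fresh login.
    """
    expected = SESSIONS[sid].pop("oauth_state", None)
    if expected is None or not secrets.compare_digest(expected, state):
        raise AuthMixupError("authentication response does not belong to this session")
    SESSIONS[sid]["user"] = claims["sub"]
    return claims["sub"]


def current_user(sid: str) -> Optional[str]:
    """Identity attached to one session only; never a process-wide 'last user'."""
    return SESSIONS[sid].get("user")


def simulate(handler) -> dict:
    """Constructed scenario: two users log in, and user B's redirect is
    delivered on user A's session. Returns what each session ends up holding."""
    sid_a, sid_b = new_session(), new_session()
    begin_login(sid_a)
    state_b = begin_login(sid_b)
    # B's response (B's state, B's claims) arrives on A's connection.
    try:
        handler(sid_a, state_b, {"sub": "user-B"})
        outcome_a = "accepted"
    except AuthMixupError:
        outcome_a = "rejected"
    # B's own session receives B's response normally.
    handler(sid_b, state_b, {"sub": "user-B"})
    return {"a_outcome": outcome_a,
            "a_user": current_user(sid_a),
            "b_user": current_user(sid_b)}


if __name__ == "__main__":
    print("unchecked:", simulate(handle_callback_unchecked))
    print("checked:  ", simulate(handle_callback))
```

With the unchecked handler, session A ends up logged in as user-B, which is exactly the cross-user exposure the letter describes; with the state-bound handler the stray response is rejected and session A holds no identity. The check costs one random value per login and does not depend on knowing whether a proxy, load balancer or library reordered the responses, which is why it is a useful control even when, as here, the root cause could not be determined.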
In its memorandum, the Ministry also states that, given that a) the implementation of the digital application for the "Tourism for All" programme was developed in collaboration with the Ministry of Digital Governance, which guided the Ministry of Tourism in planning and developing the interoperability of services through the Interoperability Centre of the GGPSDD and the contractor company THREENITAS AE cooperating with the Ministry of Digital Governance, and b) in the cooperation of the Offices of the two Ministers (Tourism and Digital Governance), the Strategic Planning Department of the Ministry of Tourism immediately informed the Ministry of Digital Governance and the GGPSDD supervised by it about this incident. The Ministry of Tourism did not know the terms of the contract with the contractor. For the above reasons it was also considered, incorrectly, that the e-mail address dpo@mintour.gov.gr included in the terms of use of the application was an e-mail address which would be operated by the Ministry of Digital Governance and would not be managed by the Ministry of Tourism. Besides, as mentioned in the Memorandum of Cooperation, the platform's content was designed according to the instructions of the Ministry of Tourism, which, however, never provided this e-mail address for the Programme, but only its own e-mail address tourism4all@mintour.gr. Moreover, all e-mail addresses of the Ministry of Tourism are of the form xxxxxxx@mintour.gr, and that address is not among them; the tourism4all@mintour.gr address was created on 16.06.2020 in order to receive questions, complaints, etc. regarding the Programme. This complaint was also sent to this e-mail address and there was an immediate reaction, as described in all the documents of the Ministry to the Authority. Finally, the Ministry of Tourism states that with contract no.
23/2021 (ADAM: 21SYMV008841946 2021-06-30) it assigned the provision of Data Protection Officer services to the company Interactive OE and submitted notification no. … to the Data Protection Authority (APD) for the appointment of the Data Protection Officer. Therefore, the Ministry of Tourism has already appointed a Data Protection Officer. On 16.07.2021 the Terms of Use and Data Protection Policy of the application www.tourism4all.gov.gr were updated with the e-mail contact address of the DPO, namely dpo@mintour.gr.

The Authority, after examining all the elements of the file and after hearing the rapporteur and the assistant rapporteurs, who (the assistants) left after the discussion of the case and before the deliberation, and after a thorough discussion,

THOUGHT IN ACCORDANCE WITH THE LAW

1. According to the provisions of Articles 51 and 55 of the General Data Protection Regulation (EU) 2016/679 (hereinafter, GDPR) and Article 9 of Law 4624/2019 (Government Gazette A' 137), the Authority has the competence to supervise the implementation of the provisions of the GDPR, of that law and of other regulations concerning the protection of individuals with regard to the processing of personal data.

2. According to Article 4(7) of the GDPR, the controller is defined as "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law". Under Article 4(8), the processor is defined as "the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller".

3. The same article defines a personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".

4. Pursuant to Article 5(2) of the GDPR, the controller is responsible for, and must be able to demonstrate, compliance with the processing principles established in paragraph 1 of the same article, which include the lawfulness, fairness and transparency of the processing under Article 5(1)(a), and the confidentiality and integrity of the data under Article 5(1)(f). As a result of this provision, the GDPR has adopted a compliance model with this accountability principle as its central pillar, under which the controller is required to design, implement and generally take the necessary measures and policies so that data processing is consistent with the relevant legislative provisions and, in addition, must itself be able to demonstrate, at all times, its compliance with the principles of Article 5(1) of the GDPR.

5. With regard to the principle of transparency of processing, the GDPR imposes specific obligations on controllers as to the information they must provide to data subjects. In particular, under Article 12(1) of the GDPR, the controller shall take appropriate measures to provide the data subject with all the information referred to, inter alia, in Article 13, which states that "where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information: (a) the identity and the contact details of the controller and, where applicable, of the controller's representative; (b) the contact details of the data protection officer, where applicable; (c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; (…)" (see Article 13(1) of the GDPR).
Furthermore, Article 12(2) of the GDPR provides that "the controller shall facilitate the exercise of data subject rights (…)".

6. Under Article 28(2) of the GDPR, the processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes. Furthermore, paragraph 3 of the same article stipulates that processing by a processor shall be governed by a contract or other legal act under Union or Member State law, which is binding on the processor with regard to the controller and sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. In addition, paragraph 4 of the same article stipulates: "Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures (…)". Paragraph 9 of the same article clearly states that "the contract or the other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form".

7. In accordance with Article 24(1) of the GDPR, the controller, taking into account the nature, scope, context and purposes of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR, and those measures shall be reviewed and updated where necessary. Furthermore, in accordance with Article 32 of the GDPR, "taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, (…) measures to ensure a level of security appropriate to the risk, including, inter alia, as appropriate: (…)". In addition, paragraph 2 provides that "in assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed".

8. With regard to personal data breach incidents, the GDPR imposes specific obligations on controllers. In particular, Article 33 stipulates that in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority (under Article 55 of the GDPR on the competence of supervisory authorities, the supervisory authority competent for this incident is the Hellenic Data Protection Authority), unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
Paragraph 3 of Article 33 stipulates the information that must at least be included in such a notification, including, inter alia, "(b) the name and contact details of the data protection officer or other contact point where more information can be obtained; (…) (d) the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects". Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay. Furthermore, according to Article 34 of the GDPR, when the personal data breach may endanger the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. This communication shall describe in clear and plain language the nature of the personal data breach and shall contain at least the information and measures referred to in Article 33(3)(b), (c) and (d). Communication to the data subject is not required if one of the conditions described in that paragraph is met.

9. According to Article 37(1) of the GDPR, "the controller and the processor shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body (…)". Furthermore, paragraph 7 of the same article provides that the controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority. In addition, as mentioned above, the contact details of the data protection officer must also be made available to data subjects. Regarding the role of the Data Protection Officer, it is pointed out that, inter alia, as provided in Article 38(4) of the GDPR, "data subjects may (…)".

10. In this case, the Ministry of Tourism is the controller, within the meaning of Article 4(7) of the GDPR, of the processing of personal data that takes place within the "tourism4all" platform, according to the above documents of the Ministry and based on the relevant information. This also follows from Joint Ministerial Decision no. 9022/2020 "Programme 'Tourism for All' year 2020" (Government Gazette B' 2393). In particular, Article 1(2) of Joint Ministerial Decision (K.Y.A.) no. 9022/16.06.2020, as amended by K.Y.A. no. 12181/31-07-2020 (Government Gazette B' 3155), provides that "for inclusion in the programme an application is required, which is submitted by the beneficiaries in the electronic application of the Ministry of Tourism www.tourism4all.gov.gr through the Single Digital Portal of Public Administration", while Article 7(4) of the same JMD provides that "by submitting the application for participation, consent is given to the Ministry of Tourism for the processing of the above personal data of the applicant and its beneficiary members. The above data are kept by the Ministry of Tourism for two (2) years from the issuance of the Final Register of Beneficiaries and the Final List of Excluded Persons and in any case until the completion of the programme". Therefore, the reference to consent (which cannot be used as a legal basis for the processing of personal data for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller) (…)

11. The Ministry of Digital Governance, through the GGPSDD, is the processor for the implementation and operation of the platform, since Article 7 of the above K.Y.A. provides that "for inclusion in the Programme an application is required, which is submitted by the beneficiaries in the electronic application of the Ministry of Tourism www.tourism4all.gov.gr through the Unified Digital Portal of the Public Administration.
The application requires the prior authentication (verification of identity) of the beneficiaries using the credentials of the General Secretariat of Information Systems of Public Administration of the Ministry of Digital Governance (taxisnet)" and that "upon the electronic application, through the web services of the Interoperability Centre of the General Secretariat of Information Systems of Public Administration of the Ministry of Digital Governance, (…) personal data of the applicant (…) are retrieved and provided to the Ministry of Tourism by the information systems of A.A.D.E., of HDIKA SA and the Citizens' Register of the Ministry of the Interior". The contractor company THREENITAS SA, cooperating with the Ministry of Digital Governance for this processing, is also a processor (and, if it has contracted with the processor, it is essentially a sub-processor, as described in Article 28(2) of the GDPR). Furthermore, this conclusion also emerges from the facts as arising from the case file: even in the initial period during which there was no contract and no written assignment of the processing, the application was implemented in the manner described above. Furthermore, as appears from the documents submitted by the controller to the Authority, EDYTE SA, a body supervised by the Ministry of Digital Governance, is also a processor.

12. With regard to the data breach incident under consideration, it appears that immediate action was taken by the controller to investigate and deal with it. It is noted that, for technical issues of processing security, the relevant responsibility appears to lie with the processors, i.e. the Ministry of Digital Governance in particular as regards user authentication, and THREENITAS SA as regards the implementation of the e-voucher platform under the programme; therefore, the controller's action of immediately contacting the Ministry of Digital Governance, and also of temporarily suspending the operation of the platform, is considered appropriate. Also, the additional security measure implemented to deal with it, as proposed by THREENITAS SA (i.e. the use of a second authentication factor), is in the right direction, although it is not related to the root cause of the incident, which in fact could not be determined. The issues raised in relation to this breach are the following:

A) Specifically, there was no contract between the Ministry of Digital Governance (processor) and THREENITAS SA (sub-processor), since it was only signed in September 2020, while it does not appear that the (even general) authorisation of the Ministry of Tourism, as controller, was requested for this assignment (although it appears that the controller was aware of it). Furthermore, the memorandum of cooperation between the Ministry of Tourism, as controller, and the Ministry of Digital Governance, as processor, in which the role of EDYTE SA is defined, was also drawn up in September 2020, i.e. after this processing had begun and a breach incident had been investigated. According to the controller, this delay is due to the urgency of starting this processing because of the pandemic and in order to strengthen domestic tourism and support the domestic tourism market (a purpose that is clearly in the public interest). However, the absence of a written contract or other legal act, in addition to being a violation of Article 28(9) of the GDPR (footnote 6: cf. also Guidelines 7/2020 of the European Data Protection Board on the concepts of controller and processor, which clearly state: "(…) non-written agreements (regardless of how thorough or effective they are (…) considered sufficient to meet the requirements laid down by Article 28 GDPR", available at https://edpb.europa.eu/system/files/2021-07/eppb_guidelines_202007_controllerprocessor_final_en.pdf), does not allow the definition of a (…) for dealing with breaches, with a clear distinction and definition of the role and responsibility of each body (both the controller and the processors). It was not possible for the parties involved to find out the source of the incident: as emerged from the case file, the controller (…) sought further views from the Ministry of Digital Governance, without receiving a response. About a year after the incident (i.e. in June 2021), it requested and received a response from the contractor Threenitas, according to which no explanation was found for the incident and the specific error could not be reproduced, and finally the views of the Ministry (…), while the views of THREENITAS were requested again after the hearing and received. In any case, only speculation as to the operative cause of the incident is made, relating in particular to a possible error in the ready-made software libraries used, without the cause being clearly identified. The above constitutes a breach of the fundamental requirement to take appropriate organisational and technical measures for the security of processing, in accordance with Article 32 of the GDPR, in conjunction with Article 24, as the controller did not take into account the risks to the rights and freedoms of natural persons in determining security measures. It should also be noted that the failure to identify processors leads to increased risks, such as the use of sub-processors which may not meet the requirements of the GDPR, or for whose use appropriate measures have not been taken.
Special mention is made of the use of Amazon's cloud computing services, which may mean that personal data have been transferred outside the EU. In any case, the use of this cloud adds another processor to the present activity, for which, given that Amazon appears to be a group of companies subject to U.S. law, an analysis of lawfulness should have been carried out (…) (footnote 7: Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, https://edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations-012020-measures-supplement-transfer_en), while the Ministry of Tourism, as controller, did not indicate that it was aware of this at the time when it was informed of the incident, since, apart from the absence of contracts, it makes no relevant reference.

B) There was no notification of this incident to the Authority as required by Article 33 of the GDPR. It is noted that, according to that article, notification is made without undue delay and, where feasible, within 72 hours from the moment of becoming aware of the event, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Based on the evidence in the case file, the controller, with the information it had within the first 72 hours of becoming aware of the incident, could not consider that there could be no risk to the affected persons, as it did not have a clear picture of the source of the incident, while the incident itself, on the controller's own knowledge, already involved the disclosure of data, including health data, to third parties. Therefore, a notification should have been submitted to the Authority, taking into account that, according to paragraph 4 of the same article, "where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay". The controller's submissions that it did not notify the Authority because, on the one hand, the citizen had already informed the Authority and (…) do not release the controller from the notification obligation under Article 33.

13. The controller had not appointed a Data Protection Officer during the period concerned by the case, in violation of Article 37(1) of the GDPR, as the appointment was made in July, i.e. after the lapse of three (3) years from the entry into force of the GDPR, while the announcement process had started in April 2021. Furthermore, despite the lack of appointment of a DPO, there was inaccurate information on the website of the platform about the existence of a DPO with contact details which, as the Authority found, were not valid. The controller states that this contact information was provided by the processor and that it considered it to be an e-mail address corresponding to the processor. However, this submission is irrelevant to the question of whether there is a violation of the above provision, since the controller has the obligation to inform data subjects fully and correctly, as well as the obligation to facilitate the exercise of rights (a purpose for which this address could be used, under Article 38(4) of the GDPR). In any case, it does not appear that the controller made such an assignment to the processor (see also above regarding the lack of a written contract or other legal act). As a result, there has been a breach of the obligations under Article 13 of the GDPR regarding the information provided to data subjects.

14. In view of the above, the Authority considers that there are grounds to exercise its corrective powers under Article 58(2) of the GDPR in relation to the established infringements.

15. The Authority further considers that, based on the circumstances identified, an effective, proportionate and dissuasive administrative fine should be imposed, pursuant to Article 58(2)(i) of the GDPR and under Article 83 of the GDPR, both to restore compliance and to punish the unlawful conduct.

16. Furthermore, the Authority took into account the criteria for determining the fine set out in Article 83(…) (…) of the public sector, and the Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679 issued on 03-10-2017 by the Article 29 Working Party (WP 253) (footnote 8: see https://ec.europa.eu/newsroom/article29/items/611237, last accessed 10/9/2021), as well as the actual circumstances of the case under consideration and in particular: (…) (ii) the fact that the controller was late in responding to the Authority's documents; (iii) the fact that the controller still does not have a clear picture of the source of the breach; (iv) the fact that the data subjects (…); (v) the fact that the appointment of the DPO by the controller was delayed by more than three years, while the relevant procedures, which led to the appointment of an external company as DPO, were not set in motion even after the Authority's original document pointing out this issue, but only after the lapse of two months from the Authority's reminder document of 01-02-2021, resulting in, among other things, a significant financial benefit to the controller from the breach of its obligation; (vi) the fact that the controller took immediate action to deal with the incident; (vii) the fact that no previous corresponding breach by the controller has been found; (viii) the fact that (…) brought to the attention of the Authority and on the basis of which it found the above violations of the
FGM, it does not appear that the controller caused material damage to the affected person as a result of the data breach, ix) The fact that the regarding the rights of the subjects is subject, in accordance with the provisions of article 83 par. 5 ed. b) GPD, in the higher foreseen category of the system of grading the administrative fines.

17. In view of the above, the Authority unanimously decides that the administrative sanctions referred to in the operative part, which are considered proportionate to the severity of the infringements, should be imposed on the controller against whom the complaint was made.

FOR THESE REASONS

The Authority,

Imposes on the Ministry of Tourism, as controller, the effective, proportionate and dissuasive administrative fine which is appropriate in this case according to its specific circumstances, amounting to seventy-five thousand euros (75,000.00), for the above infringements of Articles 13, 32, 33 and 37 of Regulation (EU) 2016/679, according to article 58 par. 2 (i) of the GDPR in combination with article 83 par. 4 and 5 of the GDPR and article 39 par. 1 of law 4624/2019.
The President: Konstantinos Menoudakos

The Secretary: Irini Papageorgopoulou