HDPA (Greece) - 61/2022
| HDPA - 61/202234 | |
|---|---|
 | |
| Authority: | HDPA (Greece) |
| Jurisdiction: | Greece |
| Relevant Law: | Article 5(1)(a) GDPR Article 6(1)(e) GDPR Article 12 GDPR Article 13 GDPR Article 25(1) GDPR Article 35 GDPR Article 46 GDPR National Law 3471/2006, article 4 National Law 4624/19, article 37 |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 01.11.2022 |
| Published: | 01.11.2022 |
| Fine: | n/a |
| Parties: | Ministry of Education and Religious Affairs |
| National Case Number/Name: | 61/202234 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Greek |
| Original Source: | DPA.gr (in EL) |
| Initial Contributor: | Anastasia Tsermenidou |
The Greek DPA examined the Ministry of Education and Religious Affairs compliance with the provisions of the legislation on the processing of personal data with regards to distant learning.
English Summary
Facts
The DPA examined the compliance of the Ministry of Education and Religious Affairs (the controller) with the recommendations of Decision 50/2021 on the compatibility of distant learning in the primary and secondary education sector, with the provisions of the legislation based on the processing of personal data.
In the original decision, the DPA had found four different shortcomings. First, no detailed investigation had been carried out into the legality of the purposes of processing on the part of the controller, in particular in relation to consent to access information stored on a user's terminal equipment when this is not necessary for the provision of the service requested by the user. Second, the information provided to data subjects was less than that required by the GDPR, and the information was not provided in an intelligible and easily accessible form with clear and simple wording, especially if it was also addressed to children. Third, the security measures in place, although in the right direction, needed to be made accessible to every teacher, and it must be ensured that all teachers involved in the distance learning process received the minimum required information. Fourth, a proper assessment of the transfer of data to countries outside the EU had not been carried out, especially in light of the CJEU's decision in case C-311/18 (Schrems II). The DPA had issued a reprimand for each of the above discussed shortcomings.
As a response to the DPA's decision, the controller adopted a number of supplementary measures in order to comply with the relevant data protection legislation. Among others, it conducted a more detailed analysis on the lawfulness of the purposes of processing. The controller also drafted a new information document regarding the processing activities, in a way that would be comprehensible for pupils, students as well as parents and staff. Moreover, new security measures were introduced next to updated supplementary measures with regards to data transfers to third countries, in particular the US.
The DPA reviewed the additional measures taken by the controller and issued a new decision on compliance with the GDPR and national data protection law.
Holding
The DPA considered that no new remedy was required and invited the controller to make the necessary amendments to improve their transparency. In particular, the information provided to data subjects via the website should follow a multi-level approach and better information on the use of cookies was required.
Additionally, the DPA announced that it would address the more general issue of the application of Chapter V of the GDPR to video-conferencing services of companies belonging to a group controlled by an entity subject to US law with other supervisory authorities through the cooperation and consistency procedures of the GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Summary The Authority examined ex officio the compliance of the Ministry of Education and Religious Affairs with the recommendations of decision 50/2021 on the compatibility of modern distance education in primary and secondary school units with the provisions of the legislation on the processing of personal data. The Authority considers that no new corrective measure is required and calls on the Ministry to make the necessary amendments to improve transparency. In particular, the information provided to data subjects through the website must follow a multi-level approach, while an improvement in the information regarding the use of "cookies" is required. The Authority will consider the broader issue of the application of Chapter V of the GDPR to videoconferencing services of companies that are part of a group controlled by an entity subject to US law. with the other supervisory authorities through the cooperation and coherence procedures of the Regulation.
