On January 29, 2024, the DPA issued a decision concluding that the Ministry of Rural Development and Food had breached GDPR provisions due to its failure to appoint a Data Protection Officer (DPO) and its lack of appropriate cooperation with the Authority. In accordance with its mandate, the DPA imposed two fines totaling €25,000.
Let’s examine the specific GDPR provisions that were violated and the fines imposed, under the DPA’s corrective powers as outlined in Article 58(2) of the GDPR, (“Each supervisory authority shall have all of the following corrective powers: to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case”).
Firstly, the DPA imposed a €5,000 fine because the ministry failed to submit a completed questionnaire on time. The questionnaire, which concerned the designation and role of the DPO—as mandated for all public authorities—had been sent to selected public bodies as part of a broader initiative of the European Data Protection Board (EDPB). The ministry’s failure to respond in a timely manner constituted a violation of Article 31 of the GDPR, which requires data controllers and processors to cooperate with supervisory authorities upon request.
The DPA stated that the Ministry failed to respond despite multiple phone calls to elicit a response, during which it was revealed that at the time, the ministry was either in the process of finding a new DPO or renewing an existing contract.
Secondly, the DPA therefore imposed a €20,000 fine for the failure to appoint a DPO, in violation of Article 37 of the GDPR. This article stipulates, among other things, that:
1.The controller and processor shall designate a data protection officer in any case where the processing is carried out by a public authority or body
3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.
5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
6. Τhe data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.
7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.
The DPA noted that the Ministry had no appointed DPO between August 4, 2022 and June 20, 2023.
Under the rule of law, public authorities are obliged to fully comply with EU and national legislation regarding the protection of citizens’ personal data during lawful processing procedures.
However, the DPA’s investigation clearly established that the Ministry of Rural Development and Food violated GDPR provisions—specifically Articles 31 and 37.
Bank Account number: 1100 0232 0016 560
IBAN: GR56 0140 1100 1100 0232 0016 560
BIC: CRBAGRAA
In a time where the very foundations of democracy are gradually being eroded by the rise of extreme nationalism, alt-right movements, the spread of disinformation and corporate capture, the efforts of organisations such as Vouliwatch are more relevant than ever.
We rely on the generosity of each and every one of you to continue with our efforts for more transparency and accounta
By financially supporting Vouliwatch you support our litigation strategy, our campaigns for transparency and accountability in the political system, the development of new civic tech tools, our research projects and last but not least our impartial and accurate