REPORTS
DPA: Non-compliance of the Ministry of Climate Crisis and Civil Protection with GDPR Standards
On 27 November 2024, the independent authority for Data Protection (DPA) published its finding that the Ministry of Climate Crisis and Civil Protection has violated a number of provisions of the General Data Protection Regulation (GDPR), as a result of which the Authority has imposed three administrative fines totalling EUR 50,000 against the Ministry, a competence that derives from Article 58(2) of the GDPR.
Let’s see in detail which provisions of the GDPR were violated by the Ministry of Climate Crisis and Civil Protection, and what fines were imposed:
Firstly, the DPA imposed a fine of €5,000 as the ministry failed to submit within the deadline a questionnaire that the independent authority was required to complete regarding the Data Protection Officer (DPO) that public services are required to have.
This questionnaire was sent on behalf of the DPA to selected public sector bodies, as part of a wider initiative of the European Data Protection Board (EDPB). However, the ministry’s failure to return the completed document violated Article 31 of the GDPR, which requires cooperation with the supervisory authority.
Secondly, the DPA imposed a fine of 25,000 euros on the basis that the Ministry had failed to appoint a Data Protection Officer (DPO), in violation of Article 37 of the GDPR, which provides, inter alia: “1. The controller and the processor shall designate a data protection officer in any case where: a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;…3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size….5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39…6.The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract. 7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.”
Thirdly, the DPA imposed a fine of EUR 20,000 for violations – on the part of the Ministry – of Articles 12 and 32 (1 and 2), in conjunction with Article 5(1), as well as Articles 25 and 30 of the GDPR.
According to the reasoning of the Authority, the violation of the above provisions resulted from the fact that the Ministry of Climate Crisis and Civil Protection did not take the appropriate measures to provide citizens with transparent information regarding their rights, as well as to facilitate the exercise of these rights, as provided for in Article 12 of the GDPR. Furthermore, the ministry did not take appropriate measures to protect personal data, as provided for in Article 25 of the GDPR, and also failed to keep a record of activities ,in breach of Article 30 of the GDPR.
Under the rule of law, public authorities must strictly comply with EU and national legislation on the protection of citizens’ personal data in their data processing procedures.
However, in this case, an investigation by the independent Data Protection Authority (DPA) documented that the Ministry of Climate Crisis and Civil Protection violated several provisions of the General Data Protection Regulation (Articles 31, 37, 12 and 32(1,2) in conjunction with Article 5(1), as well as 25 and 30 of the GDPR).
Bank Account number: 1100 0232 0016 560
IBAN: GR56 0140 1100 1100 0232 0016 560
BIC: CRBAGRAA
In a time where the very foundations of democracy are gradually being eroded by the rise of extreme nationalism, alt-right movements, the spread of disinformation and corporate capture, the efforts of organisations such as Vouliwatch are more relevant than ever.
We rely on the generosity of each and every one of you to continue with our efforts for more transparency and accounta
By financially supporting Vouliwatch you support our litigation strategy, our campaigns for transparency and accountability in the political system, the development of new civic tech tools, our research projects and last but not least our impartial and accurate