A state governed by the rule of law must effectively protect the personal data of its citizens against technology giants and multinational companies that may use or process them in violation of the law, in order to serve their own interests.
However, this did not happen in the Greek government’s cooperation with Cisco for the e-learning system. The Hellenic Data Protection Authority (HDPA) identified significant violations of legislation on personal data protection, raising serious questions about the Ministry of Education and Religion’s handling of the data of hundreds of thousands of members of the educational community.
On 16 November 2021 the Authority made public its decision (50/2021) on the compliance of the e-learning system – implemented by the ministry during the pandemic – with a series of legislative provisions of the General Data Protection Regulation (GDPR) and Law 3471/2006 on the protection of personal data and privacy in the field of electronic communications.
The HDPA’s involvement in the case did not begin with the above decision, though, nor did the problems with Cisco first appear in 2021. In September 2020, the Authority issued an opinion (4/2020), in which it made recommendations to the Ministry of Education so that e-learning for schools fully complies with the provisions of the legislation on the processing of personal data. In fact, the Authority had spoken about the dangers regarding the personal data of students and teachers. These risks included, inter alia, the transfer of personal data outside the EU, the terms of the contract with Cisco (since its study showed that some data is kept by the private company), as well as the use of personal email addresses of teachers and their electronic transmission to Cisco, even if a teacher had not activated e-learning.
After a period of 14 months, the HDPA has published its decision, where it essentially examined whether the ministry complied with the above mentioned opinion, but also with the legislation on personal data. Not only did they not find compliance, but the Authority identified serious deficiencies and infringements in the following five areas:
Point 1: The Ministry of Education, in violation of GDPR, did not examine in detail the legality of the purposes of processing users’ personal data, in particular in relation to their consent to access information stored on a user’s terminal, when such access is not necessary for the provision of the service.
Point 2: They also identified serious issues around transparency, since the information provided to those who participate in the educational process regarding their personal data does not meet the standards identified by the GDPR as providing full information to users. In fact, what is provided is not easily accessible, nor is it simply and clearly worded, even though this is information aimed at students and children.
Regarding this violation by the Ministry of Education, the HDPA notes that, among other failures, the information provided “lacks the contact details of the data protection officer” and “there is no clarification regarding the maintenance of metadata, therefore the information is incomplete in terms of the categories of data, the purposes and the retention times associated with the processing of that data.” Also, “the text (with the information for informing the users) is written in an unstructured way” and “is not easily accessible, as it is contained in FAQs.”
Point 3: The Ministry of Education did not provide teachers and students with the appropriate training, nor the necessary security measures, in order to know how to effectively protect their personal data. This is because, according to the HDPA, “the Ministry of Education as the party in charge of processing […] did not apply at the time of processing appropriate technical and organizational measures for the application of data protection principles and the incorporation of the necessary guarantees. The measures implemented thus far are in the right direction and must be supplemented so as to make them available to every teacher, while it must also be ensured that all teachers involved in the distance learning process have received some basic information to ensure the reduction of risks,” reasons the Authority.
Point 4: The Ministry of Education did not fulfill its GDPR obligations in relation to the expression of the opinion of the subjects or their representatives, i.e. it did not give the opportunity to students and their guardians to express their opinion about the processing of their personal data in order to ensure the “legal basis for the processing of their personal data.”
Point 5: Data transfer to non-EU countries was not properly assessed. The HDPA notes that Cisco (in this case the group and its companies) is subject to US law and therefore effective complementary measures had to be taken to ensure an adequate level of personal data protection, commensurate with that enshrined in EU and national law. However, such measures were not adopted.
After identifying the violations of the legislation, the Authority proceeded to reprimand the Ministry and ordered that the shortcomings be addressed within two months (four for the transmission of data).
The Ministry of Education reacts with surprise
Two days later, on November 18, the ministry issued a statement reacting to these accusations. The ministry referred to “incorrect assumptions,” and the leadership claimed that the decision was surprising “due to the sudden change of direction by the Authority and the bypassing of its ongoing dialogue with the Ministry of Education and Religion.”
“The HDPA, with its 4/2020 opinion, had in principle considered e-learning legal, making some recommendations which were adopted by the Ministry within the stipulated three-month deadline. Since then, while the Ministry has been in constant contact with the Authority and provided additional requested information, no deviations from the privacy policy are noted, nor was there any mention of the points the HDPA have now invoked to justify its new decision,” noted the ministry.
The announcement shows that the ministry disputes not only the rationale of the decision, but also the integrity of the Authority, accusing it of suddenly and misleadingly changing course.
This case presents as particularly problematic in the context of a proper and lawful functioning of government within the rule of law, as the Ministry of Education didn’t only violate GDPR and the legislation on personal data protection, but also the Rules of Procedure of the Parliament in the context of parliamentary scrutiny, as well as transparency legislation.
One of the modern requirements of the rule of law is the effective protection of citizens’ personal data.
However, in this case, according to the HDPA, the Ministry of Education and Religion failed to fulfill this requirement, violating both the General Regulation on Data Protection (GDPR) and Law 3471/2006 on the protection of personal data and privacy in the field of electronic communications.
Bank Account number: 1100 0232 0016 560
IBAN: GR56 0140 1100 1100 0232 0016 560
BIC: CRBAGRAA
In a time where the very foundations of democracy are gradually being eroded by the rise of extreme nationalism, alt-right movements, the spread of disinformation and corporate capture, the efforts of organisations such as Vouliwatch are more relevant than ever.
We rely on the generosity of each and every one of you to continue with our efforts for more transparency and accounta
By financially supporting Vouliwatch you support our litigation strategy, our campaigns for transparency and accountability in the political system, the development of new civic tech tools, our research projects and last but not least our impartial and accurate
