Hellenic Ministry of Education and Religions Affairs – Violation Found (Greece, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Greek Data Protection Authority found that the Hellenic Ministry of Education did not fully assess privacy risks when rolling out online learning during COVID-19. They advised the Ministry to improve their data protection practices. This case highlights the importance of thorough privacy checks, especially when using new technologies.
What happened
The Hellenic Ministry of Education failed to adequately assess privacy risks in their distance learning program.
Who was affected
Students and teachers using the Ministry's distance learning platform were affected by potential privacy oversights.
What the authority found
The Greek Data Protection Authority found that the Ministry's data protection impact assessment was insufficient and needed improvements.
Why this matters
This case underscores the need for thorough privacy assessments when implementing new tech solutions, especially in education. It serves as a reminder for organizations to prioritize privacy from the start.
GDPR Articles Cited
National Law Articles
Due to COVID-19 pandemic period, the Hellenic Ministry of Education and Religions Affairs (the Ministry) decided to promote and implement a method of distance learning by technological means for students in primary and secondary education. The Greek DPA (HDPA) considered this method legal, but found that the Ministry had failed to consider a number of factors and risks in relation to the rights and freedoms of the data subjects when conducting a Data Protection Impact Assessment (DPIA). Recognizing the need for the contemporary distance education, the HDPA provided an opinion to the Ministry to address the flaws and shortcomings. The HDPA called on the Ministry to make the appropriate changes to the DPIA within an exclusive period of three months. After that period, the HDPA analyzed once again the measures taken by the Ministry to assess whether the adopted method of distance learning and the measures that accompanied it complied with the GDPR. The HDPA examined the updated DPIA, as well as the compliance actions taken by the Ministry. The HDPA identified deficiencies as follows: first of all, the HDPA found that the Ministry never made a detailed investigation on the lawfulness of the processing purposes under Article 6(4) GDPR, in particular with regard to the consent for access to information stored in a user's terminal equipment, when is not necessary to provide the service requested by the user. Regarding the principle of transparency and the right to access by the data subject, according to Article 12 and 14 GDPR, the information provided by the Ministry to the data subjects was not considered appropriate and sufficient. The HDPA found in particular that the provided information was not easy to understand and (lack of accessibility and of clear and simple wording), especially vis-à-vis children. The HDPA further found that the applied measures, despite having been improved, still needed to be completed, in order to ensure in particular that all the teacher
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for Hellenic Ministry of Education and Religions Affairs in GR
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Hellenic Ministry of Education and Religions Affairs - Greece (2021). Retrieved from cookiefines.eu
Last updated: