Ministry of Education and Religious Affairs – Complaint Upheld (Greece, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Hellenic Data Protection Authority found that the Ministry of Education and Religious Affairs did not fully comply with data protection rules for online learning. The ministry improved its practices by updating security measures and providing clearer information to students and parents. This matters because it shows the importance of protecting personal data in educational settings.
What happened
The Ministry of Education and Religious Affairs failed to fully comply with data protection rules for distance learning.
Who was affected
Students, parents, and teachers involved in distance learning programs were affected.
What the authority found
The authority found that the ministry did not meet GDPR requirements for data processing, transparency, and security in online education.
Why this matters
This case highlights the need for educational institutions to ensure robust data protection measures, especially when handling children's data. It emphasizes the importance of clear communication and security in digital learning environments.
GDPR Articles Cited
National Law Articles
The DPA examined the compliance of the Ministry of Education and Religious Affairs (the controller) with the recommendations of Decision 50/2021 on the compatibility of distant learning in the primary and secondary education sector, with the provisions of the legislation based on the processing of personal data. In the original decision, the DPA had found four different shortcomings. First, no detailed investigation had been carried out into the legality of the purposes of processing on the part of the controller, in particular in relation to consent to access information stored on a user's terminal equipment when this is not necessary for the provision of the service requested by the user. Second, the information provided to data subjects was less than that required by the GDPR, and the information was not provided in an intelligible and easily accessible form with clear and simple wording, especially if it was also addressed to children. Third, the security measures in place, although in the right direction, needed to be made accessible to every teacher, and it must be ensured that all teachers involved in the distance learning process received the minimum required information. Fourth, a proper assessment of the transfer of data to countries outside the EU had not been carried out, especially in light of the CJEU's decision in case C-311/18 (Schrems II). The DPA had issued a reprimand for each of the above discussed shortcomings. As a response to the DPA's decision, the controller adopted a number of supplementary measures in order to comply with the relevant data protection legislation. Among others, it conducted a more detailed analysis on the lawfulness of the purposes of processing. The controller also drafted a new information document regarding the processing activities, in a way that would be comprehensible for pupils, students as well as parents and staff. Moreover, new security measures were introduced next to updated supplementary measures with regards
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Ministry of Education and Religious Affairs in GR
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Ministry of Education and Religious Affairs - Greece (2022). Retrieved from cookiefines.eu
Last updated: