Ministry of Climate Crisis and Civil Protection – €50,000 Fine (Greece, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Greek Ministry of Climate Crisis and Civil Protection failed to appoint a Data Protection Officer (DPO) and did not respond to a data protection authority's questionnaire. As a result, the authority fined the ministry €50,000 for multiple GDPR violations. This case underscores the necessity for public organizations to comply with data protection regulations and appoint a DPO.
What happened
The Ministry failed to appoint a Data Protection Officer and did not respond to a data protection authority's request for information.
Who was affected
The Ministry of Climate Crisis and Civil Protection and the public it serves.
What the authority found
The authority found that the Ministry violated several GDPR articles by not appointing a DPO and failing to provide necessary information about data protection.
Why this matters
This ruling stresses the importance of accountability and compliance with data protection laws for public organizations. It serves as a warning that failure to appoint a DPO can lead to significant penalties.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
On 3 May 2023, utilising its investigative powers, the Greek DPA sent a questionnaire to 31 public authorities, including the Ministry of Climate Crisis and Civil Protection (Controller), to assess the appointment and role of their DPO. The Controller failed to respond to the questionnaire on time, prompting the DPA to review its archives. It discovered no records of an appointed DPO and found that the Controller had not disclosed the DPO's contact details, as required under Article 37(1) GDPR and Article 37(7) GDPR.

The DPA summoned the Controller to an official hearing, where the Controller admitted that no DPO had been appointed. It argued that this was due to organizational changes between ministries, resource constraints, and reliance on an external consultancy firm to assist with data protection matters. The DPA also determined that the Ministry's website lacked any information regarding a designated DPO.

After its investigation, the DPA concluded that:
* The Controller violated Article 31 GDPR by failing to respond to the questionnaire in a timely manner.
* No DPO had been appointed since the Ministry's establishment (Article 37 GDPR). A DPO was appointed only after the DPA demanded explanations, and this appointment covered the General Administration rather than the Ministry itself.
* The Ministry breached the principle of accountability (Article 5 GDPR) by:
# Failing to appoint a DPO as required (Article 37 GDPR).
# Failing to provide clear and transparent information to data subjects about their rights (Article 12 GDPR).
# Not implementing measures to ensure GDPR-compliant data processing (Article 25 GDPR).
# Lacking a Register of Processing Activities (Article 30 GDPR).
# Failing to take or implement appropriate technical and organizational measures to ensure an adequate level of security against risks (Article 32 GDPR).

These failures resulted in a violation of the GDPR's principle of lawfulness (Article 5(1) GDPR). The DPA considered several factors when determining the pena
Related Enforcement Actions (0)
No other enforcement actions found for Ministry of Climate Crisis and Civil Protection in GR
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
26 April 2024
Authority
Hellenic Data Protection Authority
Fine Amount
€50,000
GDPRhub ID
gdprhub-8775
About this data
Cite as: Cookie Fines. Ministry of Climate Crisis and Civil Protection - Greece (2024). Retrieved from cookiefines.eu