Ministry of Climate Crisis and Civil Protection – €50,000 Fine (Greece, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On 3 May 2023, utilising its investigative powers, the Greek DPA sent a questionnaire to 31 public authorities, including the Ministry of Climate Crisis and Civil Protection (Controller), to assess the appointment and role of their DPO. The Controller failed to respond to the questionnaire on time, prompting the DPA to review its archives. It discovered no records of an appointed DPO and found that the Controller had not disclosed the DPO's contact details, as required under Article 37(1) GDPR and Article 37(7) GDPR. The DPA summoned the Controller to an official hearing, where it admitted that no DPO had been appointed. It argued that this was due to organizational changes between ministries, resource constraints, and reliance on an external consultancy firm to assist with data protection matters. The DPA also determined that the Ministry’s website lacked any information regarding a designated DPO. After its investigation, the DPA concluded that: * The Controller violated Article 31 GDPR by failing to respond to the questionnaire in a timely manner. * No DPO had been appointed since the Ministry's establishment Article 37 GDPR. A DPO was appointed only after the DPA demanded explanations, and this appointment covered the General Administration rather than the Ministry itself. * The Ministry breached the principle of accountability Article 5 GDPR by: # Failing to appoint a DPO as required Article 37 GDPR. # Failing to provide clear and transparent information to data subjects about their rights Article 12 GDPR. # Not implementing measures to ensure GDPR-compliant data processing Article 25 GDPR. # Lacking a Register of Processing Activities Article 30 GDPR. # For failing to take or implement appropriate technical and organizational measures to ensure an adequate level of security against risks Article 32 GDPR These failures resulted in a violation of the GDPR’s principle of lawfulness Article 5(1) GDPR. The DPA considered several factors when determining the pena
GDPR Articles Cited
On 3 May 2023, utilising its investigative powers, the Greek DPA sent a questionnaire to 31 public authorities, including the Ministry of Climate Crisis and Civil Protection (Controller), to assess the appointment and role of their DPO. The Controller failed to respond to the questionnaire on time, prompting the DPA to review its archives. It discovered no records of an appointed DPO and found that the Controller had not disclosed the DPO's contact details, as required under Article 37(1) GDPR and Article 37(7) GDPR. The DPA summoned the Controller to an official hearing, where it admitted that no DPO had been appointed. It argued that this was due to organizational changes between ministries, resource constraints, and reliance on an external consultancy firm to assist with data protection matters. The DPA also determined that the Ministry’s website lacked any information regarding a designated DPO. After its investigation, the DPA concluded that: * The Controller violated Article 31 GDPR by failing to respond to the questionnaire in a timely manner. * No DPO had been appointed since the Ministry's establishment Article 37 GDPR. A DPO was appointed only after the DPA demanded explanations, and this appointment covered the General Administration rather than the Ministry itself. * The Ministry breached the principle of accountability Article 5 GDPR by: # Failing to appoint a DPO as required Article 37 GDPR. # Failing to provide clear and transparent information to data subjects about their rights Article 12 GDPR. # Not implementing measures to ensure GDPR-compliant data processing Article 25 GDPR. # Lacking a Register of Processing Activities Article 30 GDPR. # For failing to take or implement appropriate technical and organizational measures to ensure an adequate level of security against risks Article 32 GDPR These failures resulted in a violation of the GDPR’s principle of lawfulness Article 5(1) GDPR. The DPA considered several factors when determining the pena
Related Enforcement Actions (0)
No other enforcement actions found for Ministry of Climate Crisis and Civil Protection in GR
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
26 April 2024
Authority
Hellenic Data Protection Authority
Fine Amount
€50,000
GDPRhub ID
gdprhub-8775About this data
Cite as: Cookie Fines. Ministry of Climate Crisis and Civil Protection - Greece (2024). Retrieved from cookiefines.eu
Last updated: