Greece: HDPA fines Ministry of Tourism €75,000 for failure to implement sufficient technical and organisational security measures and non-appointment of DPO
The Hellenic Data Protection Authority ('HDPA') published, on 29 December 2021, its decision No. 55/2021, in which it fined the Ministry of Tourism €75,000 for violations of Articles 13, 32, 33, and 37 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following its failure to implement sufficient technical and organisational security measures, which resulted in a data breach, as well as its failure to appoint a data protection officer ('DPO') during the period in question.
Background to the decision
In particular, the HDPA examined a report according to which an individual who attempted to submit an application via the Ministry's platform, travel4all.gov.gr, noticed that third parties' personal data was being leaked. Specifically, after the individual entered their own credentials, the personal data of another person appeared on the screen, including that person's tax registration number, social security registration number, postal address, phone number, and email address, as well as fields that could contain information about a disability. In other words, an authenticated user of the platform was shown another data subject's record rather than their own.
Findings of the HDPA
Following the HDPA's investigation, it was found that:
- The Ministry had not appointed a DPO, as required by Article 37(1) of the GDPR, even though a DPO contact email address was provided in the platform's privacy notice; that address was later found to be inactive. The HDPA noted that this also resulted in a violation of Article 13 of the GDPR, since the information given to data subjects was inaccurate.
- At the time of the incident there was no data processing agreement between the Ministry of Digital Governance, as the data processor, and Threenitas S.A. Software Systems, as the sub-processor. Moreover, the Ministry of Tourism, as the data controller, and the Ministry of Digital Governance only entered into an agreement in September 2020, i.e. after the processing in question had taken place and after the investigation into the data breach. According to the HDPA, this not only violated Article 28(9) of the GDPR but also prevented clear processes for handling data breaches from being established.
- The Ministry of Tourism failed to implement appropriate technical and organisational security measures, in accordance with Article 32 of the GDPR, and failed, as the data controller, to take into account the risks to the rights and freedoms of data subjects. On that note, the HDPA further highlighted that failing to clearly define the processors involved can create high risks, for example where sub-processors are used that may not meet all of the requirements of the GDPR.
- The Ministry of Tourism did not have a valid justification for its failure to notify the HDPA of the data breach in question, thereby violating Article 33 of the GDPR.
In determining the fine, the HDPA considered, among other things, the fact that:
- the data breach occurred, and sensitive personal data of the affected person was disclosed to a third party;
- the Ministry of Tourism failed to respond to the HDPA's correspondence in time;
- the Ministry of Tourism did not have a clear picture of the source of the data breach; and
- the exercise of data subjects' rights was not facilitated.
As a result, the HDPA issued a fine of €75,000 to the Ministry of Tourism.