Privacy Blog
Hellenic SA: Ex Officio Audit of Processing of Personal Data in the Context of COVID-19 Self-test Result Declaration
The Ηellenic Supervisory Authority (“SA” and/or the “Authority”), in exercising its ex officio competence under the GDPR and the national Law 4624/2019, examined the processing of personal data pursuant to seven Joint Ministerial Decisions concerning the free of charge distribution of self-tests to the eligible persons. The five controllers named in the relevant Joint Ministerial Decisions are IDIKA S.A., the Ministry of Labour and Social Affairs, the Ministry of Interior, the Ministry of Education and Religious Affairs and NAT.
It was found that the Ministry of Education and Religious Affairs was wrongly identified as the controller, by the relevant Joint Ministerial Decision, with regard to the category of religious officials included in the registry of Article 14, National Law 4301/2014 (“Organization of the Legal Form of Religious Communities and their organizations in Greece”).
In addition, the Authority found that IDIKA S.A., the Ministry of Labour and Social Affairs, the Ministry of Interior and NAT, as controllers, did not fully comply with the provisions of Article 13 of the GDPR regarding the information provided to the data subjects and reprimanded them for this infringement. Furthermore, it was considered that IDIKA S.A. violated the principle of the storage period limitation of data.
Also, it ordered NAT to remove the application from its IT system and delete any data of seamen—ship crew members that may exist therein.
Finally, the Ηellenic SA reprimanded IDIKA S.A. and the Ministry of Labour and Social Affairs for the overdue and incomplete drafting of the impact assessment they provided as well as imposed, on the Ministry of Interior and NAT, an administrative fine of EUR 5000 each for not complying with the obligation to carry out an impact assessment at all.
You can reach the full text of the press release here.
Kind regards,
Zumbul Attorneys at Law
info@zumbul.av.tr