On 23 June 2021, the Plenary of the Personal Data Protection Authority met to examine the appeals of 5 citizens against the General Secretariat for Civil Protection. The appeals relate to the failure to satisfy the right of access to personal data, as provided for by Greek and European legislation.
Homo Digitalis represented the 5 applicants at the meeting and subsequently submitted a memorandum to the Data Protection Authority. According to European legislation the threatened fine for the GDPR is up to 20 million euros per breach.
The decision of the Data Protection Authority on the case is expected soon.
Brief Background
On 23.11.2020, the applicants proceeded to exercise their right of access to the Controller, General Secretariat for Civil Protection (GSCP), on the basis of Article 15 of the GDPR, by means of an email to the Controller’s address info@gscp.gr, as stated in the GSCP’s Privacy Policy for the use of 13033.
As set out in the GDPR (Article 12(3)), and noted in the 13033 Privacy Policy, the controller must comply with this right without delay and at the latest within one month of the request.
The GGP as controller in breach of the provisions of Article 12(1)(a) of the GDPR shall, in its capacity as controller, ensure that the data are made available to the data subject without undue delay and without undue delay and in full knowledge of the facts. 3 and 4 of the GDPR, failed to reply to the complainants within one month of receipt of the request and failed to inform them, as it was required to do, within one month of the possible impossibility of responding immediately and satisfying their request and of the reasons for the delay, requesting a further extension of the time limit, in breach of the provisions of Article 12(3) and (4) of the GDPR. Moreover, it failed to inform the applicant within one month of the reasons for its failure to act and of the possibility of lodging a complaint and bringing a legal action (Article 12(4) of the GDPR).
In view of the above, two and a half months after exercising the right of access and having received no response from the GGPD, the applicants proceeded on 8/2/2021 to lodge the complaints under consideration before the Personal Data Protection Authority (the Authority).
The Authority invited the GDPR to submit the views on 16-02-2021. The GPO did not respond to this request of the Authority either.
To date (7 months later) the applicants have not received any response to the access requests. A copy of the views of the GSC was first communicated to them on 29 June 2021 following their request to the Authority.
It is noted that the views of the GPO were submitted to the Authority on 18 June 2021 after a significant delay of more than four months. At the first meeting, the GGP submitted a request for postponement of the discussion on the sole ground that the Secretary General for Civil Protection wished to represent the GGP in person, without having presented its views on the appeals up to that point. The request was granted, but the Secretary General did not even attend the adjourned debate.
The subject matter of the appeals is the failure to provide full and correct information and the failure to satisfy the right of access under Articles 15 and 12 of the GDPR.