Greek Ministry of Tourism: Insufficient technical and organisational measures to ensure information security

The Hellenic DPA has imposed a fine of EUR 75,000 on the Greek Ministry of Tourism. A data breach had occurred at the authority. According to the DPA, an attempt by a citizen to enter his or her credentials on the authority's online platform resulted in the display of someone else's credentials, including full name, tax number, social security number, postal address, phone number, email address, and fields indicating a disability. The DPA found that the ministry failed to implement adequate technical and organizational measures to secure personal data. The ministry failed to report the incident to the DPA. The DPA considered this to be a violation of Article 33 of the GDPR. The DPA's investigation also found that the Ministry of Tourism had not appointed a data protection officer, even though an email address of the authority's data protection officer was provided on the above-mentioned platform for communication with users of the platform. This email address, as it turned out, was not active.

GDPR Articles: Art. 13 GDPR, Art. 32 GDPR, Art. 33 GDPR, Art. 37 GDPR
Industry: Public Sector and Education