On October 11th, 2019, the Commissioner for personal data protection (the Commissioner) announced the results of an assessment conducted on the level of compliance with the provisions of the Regulation (EU) 2016/679 (the Regulation) and the Law 125(I)/2018 (the Law) in the Public Sector.
The Purpose of the Assessment
With this assessment, the Commissioner’s objective was to determine whether the Public Sector had, so far, adequately met the general obligations arising from the Regulation and the obligations concerning the Data Protection Officer (the DPO). Within one year from 25th of May 2018, all data controllers were required to begin taking the first steps towards compliance, including the designation and training of a DPO. The Commissioner initiated the process of evaluating the Public Sector’s compliance with the Regulation by issuing a questionnaire in July 2019 to be distributed and answered by all public Departments and Services.
The Commissioner’s Findings
As mentioned previously, the Commissioner’s current inquiry focused closely on how effectively the Public Sector had implemented the obligations concerning the DPO and on the degree to which measures such as employee training on matters of data protection, preparation and adoption of data protection policies, and appropriate response procedures to enquiries and requests by data subjects had been applied. The Commissioner’s main findings follow:
- Despite the fact that participation in the Commissioner’s inquiry was mandatory for the entire Public Sector, only 89 of the Public Services have provided relevant answers since July 2019.
- Even though 97% of the Public Services that answered the questionnaire had designated a DPO, most of them failed to provide their DPO with appropriate resources for effective execution of his/her duties. More particularly, the DPO would often lack ample time and the necessary education to be able to perform the required tasks.
- 86% had made an official announcement regarding the DPO’s appointment by the Public Service to the rest of the staff.
- 65% had published their DPO’s information on their website for the data subjects.
- 80% keep records of processing activities, while the remaining 20% have made no effort to keep any.
- Only 63% have provided training for their staff on matters regarding data protection.
- Only 52% have enforced response procedures to data subjects’ requests.
In conclusion, it is observed that the Public Sector has indeed taken its first steps towards compliance with the Regulation, although more persistent and intensive efforts are required in order to establish a higher quality of protection for the data subjects.
Furthermore, it should be mentioned that Article 58(1)(b) of the Regulation accords investigative powers to the Commissioner to conduct regular inspections on the overall adherence to the measures for data protection. Consequently, the Commissioner is planning on conducting more frequent on-the-spot inspections across the Public Sector to examine the progress of compliance and application of the provisions of the Regulation. The results of those inspections will determine whether administrative fines will be imposed on the Public Services, according to how sufficiently they have applied the Regulation’s provisions.
It is therefore advised that Public Services promptly take all required steps to be in compliance with the Regulation, beginning with the creation of the necessary GDPR policies, the provision of the necessary education for all employees regarding the processing of data, and the proper designation and training of a DPO.