On October 11th, 2019, the Commissioner for personal data protection (the Commissioner) announced the results of an assessment conducted on the level of compliance with the provisions of the Regulation (EU) 2016/679 (the Regulation) and the Law 125(I)/2018 (the Law) in the Public Sector.
The Purpose of the Assessment
With this assessment, the Commissioner’s objective was to determine whether the Public Sector had, so far, adequately met the general obligations arising from the Regulation and the obligations concerning the Data Protection Officer (the DPO). Within a time limit of one year from the 25th of May 2018, all data controllers were required to begin taking the first steps towards compliance, including the designation and training of a DPO. The Commissioner initiated the process of evaluating the Public Sector’s compliance with the Regulation by issuing a questionnaire in July 2019, to be distributed to and answered by all public Departments and Services.
The Commissioner’s Findings
As mentioned previously, the Commissioner’s current inquiry focused closely on how effectively the Public Sector had implemented the obligations concerning the DPO, and on the degree to which measures such as employee training on matters of data protection, the preparation and adoption of data protection policies, and appropriate response procedures to enquiries and requests by data subjects had been applied. Below follow the main findings of the Commissioner:
In conclusion, it is observed that the Public Sector has indeed taken its first steps towards compliance with the Regulation, although more persistent and intensive efforts are required in order to establish a higher quality of protection for the data subjects.
Furthermore, it should be mentioned that Article 58(1)(b) of the Regulation accords investigative powers to the Commissioner to conduct regular inspections on the overall adherence to the measures for data protection. Consequently, the Commissioner is planning on conducting more frequent on-the-spot inspections across the Public Sector to examine the progress of compliance and application of the provisions of the Regulation. The results of those inspections will determine whether administrative fines will be imposed on the Public Services, according to how sufficiently they have applied the Regulation’s provisions.
It is therefore advised that Public Services should promptly take all required steps to be in compliance with the Regulation, beginning with the creation of the necessary GDPR policies, the provision of the necessary education for all employees regarding the processing of data, and the proper designation and training of a DPO.