January 30, 2020

Data Protection Update: Cyprus Commissioner’s Decisions (October – December 2019)

On 13 January 2020 the Cyprus Office of the Commissioner for Data Protection (“Commissioner”) announced its Decisions for the period October – December 2019. Key issues and practical considerations arise which impact the majority of organisations and address gaps in compliance with the EU General Data Protection Regulation (“GDPR”).

The GDPR and national legislation substantially changed data privacy rules. By now organisations in the EU or organisations outside the EU which process personal data of EU residents should be in a position to demonstrate that they fulfil the necessary requirements for compliance.

Please find below outline of the Commissioner’s decisions for the period October – December 2019:

1.Financial fines in total amount of EUR82,000 to a travel and tourism Group of companies for breach of obligations under articles 6(1) and 9(2) of the Directive

In assessment of the fines various factors were considered including, the number of data subjects (total number of employees), the nature and the duration of the breach as well as the work cycle of the Group of companies.

The Group of companies used the Bradford Factor as a means for HR to assess employees’ absenteeism due to sickness-related reasons. The main rationale of the automated system using the Bradford Factor is that short, regular and unplanned absences can be more disorganising than larger absences. Following assessment of all data collected by the Commissioner to examine the matter and having heard the data controller, the Commissioner ultimately deemed that the processing in question lacked a legitimate basis and, therefore, must be terminated and the data erased.

For a synopsis of the rationale of the decision please visit the website of the Commissioner: https://bit.ly/2uIaOfg

2.Fine of EUR9,000 for personal data breach by public authority

The Commissioner examined the matter further to publications in the media in relation to public authorities and organisations in their capacity as the data processor of the automated SI system in a matter concerning a breach of personal data of a number of natural persons in their data base. The Commissioner requested confirmation, description of circumstances in relation to the incident, the nature of the breach, the proposed measures to minimise effects, the consequences of the breach and the security measures in force, as well as the reasons for which they did not operate or were not effective, to avoid the incident.

Ultimately, the Commissioner concluded that their was a breach of the Directive given lack of security measures and several reasons including, omission of the authority to provide the Commissioner with a comprehensive report in relation to the relevant security incident. Further details on the matter can be found at the website of the Commissioner at: https://bit.ly/2uIaOfg.

3.The Commissioner examined two complaints filed against a company with main establishment in Cyprus

    1. breach of right to access data
    2. breach of request to erase data

The complainants did not receive a response by the data controller within the timeframe provided by the Directive. Nonetheless, the Commissioner ultimately decided - on the basis of the explanations provided and actions taken by the company in question to address the issues - not to impose an administrative fine to the data controller (without prejudice in the event of future complaints for the same issue).

Please visit the website of the Commissioner at the following link for the full decision of this incident: https://bit.ly/2uIaOfg.

4.Complaint against a company that has its main establishment in Cyprus

The data subject filed a request for erasure at the company where he was previously employed. The company in question responded that certain of the data was erased, whereas other data will be stored for tax and VAT compliance purposes, and in the best interests of the company in the event of legitimate claims in accordance with Law on Limitation of Actions, (66(I)/2012).

The Commissioner ultimately deemed that the purposes of the data controller were indeed legitimate. Please see the website of the Commissioner at the following link for more information on this decision: https://bit.ly/2uIaOfg.

5.Complaints against a doctor member of GESY for registering clients without consent

The doctor claimed that it occurred by omission as a doctor of the relevant football game and team, albeit without consent, and bad communication with the relevant football team.

Despite the final erasure of their data, the Commissioner concluded that there was a breach of article 9(2)(a) of the GDPR and imposed, whereas the doctor was informed that if similar breach occurs in the future, it will be considered as an aggravating factor.

6.Receipt of marketing material without a free toll number for termination of the messages, despite already having complained against the same data controller

In the framework of examining the matter, the data controller claimed amongst other things that the number of the complainant had been removed however for technical reasons the system provider did not operate and that the system provider did not offer a free toll termination number.

Given the various mitigation factors concerned, including that there was no previous complaint at the Commissioner against the same data controller from any other data subject, a fine of EUR1000 was imposed.

7.Receipt of marketing material despite having already complained on the same issue against the same data controller

Upon examination of the matter, the data controller claimed that the dispatch was by omission given the previous responsible officer did not inform management on dispatch of the messages, hence the new responsible officer did not have the informed list of messages dispatched.

The Commissioner concluded that the data controller was obliged to undertake appropriate technical and organisational measures so that the claims of data subjects are respected, regardless if other members of staff had changed.

As a result the data controller was fined EUR1200.

8.Report against a company with main establishment in Cyprus

To participate in a game the data subject created an online account on the website operated by the relevant company. The data subject thereafter attempted to delete the account created. The company however suggested deactivation of the account, without satisfying the request for erasure.

Following examination of the complaint the company responded that it is obliged to maintain certain data for a particular timeframe, to comply with the provisions of relevant legislation. However, it ultimately confirmed the erasure of the data of the data subject, given that such erasure would not breach the provisions of any legislation.

Having examined the company’s Privacy Policy the Commissioner established that the information contained therein was not satisfactory in relation to the rights of data subjects and requested review and notification of the Privacy Policy accordingly.

Our Data Protection practice group helps SMEs and large organisations in a wide range of sectors to comply with the GDPR and national legislation, and the relevant guidelines of the Commissioner for Personal Data Protection.

Our technical associates focus on technology and cybersecurity aspects to cover all angles of the necessary exercise, in line with the rapid shifts in technological disruption.

We advise on the appropriate safeguards that must be implemented in the Digital Age, particularly considering the substantial risks and potential consequences involved.


Please do not hesitate to contact us if you require any related advice or support.

Find out more here.

Copyright © 2020 K. A. Kourtellos & Co LLC
K. A. Kourtellos & Co LLC is regulated by the Cyprus Bar Association
magnifiercrossmenuarrow-up linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram