Personal Data Protection Fines in Cyprus from July to September 2019

In 2019 the office of Cyprus Commissioner for the protection of personal data has received several complaints about the processing of personal data. After investigation of these complaints, administrative fines have been imposed in some cases while in others, only warnings and reprimands to the relevant Organisations and/or persons have been issued. Below is a summary of the Commissioner’s decisions during the period from July to September 2019:    
 

• Complaints about the sending of messages in the run-up to the European elections against political parties and/or candidates for Europeans elections

 

• A member of a political party had informed them that he did not wish anymore to receive any commercial/political promotional messages from them. Despite the withdrawal of his consent, the political party kept sending him messages and calling him in relation to the European elections. After taking into account that the messages sent to that person enabled him to withdraw his consent in an easy way and for free, Commissioner decided to just issue a warning to the political party and recommended taking all the necessary measures so that all their archives are updated at the same time once a consent is withdrawn.
• A candidate for European elections was sending sms messages to a person without having his consent and without enabling him to stop receiving these messages. A severe reprimand to the candidate was issued.
• Another candidate for European elections was also sending sms messages to the complainants without having their consent and without enabling them to stop receiving these messages. In this case, a fine of €2000 against the candidate has been imposed.
• Four persons have complaint about receiving phone calls from a political party for promotional purposes. The Commissioner found that the political party had legitimate interests for sending these messages to two of them as members of political party. However, they did not have the consent of the other two persons who were not members of the party and thus a fine of €3000 was imposed.
• Two persons received messages for wishes from an individual without giving their consent and without having the opportunity to stop receiving these messages. After investigation, the Commissioner ascertained that this individual was sending such messages to thousands of persons and as a result, this could be considered to take place for marketing purposes. A fine of €2000 has been imposed.

 

• Complaint against the Cyprus Bar Association about the publication of a Court decision on the Cylaw website

 

• A person involved in court proceedings as a defendant complained about the publication of the court decision on the Cylaw website. This decision revealed personal information about him which had an impact both on him and his family. The Commissioner called the Cyprus Bar Association to review the way in which courts’ judgments are published within the Cylaw website and inform her for the progress of the compliance.
• Complaint about data breach by an auctioneer

 
A person received a phone call from an auctioneer who suggested her to find a buyer for a property which had already started a process of selling it by auction. It was noted that the auctioneer was not the designated auctioneer to hold the auction. The Commissioner decided to impose a fine of €2000 on the auctioneer because he used the complainant’s phone number for purposes other than those it was collected and without having her consent.
 

• Complaint about data protection rights against the Cyprus Police

 
A person submitted a complaint to the Cyprus police and asked them not to publish the complaint’s content and his personal data. However, the Cyprus police published his complaint and information that could identify him. The police declined the allegations, and following an investigation that took place, it showed the opposite as the relevant information were published in the media the day after the complaint was made to the police. The Commissioner found that the information published in the media had the same content as his complaint and asked the Police to take organizational and technical measures to prevent the unauthorized disclosure of personal data to third parties.
 

• Complaint about failure to satisfy the right of deletion against a Company

 
A Company did not satisfy a data subject request for deletion of personal data. Following an investigation conducted by the Commissioner, there was no breach of GDPR because the Company had a legal obligation to retain his personal data in order to comply with the applicable legislation.
 

• Complaint about the processing of personal data against the Municipality of Aradippou

 
Employees working for the Municipality of Aradippou complained that their personal information had been disclosed and/or made available without their prior consent. The Commissioner ascertained that the Municipality had taken all the necessary measures. However, a member of the Municipal Council was responsible for the further processing of the personal data. The Commissioner imposed a fine of €2000 on the member of the Municipal Council and recommended that the Municipality repeat the GDPR training seminars for the personnel.
 

• Complaint against a doctor for the publication of personal data on Instagram

 
A patient complained that her doctor published her personal data (images and videos) on Instagram by showing ‘before and after’ results of a surgery without having her consent. The Commissioner imposed a fee of €14.000 on the doctor as it was found out that the disclosure of her personal data was not in accordance with the purpose of the consent given by the patient before the surgery since her full identity was revealed.
In conclusion, the abovementioned complaints and Commissioner’s decisions show that there is a need for further information and sensibilization in relation to the GDPR provisions and obligations. Unauthorized disclosure of personal data, publication of personal data without having consent, lack of GDPR trainings for the personnel and communication with individuals for marketing purposes without having their consent are still issues that concern a lot both the Organisations and individuals. Cyprus Organisations both in private and public sector must take more steps in order to comply with the data protection legislation and not to face administrative fines.