Commissioner (Cyprus) - 17.05.23: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 88: Line 88:


== Comment ==
== Comment ==
''Share your comments here!''
https://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/2B53605103DCE4A4C225826300362211/$file/Law%20125(I)%20of%202018%20ENG%20final.pdf<nowiki/>Link to Law 125(I)/2018.
 
== Further Resources ==
== Further Resources ==
''Share blogs or news articles here!''
''Share blogs or news articles here!''

Revision as of 08:53, 16 October 2023

Comissioner - XXXXXXXXX
[[File:|center|250px]]
Authority: Comissioner (Cyprus)
Jurisdiction: Cyprus
Relevant Law: Article 5(1)(c) GDPR
Article 6 GDPR
Article 29(1) of Law 125(I)/2018
Type: Complaint
Outcome: Upheld
Started: 17.10.2018
Decided:
Published: 17.05.2023
Fine: 3000 EUR
Parties: Breikot Management Ltd
5 anonymous complainants
National Case Number/Name: XXXXXXXXX
European Case Law Identifier: XXXXXXXXX
Appeal: Appealed - Partly Confirmed
Administrative Court
962/2019
Original Language(s): Greek
Original Source: Commissioner (Cyprus) (in EL) (in EL)
Initial Contributor: Evangelia Tsimpida

The DPA of Cyprus reviewed a fine imposed against a local newspaper for the violations of Articles 5(1)(c) and 6 GDPR and Article 29(1) of Law 125(I)/2018. Following an appeal by the controller to the Administrative Courts, the DPA upheld its initial fine of €3,000.

English Summary

Facts

In September and October 2018, four articles were published in the print edition of the newspaper "24h", owned by Breikot Management Ltd., (the controller). In these articles, the names and photographs of five persons, and a reference to the conviction of one of them were published. A complaint was made to the DPA by the persons concerned on 17 October 2018.

Following the complaint, the DPA issued an initial decision, in which it found violations of Articles 5(1)(c) and 6 GDPR and Article 29(1) of Law 125(I)/2018.

Concerning the violation of Article 29(1) of Law 125(I)/2018, the DPA took into account the public interest and the principle of data minimisation, and found that for the purposes of public interest the mentioning of the names of the complainants and the conviction of one of them outweighed the interests, fundamental rights and freedoms of the complainants. The publication was excessive in relation to the purpose pursued, in violation of Article 29(1) of Law 125(I)/2018. Article 85 GDPR allows for member states to legislate for the reconciliation of data protection and journalistic freedom. Law 125(I)/2018 does this through Article 29(1), which provides that:

"29(1) The processing of personal data or special categories of personal data or personal data relating to criminal convictions and offenses, which is carried out for journalistic or academic purposes or for purposes of artistic or literary expression, is permitted, provided that those purposes are proportionate to the aim pursued and respect the essence of the rights as set out in the Charter of Fundamental Rights of the European Union and in the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), which was ratified by the ratifying law on the European Convention for the Protection of Fundamental Rights and in Part II of the Constitution."

Moreover, the Cypriot DPA found that the publication of the photographs of three (3) of the five (5) complainants in three (3) of the four (4) publications exceeded the principle of data minimisation in violation of Article 5(1)(c) GDPR, and the controller had no legal basis for the processing as required by Article 6 GDPR.

As a result of the violations, The DPA imposed a fine of €3,000 on the controller. This decision was appealed by the controller before the Administrative Court on 24 January 2019. The Administrative Court upheld the DPA's Decision in regard to the infringements found, but annulled the administrative fine imposed. The Administrative Court requested that the DPA review the amount of the fine.

Holding

The DPA upheld the administrative fine of €3,000 for its violation of Articles 5(1)(c) and 6 GDPR and Article 29(1) of Law 125(I)/2018, as there was no differentiation of the burdening and reducing factors compared to the first decision to justify a reduction of the fine.

Comment

https://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/2B53605103DCE4A4C225826300362211/$file/Law%20125(I)%20of%202018%20ENG%20final.pdfLink to Law 125(I)/2018.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.