Commissioner (Cyprus) - 11.17.001.010.064: Difference between revisions

From GDPRhub

Revision as of 14:45, 28 November 2022

Commissioner - 11.17.001.010.064.
Authority: Commissioner (Cyprus)
Jurisdiction: Cyprus
Relevant Law: Article 5(1)(f) GDPR; Article 24(1) GDPR; Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started: 11.04.2022
Decided: 21.09.2022
Published: 16.11.2022
Fine: 5000 EUR
Parties: n/a
National Case Number/Name: 11.17.001.010.064.
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: dataprotection.gov.cy (in EL)
Initial Contributor: n/a

The DPA of Cyprus fined the Cyprus electricity authority €5000 for violations of Articles 5(1)(f), 24(1) and 32 GDPR for sending a consent form containing personal data to the data subject's neighbour, resulting in an unauthorized disclosure of personal data to a third party.

English Summary

Facts

The Cyprus electricity authority (controller) wanted to place a power line on the data subject's land. The controller sent the data subject a consent form for the placement of this power line. However, an officer of the controller delivered the consent form, which contained personal data, to the data subject's neighbour. The officer reported his own error and admitted that this had been a mistake. He also assured the controller that he would undertake training regarding personal data and gathering consent, which he had not undertaken before, and that he would not commit such a mistake again.

The controller acknowledged the violation, apologised for it and stated that this violation was committed out of negligence and not out of malice. The controller stated that the violation was caused by human error, reliance on the wrong person and the need for quick service. The controller had previously undertaken periodic briefings for its staff and had also organised GDPR-related training sessions. However, the controller also acknowledged the need for further training for its staff and had already planned further training sessions. The controller also acknowledged that it had not set out specific procedures and measures describing how staff should conduct service. The controller also admitted that the delivery of the consent form to the neighbour was legally incorrect under Article 31 of the Electricity Law (KEF.170), which states that the consent form can only be delivered to the owner of the land.

Holding

Violation of Article 24(1) GDPR

The DPA determined that the controller violated Article 24(1) GDPR because the controller did not implement appropriate technical and organizational measures in advance to ensure that its processing was GDPR compliant. The DPA confirmed that the procedure described in KEF.170 was specific and did not allow the consent form to be provided to any party other than the land owner, in this case the data subject. The controller did not implement measures to enable it to detect and/or verify any breach. The DPA stated that the controller would have been able to determine whether the consent form was served to the owner or not if it had established a procedure that allowed it to check this. This procedure was missing, which was the main reason the violation had occurred in the first place. The DPA provided two examples of how this could have been avoided. One example was that the controller could have delivered the form in duplicate, with one of the two forms returned to the controller bearing the data subject's signature to confirm delivery of the consent form. The DPA later confirmed that the controller had adopted this recommendation.

Violation of Articles 5(1)(f) and 32 GDPR

The DPA also determined that the controller violated Article 32 GDPR, because the controller did not implement appropriate measures in advance to prevent the unauthorized disclosure of the consent form. The DPA stated that the controller, as controller, bore sole responsibility for training and informing its staff, which the controller accepted. The training and periodic briefings that the controller already provided were deemed inadequate by the DPA. The DPA also determined that the controller violated the principle of integrity and confidentiality (Article 5(1)(f) GDPR) because the personal data of the data subject was processed in a way that allowed unauthorized and/or unlawful processing.

After considering several mitigating (8) and aggravating factors (6), the DPA fined the controller €5,000.

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.