Commissioner (Cyprus) - 11.17.001.008.001: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Cyprus |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoCY.jpg |DPA_Abbrevation=Comissioner |DPA_With_Country=Comissioner (Cyprus) |Case_N...") |
mNo edit summary |
||
| Line 56: | Line 56: | ||
}} | }} | ||
Cyprus DPA holds that the inability of the data controller to discover the original contract with the data subject constitutes a violation of the right to access the personal data. | Cyprus DPA holds that the inability of the data controller to discover the original contract with the data subject constitutes a violation of the right to access the personal data. A fine of € 15000 was issued. | ||
== English Summary == | ==English Summary== | ||
=== Facts === | ===Facts=== | ||
A data subject made an access request to the Bank of Cyprus and the insurance company Eurolife Ltd, requesting a copy of the original insurance agreement. The Bank of Cyprus had the obligation to store the original agreement. The agreement was signed in 2000 and the Bank of Cyprus was not able to locate the original agreement at her storage. Due to this fact, the Bank of Cyprus offered to cancel the agreement and sign a new one with the data subject. | A data subject made an access request to the Bank of Cyprus and the insurance company Eurolife Ltd, requesting a copy of the original insurance agreement. The Bank of Cyprus had the obligation to store the original agreement. The agreement was signed in 2000 and the Bank of Cyprus was not able to locate the original agreement at her storage. Due to this fact, the Bank of Cyprus offered to cancel the agreement and sign a new one with the data subject. | ||
=== Dispute === | ===Dispute=== | ||
Does the unavailability of personal data constitute a data breach? | Does the unavailability of personal data constitute a data breach? | ||
=== Holding === | ===Holding=== | ||
The Cyprus DPA held that unavailability of personal data constitutes a data breach and that this data breach should be reported to the DPA, according to article 33 of the GDPR as it is likely to cause risk to the rights and freedoms of the data subject. The DPA also held that the Bank of Cyprus failed to implement appropriate technical and organisational measures to ensure the security (confidentiality, integrity and availability) of personal data. Due to the fact that the Bank of Cyprus couldn't locate the original agreement, it failed to comply with the data subject's access request, breaching article 15 of the GDPR and demonstrate accountability. | The Cyprus DPA held that unavailability of personal data constitutes a data breach and that this data breach should be reported to the DPA, according to article 33 of the GDPR as it is likely to cause risk to the rights and freedoms of the data subject. The DPA also held that the Bank of Cyprus failed to implement appropriate technical and organisational measures to ensure the security (confidentiality, integrity and availability) of personal data. Due to the fact that the Bank of Cyprus couldn't locate the original agreement, it failed to comply with the data subject's access request, breaching article 15 of the GDPR and demonstrate accountability. | ||
== Comment == | ==Comment== | ||
''Share your comments here!'' | ''Share your comments here!'' | ||
== Further Resources == | ==Further Resources== | ||
''Share blogs or news articles here!'' | ''Share blogs or news articles here!'' | ||
== English Machine Translation of the Decision == | ==English Machine Translation of the Decision== | ||
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details. | The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details. | ||
Revision as of 10:01, 4 November 2020
| Comissioner - 11.17.001.008.001 | |
|---|---|
 | |
| Authority: | Comissioner (Cyprus) |
| Jurisdiction: | Cyprus |
| Relevant Law: | Article 5(1)(f) GDPR Article 5(2) GDPR Article 15 GDPR Article 32 GDPR Article 33 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 17.06.2020 |
| Published: | 17.06.2020 |
| Fine: | 15.000 EUR |
| Parties: | n/a |
| National Case Number/Name: | 11.17.001.008.001 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Greek |
| Original Source: | Commissioner of Cyprus (in EL) |
| Initial Contributor: | Elisavet Dravalou |
Cyprus DPA holds that the inability of the data controller to discover the original contract with the data subject constitutes a violation of the right to access the personal data. A fine of € 15000 was issued.
English Summary
Facts
A data subject made an access request to the Bank of Cyprus and the insurance company Eurolife Ltd, requesting a copy of the original insurance agreement. The Bank of Cyprus had the obligation to store the original agreement. The agreement was signed in 2000 and the Bank of Cyprus was not able to locate the original agreement at her storage. Due to this fact, the Bank of Cyprus offered to cancel the agreement and sign a new one with the data subject.
Dispute
Does the unavailability of personal data constitute a data breach?
Holding
The Cyprus DPA held that unavailability of personal data constitutes a data breach and that this data breach should be reported to the DPA, according to article 33 of the GDPR as it is likely to cause risk to the rights and freedoms of the data subject. The DPA also held that the Bank of Cyprus failed to implement appropriate technical and organisational measures to ensure the security (confidentiality, integrity and availability) of personal data. Due to the fact that the Bank of Cyprus couldn't locate the original agreement, it failed to comply with the data subject's access request, breaching article 15 of the GDPR and demonstrate accountability.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
