Commissioner (Cyprus) - 11.17.001.008.001: Difference between revisions
m (Panayotis.Yannakas moved page Comissioner - 11.17.001.008.001 to Commissioner - 11.17.001.008.001) |
m (Typo) |
||
| Line 4: | Line 4: | ||
|DPA-BG-Color=background-color:#ffffff; | |DPA-BG-Color=background-color:#ffffff; | ||
|DPAlogo=LogoCY.jpg | |DPAlogo=LogoCY.jpg | ||
|DPA_Abbrevation= | |DPA_Abbrevation=Commissioner | ||
|DPA_With_Country= | |DPA_With_Country=Commissioner (Cyprus) | ||
|Case_Number_Name=11.17.001.008.001 | |Case_Number_Name=11.17.001.008.001 | ||
Revision as of 07:11, 6 November 2020
| Commissioner - 11.17.001.008.001 | |
|---|---|
 | |
| Authority: | Commissioner (Cyprus) |
| Jurisdiction: | Cyprus |
| Relevant Law: | Article 5(1)(f) GDPR Article 5(2) GDPR Article 15 GDPR Article 32 GDPR Article 33 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 17.06.2020 |
| Published: | 17.06.2020 |
| Fine: | 15.000 EUR |
| Parties: | n/a |
| National Case Number/Name: | 11.17.001.008.001 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Greek |
| Original Source: | Commissioner of Cyprus (in EL) |
| Initial Contributor: | Elisavet Dravalou |
Cyprus DPA holds that the inability of the data controller to discover the original contract with the data subject constitutes a violation of the right to access the personal data. A fine of € 15000 was issued.
English Summary
Facts
A data subject made an access request to the Bank of Cyprus and the insurance company Eurolife Ltd, requesting a copy of the original insurance agreement. The Bank of Cyprus had the obligation to store the original agreement. The agreement was signed in 2000 and the Bank of Cyprus was not able to locate the original agreement at her storage. Due to this fact, the Bank of Cyprus offered to cancel the agreement and sign a new one with the data subject.
Dispute
Does the unavailability of personal data constitute a data breach?
Holding
The Cyprus DPA held that unavailability of personal data constitutes a data breach and that this data breach should be reported to the DPA, according to article 33 of the GDPR as it is likely to cause risk to the rights and freedoms of the data subject. The DPA also held that the Bank of Cyprus failed to implement appropriate technical and organisational measures to ensure the security (confidentiality, integrity and availability) of personal data. Due to the fact that the Bank of Cyprus couldn't locate the original agreement, it failed to comply with the data subject's access request, breaching article 15 of the GDPR and demonstrate accountability.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
