Commissioner (Cyprus) - 17.05.23: Difference between revisions
(Well done! Great summary overall, I just moved all of the facts into the "holding section" and changed the dates to align with our style guide, which you can access here :) : https://gdprhub.eu/index.php?title=GDPRhub_style_guide) |
m (Aa moved page Comissioner (Cyprus) - XXXXXXXXX to Comissioner (Cyprus) - 17.05.23 (Breikot Management Ltd)) |
Revision as of 08:18, 17 October 2023
Comissioner - XXXXXXXXX | |
---|---|
[[File:|center|250px]] | |
Authority: | Comissioner (Cyprus) |
Jurisdiction: | Cyprus |
Relevant Law: | Article 5(1)(c) GDPR Article 6 GDPR Article 29(1) of Law 125(I)/2018 |
Type: | Complaint |
Outcome: | Upheld |
Started: | 17.10.2018 |
Decided: | |
Published: | 17.05.2023 |
Fine: | 3000 EUR |
Parties: | Breikot Management Ltd 5 anonymous complainants |
National Case Number/Name: | XXXXXXXXX |
European Case Law Identifier: | XXXXXXXXX |
Appeal: | Appealed - Partly Confirmed Administrative Court 962/2019 |
Original Language(s): | Greek |
Original Source: | Commissioner (Cyprus) (in EL) (in EL) |
Initial Contributor: | Evangelia Tsimpida |
The DPA of Cyprus reviewed a fine imposed against a local newspaper for the violations of Articles 5(1)(c) and 6 GDPR and Article 29(1) of Law 125(I)/2018. Following an appeal by the controller to the Administrative Courts, the DPA upheld its initial fine of €3,000.
English Summary
Facts
In September and October 2018, four articles were published in the print edition of the newspaper "24h", owned by Breikot Management Ltd., (the controller). In these articles, the names and photographs of five persons, and a reference to the conviction of one of them were published. A complaint was made to the DPA by the persons concerned on 17 October 2018.
Following the complaint, the DPA issued an initial decision, in which it found violations of Articles 5(1)(c) and 6 GDPR and Article 29(1) of Law 125(I)/2018.
Concerning the violation of Article 29(1) of Law 125(I)/2018, the DPA took into account the public interest and the principle of data minimisation, and found that for the purposes of public interest the mentioning of the names of the complainants and the conviction of one of them outweighed the interests, fundamental rights and freedoms of the complainants. The publication was excessive in relation to the purpose pursued, in violation of Article 29(1) of Law 125(I)/2018. Article 85 GDPR allows for member states to legislate for the reconciliation of data protection and journalistic freedom. Law 125(I)/2018 does this through Article 29(1), which provides that:
"29(1) The processing of personal data or special categories of personal data or personal data relating to criminal convictions and offenses, which is carried out for journalistic or academic purposes or for purposes of artistic or literary expression, is permitted, provided that those purposes are proportionate to the aim pursued and respect the essence of the rights as set out in the Charter of Fundamental Rights of the European Union and in the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), which was ratified by the ratifying law on the European Convention for the Protection of Fundamental Rights and in Part II of the Constitution."
Moreover, the Cypriot DPA found that the publication of the photographs of three (3) of the five (5) complainants in three (3) of the four (4) publications exceeded the principle of data minimisation in violation of Article 5(1)(c) GDPR, and the controller had no legal basis for the processing as required by Article 6 GDPR.
As a result of the violations, The DPA imposed a fine of €3,000 on the controller. This decision was appealed by the controller before the Administrative Court on 24 January 2019. The Administrative Court upheld the DPA's Decision in regard to the infringements found, but annulled the administrative fine imposed. The Administrative Court requested that the DPA review the amount of the fine.
Holding
The DPA upheld the administrative fine of €3,000 for its violation of Articles 5(1)(c) and 6 GDPR and Article 29(1) of Law 125(I)/2018, as there was no differentiation of the burdening and reducing factors compared to the first decision to justify a reduction of the fine.
Comment
https://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/2B53605103DCE4A4C225826300362211/$file/Law%20125(I)%20of%202018%20ENG%20final.pdfLink to Law 125(I)/2018.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
No. File No: XXXXXXXXXXXXX BY ELECTRONIC MAIL XXXXXXXXXXXXX@XXXXXXXXXX Breikot Management Ltd. Member of Nikodea Media Group 67 Vassilios Voulgarokctonou Street, 1010, Nicosia (Attention XXXXXXXXXXXXXXX, Director of Breikot Management Ltd) May 17, 2023 Decision to review in relation to the amount of the fine imposed On the basis of the duties and powers conferred on me by Article 57(1)(f) of the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of personal data of such data, I have examined five (5) separate complaints (complaints) that submitted to my Office on October 17, 2018, by the law firm Athos Demetriou Associates LLC, on behalf of their clients XXXXXXXXXXXXX (at "Complainants") against Breikot Management Ltd, a member of the Nikodea Media Group, (hereinafter the Complainant), regarding four (4) publications, concerning the Complainants in the print newspaper 24h and were signed XXXXXXXX. Based on the investigation, I found a violation of the Rules by the Respondent the Complaint and I issued a decision on April 12, 2019, based on the following briefly stated facts set forth below. 2. Brief facts of the complaint 2.1 On October 17, 2018 a complaint was submitted by the complainants to the Office (complaint), concerning the publication of (a) the full name of the complainant of all the complainants, b) photographs of three of them, and c) a report (c) a reference to the conviction of one of them in articles published in a publication owned by the Respondent's complaint. Having considered the facts of the case, I have, as follows I have proceeded to weigh the right to freedom of expression and information, with the right to privacy and family life and the protection of personal data. Taking into account both the Principle of Data Minimisation, I have adopted a Decision of 14 December 2004. 12 April, 2019. The conclusion of my decision was as follows: 2 "...The four (4) publications in the print edition of the newspaper "24h" the which is owned by the Respondent the Complainant, were made for information purposes the public and the mention of the name of the complainants and the of one of them, outweighs the interests, fundamental rights and freedoms of the complainants. Therefore, I find that, I do not there has been any violation of the provisions of the Rules by the Respondent's complaint, for the publication of the name of the name of the complainants in the publications at issue. However, the publication of the photographs of three (3) of the five (5) in three (3) of the four (4) publications, namely the 28-30/9/2018, 5-7/10/2018 and 12-14/10/2018, I consider that it has exceeded the principle of minimization of data and that in any in any case, it is excessive in relation to the objective pursued in breach of Articles 5(1)(c) and 6 of the Regulation and Article 29(1) of Law 125(I)/2018, given that, the news could published without their photographs, since the subject of interest from journalistic interest is the fact that the architectural firm of family of the complainants, continues to undertake public works while one of them has been convicted of a fatal industrial accident. Η the publication of the photographs is not in the best interests of the of informing public opinion and is not considered necessary in the context of the principle of minimisation, nor does it confer any additional value to the public's right to information. 2.2 The complaint was submitted to my Office on 17/10/2018, i.e. approximately one month after the Respondent first published the complaint. The Respondent the Complaint, in no stage of the process, did not mention the time when she deleted the publications from her website. All she did mention was in her letter dated. 12/3/2019, "...that as soon as we were informed of their complaint all articles were "taken down" without the your suggestion..." 2.3 My Office Officer, on 29/10/2018, informed the Respondent in writing the grievance, of the grievance submitted. Given that the Respondent's Complaint, states that all articles were "taken down" once they were updated without the suggestion of my Office, it appears that the four (4) publications were deleted from the website on or about 10/29/2018, i.e., approximately one (1) plus month after the first publication, which was 28-30/9/2018. However, the printed versions of the 24h newspaper, which also published the photos of the three (3) complainants, were never withdrawn and still exist to this day. 2.4 The number of readers, i.e. the extent cannot be calculated since the printed newspaper can be read by countless persons. If the circulation of the of a newspaper is X hundreds/thousands, this does not mean that it is not read by X+1 hundreds/thousands. Let alone when the newspaper can be found in cafes and entertainment venues where a lot of people gather every day. 2.5 Nor can the number of people who read the articles in the electronic version of 24h, the period of one month or so that they were posted. 3 2.6 Weighing up all the mitigating and aggravating factors, I imposed on the person legally responsible for the Respondent's actions the complaint, namely Breikot Management Ltd, in its capacity as controller of the file, a monetary penalty of €3,000 (three thousand euros) for breach of his obligation under the Articles 5(1)(c) and 6 of the Regulation. 2.6 Against the decision dated. 12 April 2009, the Respondent's complaint filed before the Administrative Court on January 24, 2019 the application no. No. XXXXXX Complaint. 2.7 On December 16, 2022, the Administrative Tribunal issued a decision on the Complaint No. 962/2019, upholding the Decision of my Office Date. April 12, 2019, to the extent of the violation, but annulling it to the extent that it relates to the amount of the administrative fine imposed. The Court inter alia stated the following: "I find the decision of the defendant reasonable in its finding of I do not consider it to be justified in relation to the finding of infringement, but I do consider it to be justified in relation to the administrative fine the administrative fine imposed and, in particular, the amount of that fine. That is because of the same the text of the decision, while the reasons supporting the extremely short duration of the infringement, it does not appear that account was taken of the the amount of the fine without, in fact, adequately recording the degree of damage which the three persons may have suffered'. 2.8 In the context of the above, partially annulled judgment of the Court of Justice and in in conjunction with the provisions of Article 57 of the General Principles of Administrative Law Law of 1999 (158(I)/1999), but also the relevant recommendation received from the Office the Office of the Attorney General, it has been decided to review the case against Respondent's complaint, only to the extent that it relates to the amount of the administrative fine imposed. 3. Legal aspect 3.1 In accordance with Article 57(1)(f) of Regulation (EU) 2016/679, the Office of Office of the Data Protection Commissioner shall, as a matter of duty, handle complaints submitted by data subjects, while according to the Article 57(1)(a) it monitors and enforces the application of the Regulation. 3.1.1 Article 57 of the General Principles of Administrative Law Act 1999 (158(I)/1999), provides that: 57. 57. The court shall be obliged to restore the things to the position in which they were before before the issuance of the annulled act. 3.1.2 Article 47 of the General Principles of Administrative Law Act 1999 (158(I)/1999), provides that: 4 47. The elements which the administration must take into account in the exercise of its The factors to be taken into account by the administration in exercising its discretionary power must be lawful and relevant to the objective pursued. purpose intended by the law. 3.2 In the cases of Vnukovo Airlines (V.A.) and Others v. v. Vnukovo Airlines (V.A.) et al. Attorney General (2001) A.A.D. 969 and Kyriakides v. Republic (2013) 3 A.A.D. 629, it was held that the administration the administration is obliged to restore the situation to the state of affairs that existed before the annulment, to arrange for the procedure for the review of the disputed administrative matter and decide in a lawful manner and in accordance with the findings of the administrative court. In the review, the administrative procedure shall be resumed from the point at which it was found to be unlawful. 3.3 More specifically, in Kyriakidis n. Republic (2013) 3 A.A.D. 629 it was mentioned in this regard: "... we consider that in every case of an annulment decision it is a duty In each case, in all cases, the Administration has the duty to review - or, where grounds are found, to review - the decision of the Court of Appeal. (see, in any case, where there is reason to do so, a review or, where there is reason to do so, a re-investigation (cf. Naziris v. Naziris, n. 1. R.I.K. (2007) 3 A.A.D. 38) - for to restore the damaged legality, as established in the the reviewing annulment decision. This is, in our view, a duty which is emphasized by consistent and clear case law over time (see Englezaki et al. Attorney General (1992) 1(A) A.A.D. 697, which refers to earlier case law on the subject, as well as Attorney General's v. Holy Archdiocese of Cyprus (1999) 1(A) A.A.D. 342), which case law does not seem to recognise that it gives way even in cases where it does not (in natura) restoration of things to their former state can be made their original state..." 3.4 It should also be noted that under Article 58(2), the Commissioner has the following remedial powers: "(a) to issue warnings to the controller or processor processor that intended processing operations are likely to the controller or the data controller or the processor may be likely to infringe provisions of this Regulation, (b) to admonish the controller or the processor the controller or the processor where processing operations have infringed provisions of this Regulation Regulation, (c) to instruct the controller or the processor to comply with requests by the data subject to the data controller or processor to comply with the data subject's requests for the processing of data exercise his or her rights in accordance with this Regulation, (d) to instruct the controller or the processor to comply with the rights of the data subject in accordance with the data subject's rights to make the processing operations comply with the provisions of this Regulation the processing operations in accordance with the provisions of this Regulation, if necessary, in a specified manner and within a specified time limit time limit, (e) instruct the controller to notify the breach personal data to the data subject, (f) to impose a temporary or definitive restriction, including the imposition of a temporary or definitive restriction impose a temporary or temporary restriction, including prohibition of processing, (g) to order the rectification or erasure of personal data; or order the erasure or deletion of personal data or restriction of processing pursuant to Articles 16, 17 and 18 and order the restriction of processing pursuant to Articles 16, 17 and 18 the notification of such actions to recipients to whom the data are disclosed personal data have been disclosed pursuant to Article 17(2) and Article 19, 5 (h) withdraw certification or order the certification body to withdraw a certificate issued in accordance with Articles 42 and 43 or order the certification body to withdraw a certificate issued in accordance with Articles 42 and 43 the certification body not to issue a certification where the requirements certification requirements are not or are no longer fulfilled, (i) impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the in addition to or in addition to the measures referred to in or in addition to the above measures, depending on the circumstances of each individual case, (j) to order the suspension of the release of data to a recipient in a third country a third country or an international organisation. 3.5 Article 83 of the Regulation, which concerns the general conditions of enforcement administrative fines, inter alia, provides for the following: "1. Each supervisory authority shall ensure that the imposition of administrative fines in accordance with this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 are, for each individual effective, proportionate and dissuasive for each individual case. 2. Administrative fines shall, depending on the circumstances of each individual case, be circumstances of each individual case, shall be imposed in addition to or instead of the measures referred to points (a) to (h) of Article 58(2) and Article 58(2)(a) to (h) paragraph 2(j). When deciding on the imposition of administrative fine, as well as on the amount of the administrative fine for each individual case, due account shall be taken of the following: (a) the nature, gravity and duration of the infringement, taking into account the the nature, extent or purpose of the processing in question, and the number of processing operations, the gravity and duration of the infringement data subjects affected by the breach and the degree of damage they have suffered, (b) the fraudulent or negligent nature of the breach, (c) any actions taken by the controller or the processor to mitigate the damage suffered by the data subjects data subjects, (d) the degree of liability of the controller or processor the degree of responsibility of the controller or processor, taking into account the technical and organisational measures taken the technical and technical measures they apply pursuant to Articles 25 and 32, (e) any relevant previous infringements by the controller or the data controller; or the processor, (f) the degree of cooperation with the supervisory authority in remedying the infringement the degree of cooperation with the supervisory authority to remedy the infringement and mitigate its possible adverse effects, (g) the categories of personal data affected by the the infringement, (h) the manner in which the supervisory authority became aware of the breach, in particular whether and to what extent the controller or processor the controller or processor notified the breach, (i) where the measures were ordered beforehand, where the measures were referred to in Article 58(2) against the controller involved the controller or processor in relation to the same subject matter, compliance with those measures, (j) compliance with approved codes of conduct in accordance with Article 40; or approved certification mechanisms in accordance with Article 42; and 6 (k) any other aggravating or mitigating circumstance arising from circumstances of the particular case, such as financial benefits gained or losses avoided, directly or indirectly, by the infringement. 3. Where the controller or processor, for the purpose of the processing, directly or indirectly. the same or related processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the most serious infringement. 4. Infringements of the following provisions shall, in accordance with the paragraph 2, administrative fines of up to EUR 10 000 000 or, in the case of in the case of undertakings, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is the higher: (a) the obligations of the controller and the processor (a) the obligations of the controller and the processor in accordance with Articles 8, 11, 25 to 39, 42 and 43, (b) the obligations of the certification body in accordance with Articles 42 and 43, (c) the obligations of the monitoring body in accordance with Article 41 paragraph 4. 5. Infringements of the following provisions shall, in accordance with paragraph 2, administrative fines of up to EUR 20 000 000 or, in the case of in the case of undertakings, up to 4 % of the total worldwide annual turnover turnover in the preceding financial year, whichever is the greater whichever is the higher: (a) the basic principles for processing, including the conditions that the basic principles for processing, including the conditions applicable to authorisation, in accordance with Articles 5, 6, 7 and 9, (b) the rights of data subjects in accordance with Articles 12 to 12 22, (c) the transfer of personal data to a recipient in a third country; or an international organisation in accordance with Articles 44 to 49; (d) any obligations under the law of the Member State which are established (e) failure to comply with an order or interim measure failure to comply with a temporary or definitive restriction of processing or suspension of movement data suspension or restriction of processing or suspension of the processing of data imposed by the supervisory authority pursuant to Article 58 (2) or failure to provide access in breach of Article 58(2) paragraph 1." 3.5.1 Recital (148) of the Regulation further clarifies that: "(148) In order to strengthen the enforcement of the rules of this Regulation, sanctions, including administrative fines, shall should be imposed for any infringement of this Regulation, In addition to or instead of appropriate measures imposed by the supervisory authority authority in accordance with this Regulation. In the case of a minor infringement infringement of minor importance or where the fine likely to be imposed would be disproportionate to the a disproportionate burden on a natural person, a reprimand could be imposed instead of instead of a fine. Due account should, however, be taken of the nature, the seriousness and duration of the infringement, the intentional nature of the infringement infringement, the actions taken to mitigate the damage, the degree of of liability or any other relevant previous infringements, the manner in which 7 the manner in which the supervisory authority became aware of the breach, compliance with the compliance with measures against the controller or processor, the compliance with a code of conduct and any other aggravating or mitigating circumstances. Η the imposition of sanctions, including administrative fines, should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including the effective judicial protection and due process." 3.5.2 In the introductory note to Guideline 4/2022 on the calculation of administrative sanctions on the basis of the GDPR 2016/679, which it issued the European Data Protection Board (EDPS) on 12 May, 2022 (the which are currently under public consultation), the following are noted: "The calculation of the amount of the fine is at the discretion of the the supervisory authority, subject to the rules provided for in the GDPR. In that context, the GDPR requires that the amount of the fine shall in each individual case be effective, proportionate and dissuasive (Article 83(1) GDPR). Moreover, when setting the amount of the fine, supervisory authorities shall give due regard to a list of circumstances that refer to features of the infringement (its seriousness) or of the character of the perpetrator (Article 83(2) GDPR). Lastly, the amount of the fine shall not exceed the maximum amounts provided for in Articles 83(4) (5) and (6) GDPR. The quantification of the amount of the fine is therefore based on a specific evaluation carried out in each case, within the parameters provided for by the GDPR." 4. Screenshot 4.1 Complying, in accordance with the provisions of Law 158(I)/1999, the directions of the Court, the relevant case law (see e.g. Kyriakidis v. Republic, above) and recommendation of the Legal Service, my Office had a duty to review the present complaint from the point raised by the Court in its annulment judgment and namely to the extent that it relates to the amount of the administrative fine which imposed. 4.2 The facts of the complaint do not differ from the original decision date. 12 April 2009 and are adopted in their entirety as stated, and in any event, they are adopted in full. in any event, they were upheld by the decision of the Administrative Court, dated 16/12/2022, in Appeal No. 962/2019. 4.3 To note that, the Supreme Court, upheld the decision of my Office, In Appeal No. 32/2013, dated 16 December 2013. 1/3/2019, between the Cyprus Republic of Cyprus and the Republic of Cyprus. Republic of Cyprus, through the Commissioner for Personal Data Protection and Publishing House Dias Ltd, which also concerned a breach of the Principle of Proportionality Principle and I had imposed a fine of €3.000. This amount had been fixed, by maximum amount imposed at that time was €30,000. After the implementation of the GDPR 2016/679 on May 25, 2018, for the same violation (principle of minimisation principle, as in the present case) a maximum administrative sanction of €20,000,000. 4.5 In addition, on 16/1/2023, I issued a decision, following a review complaint, against Arktinos Publications Ltd and imposed an administrative penalty of 8 fine of €7,000, for its violation of Articles 5(1)(c) and 6(1)(f) of the GDPR, by publishing more personal data publication of more personal data than was necessary in order to serve its right right to information of the public. 5. Ending 5.1 Taking into account all of the above elements as set out above, and based on the the powers conferred on me by Articles 58 and 83 of Regulation (EU) 2016/679, Article 24(b) of Law 125(I)/2018, and given that there was a breach of the provisions of the Regulation, as upheld by the Administrative Court, I will proceed to impose a penalty. 5.2 Under the provisions of Article 83 of the Rules, to the extent that applicable in this case, I take into account the following mitigating (a)-(d) and aggravating (e)-(i) factors, on the basis of the facts as they are before me today: (a) the Respondent's position that through negligence and not on purpose, it published in the newspaper the photographs of the three (3) complainants, (b) the fact that the Respondent the Complainant, proceeded to delete the said four (4) articles from the electronic version of the 24h newspaper, as soon as became aware of the complaint, i.e. by the letter sent by the my Office on 29/10/2018, and before receiving any written objection from my Office, (c) the fact that the Respondent, in the course of the investigation, cooperated with my Office to remedy the violation and mitigate the its potential adverse effects; and (d) the fact that this is the first complaint submitted to my Office against the Respondent the complaint, (e) the nature of the violation, which affects the professional life of complainant, although the European Court of Human Rights has held in relation to the provision of Article 8 ECHR that the protection of "private life', which is founded on that article, does not exclude the professional life of and is not limited to life within the place of residence, (f) the extent of the infringement: the four (4) publications were (4) four of the four articles were posted on the Internet for at least one (1) month prior to their deletion, with an unspecified number of readers, the print editions of the 24h newspaper did not have not been withdrawn to date and the number of readers remains unknown, (h) the number of data subjects affected by the breach, directly the three (3) complainants whose photographs were published are directly affected, indirectly the family environment of all five (5) complainants, (i) the categories of personal data affected by the breach: it concerns simply data, namely the photographs of three (3) of the five (5) complainants. 5.3 In my previous Decision dated April 12, 2019, I imposed on Respondent the Complainant an administrative fine of €3,000, for on her behalf violation of her obligations under Articles 5(1)(c) and 6 of the GDPR, having taken into account various aggravating and mitigating factors, both positive and negative respectively and with varying degrees of severity, depending on the gravity of the of the severity of the mitigating or aggravating factor in each case. 9 5.4 I also note that in Revision Appeal No. 32/2013, in which upheld a Decision of my Office, also upheld the administrative sanction imposed on the appellant in the amount of €3,000. This amount had been fixed, by maximum amount imposed at that time was €30,000. Following the application of the GDPR 2016/679 on 25 May 2018, for the same violation (principle of minimisation principle, as in the present case) a maximum administrative sanction of €20,000,000. 5.5 Taking into account the aggravating and mitigating factors that set out in paragraph 5.2 of this Decision, as they have developed during the the review of the case, as well as the fact that photographs were posted of three (3) of the five (5) Complainants, I hereby impose the Complaint on the Respondent, an administrative fine of €3,000, for her violation of Articles 5(1)(c) and 6 of the GDPR. 5.6 There has not been any reduction of the administrative fine and no variation of the from the first Decision of my Office, since there was no variation of the aggravating and mitigating factors which were taken taken into account during the review. The infringement found and confirmed by the Administrative Court, related specifically to the publication of the photographs, of three (3) of the five (5) complainants. The report of the two cases, with similar incidents, in which fines were imposed and in particular this of the Review Appeal, I consider that it strengthens and justifies the amount of the fine penalty. Irene Loizidou Nicolaidou Data Protection Commissioner Personal Data Protection Commissioner