Commissioner (Cyprus) - 11.17.001.010.064

From GDPRhub
Revision as of 14:00, 25 November 2022 by Kv
Commissioner - 11.17.001.010.064.
Authority: Commissioner (Cyprus)
Jurisdiction: Cyprus
Relevant Law: Article 5(1)(f) GDPR
Article 24(1) GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started: 11.04.2022
Decided: 21.09.2022
Published: 16.11.2022
Fine: 5000 EUR
Parties: n/a
National Case Number/Name: 11.17.001.010.064.
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: dataprotection.gov.cy (in EL)
Initial Contributor: n/a

The DPA of Cyprus fined the Cyprus electricity authority €5000 for violations of Articles 5(1)(f), 24(1) and 32 GDPR for sending a consent form to the neighbour of the data subject, who complained about unauthorized disclosure of personal data.

English Summary

Facts

The data subject was a landowner. The Cyprus electricity authority (controller) wanted to place an overhead or underground power line on the data subject's land. The controller sent the data subject a consent form for the placement of this power line. However, an officer of the controller accidentally delivered the consent form, which contained personal data, to the data subject's neighbour. The officer discovered the error himself and admitted that it had been a mistake. The controller apologised and stated that the violation was committed out of negligence and not out of malice. The controller admitted that delivering the consent form to the neighbour was incorrect in light of Article 31 of the Electricity Law (KEF.170), which states that the consent form can only be delivered to the data subject.

Holding

Violation of Article 24(1) GDPR

The DPA determined that the controller violated Article 24(1) GDPR because it did not implement appropriate technical and organizational measures in advance to ensure that its processing was GDPR compliant. Nor did it implement measures to enable it to detect and/or verify any breach. The DPA stated that the controller would have been able to determine whether the consent form was served to the owner if it had established a procedure that would allow it to check this. This procedure was missing, which, according to the DPA, was the main reason the violation had occurred in the first place. The controller had not taken the appropriate steps to ascertain and prove whether its processing was GDPR compliant.

Violation of Articles 5(1)(f) and 32 GDPR


English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.