Commissioner (Cyprus) - 11.17.001.010.172

From GDPRhub
Revision as of 09:42, 31 January 2024 by Sh (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Cyprus |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoCY.jpg |DPA_Abbrevation=Commissioner |DPA_With_Country=Commissioner (Cyprus) |Case_Number_Name=11.17.001.010.172 |ECLI= |Original_Source_Name_1=11.17.001.010.172 |Original_Source_Link_1=https://www.dataprotection.gov.cy/DATAPROTECTION/DATAPROTECTION.NSF/F880C7270072D4E0C2258AAE0049CEAB/$file/%25CE%2591%25CE%25A0%25CE%259F%25CE%25A6%25CE%2591%25CE%25A3%25CE%2597%2520Brivio.pdf |O...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Commissioner - 11.17.001.010.172
LogoCY.jpg
Authority: Commissioner (Cyprus)
Jurisdiction: Cyprus
Relevant Law: Article 12(3) GDPR
Article 56 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 23.10.2023
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 11.17.001.010.172
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: 11.17.001.010.172 (in EN)
Initial Contributor: sh

The Cypriot DPA reprimanded the operator of a website for failing to comply with an access request in a timely manner undre Article 12(3) GDPR.

English Summary

Facts

A complaint was lodged with the Malta DPA against Brivio Limited (the controller) for a failure to respond to an access request under Article 15 GDPR. The data subject was a registered user on the online casino “icecasino.com” and contacted the controller, who is the operator of the website via email. He requested his information regarding all personal data concerning him, payments made and casino games that he had participated in on the website under Article 15 GDPR. Allegedly the controller never responded which led to the submission of his complaint after the expiry of the one month period to reply under Article 12(3) and (4) of the GDPR.

The controller is registered in Cyprus. The complaint was therefore transferred to the Cypriot DPA under Article 56 GDPR with the Cypriot DPA acting as the Lead Authority.

Holding

The Cypriot DPA found a violation of Article 12(3) of the GDPR due to the delayed response to the access request.

First, the DPA considered mitigating factors such as eventual compliance, corrective measures, and cooperation from the controller. The controller had failed to comply with the request because the the customer support team who received the request, failed to inform the Data Protection Team. After the complaint was submitted the controller reached out to the data subject and fulfilled the request. They have internally reviewed their internal procedure and a new technical flow has been adopted in order to facilitate the cooperation between the Customer Support Team and the Data Protection Team. Extra training for staff had also been carried out. This was considered favouribly by the DPA.

Second, the DPA considers that the request could have been satisfied from the first instance if the appropriate organizational and technical measures were in place and the staff was properly trained in dealing with GDPR requests in a timely manner. Moreover. the controller’s data protection team only became aware of the access request after being notified of the complaint by the Cypriot DPA.

Last, the DPA considered that this was not the controllers first offence and that there already existed a previious similar violated by the controller.

For these reasons the Cypriot DPA issued a reprimand to Brivio Limited. The company was reminded of its obligations under Article 12(3) of the GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.