Commissioner (Cyprus) - 11.17.001.011.218

From GDPRhub
Revision as of 16:27, 17 December 2024 by La
Commissioner - 11.17.001.011.218
Authority: Commissioner (Cyprus)
Jurisdiction: Cyprus
Relevant Law: Article 6(1)(f) GDPR
Article 12(3) GDPR
Article 17 GDPR
Article 31 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 04.09.2024
Published:
Fine: 3000 EUR
Parties: Senira Ltd.
National Case Number/Name: 11.17.001.011.218
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: Commissioner (in EN)
Initial Contributor: la

The Cypriot DPA issued a €3,000 fine to a controller that did not comply with requests for erasure by data subjects and did not comply on time with a request by the DPA under Article 31 GDPR.

English Summary

Facts

The decision of the Cyprus DPA was based on two complaints regarding the platform nicelocal.com (the controller).

Data subject 1 is from Germany and runs a local one-person business. An entry on the controller’s platform containing personal data was published without her knowledge. Data subject 1 then contacted the controller requesting the immediate removal of the entry under Article 17 GDPR. Having received no feedback from the controller, data subject 1 filed a complaint with the Sachsen-Anhalt DPA in Germany.

Data subject 2 is from Poland and also runs a local business. The controller created an unsolicited profile containing personal data such as his name, photos of premises, as well as unverified reviews. Data subject 2 also requested the deletion of that profile as well as the erasure of all personal data that it contained. He received an automated message that his request was in progress. However, only the photos of the premises were removed and the profile remained online. Data subject 2 also claimed that the controller’s platform falsely indicated that his business was closed. Data subject 2 then filed a complaint with the Polish DPA.

After the Cyprus DPA initiated proceedings, the controller failed to meet a deadline the DPA had set for a reply.

Subsequently, the controller complied with the requests for the erasure of data.

Holding

The Cypriot DPA held that information regarding one-person businesses can also be personal data where they allow the identification of a natural person. This was the case in the present two complaints as the information was referring to the data subjects as individuals. The collection and publication of the said information constituted processing activities.

The controller did not take action within the one-month period under Article 12(3) GDPR. Furthermore, it failed to comply with a request by the DPA to provide information on, inter alia, how exactly the system dealing with the requests worked in detail and safeguards applied. Thus, the controller also violated Article 31 GDPR.

Regarding the processing itself, the DPA held that the controller could rely on Article 6(1)(f) GDPR because, inter alia, the personal data in question was originally made public by the data subjects themselves and therefore there could be no harm to the data subjects as the data was already public before.

Therefore, the DPA issued a reprimand for the infringement of Article 12(3) GDPR and a fine of €3,000 under Article 83 GDPR for the infringement of Article 31 GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

Our ref.: 11.17.001.011.218, 11.17.001.012.012
4 September 2024

Decision

Investigation of complaints against the company Senira Limited under the General Data Protection Regulation (GDPR)

I refer to the investigation of two complaints against the company SENIRA LIMITED (hereinafter, the “Controller”), which operates the website www.nicelocal.com (hereinafter, the “website”).


Description of the complaints

2.1. The first complaint was lodged in Germany, and is related to the Controller’s failure to respond to a data subject request to erase their personal data. More specifically, the complaint concerns an entry published on the website www.nicelocal.com.de. The said entry contains personal data about the complainant (complainant 1) running a clothing tailoring service as a natural person (https://nicelocal.com.de/sachsen-anhalt/utility_service/n_design_nancy_beer/), and was published without the complainant’s knowledge and against her will.

2.2. Complainant 1 contacted the Controller on 22/08/2023, by sending an email to the email addresses legal@nicelocal.com and content@nicelocal.com, requesting the immediate deletion of her personal data, as her legal right to erasure under Article 17 of the GDPR. On 11/09/2023 the complainant repeated her request by sending an email to privacy@nicelocal.com, which is the email address provided by the Controller to the public for matters related to personal data protection.

2.3. On 12/10/2023, complainant 1 informed the Supervisory Authority in Germany that she received no feedback from the Controller. Moreover, she claimed that the option “Request Removal of Content” which is available on the homepage of the website was not working.


3.1. The second complaint was lodged in Poland. The complainant (complainant 2) is a natural person, with a sole proprietorship under the name: XXX. According to complainant 2, a profile of his business was created in the website nicelocal.co.pl, containing his name, photos of premises (most likely taken from Google Maps) and unverified reviews. The profile was created without his consent or knowledge.

3.2. On 21/06/2023, complainant 2 requested the deletion of the aforementioned profile from the website (via content@nicelocal.com) and erasure of all the data contained therein. On the same day, he received an automated message informing him that his request was in progress. Despite the above, the entire profile remained, and only photos of the premises were removed. Also, the complainant claims that the following false information was contained in the profile: "Unfortunately, this place has been closed", which worked to his detriment as a businessman.

3.3. On 9/12/2023 complainant 2 repeated his request and received again the same automated message, without however any success, since the relevant profile and all his personal data remained in the website.


4. On the basis of the Registrar of Companies in Cyprus, the Controller is registered in Cyprus, under registration no. ΗΕ 429529, and the address stated at the Registrar of Companies is Floor 3&4 M. KYPRIANOU HOUSE, Gladstonos, 116, 3032, Lemesos, Cyprus. On the basis of the above, the Commissioner for Personal Data Protection in Cyprus (hereinafter, the “Commissioner”) is acting as the lead authority in this matter.


Investigation by the Commissioner


5.1. On 30/11/2023 the Commissioner’s Office contacted the Controller as regards to the first complaint, requesting the latter’s views and position on the same, the reason why the automated option “Request Removal of Content” was not working, and where was the personal data collected from and what is the legal basis and purpose for the relevant processing.

5.2. In its reply, dated 20/12/2023, the Controller stated the following:

   i. They use a specially designed software to handle requests of this type received via email at privacy@nicelocal.com and legal@nicelocal.com.

   ii. The option “Request Removal of Content” is placed at the bottom of each page and their team process requests after receiving them through a feedback form. They confirm that the said form works as expected.

   iii. Data regarding the business “N/Design Nancy Beer” were collected from an open public source, namely Google. The Controller stated that the ground of processing is the fact that data comes from a publicly available source. Moreover, they stated that the data in question includes no special categories of data, stands for the public interest and helps business to grow by obtaining new clients on the web.

   iv. Upon receipt of the Commissioner’s letter, the Controller initiated a thorough investigation into the matter. They carefully reviewed the evidence provided, and they confirmed that they deleted the webpage https://en.nicelocal.com.de/sachsen-anhalt/utility_service/n_design_nancy_beer/.

   v. The controller informed the Commissioner that they would carry out additional work to analyze the causes of what happened with the software algorithms.

5.3. The Commissioner confirmed through a relevant check that the personal data of complainant 1 had been deleted. Notwithstanding the above, the Commissioner considered that further information was required as regards to the way the system that handles the relevant request operates, and the safeguards and actions/measures taken by the controller in line with the GDPR. Moreover, the controller in its response failed to provide a valid legal basis, and the relevant purpose as to the processing of personal data. To that end, and as part of the investigation of the first complaint, a second letter was sent to the controller on 05/01/2024.

5.4. The controller failed to respond within the deadline specified in the aforementioned letter of the Commissioner, i.e. by the 25th of January 2024. In the meantime, the Commissioner’s Office received the second complaint described in paragraphs 3.1.-3.3. above.

5.5. On 05/02/2024 the Commissioner sent another letter to the Controller, requesting a response to the letter dated 05/01/2024, informing them about the second complaint and requesting their views on the same.

5.6. The Controller once again missed the deadline, and a reminder was sent by the Commissioner’s Office on 06/03/2024. The Controller’s response dated 07/03/2024 was the following:

“First and foremost, I would like to express my utmost respect as we value the importance of maintaining a positive business environment, and we strive to ensure that our client’s and user’s data are under protection and control. Therefore, we appreciate your bringing this matter to our attention so that we may address it appropriately.

We use a specially designed software to handle these types of requests. Unfortunately, this case shows that we still have room for an improvement.

Upon receipt of your letter, we initiated a thorough investigation into the matter. We have carefully reviewed the evidence provided, and we can confirm that at the date of this letter the webpage has been deleted. We will carry out additional work to analyze the causes of what happened with the software algorithms and assure you that we are always attentive to the rights of personal data subjects in accordance with the requirements of the GDPR.”


5.7. On 12 April 2024, the Commissioner issued a Preliminary Decision against the Controller where the following was identified:

(a) infringement of the Article 12(3) of the GDPR since the controller did not satisfy the complainants’ requests for erasure of their personal data, in accordance with the provisions of the said Article.

(b) infringement of the Article 31 of the GDPR, since it failed to cooperate with the Commissioner’s Office and provide the requested information.

5.8. Following the above, the Commissioner ordered the Controller to respond to the Commissioner’s Office letter dated 05/01/2024, and particularly to provide the information requested in paragraphs 3.2. and 4.4.

5.9. In their response, on 12 May 2024, the controller stated the following:

   i. The relevant processing is lawful for the purposes of the legitimate interests pursued by the Controller in accordance with Article 6(1)(f) GDPR. This is confirmed by the fact that the information collected regarding the business, including name, address or contact information, was manifestly made public by the data subjects on public sources such as Google.

   ii. In the case of the first complaint, the erasure request was processed by the automated system, however, an error occurred as a result of which the said page was not deleted. In any case, the relevant information was removed on 19 December 2023, after the notification from the Commissioner’s Office.

   iii. In the case of the second complaint, the relevant information was removed on 6 March 2024, again after the notification from the Commissioner’s Office.

   iv. The Controller uses an automatic inquiry processing system that processes incoming inquiries, analyzes their content and takes appropriate actions, sending automatic notifications of the actions taken. If the system is unable to recognize a request, it sends it to the processing center for manual processing.

Legal framework


6.1. According to article 4 of the GDPR:

“(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
(2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;”.

6.2. Article 5 of the GDPR sets out the principles according to which personal data shall be processed:

“1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”.


6.3. For a processing to be lawful, one of the following conditions set out in article 6 of the GDPR must be applied:

“(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”.


6.4. Paragraphs 2 and 3 of article 12, which is related to the obligations of a controller as regards to data subject requests under Articles 15 to 22, state the following:

“2. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.

3. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.”.

6.5. The right of a data subject to erasure (‘right to be forgotten’) is stipulated in Article 17 of the GDPR.

6.6. Article 24(1) of the GDPR is related to the responsibility of the controller to implement appropriate technical and organisational measures to safeguard the rights and freedoms of data subjects, in accordance with the GDPR:

“Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.”.

6.7. Further to the above, article 32(1) states the following:

“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: …”.


6.8. Article 31 of the GDPR refers to the obligation of a controller to cooperate with the Supervisory Authority, upon a relevant request:

“The controller and the processor and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks.”


6.9. Pursuant to Article 58(1) of the GDPR, the Commissioner has, amongst other, the investigative powers:

“(a) to order the controller and the processor, and, where applicable, the controller's or the processor's representative to provide any information it requires for the performance of its tasks;
(b) to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks;”.


6.10. Moreover, according to Article 58(2) the Commissioner has the following corrective powers:

“(a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;
(b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;
(c) to order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation;
(d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;
(e) to order the controller to communicate a personal data breach to the data subject;
(f) to impose a temporary or definitive limitation including a ban on processing;
(g) to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19;
(h) to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;
(i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;
(j) to order the suspension of data flows to a recipient in a third country or to an international organization.”


6.11. As regards to the administrative fines that may be imposed by the Commissioner, Article 83(2)-(6) states the following:

“(2) Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
(a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
(b) the intentional or negligent character of the infringement;
(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
(e) any relevant previous infringements by the controller or processor;
(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

3. If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.

4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
(a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;
(b) the obligations of the certification body pursuant to Articles 42 and 43;
(c) the obligations of the monitoring body pursuant to Article 41(4).

5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
(a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;
(b) the data subjects' rights pursuant to Articles 12 to 22;
(c) the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;
(d) any obligations pursuant to Member State law adopted under Chapter IX;
(e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).

6. Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.”.



Commissioner’s Views

7.1. The Controller’s website provides information about organizations/professionals/individuals providing services, along with clients’ reviews. The GDPR applies only to natural persons and does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons. However, information in relation to one-person companies may constitute personal data where it allows the identification of a natural person. The same applies to all personal data relating to natural persons in the course of a professional activity, such as the employees of a company/organization, business email addresses which reveal the individual’s name etc.

7.2. The complaints in question concern information published in the Controller’s website, referring to the complainants as individuals providing services. To that end, this information constitutes personal data and the GDPR applies. The collection and publication of the said information constitutes processing activities.


7.3. The Controller did not take actions within the one-month period specified by the GDPR as regards the complainants’ request made under article 17 of the GDPR, for erasure of the aforementioned information, in violation of the provisions of the Article 12(3). The complainants’ requests had been fulfilled by the Controller, only after the intervention of my Office.

7.4. It should be noted that the aforementioned complaints were not the first time my Office dealt with the Controller, since it had previously investigated a similar complaint against the Controller regarding an unsatisfied erasure request, lodged by an Italian citizen.


7.5. According to the information provided by the Controller as regards the investigation of all the above complaints, all emails sent to legal@nicelocal.com, privacy@nicelocal.com and content@nicelocal.com are collected in a single cluster for their primary processing by a special AI system that recognizes the type of request and passes it on to the correspondent specialist for further consideration. As it seems, the failure of the Controller to respond/fulfil the relevant requests, is a result of a system failure to properly recognize the requests and pass them to the relevant department.

7.6.1. Due to the repeated nature of the Controller’s failure to fulfill data subjects’ requests for erasure of their personal data, my Office proceeded with further investigation of the matter. To that end, it requested additional information as regards to the operation of the said system and the technical measures taken in this regard (paragraph 3.2 of letter dated 5/1/2024). Despite my Office’s repeated efforts, the Controller failed to provide a response in this regard. It should be noted that the relevant questions were deliberately ignored by the Controller, since in their latest response, the Controller addressed other matters, avoiding any reference to the above.


7.6.2. The information requested in paragraph 3.2. of the aforementioned letter is of utmost importance. The absence of clear and specific information, as regards the operation of the automated system used to recognise and forward the said requests to the relevant department to be handled, prevents proper evaluation of the risks involved. Systematic failures of the system in question, which consequently lead to mishandling of data subjects’ requests, may be considered as failure of the Controller to facilitate the exercise of data subject rights under Articles 15 to 22, in violation of article 12(2) GDPR. Moreover, possible lack of appropriate technical measures implemented by the Controller to safeguard data subject’s rights and freedoms, may constitute violation of article 24(1) and 32(1) GDPR.

7.6.3. In the Preliminary Decision, I ordered the controller to provide the information requested by my office in paragraphs 3.2. and 4.4. of the email dated 5/1/2024. Although a response was provided for paragraph 4.4., which referred to the legal basis of the processing, it was noted that the controller did not provide:
(a) detailed description of how this system operates,
(b) safeguards applied by the company to ensure that the system will properly handle all the requests,
(c) actions/measures taken by the company after our Office brought to its attention, through the first complaint, that the system does not work as it should,
(d) whether the company carried out a data processing impact assessment in accordance with article 35 of GDPR
as requested in paragraph 3.2. of the above email. The lack of response to these constitutes a violation of Article 31 GDPR.


7.7. As regards the legal basis for the collection and publication of personal data
of individuals in the websites, the controller considered that the processing is
lawful for the achievement of the legitimate interests pursued by them. To that end,
considering the following facts:

   i.   the personal data in question were originally made public on widely known
        public sources by the complainants themselves,
  ii.   the purpose of the processing of the data by the controller has not changed
        from the original purpose, i.e. the publication of the contact details of their
        businesses,
  iii.  there is no indication that the controller has used the data for any purposes
        other than the initial purpose and
  iv.   no harm can come to the data subjects from the further publication of their
        data since they were already published on a public source.


I find that the relevant processing is lawful and necessary for the purposes of the
legitimate interests pursued by the controller as per paragraph 1(f) of Article 6
GDPR. This is enhanced by considering the exception for allowing the processing
of special categories of personal data as it is stated in paragraph 2(e) Article 9
GDPR:

[the prohibition in] “Paragraph 1 shall not apply if one of the following applies: …

(e) processing relates to personal data which are manifestly made public by the
data subject…”

According to the GDPR special categories of data are to be held at a higher level
of protection, therefore the above exception can be proportionally applied on the
processing of non-special categories of personal data.

7.8. In addition to the above, the controller is still obligated to “take appropriate
measures to provide any information referred to in Articles 13 and 14 and any
communication under Articles 15 to 22 and 34 relating to processing to the data
subject in a concise, transparent, intelligible and easily accessible form, using
clear and plain language” as per Article 12 GDPR. Moreover, the privacy policy on
the controller’s website should also include the sources used to collect the
personal data in compliance with Article 14 GDPR and the transparency principle.


7.9. The failure of the Controller to respond to all the Commissioner’s questions and
provide sufficient and conclusive information as explained above in paragraphs
7.6.1, 7.6.2 and 7.6.3, is in violation of article 31 GDPR.

Conclusion


8. Having regard to all the above information, and based on the powers vested in
me by Articles 58 and 83 of Regulation (EU) 2016/679 and article 24(b) of National
Law 125(I)/2018, I conclude that there is an infringement of Articles 12(3) and
31 GDPR on behalf of Senira Limited for the reasons mentioned above.

9. Moreover, following an infringement of Article 12(3) and 31 GDPR, as explained
above, under the provisions of Article 83 of the GDPR, the following mitigating (1-3)
and aggravating (4-6) factors are taken into account:

(1) The complainants’ erasure requests were all satisfied eventually
(2) No harm has occurred to the data subjects from the further processing.
(3) The relevant processing does not involve sensitive data.
(4) The increasing number of complaints regarding the unsatisfied erasure
requests
(5) The lack of appropriate procedures and measures for handling data subject
rights.
(6) The lack of response to the Order issued on the Preliminary Decision



10. In view of the above, I have decided to issue to Senira Limited:
   a. a reprimand for the infringement of Article 12(3) GDPR and
   b. an administrative fine of €3,000 (three thousand euro) pursuant to
       Article 83 for the infringement of Article 31 on the basis of Article 58 (2)(i)
       GDPR.


11. In addition to the above I have decided to order Senira Limited to bring
processing operations into compliance on the basis of Article 58 (2)(d) GDPR,
specifically review the procedure for handling data subjects’ requests so that no data
subject requests are lost and inform the Commissioner’s Office of relevant action
within 2 months.






Irene Loizidou Nicolaidou
Commissioner
For Personal Data Protection






