Commissioner (Cyprus) - 11.17.001.010.172
Commissioner - 11.17.001.010.172 | |
---|---|
Authority: | Commissioner (Cyprus) |
Jurisdiction: | Cyprus |
Relevant Law: | Article 12(3) GDPR Article 56 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 23.10.2023 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 11.17.001.010.172 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | 11.17.001.010.172 (in EN) |
Initial Contributor: | sh |
The Cypriot DPA reprimanded the operator of a website for failing to comply with an access request in a timely manner under Article 12(3) GDPR.
English Summary
Facts
A complaint was lodged with the Maltese DPA against Brivio Limited (the controller) for a failure to respond to an access request under Article 15 GDPR.
The data subject was a registered user on the online casino “icecasino.com” and contacted the controller, who is the operator of the website via email. The data subject requested his information regarding all personal data concerning him, payments made and casino games that he had participated in on the website under Article 15 GDPR. Allegedly the controller never responded, which led to the submission of his complaint after the expiry of the one month period to reply under Article 12(3) and (4) of the GDPR.
The controller is registered in Cyprus. The complaint was therefore transferred to the Cypriot DPA under Article 56 GDPR with the Cypriot DPA acting as the Lead Supervisory Authority (LSA).
Holding
The Cypriot DPA found a violation of Article 12(3) GDPR due to the delayed response to the access request.
First, the DPA considered mitigating factors such as eventual compliance, corrective measures, and cooperation from the controller. The controller had failed to comply with the request because the the customer support team who received the request, failed to inform the data protection team. After the complaint was submitted the controller reached out to the data subject and fulfilled the request. The controller internally reviewed their internal procedure and a new technical flow was adopted in order to facilitate the cooperation between the customer support team and the data protection team. Extra training for staff had also been carried out. This was considered favouribly by the DPA.
The DPA considered that the request could have been satisfied from the first instance if the appropriate organisational and technical measures were in place and the staff was properly trained in dealing with GDPR requests in a timely manner. Moreover. the controller’s data protection team only became aware of the access request after being notified of the complaint by the Cypriot DPA.
Last, the DPA considered aggravating factors. This was not the controllers first offence and that there already existed a previous similar violation by the controller.
Nevertheless, the Cypriot DPA only issued a reprimand to Brivio Limited. The company was reminded of its obligations under Article 12(3) GDPR.
Comment
While the DPA does not mention it in their case file, this decision is part of an Article 60 decision under the GDPR.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.