Commissioner (Cyprus) - Decision of 27 November 2023

Authority: Commissioner (Cyprus)
Jurisdiction: Cyprus
Relevant Law: Article 5(2) GDPR; Article 32 GDPR; Article 83 GDPR
Type: Complaint
Outcome: Upheld
Started: 30.03.2023
Decided: 27.11.2023
Published: 24.01.2024
Fine: 45,000 EUR
Parties: Open University of Cyprus
National Case Number/Name: Decision of 27 November 2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: Office of the Commissioner for Personal Data Protection (in EL)
Initial Contributor: co

The Cypriot DPA imposed a fine in the amount of €45,000 on the Open University of Cyprus for failing to put in place appropriate security measures according to Article 32 GDPR.

English Summary

Facts

On 30 March 2023, the Open University of Cyprus, the controller, notified a personal data breach to the Cypriot DPA (Commissioner for Personal Data Protection, DPC) in accordance with Article 33 GDPR. In addition to this, 11 complaints were filed with the DPC by data subjects stating that their data had been leaked following the incident.

Accordingly, the DPC started investigating the case and established that the leaked data related to students, alumni and other partners of the controller, that it had been temporarily stored on the controller's servers, and that it was routinely processed by its employees.

In its submissions, the controller sent to the DPC a list of actions it intends to implement by 2026 in order to improve the security of its processing operations.

Holding

After further investigations, the DPC concluded that the controller had failed to implement appropriate technical and security measures, thereby violating Article 32 GDPR and the principle of accountability under Article 5(2) GDPR.

In light of Article 83 GDPR and taking all the above into account and also the fact that the controller is part of the wider public sector, the DPC considered it appropriate to impose a fine in the amount of €45,000 on the controller.

Comment

The full decision is not available online, only a press release.


English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Breach of Personal Data on the network of the Open University of Cyprus

On March 30, 2023, a Personal Data Breach Notification was submitted to my Office on behalf of the Open University of Cyprus (hereinafter the "University"). A group of "hackers" (hereinafter the "attacker") claimed via the social networking platform Twitter that they were responsible for the attack, and the University was given a deadline to pay a ransom for the return and non-disclosure of the files leaked in the attack. When the deadline for paying the ransom had passed, the stolen data was published by the attacker and made available on the dark web.

After a full investigation of the incident, it was found that the leaked data pertains to students, graduates and other data subjects (contractors of the University), and that the data was temporarily stored on an affected server and used by employees to process tasks.

In relation to the incident, 11 complaints were submitted to my Office by data subjects complaining that their personal data had been leaked as a result of the incident under review; these complaints were taken into account when examining the incident.

The University also sent me a list of actions it will take to strengthen the security of its systems. These actions will be implemented gradually, on the basis of a programme that has been drawn up, starting now and with completion scheduled for 2026, depending on the criticality, cost and prerequisites of each measure.

After a legal and technical examination of all of the above, a violation of the General Data Protection Regulation (EU) 2016/679 was found, in that the appropriate security measures had not been applied, together with a violation of the principle of "accountability".

Having considered all the facts of the case, the technical and organisational measures taken by the University prior to the attack and the mitigating factors cited by the University, as well as the fact that the University is part of the wider public sector, an administrative fine of forty-five thousand euros (€45,000) was imposed on the University.

The University was also ordered, within six months:

(a) to appoint a system security officer, even on a temporary or substitute basis, who will supervise the implementation of the measures that the University intends to take;

(b) to inform me of the progress made in implementing the measures that it has informed me it intends to take.