Commissioner (Cyprus) - Α/Π 68/2017

From GDPRhub
Commissioner - Α/Π 68/2017
Authority: Commissioner (Cyprus)
Jurisdiction: Cyprus
Relevant Law: Article 32(1)(d) GDPR
Article 32(1)(b) GDPR
Article 32(4) GDPR
Article 58(2)(i) GDPR
Article 58(2)(a) GDPR
Article 58(2)(b) GDPR
Article 58(2)(e) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 30.09.2020
Published: 22.10.2020
Fine: 6000 EUR
Parties: Cyprus Police
CYTA Telecommunications Company
Social Insurance Services of Cyprus (Ministry of Labour, Welfare and Social Insurance)
National Case Number/Name: Α/Π 68/2017
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: Office of the Commissioner for Personal Data Protection (in EL)
Initial Contributor: Zarogianni Fotini

The Cyprus DPA (Commissioner) fined the Cyprus Police €6000 for violating Article 32 GDPR for disclosing personal data to unauthorised persons.

English Summary


A series of media publications (printed and online press) mentioned the telecommunications company CYTA, the Social Insurance Services of the Ministry of the Ministry of Labour, Welfare and Social Insurance of Cyprus, and the Cyprus Police as data processors (due to their role regarding the mechanised system of the Social Insurance Services) involved in a scandal of leakage and/or violation of personal data of natural persons via this database, leading to the initiation of an investigation by the Office of the Commissioner for Personal Data Protection of Cyprus. The publications suggested that a member of the Police proceeded with searching for, printing and forwarding to a non-authorised recipient/third party of documents from the database.

The Commissioner brought the publications to the Police's knowledge and requested a detailed statement on its behalf regarding the alleged violations. In its statement, the Cyprus Police acknowledged that one of its members, whose professional duties included his ability to have access to the Mechanised Database on vehicle owners, acting beyond the orders of the Police, proceeded with specific searches (within the database), located and printed documents (from the database), and then passed them on to a third party (a retired Police Officer).



The Commissioner held that the existing supervising mechanisms of the Police were not operating properly at that time or at least they did not operate as efficiently as they should and, thus, were considered insufficient. The organisational and technical measures that the Police had taken were not effective and they proved themselves insufficient and unable to prevent the non-authorised forwarding of personal data to third-parties. The undertaking of further organisational measures and the frequent undertaking of internal controls of the tracking archives/history was deemed necessary. Thus, the Commissioner concluded that Cyprus Police was responsible for a violation of Article 32 par.1(b) & (d) and par.(4) GDPR, as a result of the acts and/or omissions of the Police, whose member proceeded with a non-authorised forwarding of personal data found within the Police's database of vehicle owners to a third party, thus exceeding their authority and the orders of the Police. The Commissioner then provided a specific time frame for the submitting of all the reasons for which no sanction of the GDPR Article 58 par.2(a), (b), (e) & (i) should be imposed on Cyprus Police. Eventually, the Commissioner decided to impose the proportional and logical administrative fine of € 6000. In order to reach this conclusion, the Commissioner took into account as positive actions of the Cyprus Police the following ones:

- The Police took a number of corrective measures in order to deal with the event and for avoiding similar events in the future.

- The Police proceeded with the informing of the natural persons whose personal data were involved in the incident.

- The Police proceeded with corrective measures regarding its member who perpetrated the already mentioned actions (suspension etc.).

- The Police proceeded with training of new members of its force regarding issues of security and confidentiality and with more intensive supervisory control over the database.

Additionally, to conclude to the imposed the fine, the Commissioner took not of the following events as aggravating circumstances: the fact that the Police initiated the process of investigating the incident only after the publication of said articles in the press.

Lastly, it should be underlined that with the issuance of this Decision, the process of the ex-officio investigation of the Commissioner regarding the leakage of personal data by CYTA (Decision 2017 administrative fine € 10000) and Social Security Services (Decision 2019 administrative fine € 9000) was completed.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.