Commissioner (Cyprus) - 11.17.001.008.147
From GDPRhub
| Commissioner - 11.17.001.008.147 | |
|---|---|
 | |
| Authority: | Commissioner (Cyprus) |
| Jurisdiction: | Cyprus |
| Relevant Law: | Article 4 GDPR Article 28 GDPR Article 36(4) GDPR Article 13 of 125(Ι)/2018 Law |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 05.12.2023 |
| Published: | 25.01.2024 |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 11.17.001.008.147 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Greek |
| Original Source: | Office of the Commissioner for Personal Data Protection (in EL) |
| Initial Contributor: | Nikolaos. Konstantis |
The DPA held a violation of the Regulation and its Protection of Natural Persons Against Data Processing of a Personal Character and the Free Circulation of this Data Law of 2018, Law 125(I)/2018, by the Examinations Service of Directorate of Higher Education of the Ministry of Education, Sports and Youth in relation to Statistical Processing Methods of the scores of the candidates who took part in the 2019 Written Examinations for Registration and Ranking in the Appointment Tables.
English Summary
Facts
The Examinations Service of the Directorate of Higher Education of the Ministry of Education, Sports and Youth is the controller for the processing of personal data which is carried out in the context of the statistical processing of the results of the Examinations.In order to be registered in the list of appointments, it is necessary to record the qualifications of the candidates themselves and to submit certificates / proofs, so that they receive a relevant score. In order for a candidate to be included in the appointment list, success in the Examinations is required. In each specialty, a list of appointments is created, which includes successful Exams of various years. In specified periods, the appointment table of each specialty is renewed, by adding the successful candidates of the new Examinations and/or by differentiating the scoring of the qualifications and/or the score of each successful candidate. Comparability of Exam scores from different years is therefore required. Therefore, statistical processing is applied for the purposes of uniform ranking of candidates. The application of statistical processing methods aims to create an index that reflects the degree of difficulty of the 2019 Exam in relation to the degree of difficulty of the corresponding Exam of 2017. These methods include methods that require the processing of personal data. Apart from the existence of a relevant legal basis, since the statistical processing is provided for in the relevant Regulations, the DPA judged that the application of such methods does not come out, but instead is part of actions to achieve the intended purpose, namely the ranking of candidates in the appointment tables.
Holding
The DPA held that the Service assigned the application of the statistical processing to processors, without the execution of a relevant contract of assignment, as provided for in article 28(3) of the GDPR.Furthermore , the Service did not conduct a prior consultation with the DPA for Registration and Ranking in the Appointment Tables in violation of Article 36(4) of the Regulation and Article 13(1) of Law 125(I)/2018. Hence the DPA reprimanded the Service for these two violations.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
REPUBLIC OF CYPRUS OFFICE OF THE COMMISSIONER FOR PROTECTION OF PERSONAL DATA Kypranoros 15, 1061 NICOSIA / PO Box 23378, 1682 NICOSIA. Tel: 22818456, Fax: 22304565 E-mail: commissioner@dataprotection.gov.cy, Website: http://www.dataprotection.gov.cy No. Fac.: 11.17.001.008.147 DECISION Complaint regarding the Statistical Processing Methods of the scores of the candidates who took part in the 2019 Written Examinations for Registration and Ranking in the Appointment Tables Based on the duties and powers conferred on me by Article 57(1) (f) of Regulation (EU) 2016/679 on the protection of natural persons against the processing of personal data and on the free movement of such data (hereinafter the "Regulation"), I examined a complaint submitted to my Office regarding the processing of personal data during the application of statistical processing methods of the scores of the candidates who took part in the 2019 written exams for registration and ranking in the appointment tables. Based on the investigation, I found a violation of the Regulation and the Law on the Protection of Natural Persons Against the Processing of Personal Data and the Free Circulation of such Data of 2018, Law 125(I)/2018, by the Examinations Service (hereinafter the "Service") of the Directorate of Higher Education of the Ministry of Education, Sports and Youth (hereinafter the "Ministry"). A. Incident Positions of the complainant 2. In the complaint it is requested that the use, during the processing of the results of the written examinations for registration and classification in the appointment tables of the New Appointment System in Education (hereinafter the "Exams"), be investigated, of personal data which , form the index which reflects the degree of difficulty of the 2019 Exam in relation to the degree of difficulty of the corresponding Exam of 2017, i.e. the Exam which is the reference point. 2.1. Also, other elements are listed in the complaint, such as, for example, the statistical processing methods used when processing the results of the Examinations, comments on the scoring system, positions which, as stated, show the unreliability of the results, as well as the 2 position that the necessity of statistical processing of Examination scores should be reconsidered. Positions of the Examinations Service 3. On 1 September 2021, I sent a letter to the Service, asking, inter alia, questions about the role of the Service, the role of the Education Service Committee and the role of the Tripartite Supervisory Body, the legal basis of the processing, carrying out an impact assessment and due prior consultation with my Office. In addition, questions were raised regarding the existence of a processing outsourcing contract with the contracting company that undertook the statistical processing, the terms of the mandate, instructions and/or directions given to it, as well as questions related to the processing methods used. 3.1. I note that the above letter was communicated to the Education Service Committee, without however receiving any official response. 4. The Service, in a letter dated December 27, 2021, stated, among other things, the following: 4.1. the conduct of the Examinations is provided for in the Public Education Service Law of 1969, Law 10/1969, as amended. The application of statistical processing on the scores of the candidates appearing in the Examinations is provided for in the 2017 Regulations on Written Examinations for Registration and Ranking in the Appointment Tables and in the 2019 Amending Regulations on Written Examinations for Registration and Ranking in the Appointment Tables, which were issued pursuant to article 76 of Law 10/1969. Specifically, the application of statistical processing is foreseen based on the relevant amendments that occurred, in 2019, to Regulations 4 and 8 of the above Regulations of 2017, 4.2. my Office was not consulted, because the application of statistical processing, in the context of the Examinations, does not involve the handling of personal data. The data provided by the Service, for the implementation of statistical processing, are characterized by pseudo codes and no personal data is shared, 4.3. the Ministry carried out an "impact assessment" ("impact analysis questionnaire") both during the submission to the House of Representatives of the Draft Regulations for the 2017 Regulations, and during the submission of the Draft Regulations for the 2019 Amending Regulations. The " impact assessments' were attached with the said letter to my Office, 4.4. during the 2019 Examinations, the sponsoring company, namely CITO, used the following methods to apply statistical processing: 4.4.1. common persons method, 4.4.2. propensity score matching method, 4.4.3. method omens of common questions (pseudo anchor method), 4.4.4. Angoff weighting method (Angoff standard setting), and 4.4.5. 3DC weighting method (3DC standard setting). 3 No personal data was used for the implementation of the methods, only pseudocodes. The copy of the agreement with the contracting company is attached to the letter, 4.5. the role of the Service and the role of the Three-member Supervisory Body is defined in the 2017 and 2019 Regulations on Written Examinations for Registration and Ranking in the Appointment Tables. Also, according to these Regulations, the results of the respective Examinations are approved by the Minister of Education, of Sports and Youth, and the Three-member Supervisory Body. 5. Despite the fact that the letter of the Service, dated December 27, 2021, did not answer all the questions of my Office's letter, dated September 1, 2021, I considered it necessary to focus on the essence of the processing carried out, in order to properly ensure the legitimacy of it. Therefore, in my letter dated June 1, 2022, I requested that the Service enter into a processing outsourcing contract with the contracting company, as provided for in article 28 of the Regulation, and an impact assessment, as provided for in article 35 of the Regulation. 6. On August 30, 2022, I received a response from the Service, which stated the following: 6.1. given that the contracting company, which undertook the implementation of the statistical processing of the scores of the candidates who took part in the Examinations in the years 2019 and 2021, has already completed its work, on the basis of a relevant contract, it is not possible to prepare, retrospectively, "new processing contract with her". The sponsoring company is not going to undertake the implementation of the statistical processing of the scores of the candidates for the Examinations for the year 2023 or for future Examinations. In the future, the statistical processing of the scores of the candidates in the Examinations will be carried out by the Service, which has been trained by the sponsoring company on how to apply the processing, 6.2. an impact assessment has been carried out, as requested in my letter dated 1 June 2022. As mentioned, the said assessment constitutes a personal data impact assessment for the process, in general, of the weighting of the Examinations, which are conducted every two years, in accordance with the relevant Legislation and the 2017 and 2019 Regulations on Written Examinations for Registration and Ranking in the Appointment Tables. The impact assessment includes, among others, the following: 6.2.1. the processing concerns the use of candidates' personal data in the process of weighting the difficulty of the Exams, 6.2.2. the "Ministry of Education, Sports and Youth (Ministry of Education, Sports and Youth) through the Directorate of Higher Education, through the Examinations Service (HE) (Head of HE: XXX)" is defined as the controller. 6.2.3. those performing the processing are employees of the Service and/or other employees of the Ministry of Internal Affairs (processing team and processing execution team), 4 6.2.4. the weighting of the difficulty of the papers is a process that includes five statistical methods of a quantitative and qualitative nature, 6.2.5. the propensity score matching method uses information such as degree grade (good, very good and excellent), additional academic qualifications (e.g. MA, PhD) and teaching experience of candidates, 6.2.6 . the remaining four methods are published on the website of the Service (https://diorisimoi.moec.gov.cy/index.php/el/) and do not concern impact assessment as they do not use personal data, 6.2.7. data provided by the Education Service Commission. The transfer of the data will be done by usb and all the files will be locked with codes handled only by the above Committee and the Service. The data remain within Cyprus, for use / processing exclusively by the competent officers of the Service, and are kept exclusively in the systems of the Service, 6.2.8. the data will be stored, meeting all insurance requirements according to the Regulation. The data will then be pseudonymised with a double coding system developed by the Service's staff and delivered to its team of staff, who will carry out the processing. The aim of this process is that the team performing the statistical processing cannot link the data to the candidates, 6.2.9. in order to establish the necessity of carrying out the impact assessment, it was a criterion that the relevant data is processed on a large scale, since the processing will be done on the data of all the candidates who will participate in the Examinations. Also, the fact that the process includes data sets was a criterion which have been matched or combined, since the data is compared with the data of participants in previous examination periods to determine the difficulty of the papers of different examination periods. It is not a criterion that the process includes evaluation or grading, 6.2.10. for the legality of the processing it is valid that the data subject has consented to the processing of his personal data for one or more specific purposes, since the candidates during the submission of an application to participate in the Exams, they will be informed about the provision of their data by the Educational Service Committee and about the purpose of using this data and their consent will then be requested. It is also true that the processing is necessary for the fulfillment of a task carried out in the public interest or in the exercise of a public authority delegated to the controller, since the processing is part of a wider process of weighting the difficulty of the documents and contributes to the optimization of the process according to the existing literature, 6.2.11. reference is made to the technical and organizational security measures, such as for example the way the data is transferred by the Education Service Committee, the coding with a double coding process, the data storage process which will be carried out after the weighting of the documents, the keeping of backup copies and the physical access control, 5 6.2.12. the following risks have been identified: 6.2.12.1. the incomplete information of the data subjects regarding the processing of personal data involved in the conduct of this procedure (low risk), 6.2.12.2. the transmission of personal data (within and outside Europe) without the necessary security measures (low risk), 6.2.12.3. unauthorized access to personal data (low risk), 6.2.12.4. the identification of data with data subjects (low risk), 6.12.2.5. the disappearance of personal data (low risk); 7. On the special website of the Ministry, which concerns the Examinations and which refers to the impact assessment carried out by the Service, there is the document "Methods of Statistical Processing of the scores of the candidates who took part in the 2019 Written Examinations for Registration and Ranking in the Appointment Tables ». The statistical processing methods applied are recorded in this document. As mentioned, it was not practically possible to utilize all weighting methods for all specialties due to practical difficulties. However, every effort was made to combine as many methods as possible for each specialty, to have multiple sources of information and to minimize error through triangulation of results. The methods recorded in this document are: 7.1. "common persons method" method in which for each candidate who participated in the Examinations in 2017 and in the Examinations in 2019, the difference of his score was calculated separately, 7.2. propensity score matching method, in which the performance of candidates with the same profile is compared in the 2017 Exams and in the 2019 Exams. Additional information was used to create the profiles, such as gender, degree grade (good, very good and excellent), additional academic qualifications (e.g. MA, PhD), teaching experience, etc., 7.3. method of quasi-common questions (pseudo anchor method), in which any difference in the degree of difficulty of the essays of the 2017 Exams and the 2019 Exams can be attributed, mainly, to the difference in the overall degree of difficulty of the questions, which have not characterized as common (i.e. questions of the Exams in the years 2017 and 2019 which have similar characteristics, such as for example examining the same content, receiving the same number of credits, having approximately the same degree of difficulty, having the same way of presentation etc.), 7.4. Angoff weighting method (Angoff standard setting), in which the panel of experts estimates the expected score of "inexperienced" candidates on each of the questions of an examination paper and it is assumed that the differences in the expected performance of an "inexperienced" candidate in the two examination periods can attributed to the different degree of difficulty of each exam, 7.5. 3DC weighting method (3DC standard setting), in which experts estimate the expected performance of "infinite" candidates on groups of questions. 6 8. On April 5, 2023, I sent the Service a prima facie Decision, after finding that there is a prima facie violation of: (a) Article 24(1) of the Regulation, since as the data controller he did not prove that the processing was carried out in accordance with Regulation, (b) of article 28(1) of the Regulation, since no processor was used, which provides sufficient assurances for the application of appropriate technical and organizational measures, and (c) of article 36(4) of the Regulation and of article 13(1) of Law 125(I)/2018, since no prior consultation was carried out with my Office, before the adoption of the Regulations which include provisions for statistical processing. 8.1. Also, before taking a Decision on the possible imposition of an administrative fine, the Service was invited to submit within four weeks, from the taking of the prima facie Decision, the reasons and circumstances that should be taken into account in the context and for the purposes imposing an administrative sanction, pursuant to Article 58(2) of the Regulation and Article 32(1) and (3) of Law 125(I)/2018. 9. In the context of the right to a hearing provided for the reasons and circumstances that should be taken into account for the purposes of imposing an administrative sanction, pursuant to article 58(2) of the Regulation and article 32(1) and (3) of the Law 125(I)/2018, and after the Service requested that the right to be heard be satisfied orally, the Service submitted the following positions on September 28, 2023: 9.1. the Service acknowledges the fact that there has been processing of the candidates' personal data. However, at the material time, it considered that there was no transfer of personal data, because pseudo-codes were used, 9.2. due to the above position of the Service, no prior consultation was carried out with my Office. Furthermore, due to the tight timetables that had to be met for the conduct of the Examinations, it would not have been feasible to have a prior consultation with my Office, 9.3. despite the fact that no personal data assignment contract was signed with the contracting company, provisions for data protection are included in the initial agreement - contract of the Service with the contracting company. I note that during the oral hearing, the Service submitted to my Office, the special terms of the agreement, as well as an extract from Part A "Instructions to Economic Operators", as well as Annex I "General Conditions of Contract" of the agreement with the contractor company. 9.3.1. In section 10.6. Handling of Data, of Part A' Instructions to Economic Operators, of the agreement with the contracting company, the following text is mentioned: "1. All data given to the Contractor should be handled with all due diligence, specifically regarding confidentiality. The data will be consisted (amongst others) with the personal 7 data of the examinees and thus all steps should be taken by the Contractor in order to protect them and adhere to all relevant clauses of the REGULATION (EU) 2016/679 of the European Parliament and of the Council as of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)." 9.3.2. In article 7 - Compliance Obligations and Legal Liability, of the section Obligations of the contractor, of Appendix I "General Conditions of Contract" of the agreement with the contracting company, the following text is included: "2. In the case of Contracts relating to matters relevant to the processing of personal data, the Contractor warrants that it will respect and comply with all applicable laws and regulations on the protection of individuals with regard to the processing of personal data and that it will assume responsibility and will be able to prove compliance to such laws and regulations. In addition, it will ensure that its personnel and any subcontractors of affiliates and persons under its control will also respect and comply with these laws and regulations. (Relevant is EU Regulation 2016/679 of 27 April 2016 of the European Parliament and of the Council)." 9.4. regarding the Examinations which will be conducted in the month of November of this year, the foreseen statistical processing will be assigned again to the contracting company. Also, the Service referred to the expertise of the contracting company and assured that it will comply with all its obligations as a data controller, provided by the Regulation and Law 125(I)/2018. B. Legal Framework 10. According to Article 4 of the Regulation, personal data is interpreted as "any information concerning an identified or identifiable natural person ("data subject"); an identifiable natural person is one whose identity can be ascertained, directly or indirectly, in particular by reference to an identifier such as a name, an identity number, location data, an online identifier or one or more factors that characterize the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person person". Pursuant to the same article, processing is defined as "any act or series of acts carried out with or without the use of automated means, on personal data or sets of personal data, such as the collection, registration, organization, structuring , the storage, adaptation or alteration, retrieval, retrieval of information, use, disclosure by transmission, dissemination or any other form of disposal, association or combination, restriction, deletion or destruction”. In the same article, the controller is defined as "the natural or legal person, public authority, agency or other entity that, alone or jointly with others, determines the purposes and manner of personal data processing; when the purposes and manner of such processing are determined by Union law or the law of a Member State, the controller or the specific criteria for his appointment may be provided for by Union law or the law of a Member State". 8 Also, the processor in the same article is defined as "the natural or legal person, public authority, agency or other body that processes personal data on behalf of the data controller". 11. Regarding the delegation of processing of personal data to processors, article 28 of the Regulation provides, among other things, that: "1. Where the processing is to be carried out on behalf of a controller, the controller shall only use processors who provide sufficient assurances for the implementation of appropriate technical and organizational measures, in such a way that the processing meets the requirements of this Regulation and ensures the protection of the rights of the data subject. 2. The processor does not hire another processor without the prior specific or general written permission of the controller. In the case of general written consent, the processor informs the controller of any intended changes concerning the addition or replacement of other processors, thus providing the controller with the possibility to object to these changes. 3. The processing by the processor is governed by a contract or other legal act governed by Union or Member State law, which binds the processor in relation to the controller and determines the object and duration of the processing, the nature and the purpose of the processing, the type of personal data and the categories of data subjects and the obligations and rights of the controller. The contract or other legal act in question provides in particular that the processor: a) processes the personal data only on the basis of recorded instructions of the controller, including with regard to the transfer of personal data to a third country or international organization, unless obliged to to this end on the basis of Union law or the law of the Member State to which the processor is subject; in this case, the processor shall inform the controller of such legal requirement prior to processing, unless such law prohibits this type of information for serious reasons of public interest, b) ensures that the persons authorized to process the personal data have undertaken an obligation of confidentiality or are subject to the appropriate regulatory obligation of confidentiality, c) takes all the necessary measures pursuant to article 32, d) observes the conditions referred to in paragraphs 2 and 4 for the employment of another processor, e) takes into account the nature of the processing and assists the controller with the appropriate technical and organizational measures, to the extent that this it is possible, for the fulfillment of the controller's obligation to 9 respond to requests to exercise the data subject's rights provided for in chapter III, f) assist the controller in ensuring compliance with the obligations arising from articles 32 to 36 , taking into account the nature of the processing and the information available to the processor, g) at the option of the controller, delete or return all personal data to the controller after the end of the provision of processing services and delete existing copies, unless the law of the Union or the Member State requires the storage of personal data, h) makes available to the data controller any necessary information to demonstrate compliance with the obligations established in this article and allows and facilitates controls, including inspections, carried out by the controller or by another controller commissioned by the controller. With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, any order infringes this Regulation or other Union or national data protection provisions.' 12. Pursuant to Article 36(4) of the Regulation, it is provided that: "36(4) Member States request the opinion of the supervisory authority when preparing proposals for legislative measures to be adopted by national parliaments or regulatory measures based on such legislative measures, which concern the processing." 13. Additionally, article 13 of Law 125(I)/2018, mandates that: "13.-(1) Before the enactment of a law or Regulations issued pursuant to a law, which provide for a specific act or series of processing acts, it is required that impact assessment and prior consultation with the Commissioner.' 14. Pursuant to Article 58(2) of the Regulation, the Personal Data Protection Commissioner has the following corrective powers: "a) to issue warnings to the data controller or processor that intended processing operations are likely to violate the provisions of this Regulation . of his rights in accordance with this regulation, d) to instruct the data controller or the processor to make the processing operations comply with the provisions of this regulation, if necessary, in a specific way and within a certain period, 10 e) to give order the controller to notify the personal data breach to the data subject, f) to impose a temporary or definitive restriction, including the prohibition of processing, g) to order the correction or deletion of personal data or the restriction of processing pursuant to articles 16 . articles 42 and 43 or to order the certification body not to issue certification if the certification requirements are not met or are no longer met, i) to impose an administrative fine under article 83, in addition to or instead of the measures referred to in this paragraph, depending on the circumstances of each individual case, j) to give an order to suspend the flow of data to a recipient in a third country or an international organization." 15. Article 83 of the Regulation, regarding the general conditions for imposing administrative fines, provides that: "1. Each supervisory authority shall ensure that the imposition of administrative fines in accordance with this article against violations of this regulation referred to in paragraphs 4, 5 and 6 is effective, proportionate and dissuasive in each individual case. 2. Administrative fines, depending on the circumstances of each individual case, are imposed in addition to or instead of the measures referred to in Article 58 paragraph 2 points a) to h) and Article 58 paragraph 2 point j). When deciding on the imposition of an administrative fine, as well as on the amount of the administrative fine for each individual case, the following shall be duly taken into account: a) the nature, gravity and duration of the infringement, taking into account the nature, extent or purpose of the relevant processing, as well as the number of data subjects affected by the breach and the degree of damage they suffered, b) the fraud or negligence that caused the breach, c) any actions taken by the controller or the processor to mitigate the damage suffered by the data subjects, d) the degree of responsibility of the controller or the processor, taking into account the technical and organizational measures they apply pursuant to articles 25 and 32, e) any relevant previous violations of the controller or processor, f) the degree of cooperation with the control authority to remedy the violation and limit its possible adverse effects, g) the categories of personal data affected by the violation, 11 h) the the manner in which the supervisory authority was informed of the breach, in particular whether and to what extent the data controller or processor notified the breach, i) in the event that the measures referred to in Article 58 paragraph 2 were previously ordered to be taken against the data controller involved processing or of the processor in relation to the same object, compliance with said measures, j) compliance with approved codes of conduct in accordance with Article 40 or approved certification mechanisms in accordance with Article 42 and k) any other aggravating or mitigating factor arising from the circumstances of the particular case, such as the financial benefits obtained or losses avoided, directly or indirectly, from the infringement. 3. In the event that the controller or processor, for the same or related processing operations, violates several provisions of this regulation, the total amount of the administrative fine does not exceed the amount set for the most serious violation." 16. Regarding the imposition of an administrative fine, article 32 of Law 125(I)/2018 provides that: "(1) In compliance with the provisions of article 83 of the Regulation, the Commissioner shall impose an administrative fine. (…) (3) An administrative fine imposed on a public authority or public body and related to activities of a non-profit nature may not exceed two hundred thousand euros (€200,000). 17. In the Public Education Service Law of 1969, Law 10/1969, as amended, regarding the Examinations Service, the following are mentioned: "2. In this Law, unless otherwise provided in the text, "Commission" means the Education Service Commission; (...) 23. For the purposes of this Part, unless otherwise provided in the text, "Commission Ex tension" has the meaning attributed to this term in article 2 of the 2006 and 2007 Laws on the Conduct of All-Cypriot Examinations." 18. Regarding the compilation of the list of appointments, i.e. the compilation of the list for which the Examinations are conducted, article 28BB of Law 10/1969 provides, among other things, that: "28BB.-(1) The lists of appointments are drawn up by registration to those of the candidates, in order of priority and based on the following criteria- 12 (a) Success in a written examination and its grading, as provided for in paragraph (a) of subsection (3), (b) the grade of the first degree and its limitation, as provided for in paragraph (b) of subsection (3), (c) the possession and degree of additional academic qualifications which are relevant to the training or specialty of the candidate or the duties of the position and their limitation, as provided for in paragraph (c) of subsection (3), (d) the educational experience of the candidate and its classification, as provided for in paragraph (d) of subsection (3), (e) the date and year of submission of the first degree is submitted together with the candidate's application and his qualification, as provided for in paragraph (e) of subsection (3), (f) the service in the National Guard or the armed forces of a member state and its limitation, as provided for in paragraph (f) of subsection (3). (…) (3) The scoring in each of the criteria provided for in subsection (1) based on the weight of each one as provided for in subsection (2) is calculated as follows: (…) (vi) a candidate who is registered in a list of appointees , if he wishes to be registered on the appointment list, he must submit an expression of interest and also submit an application together with the relevant fee for participation in a written examination: Provided that, the Commission posts on its official website the relevant expression of interest form and the form submitting an application for participation in a written examination; (…) (ix) the Examination Service is responsible for preparing the examination essays, conducting the examinations, extracting the results and forwarding them to the Committee; (…) (5) The Committee accepts applications or expressions of interest, as the case may be, for registration in the appointment list, from the date of entry into force of the Public Education Service (Amendment) (No. 2) Law of 2015." 19. According to the Law of 2006 on the Conduct of Pan-Cypriot Examinations, Law 22(I)/2006, as amended, Examination Service means "the department of the Ministry of Education and Culture which is responsible for the conduct of Pan-Cypriot Examinations" . 13 20. The 2017 Regulations on Written Examinations for Registration and Ranking in Appointment Tables, as amended, provide in the first and third proviso respectively of Regulation 4 that: of a statistically processed score of at least 50% in each of the three (3) examination subjects during the same examination period:", and that: "It is further understood that, in the above branches/specialties, for registration and ranking of candidates in appointment lists it is required to secure a statistically processed score of at least 50% in each of the individual academic subjects." 20.1. Also, Regulation 8 provides that: "For the purposes of uniform ranking of candidates participating in the written examinations in different examination periods, statistical processing is applied." C. Rationale 21. I must point out that the investigation I am carrying out concerns exclusively personal data protection issues. Therefore, based on the duties with which I am charged, I cannot investigate issues concerning, among other things, the reliability or otherwise of the results, the appropriateness of the statistical processing methods that were applied, the correctness of the scoring system as well as whether the necessity of statistical processing must be considered. 22. Taking into account that, by virtue of Law 10/1969, the Service is responsible for "the preparation of the examination papers, the conduct of the examinations, the extraction of the results and their transmission to the Commission", I consider that the Service is the data controller for the processing of personal data which is carried out in the context of statistical processing of the results of the Examinations. 22.1. The fact that the agreement with the contracting company was made between the latter and the Ministry does not affect the above conclusion. 23. On the website of the Education Service Committee (EYS), which concerns the application for registration on a list, i.e. the list of appointees and/or the list of appointees, it is stated that: "Along with the application, you MUST present all the necessary certificates/ supporting documents as indicated in the instructions of the form. You must present both the originals and the copies so that the relevant certification of the copies can be done by an employee of the EIF upon receipt of the EIF01X application, at the EIF Office." 14 23.1. On this website, the necessary certificates / evidence, which must be accompanied by the application, are listed. In particular, the following are mentioned: birth certificate, political identity card or passport, high school diploma, degree/s, proof of studies, photocopy of the Study Guide of the educational institution where the applicant attended, full certificate of enlistment status type "A" , certificate of clean criminal record, certificate of educational experience and certificate of technical experience (for technology instructors and teachers only). In addition to these, which are explained in detail on the relevant website, a recent original medical certificate must be presented for applications for registration in the special lists for people with disabilities. 24. Based on the above, it follows that applicants must record their qualifications and relevant information, such as degree level, possession or not of additional academic qualifications (postgraduate degrees, including doctorate degrees) and their teaching experience. They must also present the relevant certificates/evidence to the Educational Service Committee themselves. By submitting the specific certificates / proofs, the applicants receive, as expected, a relevant score. It is, therefore, self-evident that the fulfillment of the above obligations is a necessary condition for registration in the list of appointments and receiving the relevant points. 25. The sole purpose of conducting the Examinations is to draw up the list of appointments. In order for a candidate to be included in the appointment list, success in the Examinations is required. In each specialty, a list of appointments is created, which includes successful Exams of various years. At specified periods, the list of appointments of each specialty is renewed, with the addition of the successful candidates of the new Examinations and/or with the differentiation of the scoring of the qualifications and/or the score of each successful candidate. Comparability of Exam scores from different years is therefore required. Therefore, as stated in Regulation 8 of the 2017 Regulations on Written Examinations for Registration and Ranking in the Appointment Tables, as amended, statistical processing is applied for the purposes of uniform ranking of candidates. 26. The statistical processing methods, which were applied, include methods that require the processing of personal data. Apart from the existence of a relevant legal basis since the statistical processing is provided for in the relevant Regulations, I consider that the application of such methods does not arise, but instead is part of actions to achieve the intended purpose, namely the ranking of candidates in the appointment lists. After all, the submission of the certificates/evidence was carried out by the candidates themselves, for their registration in the list of appointments of the relevant specialty or for their grading. Therefore, I consider that the application of the relevant statistical methods, which include the processing of personal data, specifically include the processing of data that the candidates themselves supplied to the Education Service Committee and/or data that resulted from the Examination process. 27. However, I have to point out that the processing of personal data does not only require the trend score matching method, as mentioned in the impact assessment carried out by the Service. Processing of personal data 15 is also carried out in other methods that were applied. By studying the document "Methods of Statistical Processing of the scores of the candidates who took part in the Written Examinations in 2019 for Registration and Ranking in the Appointment Tables", it appears that in the "common candidates" method (common persons method), for each candidate, the overall score received in the Exams in 2017 and 2019 is processed, while in the quasi-common questions method (pseudo anchor method), the scores received in specific questions in the 2017 and 2019 Exams. 27.1. However, the above conclusion, i.e. the processing of personal data beyond the propensity score matching method, does not affect the framework of legality of the application of the relevant statistical methods. 28. As provided in article 28 of the Regulation, the data controller "uses only processors who provide sufficient assurances for the implementation of appropriate technical and organizational measures, in such a way that the processing meets the requirements of this regulation and ensures the protection of rights of the data subject". The delegated processing is governed by a contract or other legal act and determines "the object and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects and the obligations and rights of the controller processing". Article 28(3) of the Regulation mentions all the elements that are required to be included in the contract in question. It is further provided that this contract must precede the communication of the data by the controller to the processor and/or any processing of such data by the processor. 29. In this case, the Service assigned to the company CITO, the application of the statistical processing of the scores of the candidates who took part in the Examinations in the years 2019 and 2021. Therefore, the contracting company CITO is the processor for the processing in question data. 30. Pseudonymization, or as the Service mentioned, the use of pseudo codes, is a security measure for personal data, and does not change the nature of such data into non-personal data. That is, personal data that has been pseudonymized continues to be classified as personal data. 31. It follows, therefore, that the communication of the data to the contracting company constitutes an act of processing and, therefore, the position of the Service that personal data is not shared is not valid since the information, which is given by it, is characterized by pseudo codes, as formulated in a letter dated December 27, 2021. I remind you that the Service, when exercising the right to be heard, on September 28, 2023, reversed the above position and acknowledged the fact that there was processing of the candidates' personal data. 32. Studying the copy of the agreement, which was carried out between the Ministry and the contracting company, which was submitted to my Office with the letter of the Service dated December 27, 2021, it appears that this agreement does not constitute a processing outsourcing contract, as provided for in article 28(3) 16 of the Regulation. Therefore, the reason why the Service, in the letter dated August 29, 2022, stated that it is not possible to prepare, retroactively, a "new processing outsourcing agreement" with the contracting company. 33. Despite the fact that no contract of assignment was signed with the contracting company, as finally the admission of the Service, I recognize the fact that in the initial agreement - contract of the Service with the contracting company, provisions for data protection were included, as they are presented in paragraph 9.3.1. herein, and which were submitted to my Office in the context of the exercise of the right to be heard. 34. The non-existence of a signed contract of assignment between the Service and the contracting company, as provided for in article 28(3) of the Regulation, shows that the Service, as the controller, cannot prove that the processor, i.e. the contracting company, provided sufficient assurances for the implementation of appropriate technical and organizational measures, in such a way that the processing meets the requirements of the Regulation and ensures the protection of the rights of the data subjects, as provided for in article 28(1) of the Regulation. 35. Additionally, the non-existence of an assignment contract, as provided for in article 28(3) of the Regulation, shows that the Service cannot prove that the processing was carried out in accordance with the Regulation, as provided for in article 24(1) of the Regulation. 36. As follows from article 36(4) of the Regulation, there is the obligation of prior consultation with the Personal Data Protection Commissioner, when preparing proposals for legislative measures or regulatory measures based on such legislative measures, which concern processing. The same obligation is imposed by article 13(1) of Law 125(I)/2018. The consultation must take place in order to ensure that the planned processing is compliant with the Regulation and, in particular, to mitigate the risks to the data subjects. 37. Therefore, taking into account that the 2017 Regulations on Written Examinations for Registration and Ranking in the Appointment Tables, as amended, provide for statistical processing for the purposes of uniform classification of candidates, which requires the processing of personal data, the Service was obliged to carry out in prior consultation with my Office, before including the relevant provision. 38. It cannot be considered that the previous consultation is related in any way to the impact assessments ("impact analysis questionnaire") carried out by the Ministry both when submitting to the House of Representatives the Draft Regulations for the 2017 Regulations, and the filing of the Draft Regulations for the Amending Regulations of 2019. 39. As analyzed in paragraph 30 hereof, the use of pseudo codes does not change the nature of the data. Therefore, I do not accept the Service's position that my Office was not consulted due to the fact that the application of statistical processing does not involve the processing of personal data. I remind you that this position was mentioned in a letter from the Service, dated December 27, 2021, 17 while, in the context of the exercise of the right to be heard, on September 28, 2023, the Service acknowledged the processing of personal data that was carried out. 40. I also do not accept the Service's position that prior consultation with my Office would not have been feasible because of the tight timescales that had to be met. I consider that there was sufficient time for consultation, since the relevant amendments to Regulations 4 and 8 of the 2017 Written Examinations for Registration and Ranking in the Boards of Appointment Regulations were published in the Government Gazette on 30 July 2019, i.e. at least three months before the Examinations were held , the grading of the answers and the communication of the data to the sponsoring company. 41. Regarding the impact assessment that the Service carried out, following my instructions, and sent to my Office on August 30, 2022, I consider it appropriate to mention the following: 41.1. the assessment does not assess whether there is an impact based on the use of statistical methods, but is mainly devoted to the reception, implementation of technical measures and the maintenance of data by the Service, 41.2. the role of controller is held by the Service and not, as mentioned, the "Ministry of Education, Sports and Youth (YPAN) through the Directorate of Higher Education, through the Examinations Service (HE) (Head of HE: XXX)", 41.3. the statement that the role of processing is held by the Service's officials and/or other officials of the Ministry is not valid. The employees of the Service are part of the controller and, in any case, perform processing under his supervision, 41.4. as analyzed in paragraph 27 hereof, processing of personal data exists not only with the application of the data trend matching method, but also in other methods used, 41.5. bearing in mind that the statistical processing is provided for in the 2017 Regulations on Written Examinations for Registration and Ranking in the Appointment Tables, as amended, the legal obligation of the Service must be considered as the legal basis, i.e. article 6(1)(c) of the Regulation , and not, as mentioned, the fulfillment of a duty performed in the public interest or in the exercise of a public authority delegated to the controller, i.e. Article 6(1)(e) of the Regulation. For the same reason, the consent of the candidates, i.e. Article 6(1)(a) of the Regulation, should not be considered as a legal basis. However, I point out that candidates should be fully and transparently informed about the processing of their data. D. Conclusion 42. Taking into account all the above elements, as they have been set, and based on the powers granted to me by virtue of articles 33(5) and 57(1)(f) of Regulation 18, I find that there is a violation by the Examination Service of the Higher Directorate of Education of the Ministry of Education, Sports and Youth: (a) of article 24(1) of the Regulation, since as a data controller he did not prove that the processing was carried out in accordance with the Regulation, (b) of article 28(1) of the Regulation, since he did not was used by the processor, who provides sufficient assurances for the application of appropriate technical and organizational measures, and (c) Article 36(4) of the Regulation and Article 13(1) of Law 125(I)/2018, since no a prior consultation was carried out with my Office, prior to the adoption of the Regulations which include provisions for statistical processing. 43. Based on the provisions of article 83 of the Regulation, regarding the conditions for imposing administrative fines, insofar as they are applied in this particular case, when measuring the administrative fine, I took into account the following mitigating factors (a) - (c) and aggravating ( d) factor: (a) the taking of technical measures, specifically the pseudonymization, which the Service carried out before sending the personal data of the candidates to the contracting company, (b) the absence of fraud on the part of the Service, (c) the categories of data that were processed, which do not include special categories of data, (d) the fact that the detection of the violations in question arose after a complaint was submitted to my Office, and not after a relevant communication and/or information from the Service . 44. After taking into account and taking into account: (a) the current legislative basis regarding the administrative sanctions provided for in the provisions of article 58(2) and article 83 of the Regulation, (b) all the circumstances and factors that the complainant and Service placed before me based on all existing correspondence, (c) the above mitigating and aggravating factors, I consider that, under the circumstances, the imposition of an administrative fine is not justified. 45. Nevertheless, having regard to the aforementioned facts, the legal aspect on which this Decision is based and the analysis as explained above, and exercising the powers granted to me by Article 58(2)(b) of the Regulation, I have decided against my judgment and in compliance with the above provisions, to direct the Examination Service of the Directorate of Higher Education of the Ministry of Education, Sports and Youth a reprimand for the violation of articles 28(1) and 24(1) of Regulation (EU) 2016/679, and 19 Reprimand for the violation of Article 36(4) of Regulation (EU) 2016/679 and Article 13(1) of Law 125(I)/2018. Irini Loizidou Nikolaidou Commissioner for Personal Data Protection
