Commissioner (Cyprus) -

From GDPRhub
Commissioner -
Authority: Commissioner (Cyprus)
Jurisdiction: Cyprus
Relevant Law: Article 4(2) GDPR
Article 5(1)(a) GDPR
Type: Complaint
Outcome: Upheld
Started: 28.04.2021
Decided: 21.12.2023
Fine: 1,500 EUR
Parties: n/a
National Case Number/Name:
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: Office of the Commissioner for Personal Data Protection (in EL)
Initial Contributor: im

The DPA fined a doctor €1,500 for unauthorized access to a data subject’s medical records and for failing to explain her legal basis.

English Summary


The data subject filed a complaint with the DPA for an unauthorized access to her personal data through a General Health System (‘GHS’) portal. The data subject provided a screenshot of a notification showing that on 9 March 2021 a doctor specialised in endocrinology, the controller, accessed their medical records without any referral in force. The notification stated that the data subject provided consent for the access to her records. ´However, the doctor never examined the data subject.

The doctor ('controller') replied to the complaint claiming that they did not visit the GHS portal concerning the data subject. As she did not know the data subject, she stated that it was impossible for her to know their personal data such as name, date of birth and ID number needed to access their records. She indicated a possible mistake in entering details in the portal while trying to locate another patient, however, no processing of the patient’s data took place. Further, she stated that there was no malicious intent on her part and she was continued being guided by medical confidentiality.


The DPA took into the consideration the important element that both data subject and the controller did not know each other and that the controller never examined the data subject.

The DPA specified that the possession of the data as well as the access to the patient’s file constitute acts of processing under Article 4(2) GDPR. For that reason, the controller had to prove how the data subject’s personal data such as name, date of birth and ID number came into her possession and demonstrate the legal basis for its processing. The controller indicated the possibility of an error. However, the DPA considers this argument extremely unlikely, if not impossible.

Taking into account all of the above, the DPA decided that the controller failed to process the data lawfully, fairly and in a transparent manner in accordance with Article 5(1)(a) GDPR. The DPA imposed an administrative fine of €1,500.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.