Commissioner (Cyprus) - 11.17.001.010.064: Difference between revisions

From GDPRhub
No edit summary
No edit summary
(4 intermediate revisions by the same user not shown)
Line 63: Line 63:
}}
}}


The DPA of Cyprus fined the Cyprus electricity authority €5000 for violations of [[Article 5 GDPR#1f|Articles 5(1)(f),]] [[Article 24 GDPR#1|24(1)]] and [[Article 32 GDPR|32 GPDR]] for sending a consent form containing personal data to the data subject's neighbour, resulting in an unauthorized disclosure of personal data to a third pary.  
The DPA of Cyprus fined the Cyprus electricity authority €5000 for violations of [[Article 5 GDPR#1f|Articles 5(1)(f),]] [[Article 24 GDPR#1|24(1)]] and [[Article 32 GDPR|32 GPDR]] for delivering a consent form containing personal data to the data subject's neighbour, resulting in an unauthorized disclosure of personal data to a third party.  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The Cyprus electricity authority (controller) wanted to place a power line on the data subject's land. The controller sent the data subject a consent form for the placement of this power line. However, an officer of the controller delivered the consent form, which contained personal data, to the neighbour of data subject. The officer reported his own error and admitted that this had been a mistake. He also assured the controller that he would undertake training regarding personal data and gathering consent, which he had not undertaken before, and that he would not commit such a mistake again.  
The Cyprus electricity authority (controller) intended to place a power line on the data subject's land. The controller sent the data subject a consent form for the placement of this power line. However, an employee of the controller delivered the consent form, which contained personal data, to the neighbour of data subject. The data subject filed a complaint at the Cyprus DPA (DPA) on 11 April 2022.


The controller acknowledged the violation, apologised for it and stated that is this violation was committed out of negligence and not out of malice. The controller stated that the violation was caused by human error, reliance on the wrong person and the need for quick service. The controller had previously undertaken periodic briefings for its staff and had also organised GDPR related training sessions. However, the controller also acknowledged the need for further training for its staff and had already planned further training sessions. The controller also acknowledged that it had not set out specific procedures and measures which described how staff would conduct service. The controller also admitted that the deliverance of the consent form to the neighbour was legally incorrect looking at Article 31 of the Electricity Law (KEF.170), which states that the consent form can only delivered to the owner of the land.  
The controller also submitted a notice of the violation of this incident to the DPA. The controller stated that the employee had realised his mistake and had apologised. The controller acknowledged the violation, apologised for it and stated that this violation was committed out of negligence and human error, and not out of malice. The controller had previously organised periodic briefings and GDPR related training sessions for its staff (not attended by the employee in question). However, the controller also acknowledged the need for further training for its staff and had already planned further training sessions. The controller also confirmed that it had not set out specific procedures and measures which described how its staff would conduct service and also admitted that the deliverance of the consent form to the neighbour was contrary to Article 31 of the Electricity Law (KEF.170), which stated that the consent form can only delivered to the owner of the land, in this case the data subject.  


=== Holding ===
=== Holding ===
<u>Violation of [[Article 24 GDPR#1|Article 24(1) GDPR]]</u>
<u>Violation of [[Article 24 GDPR#1|Article 24(1) GDPR]]</u>


The DPA determined that the controller violated [[Article 24 GDPR#1|Article 24(1) GDPR]] because the controller did not implement appropriate technical and organizational measures in advance to ensure that its processing was GDPR complaint. The DPA confirmed that the procedure described in KEF.170 was specific and did not enable the possibillity to provide the consent form to another party other than the land owner, in this case the data subject. The controller did not implement measures to enable it to detect and/or verify any breach. The DPA stated that the controller would have been able to the determine whether the consent form was served to the owner or not, if it had established a procedure that would allow it to check this. This procedure was missing, which was the main reason the violation had occurred in the first place. The DPA provided two examples how this could have been avoided. One example was that the controller could have delivered the form in duplicate, with one of the two forms returned to the controller with a signature from the data subject to cofirm the delivery of the consent form. The DPA later confirmed that the controller had adopted this recommendation.   
The DPA determined that the controller violated [[Article 24 GDPR#1|Article 24(1) GDPR]], because the controller did not implement appropriate technical and organizational measures in advance ''to ensure that its processing was GDPR complaint''. The DPA confirmed that the procedure described in Article 31 KEF.170 did not enable the possibility to provide the consent form to another party other than the land owner (data subject). The controller did not implement measures to detect and/or verify any breach. The DPA stated that the controller would have been able to the determine whether the consent form was delivered to the owner, if it had established a procedure that would allow it to check this. The DPA provided two examples how this violation could have been avoided. One example was that the controller could deliver the form in duplicate. This way, one of the two forms could be returned to the controller with a signature from the data subject to confirm the delivery of the consent form. The DPA later confirmed that the controller had adopted this recommendation.   


<u>Violation of [[Article 5 GDPR#1f|Articles 5(1)(f)]] and [[Article 32 GDPR|32 GDPR]]</u>
<u>Violation of [[Article 5 GDPR#1f|Articles 5(1)(f)]] and [[Article 32 GDPR|32 GDPR]]</u>


The DPA also determined that the controller violated [[Article 32 GDPR]], because the controller did not implement appropriate measures in advance in order to prevent the unautorized disclosure of the consent form. The DPA stated that the controller had the sole responsibility as the controller for training and informing its staff, which was accepted by the controller. The training and periodic briefings that the controller already provided were deemed inadequate by the DPA. The DPA also determined that the controller violated the principle of of integrity and confidentiality ([[Article 5 GDPR#1f|Article 5(1)(f) GDPR]]) because the personal data of the data subject was processed in such a way that allowed unauthorized and/or unlawful processing.
The DPA also determined that the controller violated [[Article 32 GDPR]], because the controller did not implement appropriate measures in advance in order ''to prevent the unauthorized disclosure of the consent form''. The DPA stated that the controller had the sole responsibility as the controller for training and informing its staff. This responsibility was also accepted by the controller. The training and periodic briefings that the controller already provided were deemed inadequate by the DPA.  


After considering several mitigating (8) and aggravating factors (6), the DPA fined the controller €5,000.  
The DPA also determined that the controller violated the principle of integrity and confidentiality ([[Article 5 GDPR#1f|Article 5(1)(f) GDPR]]) because the personal data of the data subject was processed in such a way that allowed unauthorized and/or unlawful processing.
 
After considering several mitigating (8) and aggravating (6) factors, the DPA fined the controller €5,000. For example, The DPA considered the fact that the breach only affected one data subject as a mitigating factor, while it considered the non-participation of all staff in data protection related training as an aggravating factor. 


== Comment ==
== Comment ==

Revision as of 14:01, 29 November 2022

Commissioner - 11.17.001.010.064.
LogoCY.jpg
Authority: Commissioner (Cyprus)
Jurisdiction: Cyprus
Relevant Law: Article 5(1)(f) GDPR
Article 24(1) GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started: 11.04.2022
Decided: 21.09.2022
Published: 16.11.2022
Fine: 5000 EUR
Parties: n/a
National Case Number/Name: 11.17.001.010.064.
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: dataprotection.gov.cy (in EL)
Initial Contributor: n/a

The DPA of Cyprus fined the Cyprus electricity authority €5000 for violations of Articles 5(1)(f), 24(1) and 32 GPDR for delivering a consent form containing personal data to the data subject's neighbour, resulting in an unauthorized disclosure of personal data to a third party.

English Summary

Facts

The Cyprus electricity authority (controller) intended to place a power line on the data subject's land. The controller sent the data subject a consent form for the placement of this power line. However, an employee of the controller delivered the consent form, which contained personal data, to the neighbour of data subject. The data subject filed a complaint at the Cyprus DPA (DPA) on 11 April 2022.

The controller also submitted a notice of the violation of this incident to the DPA. The controller stated that the employee had realised his mistake and had apologised. The controller acknowledged the violation, apologised for it and stated that this violation was committed out of negligence and human error, and not out of malice. The controller had previously organised periodic briefings and GDPR related training sessions for its staff (not attended by the employee in question). However, the controller also acknowledged the need for further training for its staff and had already planned further training sessions. The controller also confirmed that it had not set out specific procedures and measures which described how its staff would conduct service and also admitted that the deliverance of the consent form to the neighbour was contrary to Article 31 of the Electricity Law (KEF.170), which stated that the consent form can only delivered to the owner of the land, in this case the data subject.

Holding

Violation of Article 24(1) GDPR

The DPA determined that the controller violated Article 24(1) GDPR, because the controller did not implement appropriate technical and organizational measures in advance to ensure that its processing was GDPR complaint. The DPA confirmed that the procedure described in Article 31 KEF.170 did not enable the possibility to provide the consent form to another party other than the land owner (data subject). The controller did not implement measures to detect and/or verify any breach. The DPA stated that the controller would have been able to the determine whether the consent form was delivered to the owner, if it had established a procedure that would allow it to check this. The DPA provided two examples how this violation could have been avoided. One example was that the controller could deliver the form in duplicate. This way, one of the two forms could be returned to the controller with a signature from the data subject to confirm the delivery of the consent form. The DPA later confirmed that the controller had adopted this recommendation.

Violation of Articles 5(1)(f) and 32 GDPR

The DPA also determined that the controller violated Article 32 GDPR, because the controller did not implement appropriate measures in advance in order to prevent the unauthorized disclosure of the consent form. The DPA stated that the controller had the sole responsibility as the controller for training and informing its staff. This responsibility was also accepted by the controller. The training and periodic briefings that the controller already provided were deemed inadequate by the DPA.

The DPA also determined that the controller violated the principle of integrity and confidentiality (Article 5(1)(f) GDPR) because the personal data of the data subject was processed in such a way that allowed unauthorized and/or unlawful processing.

After considering several mitigating (8) and aggravating (6) factors, the DPA fined the controller €5,000. For example, The DPA considered the fact that the breach only affected one data subject as a mitigating factor, while it considered the non-participation of all staff in data protection related training as an aggravating factor.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.