Commissioner (Cyprus) - 11.17.001.008.001

From GDPRhub
Commissioner - 11.17.001.008.001
LogoCY.jpg
Authority: Commissioner (Cyprus)
Jurisdiction: Cyprus
Relevant Law: Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 15 GDPR
Article 32 GDPR
Article 33 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 17.06.2020
Published: 17.06.2020
Fine: 15.000 EUR
Parties: n/a
National Case Number/Name: 11.17.001.008.001
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: Commissioner of Cyprus (in EL)
Initial Contributor: Elisavet Dravalou

The Cyprus DPA held that the inability of the data controller to discover the original contract with the data subject constitutes a violation of the right to access the personal data. A fine of € 15000 was issued.

English Summary

Facts

A data subject made an access request to the Bank of Cyprus and the insurance company Eurolife Ltd, requesting a copy of the original insurance agreement. The Bank of Cyprus had the obligation to store the original agreement. The agreement was signed in 2000 and the Bank of Cyprus was not able to locate the original agreement at her storage. Due to this fact, the Bank of Cyprus offered to cancel the agreement and sign a new one with the data subject.

Dispute

Does the unavailability of personal data constitute a data breach?

Holding

The Cyprus DPA held that unavailability of personal data constitutes a data breach and that this data breach should be reported to the DPA, according to article 33 of the GDPR as it is likely to cause risk to the rights and freedoms of the data subject. The DPA also held that the Bank of Cyprus failed to implement appropriate technical and organisational measures to ensure the security (confidentiality, integrity and availability) of personal data. Due to the fact that the Bank of Cyprus couldn't locate the original agreement, it failed to comply with the data subject's access request, breaching article 15 of the GDPR and demonstrate accountability.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

DECISION 

Exercise of the right of access by Mr. .

I am referring to the complaint submitted to my office regarding the above issue andfollowing the correspondence between us that ends with the letter of the Foreign LawyerSymbol of Bank of Cyprus Public Company Ltd, Chrysafini & Polyviou D. OP. E., withdate 05.06.2020 and I inform you the following:

Events

1.1. On 21 .01 .2020, I received a complaint from Mr.against the BankCyprus Public Company Ltd (hereinafter "the Bank") and the insurance company Eurolife Ltd,who, as he states, requested as he has a copy of his insurance policy with numberM-056482.Specifically, the complainant provided a copy of the correspondence he had with Mr.Regional Director of Nicosia Bank of Cyprus, who, in a letter todate 23.09.2019, informed him that:


".... because your account was transferred several years ago from Limassol, theThe original Limit Insurance contract you are referring to appears to have been filed on site whose detection is delayed and is objectively difficult and time consuming, which is why the A bank is willing to cancel this limit insurance with your signed application. "

1.2. Based on the task of examining complaints provided to the Data Protection CommissionerArticle 57 (1} (f) of Regulation (EU) 2016/679 (hereinafter referred to as "theRegulation ") and Article 24 (b) of the Law that provides for the Protection of Physicists Persons Against the Processing of Personal Data and for Free Circulation of This Data (Law 125 (1) / 2018), with the same letter of the Officedated 03.02.2020, a letter was sent to the Data Protection Officer of Bank and the Data Protection Officer of Eurolife Ltd, with whom they were informed for the above complaint. In the same letter, I asked for their positions / views on these allegations and in addition to inform me:(a) The storage areas of old / expired / canceled contracts; and(b) the technical and organizational measures for their safekeeping and protection.

1.3. By letter of my Office dated 03.02.2020, I informed the complainant that,I called the Defendants to tell me their positions / views, no later thanon 23 February 2020 and that they will be informed in writing of their reply.

1.4. On 20.02.2020, the company Eurolife Ltd sent a letter to my Office , in which it statedThe following:

• The Bank is the owner of the group limit insurance contract and has the right its management. He is responsible for the inclusion and removal of members in the contract Limit insurance as well as the signing, delivery and safekeeping of originals and copies of the contracts of the members of the border insurance.
• The insurance company Eurolife Ltd, has the obligation to pay the benefitwill arise on the basis of the terms of the contract.
• Regarding the request of Mr.. ., no forms are in custody of the insurance company Eurolife Ltd.

1.5. In her reply letter dated 20.02.2020, Dr.The Regional Director of Nicosia of the Bank informed me that:
• If a border insurance contract is drawn up with a customer and assigned for its benefit Bank, this is stored in an archived storage box at its appropriate branchBank.
• When the Bank will close a branch or warehousethe branch is exhausted, then the archived storage box ends up in the central safekeeping file (depository) of the Bank, which holds a certification ISO and comply with all appropriate security and safety measures for their protection documents that lead to this.
• Due to the relevant investigation, it was not possible to locate the client's contractin the relevant archived storage box
• The Bank has also inspected the physical file of the customer where all the original agreements / contracts and communication with the customer including identification documents where again it was not possible to locate the specificcontract.

1.6. Based on the above and the data before me as well as its data and evidence investigation, it appears that the Defendant Eurolife Ltd, as a separate legal entityand therefore as a separate controller has not carried out any illegal processing personal data and therefore there is no case against her but only against her According to the complaint, Bank.

1.7. Then, with my letter dated 11 .05.2020, the Defendant complainedwas informed that, at first sight, I found a breach of its obligation under the articles5 (1) (f), 5 (2), 15, 32 and 33 of the Regulation, as well as article 33 (1) (y) of Law 125 (1) / 2018and she was asked to submit her positions / views on the above and the reasons for them who believes that no administrative sanction should be imposed on her within the time limit 4 weeks from the above date. In addition, in the same letter, she was asked to inform its turnover.

1.8. Stir n! = I.06.2020, the Bank's External Legal Advisers, r(Chrysafinis & Polyviou D.E.P.E.), acting on behalf of their client,(Bank), sent me a letter stating, among other things, that:
(a) The customer's marginal insurance. concluded on 24 January 2000 foramount of f: 20,000 ("twenty thousand Cyprus Pounds) to secure a current account atcompany name· Ltd
(b) According to the then archiving process of the Bank (part of it was attached Policy / internal procedure), the original was kept by the customer, a copy had to archived in the client file and a copy was archived in a separate folder (bo fife ). Inadvertently, a copy of the client file was not archived in 2000, with result his file. which is owned by the Bank. not containspecific copy.
(c) Initially, the customer's account was at the Molos store in Limassol, which he has terminate its operations. The records of that store have been kept in specific warehouses and to date it has not been possible to locate this document. Although Defendant does not consider that Article 4 and 5 (1 ) (f) of the Regulation, if it can not be proven any breach of safety that led to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access personal data transmitted, stored or otherwise submitted to processing, on the one hand there was no loss of customer personal data and on the other hand the form did not contain data, such as medical examination results, evaluations treating physicians or any data falling within the specific categories of staff data.
(d) The Bank does not have the slightest reasonable suspicion that the form is located anywhere other than Bank. The difficulty in finding it is due to the godfather that, in 2000 the process archiving did not provide for electronic storage of files and on the other hand in their transfer customer accounts from Limassol in Nicosia to a store that has also closed operation and its files were transferred to the central files of the Bank. Therefore, believe that Article 32 of the Rules of Procedure has not been violated , which is why the Bank has not notification of any breach of personal data as provided by provisions of Rule 33 of the Rules of Procedure.3

(e) Since 2012, the company Eurolife Ltd, has automate sending acknowledgment insurance premium certificates and therefore the complainant received relevant information each year at least since 2012. Therefore, the Bank is in compliance with Article 15 thereof Regulation, concerning the right of access. With the insurance premium certificates, his Bank reported on an annual basis, since 2012, the following data:
• Insurance contract number
• Title of insurance contract
• Date of renewal
• Name of the insured member
• Insured member ID number
• Insurance certificate number
• Insured amount
• Date of accession
• Coverage period
• Life insurance
• Total disability premium
• Premium paid

The above is proof of compliance with data processing activities.(f) From 2000 until today, the archiving process has significantly improved. Specifically,applications are now archived both electronically and in the files of customers who are in a fire-safe area (today's recorded procedure is attached archiving).

(g) The current measures are appropriate and effective in accordance with Article 5 (2) and that 2000 to date processes are improving, upgrading and evolving over time technology.
(h) From May 2018, the Bank fully complies with the Regulation. Specifically, it executes all the requests of its customers regarding their rights and proceeds immediately informing the Commissioner of information leaks and acting on the basis ofits instructions. Furthermore, the Bank has adopted a relevant record-keeping policy, which implemented in 2020. The Bank has also recorded its procedures in a file and has conducted an impact assessment for all processes and systems who support them. Where deemed necessary, review procedures or set timetables for the actions required to take place.

(i) Regarding the archiving process, since 2011 the Bank has started the scan various agreements and forms signed by the customer and today most forms are scanned. This helps both the easy and the safest way of archiving them but and the immediate availability of such data in the event that data subjects exercise the right of access under the Rules. Specifically, now these applications are filed both electronically and in the files of customers whoare in a safe place.

(j) The Defendant did not report the incident as there is nothe slightest suspicion that the document is outside the Bank. Considering the closureof the branches, the merger of the Bank with the former Laiki Bank and the changesof storage space, it is not certain whether the relevant document has been lost or simply has placed in the wrong place based on the archiving procedures and therefore not madeaccess to the limit insurance contract is still possible.


Legal framework
2.1. Article 4 - Definitions:

" Personal data 'means any information relating to an identity oridentifiable natural person ("data subject"); the identifiable natural personis a person whose identity can be verified, directly or indirectly, in particular throughreference to an ID, such as name, ID number, datalocation, on an online ID or on one or more agents thatspecific to physical, physiological, genetic, psychological, economic, cultural or socialidentity of that natural person. 

"" Processing "means any operation or sequence of operations performed with or without useautomated media, personal data or data setspersonal, such as collection, registration, organization, structure, storage,adaptation or alteration, retrieval, information retrieval, use, disclosure bytransmission, dissemination or any other form of disposal, association or combination, restriction,deletion or destruction. 

""" Archiving system "means any structured set of personal datawhich are accessible based on specific criteria, or this set is concentratedeither decentralized or distributed on an operational or geographical basis. ».

"Controller" means a natural or legal person, public authority, service or otherbody which, alone or in conjunction with others, determines the purposes and manner of processingpersonal data; when the purposes and manner of such processingdetermined by Union law or the law of a Member State, the controller or thespecific criteria for his appointment may be laid down in Union law or in lawMember State. ».

'' Data relating to health '' means personal data relating tothe physical or mental health of a natural person, including the provision of serviceswhich disclose information about her conditionof his health. 
"'' Breach of personal data 'means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or accesspersonal data transmitted, stored or otherwise submittedway of processing ".

Rule 9 (1) of the Rules of Procedure provides that 01 "specific categories of personal data"means personal data revealing racial or ethnic origin, politicsopinions, religious or philosophical beliefs or membership in a trade unionorganization, as well as the processing of genetic data, biometric data for the purpose ofindisputable identification of a person, health-related data or data whichconcern the sexual life of a natural person or sexual orientation.

2.2. Article 5 - Principles governing the processing of personnel datacharacter:The principles governing the processing of personal data are set out in Article 5 (1) thereofRegulation. Among them, personal data "are processed in a way thatguarantees the appropriate security of personal data, includingprotect them from unauthorized or illegal processing and accidental loss, destruction or deterioration, using appropriate technical or organizational measures ('integrity andconfidentiality ")." (Article 5 (1) (f)).

In addition, paragraph (2) of the same article provides that "the controller bears theresponsibility and is able to demonstrate compliance with paragraph 1 ("accountability").2.4. Article 15 - Right of access of the data subject:

2.4.1. Pursuant to Rule 15 of the Rules of Procedure:

«1. The data subject has the right to receive from the controller confirmation as to whether or not the personal data concerning itare processed and, if so, the right of access to personnel datacharacter and the following information:
(a) the purposes of the processing;
(b) the relevant categories of personal data;
(c) the recipients or categories of recipients to whom they have been disclosed or will bedisclose personal data, in particular recipients in third countries or internationallyorganizations,
(d) if possible, the period for which staff data will be storedcharacter or, where this is not possible, the criteria for determining that period,
(e) the existence of a right of request to the controller for correction; ordeletion of personal data or restriction of data processingof a personal nature concerning the data subject or right of objection to the endue to processing,
(f) the right to lodge a complaint with a supervisory authority;(g) where personal data are not collected by the data subject;any available information on their origin,
(h) the existence of automated decision - making, including training profile provided for in Article 22 ( 1) and ( 4) and, at least in those cases,important information about the logic followed, as well as its importance andexpected consequences of such processing for the data subject. ».

Furthermore, paragraphs 3 and 4 of the same article provide that:

3. The controller provides a copy of the personal data thatprocessed. For additional copies that may be requested bysubject to the data, the controller may require reasonable paymentfee for administrative expenses. If the data subject submits the request electronicallyinside and unless the data subject requests otherwise, the update is providedin electronic form commonly used.

4. The right to receive a copy referred to in paragraph 3 shall not be affectedadversely affect the rights and freedoms of others. ».


Page 1
2.4.2. Recital 63 of the Rules of Procedure states:"A data subject should have the right to access dataof a personal nature which have been collected and relate to it and to be able to exercise the endue right easily and at reasonably regular intervals, in order to have ascension and toverifies the legality of the processing. This includes the right of subjectsto have access to data relating to their health, iefor example the data of their medical records which contain information such astransitions. test results, evaluations by treating physicians and anyprovided treatment or surgery. Therefore, every data subject shouldto have the right to notify and be notified in particular of the purposes for which theprocessing of personal data, if possible for how longDuring the processing of personal data of the recipient, which recipientsreceive personal data. what logic is followed in anyautomatic processing of personal data and what could be theconsequences of such processing, at least when it is based on profiling. THEThe controller should be able to provide remote access to securesystem through which the data subject has direct access to the dataconcerning it. This right should not adversely affect the rights or rightsfreedoms of others, such as professional secrecy or intellectual property rights; andin particular, the copyright that protects the software. However, these factors do notshould result in the refusal to provide any information to the subjectdata. When the controller processes large amounts of informationon the data subject, the controller should be able to requestby the subject, before giving the information, identify the information orrequest-related processing activities. ».

2.5. Article 32 - Processing security:2.5.1. In accordance with the provisions of Article 32 of the Rules of Procedure, which concern its safetyprocessing:«1. Taking into account the latest developments, implementation costs and nature, scopeapplication, the context and purposes of the processing, and the risks of differentpossibility of occurrence and seriousness for the rights and freedoms of physicistspersons, the controller and the controller shall apply appropriatelytechnical and organizational measures to ensure the appropriate level of security againstrisks, including, where appropriate: ""

(B) the ability to ensure the confidentiality, integrity, availability andreliability of processing systems and services on an ongoing basis,(c) the possibility of restoring the availability and access to personnel datacharacter in a timely manner in the event of a physical or technical event,
(d) a procedure for regularly testing, evaluating and evaluating the effectiveness of the techniquesand organizational measures to ensure processing security. "2.5.2. Paragraph 2 of the same article states that:"In assessing the appropriate level of security, the risks posed byresulting from the processing, in particular from accident or unlawful destruction, loss, alienation,unauthorized disclosure or access to personal data transmitted,stored or otherwise processed ".

2.5.3. According to the last paragraph of recital 39 of the Rules of Procedure:"Personal data should be processed in such a way thatensures the appropriate protection and confidentiality of personnel datato prevent any unauthorized access to thempersonal data and the equipment used to process themor the use of such personal data and such equipment. "

2.5.4. Recital 74 of the Rules of Procedure states:"The responsibility and obligation to compensate the controller should be established forany processing of personal data made by the person in chargeor on behalf of the controller. In particular, the controllershould be required to implement appropriate and effective measures and be able todemonstrates the compliance of the processing activities with this Regulation,including the effectiveness of the measures. These measures shouldtake into account the nature, context, scope and purposes of the processing; andthe risk to the rights and freedoms of individuals. " .

2.5.5. With regard to Rule 32 of the Rules of Procedure, recital 83 of the Rules of Procedureadds that:"To maintain security and avoid processing in violation of thisregulator, the controller or processor should evaluate themthe risks involved in processing and implementing measures to mitigate those risks,such as through encryption. These measures should ensureappropriate level of security, which includes confidentiality ... Whendata security risk assessment should be consideredrisks arising from the processing of personal data ... '.

2.6. Article 33 - Notification of breach of personal data tosupervising Authority:

2.6.1. Rule 33 of the Rules of Procedure lays down specific obligations for those responsibleprocessing of personal data breaches. Specifically, inIn the event of a breach of personal data, the controller shall notify it without delayand, if possible, within 72 hours of becoming aware of the breachpersonal data to the competent supervisory authority, unless the breach of personalmay not endanger the rights and freedoms of individualspersons. Where notification to the supervisory authority is not made within 72 hours,accompanied by a justification for the delay.

2.6.2. Regarding the notification of a breach of personal data, the reasoningparagraph 85 states:"The violation of personal data can. if not treated properly andin time, result in physical, material or non-material harm to individuals. such asloss of control over their personal data or their restrictionδ1καιωuάτων τους. discrimination, identity abuse or interception, financial loss, illegalremoval of pseudonyms, damage to reputation, loss of data confidentialityprotected by professional secrecy or otherwise importanteconomic or social disadvantage for the natural person concerned. Therefore, immediatelyas soon as the controller becomes aware of a breach of personal data,
should be immediately and, as far as possible, within 72 hours from the moment he acquires knowledge of the event.to report the violation of personal data to the competent supervisorprinciple. unless the controller can prove, in accordance with its principlethat the breach of personnel data: character may not pose a riskfor the rights and freedoms of individuals. If such a notification does notcan be achieved within 72 hours, the notification should be accompanied by a statement of reasonswhich states the reasons for the delay and the information can be provided graduallywithout undue delay. ».

2.6.3. With regard to Rule 33 of the Rules of Procedure, recital 87 of the Rules of Procedure supplements:that:"It must be ascertained whether all the appropriate measures have been implementedtechnological protection and organizational measures for the immediate detection of any violationpersonal data and the immediate notification of the supervisory authority and itsdata subject ", as detailed in the 06-02-2018 GuidelinesLines of OE 29 (Article 29 Working Group ) for the notification of violationdata (WP 250 rev. 1).

2.6.4. According to the Guidelines of the Working Group of article 29 of the Directive95/46 / EC (now European Data Protection Council - EDPB) on Notificationpersonal data breach (ltGuide / ines on Personal data breach notification underRegulation 20161679 WP 250 rev. 1), dated 06.02.2018, two types of personal violationare classified as "loss" and "availability breach". Specifically, according to the above Guidelines:"As for the 'loss' of personal data, the term shouldis interpreted as a case where the data may still be subject to,but the supervisor has lost their access or access to them or notIt is now in his possession. ""Availability violation" - when there is an accidental or unauthorized loss1 access to personal data or accidental or unauthorized accessdestruction of personal data."Whether a breach of confidentiality or integrity has been committed is relevantclearly, whether a breach of availability has been committed may be less obvious.A breach will always be considered a breach of availability when it existspermanent loss or destruction of personal data. " ."Therefore, a security incident that results in unavailabilityPersonal data for a period of time is also a typeviolation. as the lack of access to data must be significantimpact on the rights and freedoms of individuals. "1 It is widely accepted that "access" is a fundamental part of "availability". See, for example,standard NIST SP80Q..53rev4, which defines "availability" as follows: "Ensuring timely and reliableaccess to and use of information ", available athttp: // nν! ρubs.nist.gov / nistpubs / SpecίaιPublications / NIST.SP.800-53r4. pdf. The CNSSl-4009 standard is also mentionedin: "Easy, reliable access to data and information services for authorized users. »Βλ.https: //rmf.orglwP: c9ntent / uploadsl'2017 / 10 / CNSSl-4009.pdf. The standard 1SO / IEC 27000: 2016 also defines"Availability" means "Accessibility and readiness for use at the request of an authorizedcarrier »: https: // www. iso .org / obp / uίl # iso: std: iso - iec: 27000: ed-4: v1 : en


The following are also excerpts from the same Guidelines on the case.
Lines:

"Any breach plan should focus on protectionof persons and their personal data. Therefore, the notification should be considered as a tool to improve compliance withprotection of personal data. At the same time, it should be noted that the noReporting a breach to either a person or a supervisory authority maymeans that, pursuant to Article 83, a penalty may be imposed on the person responsible processing.Therefore, editors and processors are encouragedplan in advance and implement procedures to identify andthe timely reduction of an infringement, the risk assessment for persons 2 and,then making a decision on whether it is necessary to inform the person in chargesupervisory authority and the notification of the breach to the persons concerned, when it isnecessary. Notification to the supervisory authority should be part of thisincident plan. ""... a key feature of any data security policy is to providethe possibility, where possible, of preventing a breach and, if that happens,prompt response. ""It is also important to keep in mind that, in some cases, the nonnotification of a breach could indicate either the absence of existing onessecurity measures or the inadequacy of existing security measures. "OE 29 considers that a controller should be considered to acquire"Knowledge" when the controller in question has a reasonable degree of certainty that he hasa safety incident occurs which results in endangering thepersonal data. ».Article 26 concerns the joint controllers and clarifies that the jointcontrollers define their respective compliance responsibilitieswith IGC 3 • This will include the definition of the party responsible forcompliance with the obligations under Articles 33 and 34. OE29 constitutes 01 contractualarrangements between co-controllers to include provisions todetermine which controller will be responsible for compliance withobligations to report violations of the GCC. »"Article 33 ( 1) makes it clear that, in the event of a breach which" may notendanger the rights and freedoms of individuals ", is not requirednotification to the supervisory authority. An example might be the case where the dataare already available, but their disclosure to the public is not possibledanger to the person. " ."A violation can affect only one person or a small number of persons or even somethousands, if not more. In general, the higher the number ofaffected persons, the greater the impact a breach can have. However, oneViolation can have a serious impact even on a person, depending on their naturepersonal data and the context in which they are compromised. "2 This can be ensured in the context of the obligation to monitor and review an impact assessmentData Protection Regulation (EAPD), which deals with processing processes that may result inhigh risk to the rights and freedoms of natural persons (Article 35 ( 1) and ( 11)).3 See see also recital 79 (of the Rules of Procedure).

2.6.5. The following excerpts from the book by L. Kotsalis - K. Menoudakos are quoted, withtitle General Data Protection Regulation - Legal dimension and practical application, ch.ni., concerning the notification of breaches of personal data:

In the new Regulation 01 "principles of processing" include "integrity" and"Confidentiality" (article 5 par. 1 f). The obligation of confidentiality and the receipt of techniquesand organizational security measures were included in the responsibilities of the manageralready introduced by Directive 95/46 / EC: In particular the controller should haveensure a level of safety commensurate with the risks involved in processingand the nature of the data, so as to protect the data from accidental or unfairdestruction, accidental loss, prohibited dissemination or access and any other form of unlawfulnessprocessing. " .

"The General Data Protection Regulation adds to the corresponding regulation (article 32) oneindicative list of security measures, such as pseudonymization and encryption but alsoprocesses that ultimately consist of adopting a holistic security policy. At the same time thetechnical and organizational measures appear to be emphatically adopted as an additional obligation ora guarantee that balances forms or processes of data processing that involve risks tothe rights of persons. ».

"The EU legislature defines what it perceives as a breach of personal data:in accordance with Article 4 (12) this is a breach of security leading to accidental orunlawful destruction, loss, alteration, unauthorized disclosure or access to datapersonal information transmitted, stored or otherwise submitted toprocessing. As the Article 29 Group clarifies, this may be a violationthe confidentiality, availability or integrity of the data or a combination of theseof them. The Regulation obliges to notify the violation of personnel datacharacter to the competent supervisory authority ".

"The Article 29 Group clarifies, however, that in order to deal with a breach asavailability breach should be a permanent loss or destruction of data.Notes, however, that a non-permanent breach leading to unavailabilityrequires notification taking into account potential risks to the rights of individuals.See Article 29 Data Protection Working Party, Guidelines on Personal data breach notification underRegulation 2016/679, 03/10/2017 (WP 250), p. 6 ».


2. 7. Decisions

A useful reference can also be made to the following excerpts from the Greek AuthorityPersonal Data Protection:Decision No. 98/2013"First of all, security specializes in three main objectives, namely confidentiality,integrity and availability of data, while complementary objectives, in particular from the point of viewthe protection of personal data, in particular the non-disclaimer (oraccountability) as well as the separation of data according to the purpose of processing. Againstinternationally accepted information systems security standards (eg see 1SO / IEC series27000) the appropriate measures according to article 10 par. 3 of law 2472/1997 are part of a SystemInformation Systems Security (ISMS). This System presupposes the elaborationrisk study based on the risks and nature of the data, includingincludes the development of security policies and plans, where they are specifiedtechnical and organizational measures. These meters. except that they must be applied, in additionare monitored and evaluated for the purpose of their continuous improvement in business
responsibilities of the controller and the tennolonic developments, which he must takeunder the control of the controller (see article 17 par. 1 Directive 95/46 / EC). ".

Decision No. 44/2019"In view of the above, the Authority considers that the audited company AMRNI as the controller:On the one hand, it did not apply all the principles of Article 5 ( 1) GIP and 6 ( 1) GPA regardingwith the legality of the processing of personal data ... ... that took placein the computer infrastructure used .. ... . ... . ... . . . . ... . . . . but also in the context of eachsubsequent or further processing of the same personal data, norproved by no. 5 par. 2 GPD the observance of these.On the other hand, it violated the provisions of articles 5 par. 1 ed. a 'and f' and par. 2 in combination withArticles 24 ( 1) and ( 2) and 32 ( 1) and ( 2) GIP regarding the principle of safe treatment(in particular the "confidentiality") of personal data taking place incomputer infrastructure used . . . . . . . . . . . . . . . from not receiving appropriate techniques andorganizational measures, but also in the context of any subsequent or further elaboration ofpersonal data of the same nature, so that there is no need to examine compliance with the principlesprocessing of subparagraphs b '. y '. d 'and e' of par. 1 of article 5 as well as of article 6 par. 1ΓΚΠΔ ... ».

3. Reasoning

3.1. The data contained in an insurance policy and relating to a person inconstitute "personal data".The data concerning the health and / or the medical history of a living natural person, atmeasure that immediately or indirectly reveals his identity, constitute “special categoriesin accordance with the definition given in Article 9 (1) thereofRegulation.The insurance policies that are kept by the Company and concern the customersits insured persons constitutes an "archiving system" as defined in Article 4 (6) thereofRegulation.The collection, registration, use, search, association / storage and storage of personaldata processing of personal data within the meaning of Article 4 (2)of the Regulation.Responsible for processing Bank of Cyprus Public Company Ltd (article 4 (7) ofRegulation).

Data subjects are the customers of Bank of Cyprus Public Company Ltd (article4 (1) of the Rules of Procedure).

3.2. In order to be legally processed, personal data must be metcumulatively the conditions of compliance with the principles governing the processing of personneldata (Rule 5 of the Rules of Procedure), as is also apparent from its decisionCourt of Justice of the European Union (CJEU) 16.01.2019 in case C-496/2017 DeutschePost AG against Hauptzollamt Kdln4. According to this Decision, the existence of a legal4 «57. However, any processing of personal data must, on the one hand, be in accordance with the principlesthe quality of the data laid down in Article 6 of Directive 95/46 or Article 5Regulation 20161679 and, on the other hand, to the basic principles of lawful data processing listed inArticle 7 of that Directive or Article 6 of that Regulation (cf. decisions of 20 May 2003, Osterreichischer
(Article 6 (1) of the Rules of Procedure) does not release the controller fromobligation to comply with the principles (Rule 5 ).

3.3. As mentioned by Grigoris Tsolias, Lawyer, Member of the Protection AuthorityPersonal Data and Member of the EU Exper1 Group for the Regulation2016/679 and the Directive 2016/680:"Cumulative fulfillment of conditions for the application and observance of principles no. 5 par. 1 and 6 GKPD(General Data Protection Regulation)

• The existence of a legal foundation (no. 6 par . 1 GKPD () does not release the subordinate (responsibleprocessing) from the obligation to comply with the principles of no.5 par.1 GKPD. The againstviolation of the principles of no.5 GGP illegal collection and processing is not remediedfrom the existence of a lawful purpose
• If one of the principles of article 5 par. 1 GCC is violated (eg legitimate and lawfulprocessing. security) there is no need to consider the other authorities or article 6 par.

3.4. In addition, the controller has the further task of provingat all times its compliance with the principles governing the processing of personneldata, as set out in Rule 5 of the Rules of Procedure. Specifically, accountability is part of itthe principles governing the processing of personal data and entails theability of the controller to demonstrate compliance with the Regulation. In addition,enables the superintendent to be able to legally review and document aprocessing carried out in accordance with the legal bases provided by the Regulation.The processing of personal data in a transparent manner is a manifestation of the principleof fair treatment and is linked to the principle of laundering, giving the right todata subjects to exercise control over their data by making them accountableControllers (see Guidelines OE 29, Guidelines ori Transparency undersRegulation 2016/679, WP260}.The principle of accountability, in essence, shifts to the controller “its weightproof of the legality of the processing.

3.5.1. In addition, the controller is obliged to take,pursuant to Rule 32 of the Rules of Procedure, the appropriate technical and organizational measures to be takenensure the appropriate level of security and protection of personal datadepending on the risks involved in processing and the nature of the datasubject of processing. In particular, the controller must receive theappropriate technical and rehabilitative measures to ensure the appropriate levelsecurity against the risks that may lead to the breach of personal data,within the meaning of Rule 4 (12) of the Rules of Procedure.

3.5.2. From the wording and purpose of the provisions of recital 83 of the Rules of Procedure, isclear that, the obligation to ensure the safety of processing by the controllerprocessing has so much precaution. as well as repressive character. Precautionary, soso that the measures applicable can prevent incidents of staff misconductdata and suppressive, so that any incident can be detected andinvestigated.Although as the Defendant states in the letter dated 20.02.2020, the contractsare kept in an archived storage box at the competent branch of theRundfunk etc. , C-465/00, C-138/01 and C-139/01, EU: C: 2003: 294, paragraph 65, and of 1 May 2014, GoogleSpain and Googie. C-131/12, EU: C: 2014: 317, paragraph 71). 

Bank, which end up in the central custody file (depository) of the Bank, thewhich, as Defendant claims, is ISO certified and complies with all appropriate safety measuresand safety, however the result was that, the complainant's insurance policycan not be found. Therefore, it is established that they did not work properlyand appropriately organizational and / or technical security measures, as measuresof a preventive nature, with the consequence of the impossibility of finding the insurance policycontract.

3.6.1. The loss / violation of the availability (inability to locate) of the insurance policyof the complainant's contract constitutes a breach of personal data anddemonstrates the lack of adequate and appropriate technical and organizational measures under Article32 of the Rules of Procedure.

3.6.2. As soon as the Defendant became aware of the breach of personal data, she shouldwithout delay and, if possible, within 72 hours of becoming aware of the event, toreport a breach of personal data to my Office, such asprovided for in Article 33 of the Rules of Procedure.

• Notification to my Office was not necessary if Defendant could prove. that the breach of personal data would not endanger the rights andthe complainant's freedoms, which the Defendant did not do.

• If such notification could not be achieved within 72 hours, the notificationshould be accompanied by a statement of reasons for the delayand information could be provided gradually without justificationdelay, which the Defendant did not do.

• I note that, the fact that, I was informed about this personal breachdata through the submission of a complaint / complaint to my Office bycomplainant, is irrelevant and irrelevant, since the obligation to notifybreach of personal data is the responsibility of the controller.

3.6.3. Therefore, data subjects should have the right to accesspersonal data concerning them and to be able to exercise this right easilyand at reasonable regular intervals, so that they are aware of and verify the legalityof processing. In the present case, the non-finding of his insurance policydefendant posed a threat to his rights as the defendantwas deprived of the right of access to his insurance policy, with the resulton the one hand not to be able to check the accuracy / accuracy / validity of the datacontained in it and on the other hand can not verify its legalitytraining.

3.6.4. In view of what was mentioned in paragraphs 3.6.1. - 3.6.3. above, the DefendantThe perpetrator was obliged to report the incident of staff misconductdata (loss / loss of availabilityinability to locate - ofinsurance policy of the patient}.

4. Conclusions

In the present case, from the data of the case file and its admissionOn the complaint that the insurance policy in question cannot be found, 
~At first glance, I am of the opinion that the Bank did not comply with the followingits obligations under the Rules of Procedure, since:

4.1. Principles governing the processing of personal dataPursuant to Rule 5 {1) (f) of the Rules of Procedure:He did not take the necessary organizational and / or technical measures to guarantee the appropriate security of personal data, including their protection against nonauthorized or unlawful processing and accidental loss, destruction or deterioration ( "integrity and confidentiality ”). Therefore, due to lack of appropriate technical and / or organizational measures, endangered the confidentiality and / or integrity of personnel data through the loss of 5 and / or breach of availability 6 (inability to locate) the the insurance policy of the complainant. Pursuant to Rule 5 (2) and recital 7 4 of the Rules of Procedure:It did not implement appropriate and effective measures and was not able to prove it compliance of its processing activities with the Regulation including effectiveness of these measures.

4.2. Processing security 
Pursuant to Rule 32 and recital 83 of the Rules of Procedure:
(a) Has breached its obligation to take appropriate organizational and / or technical measures tosecurity of the insurance symbol containing personal data and its protectionfrom accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access tostored or otherwise processed. These measures mustensure a level of safety commensurate with the risks involved in processing andthe nature of the data being processed.
(b) Has not assessed the risks involved in processing and has not taken / implemented measures for themitigation of such risks, such as accidental or unlawful destruction and loss.5 Guidelines of the Working Group on Article 29 of Directive 95/46 / EC (now the European CouncilData Protection - EDPB) for the Notification of personal data breach: "With regard to"Loss" of personal data, the term should be interpreted as a term where the datamay still exist, but the controller has lost control or access to themor no longer owns them. "6 Working Group Guidelines on Article 29 of Directive 95/46 / EC (now European CouncilOf Data Protection - EORB) for the Notification of breach of personal data: "Violation of availability"- when there is an accidental or unauthorized loss of access to personal data or accidental or notauthorized destruction of personal data. ""Although it is relatively clear whether a breach of confidentiality or integrity has been committed, whetherViolation of availability may be less obvious. A violation will always be consideredconstitutes a breach of availability when there is a permanent loss or destruction of personnel datacharacter." 

4.3. Reporting breach of personal data to the supervisor principle

Pursuant to Rule 33 of the Rules of Procedure. did not submit the relevant notification to my Office, withinseventy two (72) hours from the moment he became aware of the incident. In accordance with the Guidelines of the Working Group on Article 29 of Directive 95/46 / EC(now European Data Protection Council - EDPB) for Notification of Infringementpersonal data ("Guidelines on Personal data breach notification under Regulation2016/679 WP 250 rev. 1), dated 06.02.2018, the non-notification of a violation will could indicate either the absence of existing security measures or theinadequacy of existing security measures.

4.4. Right of access of the data subject
Pursuant to Rule 15 of the Rules of Procedure:Failure to take proper organizational or technical security measures as requiredin Article 32 of the Rules of Procedure, contributed to an incident of breach of personal data,in accordance with the provisions of Article 4 (12) of the Rules of Procedure and in case of non-satisfaction of the rightaccess of the complainant to his insurance policy (Article 15 of the Rules of Procedure).It should be noted that, as set out in the Working Group Guidelines of Article 29 of theDirective 95/46 / EC on the notification of a breach of personal data, a breach ofcan potentially have several significant adverse effects on individuals, whichcan lead to physical, material or moral damage. This damage canincludes loss of control over their personal data.restriction of their rights, discrimination, abuse or interception of identity andfinancial loss. It can also include any other importanteconomic or social disadvantage for these persons7.

4.5. The allegations of the Foreign Legal Symbol of the Defendant,as mentioned in his letter dated 05.06.2020 are answered asbelow:Par.1 of the Defendant • marginal insurance contract(a) The Defendant's allegation that there was no breach of security (Articles 4 (12));5 (1) (f) and 32 of the Rules of Procedure), is unfounded since, according to the EuropeanCommission 8 , data breach occurs when a security incident occurs in relation todata for which a plantation or organization is responsible, which results in thebreach of confidentiality. availability or integrity.If that happens. and the breach is likely to jeopardize rights and freedomsnatural person, the company or body planner must notify the supervisory authority withoutunjustified delay and at the latest within 72 hours after realizing the violation. As7 See also recitals 85 and 75 (of Regulation 679/2016).8https: Uec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organ isa tions / obl igati ons / wha t-data-brea ch-a nd-what-do-we-ha ve-do-case-data-breach el
It is vital that you implement the appropriate technical and regulatory measures forto avoid possible data breaches.In addition, the Hellenic Authority for the Protection of Personal Data states that 9 :"Traditionally,Thetermsecurityinformation / data(information / data security),used to describe the methodology, as well as the methods and techniques usedare followed in order to achieve the following objectives:
• Confidentiality : Data should not be disclosed to nonauthorized persons.
• Integrity : Data must be accurate, whole and genuine - noincorrect, corrupted or uninformed.
• Availability: Data must be available whenever their use is required.

A blow to any of the above - by accidental or deliberate action - constitutes,in general, a security incident. "In this case, a security incident occurred in relation to the Contract concernedto the complainant, for which the Bank is responsible, as the person responsible for processing theits archiving system. which resulted in a breach of his availabilitycontract and consequently the inability to satisfy his right of accesscomplainant in personal data concerning him (contract).

(b) The Defendant's allegation that there was no loss of staffMr. data .is unfounded and probably lies in the fact that, incorrectlyconsiders that the contract must contain / indicate personal data concerning itexclusively to the health of Mr.so that this is' staff datacharacter".Pursuant to recital 26 of the Rules of Procedure supplementing Rule 4 (1) of the Rules of Procedure,concerning the definition of "personal data":"The principles of data protection should apply to any information whichconcerns an identified or identifiable natural person. Personal data sethave undergone a pseudonym, which could be attributed to a natural person withuse of additional information should be considered information onidentifiable natural person.To judge whether a natural person isidentifiable, all instruments that are reasonably likely to beused, such as its separation, either by the controlleror from a third party for the direct or indirect verification of the identity of the natural person. Towhether any means are reasonably likely to be used forverification of the identity of the natural person, allobjective factors, such as the costs and time required for identification,taking into account the technology available at the time of processing andtechnological developments ..... ».9 https://www.dpa.gr/portal/page? pageid = 33,211421 & dad = portal & schema = PORTAL

..It follows from the above that, ANY INFORMATION refers to a natural person inlife, is a "personal fact". Therefore, the personal data thatincluded in the policyholder's insurance policy constitute 'dataof a personal nature ".

(y) Consequently, the Defendant alleges that the marginal insurance contract in question does notcontains data relating to the complainant's health, does not negate the obligation thatAppropriate technical and organizational safety measures must be observed at all times, asthat the contract in question concerns the complainant and is therefore his personal data.

{d) Defendant's allegation that the Bank is in compliance with Article 15 ofRegulation, concerning the right of access, due to the fact that, with the insurance premium certificates, theBank has been reporting to him on an annual basis, since 2012, data relating to insurancehis contract, is rejected as unfounded and is not valid.For this purpose , a copy of the sample "Certificate" was attached as Annex 3.Payment of Group Life Insurance Premiums ", which states that:" TheThis certificate is issued for the sole purpose of submitting it to the Department of the InteriorRevenue, if requested, and has no other value or purpose, nor does it guarantee that thepremium will be tax exempt. »:The patient received an annual INFORMATION / INFORMATION about the insurancehis contract number M-056482, but the RIGHT OF ACCESS EXERCISE OF HIMTHE INSURANCE CONTRACT HAS NOT BEEN SATISFIED UNTIL TODAY, BECAUSE ASDefendant admitted the abduction. can not be found.It follows from the above that the Bank was NOT able to satisfy the rightaccess of the patient, depriving him of the opportunity to check its legalityand therefore violated, in full view. the provisions of Article 15of the Regulation.The Bank admitted not to find the Contract in question in the followingher letters:
• Letter dated 20 February 2020 from Dr.Nicosia Regional Director of the Bank:"Despite the relevant investigation, it was not possible to locate the client's contract:: r the relevant archived storage box. »."The Bank has also inspected the customer's physical file where all the originals areagreements / contracts and communication with the customer including and in writingidentifications where again it was not possible to locate the specified contract. ».
• Letter dated 05 June 2020 (paragraph 1 - Limit Insurance Contract):"Inadvertently. no copy appears to have been archived in the client's file in 2000, withresult his file. which is in the possession of the Bank, not to contain thesunken copy. "."The records of that store have been kept in specific warehouses until nowit was not possible to locate the specified suspect. ".

"The difficulty in finding it is due to the fact that, .... ".

• Letter dated 05 June 2020 (paragraph 5 - Mitigation-FinalComments):

"Taking into account the closure of the branches, the merger of the Bank with the formerPopular T-bank and storage changes, is not sîyoupo whether the relevantdocument has been lost or simply placed in the wrong place based on archiving proceduresand therefore it has not been possible to access the border clearance contract to date. "

Par.1 of the Defendant - limit insurance contract and Par. 5 of the Defendant - MitigatingConcluding remarksDefendant failed to prove to me that, in fact, the contract in questionis located inside the Bank's premises, since to date it has not been found, an element thatproves the non-existence of proper archiving of documents, consequence of taking insufficient measuressecurity, an obligation that she has as the person in charge of the systemits archiving (Rule 32 ).Under the provisions of Rules 5 (1) (f) and 32 of the Rules of Procedure, the Bank should haveadopt / apply specific procedures for proper organization / archiving / classificationboth its electronic and physical filing system.In addition, it had to have procedures for conducting scheduled audits(internal and / or external, on an annual basis), where compliance is observed and checkedsafety measures and their effectiveness. Result of the controls, couldwas the modification of the existing security policy, some security measures or theadd new.

Par.3 of the Defendant - relationship with customersThe relationship of the Bank with its customers, as listed in paragraph 3 ofDefendant's letter of complaint dated 5 June 2020 and the Bank's proposal thatmade to the complainant to return all premiums, do not fall under the responsibilitiestherefore not examined and evaluated. In addition, it is information that does notrelated to the substance of the present case, which is to obtain a copy of itinsurance policy of the complainant with number M-056482 during his exercisehis right of access to personal data concerning him (Article 15 thereof)Regulation).In any case, it goes without saying that the Bank's proposal for the return of allpremiums to Mr.leads to the revocation of the exercise of the right of accesson the part of the data subject and inability to control its legalityprocessing carried out by the Bank. The inability to satisfy the right of access,due to a deficiency concerning the operation of the Bank 's file and recommends andlack of diligence measures he had to comply with as an overseer in order toavoid the mistake.

Par. 5 of the Defendant - Mitigating-Concluding remarksDefendant's allegation that, to date, has not been imposed on the Bankfine from the Bank in relation to issues of the Bank's compliance with the Regulation,> nois correct after, to date, four administrative sanctions have been imposed (File No.: NP19
Page 14
8/2006, Α / Π 48/2010, Α / Π 61/2014, Α / Π 67/2017 and Α / Π 56/2017), which, however, will notbe counted during the measurement of the sentence, since they do not relate to a similar natureinfringement.5. ΚυπWσεις5.1.1. As defined in the provisions of Rule 83 (5) of the Rules of Procedure. violation of the provisions ofArticles 5 and 15, draws, 'in accordance with paragraph 2, administrative fines of up to 20 000 000EUR or, in the case of undertakings, up to 4% of total world annual turnoverof the previous financial year, whichever is higher ".5.1.2. As defined in the provisions of Rule 83 (4) of the Rules of Procedure, infringement of the provisions ofapthpov 32 and 33 draws, "in accordance with paragraph 2, administrative fines of up to 1 A 000 000EUR or, in the case of undertakings, up to 2% of total global annual turnoverof the previous financial year, whichever is higher ".5.1.3. Paragraph 2 of Rule 83 of the Rules of Procedure is quoted as follows :«2. Administrative fines, depending on the circumstances of each individual case, are imposedin addition to or instead of the measures referred to in Article 58 ( 2 ) (a) to (h) andin Article 58 ( 2 ) (j). When making an administrative decisionas well as the amount of the administrative fine for each individualIn this case, due account shall be taken of the following:
(a) the nature, gravity and duration of the infringement, taking into account the nature, extent orpurpose of the relevant processing, as well as the number of data subjects it touched onthe infringement and the degree of damage suffered,
(b) the deceit or negligence which caused the infringement;
(c) any action taken by the controller or the executorprocessing to mitigate the damage suffered by data subjects,
(d) the degree of responsibility of the controller or processor takingHaving regard to the technical and organizational measures applicable pursuant to Articles 25 and 32,
(e) any relevant previous infringements by the controller or the executor
(f) the degree of cooperation with the supervisory authority to remedy the infringementand limiting its potential adverse effects,
(g) the categories of personal data affected by the infringement;
(h) the manner in which the supervisory authority was informed of the infringement, in particular whether and againstwhether the controller or controller notified the infringement,
(i) where the measures referred to in Article 58 have previously been orderedparagraph 2 against the controller involved or the processoron the same subject matter, compliance with those measures,
(j) the observance of approved codes of conduct in accordance with Article 40 or approvedcertification mechanisms in accordance with Article 42 and
(k) any other aggravating or mitigating factor arising from its circumstancesin such a case, such as the financial benefits or losses incurredavoided, directly or indirectly, the infringement. ».

6. Penalty increaseTaking into account the provisions of Article 83 of the Regulation, which concerns the General Termsadministrative fines, when calculating the administrative fine I took into accountthe following mitigating (a-g) and aggravating (n - i) factors:
(a) The nature of the breach: The breach concerns the contractual relationship of the Bank withdata subject.
(b) The number of data subjects affected by the infringement:a person is affected.
(c) The categories of personal data affected by the infringement: Given that, up toToday, the limit insurance contract was not revoked, I believe, the personal dataincluded is, at a minimum, the name, contract number andID number, as the most common identification
(d) The fact that the Defendant took action to mitigate the damagesuffered by the data subject:The Defendant made a proposal to Mr.for return of all premiumsincluding interest with the signed insurance cancellation order.
(e) The fact that the Defendant in the complaint cooperated sufficiently with my Office inredress of the infringement.
(f) The fact that the Defendant informed me in the complaint that, at least subsequently,take additional measures that would contribute to strengthening / improving security and protectionof the insurance policies of its clients-insured.
(g) The controller did not derive any financial benefit or material damage to thedata subject.
(h) The duration of the infringement: Can not be determined precisely, as the data thattaken into account, arose in the course of the investigation.
(i) The fact that I was informed of the illegal processing following a complaint to my Officeand not directly from the Defendant.
(j) The fact that these are infringements due to the processing of personal data (articles5 (1 ) (f), 5 (2), 32 and 33), which are judged to be of greater weight and duration but alsoon the non-satisfaction of a subject's right of access.

7. ConclusionIn the light of the above and on the basis of the powers conferred on me by the provisions of the article58 (2) (i) of the Rules of Procedure, I have the view that, at first sight, the failure to find, to date, thedisputed border insurance policy of Mr.violates the provisions of the articles5 (1 ) (f), 5 (2), 15, 32 and 33 of the Rules of Procedure.
Therefore, I DECIDED as:

Therefore, I decided to impose the complaint on the Defendant, Bank of Cyprus PublicCompany Ltd, in its capacity as the person in charge of processing the archiving system, thea fine of € 15,000 (fifteen thousand euros) for her violationobligation under Articles 5 (1) (f), 5 (2), 15, 32 and 33 of the Rules of Procedure.

Commissioner
Data protection
Personal Character