Commissioner (Cyprus) - 11.17.001.008.001: Difference between revisions

From GDPRhub

Revision as of 10:01, 4 November 2020

Commissioner - 11.17.001.008.001
Authority: Commissioner (Cyprus)
Jurisdiction: Cyprus
Relevant Law: Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 15 GDPR
Article 32 GDPR
Article 33 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 17.06.2020
Published: 17.06.2020
Fine: 15.000 EUR
Parties: n/a
National Case Number/Name: 11.17.001.008.001
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: Commissioner of Cyprus (in EL)
Initial Contributor: Elisavet Dravalou

The Cyprus DPA holds that the data controller's inability to locate the original contract with the data subject constitutes a violation of the right of access to personal data. A fine of € 15000 was issued.

English Summary

Facts

A data subject made an access request to the Bank of Cyprus and the insurance company Eurolife Ltd, requesting a copy of the original insurance agreement. The Bank of Cyprus had the obligation to store the original agreement. The agreement was signed in 2000, and the Bank of Cyprus was not able to locate the original in its storage. For this reason, the Bank of Cyprus offered to cancel the agreement and sign a new one with the data subject.

Dispute

Does the unavailability of personal data constitute a data breach?

Holding

The Cyprus DPA held that the unavailability of personal data constitutes a data breach and that this breach should be reported to the DPA under Article 33 of the GDPR, as it is likely to cause a risk to the rights and freedoms of the data subject. The DPA also held that the Bank of Cyprus failed to implement appropriate technical and organisational measures to ensure the security (confidentiality, integrity and availability) of personal data. Because the Bank of Cyprus could not locate the original agreement, it failed to comply with the data subject's access request, breaching Article 15 of the GDPR, and failed to demonstrate accountability.

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.