Commissioner - 11.17.001.008.001
|Comissioner - 11.17.001.008.001|
|Relevant Law:||Article 5(1)(f) GDPR|
Article 5(2) GDPR
Article 15 GDPR
Article 32 GDPR
Article 33 GDPR
|National Case Number/Name:||11.17.001.008.001|
|European Case Law Identifier:||n/a|
|Original Source:||Commissioner of Cyprus (in EL)|
|Initial Contributor:||Elisavet Dravalou|
Cyprus DPA holds that the inability of the data controller to discover the original contract with the data subject constitutes a violation of the right to access the personal data. A fine of € 15000 was issued.
A data subject made an access request to the Bank of Cyprus and the insurance company Eurolife Ltd, requesting a copy of the original insurance agreement. The Bank of Cyprus had the obligation to store the original agreement. The agreement was signed in 2000 and the Bank of Cyprus was not able to locate the original agreement at her storage. Due to this fact, the Bank of Cyprus offered to cancel the agreement and sign a new one with the data subject.
Does the unavailability of personal data constitute a data breach?
The Cyprus DPA held that unavailability of personal data constitutes a data breach and that this data breach should be reported to the DPA, according to article 33 of the GDPR as it is likely to cause risk to the rights and freedoms of the data subject. The DPA also held that the Bank of Cyprus failed to implement appropriate technical and organisational measures to ensure the security (confidentiality, integrity and availability) of personal data. Due to the fact that the Bank of Cyprus couldn't locate the original agreement, it failed to comply with the data subject's access request, breaching article 15 of the GDPR and demonstrate accountability.
Share your comments here!
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.