Commissioner - 11.17.001.008.001

From GDPRhub
Revision as of 07:11, 6 November 2020 by Panayotis.Yannakas (talk | contribs) (Typo)
Commissioner - 11.17.001.008.001
LogoCY.jpg
Authority: Commissioner (Cyprus)
Jurisdiction: Cyprus
Relevant Law: Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 15 GDPR
Article 32 GDPR
Article 33 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 17.06.2020
Published: 17.06.2020
Fine: 15.000 EUR
Parties: n/a
National Case Number/Name: 11.17.001.008.001
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: Commissioner of Cyprus (in EL)
Initial Contributor: Elisavet Dravalou

Cyprus DPA holds that the inability of the data controller to discover the original contract with the data subject constitutes a violation of the right to access the personal data. A fine of € 15000 was issued.

English Summary

Facts

A data subject made an access request to the Bank of Cyprus and the insurance company Eurolife Ltd, requesting a copy of the original insurance agreement. The Bank of Cyprus had the obligation to store the original agreement. The agreement was signed in 2000 and the Bank of Cyprus was not able to locate the original agreement at her storage. Due to this fact, the Bank of Cyprus offered to cancel the agreement and sign a new one with the data subject.

Dispute

Does the unavailability of personal data constitute a data breach?

Holding

The Cyprus DPA held that unavailability of personal data constitutes a data breach and that this data breach should be reported to the DPA, according to article 33 of the GDPR as it is likely to cause risk to the rights and freedoms of the data subject. The DPA also held that the Bank of Cyprus failed to implement appropriate technical and organisational measures to ensure the security (confidentiality, integrity and availability) of personal data. Due to the fact that the Bank of Cyprus couldn't locate the original agreement, it failed to comply with the data subject's access request, breaching article 15 of the GDPR and demonstrate accountability.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.