HARSH FINES FOR UNLAWFUL PROCESSING OF PERSONAL DATA BY THE COMMISSIONER
The latest decisions of the Commissioner for the Protection of Personal Data in Cyprus (“The Commissioner) indicate that the Commissioner will not tolerate violation of the provisions of the General Data Protection Regulation (“the GDPR”). The three cases below, indicate her reluctance regarding such infringements.
Case No. 1 – Fine of €82.000 regarding monitoring of sick leave by employees
In her recent decision (December 2019), the Commissioner decided to impose a total fine of €82.000 on a group of Companies in Cyprus. The group had been using the Bradford Factor, a test used to assess the group’s employees’ conduct by monitoring their sick leaves. According to the Commissioner, this processing constituted processing of Special Categories of Personal Data, for which process the group of companies could not provide a lawful basis to the Commissioner.
Case No. 2 – Fine of €14.000 on a doctor
The Commissioner has also recently imposed a fine of €14,000 on a doctor who published Special Categories of Personal Data of a patient on social media without obtaining their consent in advance.
Case No – 3 Fine of €9.000 on Social Insurance Services
In another decision (December 2019), the Commissioner imposed a fine of €9,000 on Social Insurance Services for inadequate security measures leading to a data leak in 2017. The Commissioner, before imposing the fine, took into account the failure of the Social Insurance Services to respond to vital questions addressed to them by her Office while investigating the case.
GDPR COMPLIANCE OF UTMOST IMPORTANCE
The above fines are the highest imposed in the Republic of Cyprus since the coming into force of the GDPR. Such fines constitute an indication of the reluctance of the Commissioner for non-compliance with the provisions of the GDPR. GDPR compliance is of vital importance and businesses should ensure that they are fully compliant with the provisions of the GDPR to avoid facing any sanctions by the Commissioner.
Should you require assistance regarding compliance of your business with the provisions of the GDPR and domestic legislation regarding the processing of personal data, do not hesitate to contact us.