Enforcement

€10,000 fine - Cypriot Data Protection Commissioner

The Cypriot DPA has imposed a fine of EUR 10,000 on the Housing Finance Corporation. The controller stored client loan data for longer than necessary and did not ensure that the data was correct. This resulted in the controller incorrectly declining a client's loan application.

€3,000 fine - Cypriot Data Protection Commissioner

The Cypriot DPA fined Senira Limited EUR 3,000 for failing to sufficiently cooperate with the DPA.

€2,000 fine - Cypriot Data Protection Commissioner

The Cypriot DPA has imposed a fine of EUR 2,000 on Brivio Limited for failing to respond to a request for information in a timely manner.

€1,500 fine - Cypriot Data Protection Commissioner

The Cypriot DPA has imposed a fine of EUR 1,500 on Aylo Social LTD for failing to comply with a deletion request.

€1,500 fine - Cypriot Data Protection Commissioner

The Cypriot DPA has imposed a fine of EUR 1,500 on a physician. An individual had filed a complaint with the DPA because the physician had accessed their personal data in a healthcare system, even though the physician had not treated the individual or obtained their consent.

€45,000 fine - Cypriot Data Protection Commissioner

The Cypriot DPA has imposed a fine of EUR 45,000 on Open University of Cyprus. The university had suffered a data breach involving hackers publishing personal data of students, alumni etc. on the dark web. During its investigation, the DPA found that the university had failed to implement appropriate technical and organizational measures to protect personal data.

€9,000 fine - Cypriot Data Protection Commissioner

The Cypriot DPA has imposed a fine of EUR 9,000 on NAGA Markets Europe Ltd. The controller had suffered a data breach in which an unknown person accessed the company's database, holding the data of approximately 342,000 customers. The DPA found that the controller had not implemented appropriate technical and organizational measures to protect personal data, which facilitated such a breach.

€3,250 fine - Cypriot Data Protection Commissioner

The Cypriot DPA has imposed a fine of EUR 3,250 on Epic Ltd. The contoller had made unsolicited calls to 332 former customers without a valid legal basis. The DPA also found that the controller had not taken appropriate technical and organizational measures to prove that data processing was carried out in compliance with the GDPR.

€7,000 fine - Cypriot Data Protection Commissioner

The Cypriot DPA has imposed a fine of EUR 7,000 on the newspaper 'Πολίτης'. The controller had unlawfully published the names and pictures of two police officers.

€8,000 fine - Cypriot Data Protection Commissioner

The Cypriot DPA has imposed a fine of EUR 8,000 on the Cypriot Ministry of the Interior. The Ministry of Interior had unlawfully transmitted personal data of employees to the House of Representatives.

€3,000 fine - Cypriot Data Protection Commissioner

The Cypriot DPA has imposed a fine of EUR 3,000 on Breikot Management Ltd. The DPA found that the company had violated the principle of minimization by processing excessive personal data during reporting although less data would also have served the journalistic interest of the public.

€8,000 fine - Cypriot Data Protection Commissioner

The Cypriot DPA has imposed a fine of EUR 8,000 on Bank of Cyprus Public Company Ltd.. The controller had stored inaccurate data about a data subject in its system.

€4,000 fine - Cypriot Data Protection Commissioner

The Cypriot DPA has imposed a fine of EUR 4,000 on the English School in Cyprus. The school had reported a data breach to the DPA under Art. 33 GDPR. A teacher had used the email address of the students' parents for a purpose other than that for which the email addresses were originally collected. The DPA found that the school had failed to take adequate technical and organizational measures to ensure the protection of personal data and to prevent such incidents.

€5,000 fine - Cypriot Data Protection Commissioner

The Cypriot DPA has imposed a fine of EUR 5,000 on the English School staff union (ESSA). The school had notified the DPA of a data breach under Art. 33 GDPR. A teacher, also a member of the staff union, had used the email addresses of the parents of the students for a purpose other than the one for which the email addresses had originally been collected. The DPA found that the staff union had failed to take appropriate technical and organizational measures to ensure the protection of personal d

€10,000 fine - Cypriot Data Protection Commissioner

The Cypriot DPA has imposed a fine of EUR 10,000 on the publisher Εκδοτικού Οίκου Δίας. A public figure had filed a complaint with the DPA. The publisher had published incorrect information about the data subject's financial situation on a website. In the course of its investigation, the DPA, weighing the publisher's right to freedom of expression against the data subject's right to privacy and protection of personal data, found that the publisher had unlawfully processed the data of the data su

€5,000 fine - Cypriot Data Protection Commissioner

The Cypriot DPA has imposed a fine of EUR 17,000 on Bank of Cyprus Public Company Ltd. In the context of a sale of credit facilities, the bank had inadvertently transferred data of customers whose credit facilities had not been sold to the buyer. The incidents affected approximately 11,673 records and 5,500 individuals. The DPA found that the bank had failed to implement sufficient technical and organizational measures to protect personal data.

€2,000 fine - Cypriot Data Protection Commissioner

The Cypriot DPA has fined the Oroklini Municipal Council EUR 2,000 for not properly cooperating with the DPA during an investigation.

€6,000 fine - Cypriot Data Protection Commissioner

The Cypriot DPA has imposed a fine of EUR 6,000 on Hermes Airport Ltd. The controller had suffered a cyber attack which, according to the DPA, had been caused due to a lack of technical and organizational measures for the protection of personal data and a lack of supervision of a processor.

€3,500 fine - Cypriot Data Protection Commissioner

The Cypriot DPA has imposed a fine of EUR 3,500 on Universal Life Insurance Public Co Ltd. The processor of the data controller had suffered a data breach in which personal data of customers were mistakenly disclosed to other customers. During its investigation, the DPA found that the controller had failed to contractually regulate the relationship with its processor. The DPA concluded that the controller had contracted a processor without ensuring that the processor provided sufficient guarante

€5,000 fine - Cypriot Data Protection Commissioner

The Cypriot DPA has imposed a fine of EUR 5,000 on the Cypriot Ministry of Defense. The controller had suffered a cyber attack which, according to the DPA, had been caused due to a lack of technical and organizational measures for the protection of personal data and a lack of supervision of a processor.

€5,000 fine - Cypriot Data Protection Commissioner

The Cypriot DPA has imposed a fine on the Cyprus Judo Federation. The father of a member had filed a complaint with the DPA because the judo coach of his minor son had published photographic and audiovisual material on a social media platform without his prior consent. During the course of the investigation, the trainer did not sufficiently cooperate with the DPA, which therefore imposed a fine of EUR 5,000 for a violation of Art. 31 GDPR.

€5,000 fine - Cypriot Data Protection Commissioner

The Cypriot DPA has imposed a fine of EUR 5,000 on DW Dynamic Works LIMITED. The controller operated as a processor for Hermes Airport Ltd.. Hermes had suffered a cyberattack which, according to the DPA, was caused, among other things, by Dynamic Works' lack of technical and organizational measures to protect personal data.

€7,500 fine - Cypriot Data Protection Commissioner

The Cypriot DPA has imposed a fine of EUR 7,500 on DW Dynamic Works LIMITED. The controller operated as a processor for the Cypriot Ministry of Denfese. The minsitry had suffered a cyberattack which, according to the DPA, was caused, among other things, by Dynamic Works' lack of technical and organizational measures to protect personal data.

€1,500 fine - Cypriot Data Protection Commissioner

The Cypriot DPA has imposed a fine of EUR 1,500 on a physician. The DPA had conducted an investigation against the physician for the unlawful operation of a video surveillance system. For investigative purposes the DPA had requested information from the physician, which the physician did not provide to the DPA. For this reason, the DPA found that the physician had violated Art. 31 GDPR due to lack of cooperation with the DPA.

€3,750 fine - Cypriot Data Protection Commissioner

The Cypriot DPA has imposed a fine of EUR 3,750 on PRINTAFORM Ltd. PRINTAFORM, which worked as a processor for Universal Life Insurance Public Co Ltd, had suffered a data breach in which personal data of customers was mistakenly disclosed to other customers. According to the DPA, the data breach was caused by PRINTAFORM's lack of technical and organizational measures to protect personal data.

€17,000 fine - Cypriot Data Protection Commissioner

The Cypriot DPA has imposed a fine of EUR 17,000 on Bank of Cyprus Public Company Ltd. In the context of a sale of credit facilities, the bank had inadvertently transferred data of customers whose credit facilities had not been sold to the buyer. The incidents affected approximately 11,673 records and 5,500 individuals. The DPA found that the bank had failed to implement sufficient technical and organizational measures to protect personal data.

€925,000 fine - Cypriot Data Protection Commissioner

The Cypriot DPA has imposed a fine of EUR 925,000 on WS WiSpear Systems Ltd. The company had collected various data from individuals (Media Access Control addresses and International Mobile Subscriber Identity data) without their knowledge as part of tests and presentations of technologies. In this context, the DPA found a violation of the principle of legality, objectivity and transparency.

€10,000 fine - Cypriot Data Protection Commissioner

The Cypriot DPA has fined Mediterranean Hospital of Cyprus EUR 10,000 for failing to provide information requested by the DPA during an investigation.

€25,000 fine - Cypriot Data Protection Commissioner

The Cypriot DPA has imposed a fine of EUR 25,000 on Hellenic Technical Enterprises Ltd.. The controller hat designed the ticket sales system of the soccer clubs AC Omonia and APOEL FC. Due to a lack of security measures in the ticket sales system, it was possible for an unauthorized person to access and disclose personal data of fans on the club's website. This data involved the name, the fan card number and the ID number of the data subjects. The DPA concluded that the controller failed to impl

€40,000 fine - Cypriot Data Protection Commissioner

The Cypriot DPA has imposed a fine of EUR 40,000 on the soccer club APOEL FC. Due to a lack of security measures in the club's ticket sales system, it was possible for an unauthorized person to access and disclose personal data of fans on the club's website. This data involved the name, the fan card number and the ID number of the data subjects. The DPA concluded that the club failed to implement adequate technical and organizational security measures. In separate proceedings, the DPA fined AC O

€40,000 fine - Cypriot Data Protection Commissioner

The Cypriot DPA has imposed a fine of EUR 40,000 on the soccer club AC Omonia. Due to a lack of security measures in the club's ticket sales system, it was possible for an unauthorized person to access and disclose personal data of fans on the club's website. This data involved the name, the fan card number and the ID number of the data subjects. The DPA concluded that the club failed to implement adequate technical and organizational security measures. In separate proceedings, the DPA fined APO

€40,000 fine - Cypriot Data Protection Commissioner

The Cypriot DPA imposed a fine of EUR 40,000 on the Electricity Authority of Cyprus. The controller used an automated system based on the so-called Brad-Factor to manage, monitor and control employee absences due to illness using a tool assessment. The DPA found that such an assessment mechanism was not covered by Cypriot labor law and had therefore been used unlawfully. Furthermore, an option for data subjects not to consent to such automated processing of their personal data should have been p

€10,000 fine - Cypriot Data Protection Commissioner

The Cypriot DPA imposed a fine of EUR 10,000 on the Cypriot Real Estate Registration Authority. The data subject submitted a written request to the controller requesting various information relating to him personally, exercising the right of access granted to him under Art. 15 GDPR. After the controller failed to respond to the request for information, the data subject filed a complaint with the DPA. In the course of the subsequent investigation by the DPA, the controller also failed to respond

€25,000 fine - Cypriot Data Protection Commissioner

The Cypriot DPA imposed a fine of EUR 25,000 on Hellenic Bank. The bank had closed one of its branches in the city of Nicosia in 2015. When moving out of the space, a safe containing old documents of still existing customers, installed in one of the walls, had been forgotten. As the building was vacant in the following years, the controller only learned about this incident when the property was rented out again for the first time in 2019. The new tenant had found the safe and informed the contro

€6,000 fine - Cypriot Data Protection Commissioner

The Cypriot DPA imposed a fine of EUR 6,000 against KEPIDES (real estate company). The controller had submitted a list of buyers of the properties it manages to a parliamentary committee. However, the controller had failed to anonymize the list, as a result of which the names of the data subjects were transmitted.

€6,000 fine - Cypriot Data Protection Commissioner

A police officer had unauthorized access to a database holding personal data about vehicle owners and used the database for non-official purposes to pass information from the database to a third party. In this respect, the organizational and technical measures taken by the police to prevent unauthorized access to the database were insufficient to prevent the unauthorized disclosure of personal data to third parties.

€1,000 fine - Cypriot Data Protection Commissioner

Sending emails to data subjects without sufficient legal basis.

€15,000 fine - Cypriot Data Protection Commissioner

The data subject made a claim for access to information according to Art. 15 GDPR, which could not be answered, since the insurance contract of the data subject could not be found and has been lost. This constituted a violation of the rights of the data subject under Art. 15 GDPR as well as a violation of the obligations to protect personal data according to Art. 5 (1) f) GDPR and Art. 32 GDPR. In addition, the Data Breach Notification Obligations pursuant to Art. 33 f. GDPR have also been viola

€1,000 fine - Cypriot Data Protection Commissioner

Sending SMS marketing messages without consent. In particular, no appropriate measures were taken, such as the possibility for telephone users to block marketing messages from the eShop for Sports by opting out of receiving SMS marketing messages.

€9,000 fine - Cypriot Data Protection Commissioner

Granting the police access to personal data and failing to take adequate measures to secure the data, despite the warnings of the Supervisor, constituted a breach of Article 32 of the GPPR.

€70,000 fine - Cypriot Data Protection Commissioner

The decision found that the use of the Bradford factor for profiling and monitoring sick leave constituted unlawful processing of personal data in breach of Article 6 and Article 9 of the GDPR. Three fines of EUR 70,000, EUR 10,000 and EUR 2,000 were imposed for this infringement. The decision was announced on 2020/10/13.

€10,000 fine - Cypriot Data Protection Commissioner

The decision found that the use of the Bradford factor for profiling and monitoring sick leave constituted unlawful processing of personal data in breach of Article 6 and Article 9 of the GDPR. Three fines of EUR 70,000, EUR 10,000 and EUR 2,000 were imposed for this infringement. The decision was announced on 2020/10/13.

€2,000 fine - Cypriot Data Protection Commissioner

The decision found that the use of the Bradford factor for profiling and monitoring sick leave constituted unlawful processing of personal data in breach of Article 6 and Article 9 of the GDPR. Three fines of EUR 70,000, EUR 10,000 and EUR 2,000 were imposed for this infringement. The decision was announced on 2020/10/13.

€5,000 fine - Cypriot Data Protection Commissioner

A patient complained to the Commissioner that the request for access to her medical file was not satisfied by the hospital because the dossier could not be identified/located by the controller. After investigating the case, an administrative fine of €5,000 was imposed on the hospital.

€10,000 fine - Cypriot Data Protection Commissioner

The publication of the newspaper, both in hard copy and in electronic form, allegedly involved inconvenience, unnecessary and unlawful detention of a citizen, and revealed the names and pictures of the two police investigators involved, as well as the photograph of a third police investigator. The Commissioner considered that the aim could be achieved by referring only to the initials of their name and/or their faces being blurred and/or publishing photographs drawn from a distant distance so th

€14,000 fine - Cypriot Data Protection Commissioner

A patient complained to the Commissioner that the request for access to her medical file was not satisfied by the hospital because the dossier could not be identified/located by the controller. After investigating the case, an administrative fine of €5,000 was imposed on the hospital.