Cyprus: Developments On Penalties Imposed On Financial Institutions For GDPR Violations In Cyprus

This article discusses the decision of the Commissioner for Personal Data (Commissioner) issued on 17^th June 2020, through which a fine in the amount of €15.000 was imposed to a Bank for violation of several obligations stemming from the General Data Protection Regulation (hereinafter the GDPR).  These obligations refer to, among others, principles relating to processing of personal data, right of access by the data subject, security of processing and the notification of a personal data breach of GDPR.

What was the factual background?

  A complaint was filed against a Bank (Bank) and the insurance company from an individual due to the inability of the Bank to provide him with a copy of his insurance contract upon his request. According to Bank's allegations the provision of a copy of the document was not feasible because the original contract has been archived in a place, where its trace was difficult and time consuming. The Bank did not notify the competent Commissioner regarding this incident, since there was not even the slightest suspicion that the document may be outside the Bank.

What was Bank's conduct?

  The critical conduct of the Bank from a legal perspective lies in:

• its inability to trace customers' original insurance contract and to provide him with a copy thereof (loss of the contract); and
• its failure to notify the Commissioner of the incident regarding the loss of customer's insurance contract.

What was Commissioner's decision?

The Commissioner held that the Bank's conduct did not comply with its obligations set out in the GDPR.

Specifically, the loss of the customer's insurance contract constitutes a violation of the GDPR since the customer was deprived of his right to access to the insurance contract. As a result, on one hand, the customer was not able to check the veracity and the validity of his personal data and on the other hand, he was not able to check the lawfulness of their processing (loss of control of his data).

Furthermore, the Bank's omission to notify the incident regarding the loss of the contract to the Commissioner within 72 hours from the moment at which the incident came to its knowledge constituted a violation of article 33 of the GDPR.

As it becomes clear from the Commissioner's decision and the relevant legal framework, the "violation of personal data" under the GDPR can take the form of a personal data breach. A breach is a type of security incident and a personal data breach may, among others, occur when the personal data stored or processed are lost or cannot be accessed to.
 
How was the fine calculated?

The Commissioner calculating the administrative fine considered several critical factors such as the duration of the violation, the fact that the Commissioner was informed of the violation incident after the complaint and not directly by the Bank.

The Commissioner also took into account the fact that the incident concerned several violations under GDPR, which are deemed to be violations of greater importance.
 
Critical view

The Decision of the Commissioner is worth-mentioning, since it is anticipated to lead the legal entities which act as processors and/or controllers of personal data to be more careful and to act with more diligence when handling personal data. Such examples also show the importance of notifying the Commissioners of personal data breaches on time taking into account the strict deadlines provided under GDPR. Failure to report a personal data breach to the Commissioner is also considered as a criminal offense in accordance to Law 125(I)/2018, with a penalty of maximum three (3) years of imprisonment, or fine up to €30.000, or both the above.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.