Elena Argyropoulou & Associates LLC

OCTOBER TO DECEMBER 2019 – Decisions of the Commissioner on GDPR

Decisions of the Commissioner on GDPR

Penalty to Louis Companies

The Office of the Commissioner for Personal Data Protection received a complaint from SEK (the Cyprus Worker’s Confederation) claiming that three related companies had used the Bradford Factor, an automated system for the purpose of managing and monitoring workers’ sick leaves.

According to the Commissioner where either directly or indirectly the identity of a person is revealed, the date of sick leave and the frequency of sick leave for them constitute “special categories of personal data.”

“Employers cannot exercise unlimited control and supervision over their employees, violating their personality.”

On the basis of the facts examined by the Office of Commissioner, the Commissioner considered that such treatment had no legal basis and decided that the particular use of the Bradford Factor was in violation of privacy laws and thus orders Louis companies to dismiss the act and to erasure any relevant created record.

The Commissioner fined:

  • LGS Handling with €70,000
  • Louis Travel with €10,000
  • Louis Aviation with €2,000

Some of the factors taken into account to calculating the penalties were the number of the affected Data Subjects (818 employees), the nature and duration of the violation; and the turnover of the companies concerned.

Personal Data Leakage by the Cyprus Police, CYTA and Social Security Services

The Commissioner was informed of the occurrence of the incident by the Police, which confirmed that officials of the Ministry of Labor and Social Insurance Services (YKA) had access to information and were able to print screen the documents in question and hand them over illegally to a former policeman.

According to the Commissioner:

  • YKA failed to properly inform her Office of this security breach in its system as well as to respond to significant questions raised by her Office on examination.
  • The security measures taken by the service at the time were inadequate.

The Commissioner imposed an administrative fine of € 9,000 to YKA for allowing leaks of personal data from its system.

Complaint on receipt of marketing spam messages

The Commissioner imposed a fine of €1000 and one of €1200 respectively to companies which failed to remove from their internal records the mobile numbers of complainants despite having received an explicit request to do so in the past.

Further detailed information concerning data publicized by the Commissioner on the above topics can be found of the Commissioner’s website at www.dataprotection.gov.cy.

Argyropoulou & Associates LLC offers a wide range of privacy and data protection services locally and internationally. For any enquiry or assistance please contact our law firm at info@argyropouloullc.com.