The Office of the Commissioner for Personal Data Protection ('the Commissioner') announced, on 19 October 2020, its decision to fine Bank of Cyprus Public Company Ltd €15,000 for violation of Articles 5 (1)(f), 5 (2), 15, 32, and 33 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In particular, the Commissioner highlighted that the Bank did not comply with its obligations under the GDPR because the loss of the complainant's insurance policy deprived him of his right of access to the insurance contract, making him incapable of checking the correctness and validity of his data and verifying the lawfulness of the processing. Furthermore, the Commissioner noted that the fine was a result of the Bank's failure to notify the Commissioner of the data breach in relation to the loss of the contract within 72 hours from the moment the breach was brought to its knowledge. Lastly, the Commissioner stated that Eurolife Ltd, which was also targeted by the complainant, and which acted as a separate data controller, did not illegally process the complainant's personal data.

You can read the press release here and the decision here, both only available in Greek.