Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Create an account
Join our community for free to access exclusive whitepapers, reports, and regulatory information.
Cyprus: Commissioner fines English School €4,000 for failure to implement sufficient technical and organisational security measures to prevent data breach by ESSA
The Office of the Commissioner for Personal Data Protection ('the Commissioner') published, on 24 March 2022, its decision, as issued on 22 March 2022, in which it fined the English School €4,000 for the violation of Article 32 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following notification of a data breach in which the unauthorised access and use of the email addresses of the students' parents and guardians, by the English School's staff union, ESSA.
Background to the decision
In particular, the breach notification concerned the use of the email addresses of students' parents and guardians of the English School, by a school professor who was also the President of the ESSA, for sending an email to all parents/guardians and to staff of the English School, for purposes other than those for which said email addresses were originally collected, and without the parents/guardians being informed of such use of their email addresses.
Findings of the Commissioner
The Commissioner found that, irrespective of the responsibility of the school professor and the ESSA, the English School, as a data controller, should have applied technical and organisational security measures in accordance with Article 32 of the GDPR. In that regard, the Commissioner highlighted that the security measures taken, were not sufficient to prevent the unauthorised use of the email addresses of parents and guardians.
In reaching this decision, the Commissioner considered mitigating factors, including the fact that the system used to send the emails prevented parents/guardians from seeing the email addresses of other parents/guardians, as well as the School's policy about the sending of emails to parents/guardians. Additionally, the Commissioner considered aggravating factors, including the large number of parents/guardians and the School's failure to admit to said violation.
Outcomes
As a result, the Commissioner imposed the fine of €4,000 on the English School.
You can read the press release here and the decision here, both only available in Greek.
Send us your Feedback!
Please let us know what you think of DataGuidance! It will only take 60 seconds and help us make the site better for you.
