Cyprus: Commissioner fines English School €4,000 for failure to implement sufficient technical and organisational security measures to prevent a data breach by ESSA
The Office of the Commissioner for Personal Data Protection ('the Commissioner') published, on 24 March 2022, its decision, issued on 22 March 2022, in which it fined the English School €4,000 for violating Article 32 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following notification of a data breach involving the unauthorised access to and use of the email addresses of students' parents and guardians by the English School's staff union, ESSA.
Background to the decision
In particular, the breach notification concerned the use of the email addresses of the English School's students' parents and guardians by a school professor, who was also the President of the ESSA, to send an email to all parents/guardians and to the staff of the English School, for purposes other than those for which the email addresses were originally collected and without the parents/guardians being informed of such use of their email addresses.
Findings of the Commissioner
The Commissioner found that, irrespective of the responsibility of the school professor and the ESSA, the English School, as a data controller, should have applied technical and organisational security measures in accordance with Article 32 of the GDPR. In that regard, the Commissioner highlighted that the security measures taken were not sufficient to prevent the unauthorised use of the email addresses of parents and guardians.
In reaching this decision, the Commissioner considered mitigating factors, including the fact that the system used to send the emails prevented parents/guardians from seeing the email addresses of other parents/guardians, as well as the School's policy on sending emails to parents/guardians. The Commissioner also considered aggravating factors, including the large number of parents/guardians affected and the School's failure to admit to the violation.
As a result, the Commissioner imposed the fine of €4,000 on the English School.