Cyprus: Commissioner fines ESSA €5,000 for data breach concerning unauthorised use of parents' email addresses
The Office of the Commissioner for Personal Data Protection ('the Commissioner') published, on 24 March 2022, its decision, as issued on 21 March 2022, in which it fined the staff union of the English School, ESSA, €5,000 for a violation of Articles 5(1)(a) and 6(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following notification of a data breach concerning the ESSA's unauthorised access to and use of the email addresses of students' parents and guardians.
Background to the decision
In particular, the breach notification concerned the use of the email addresses of students' parents and guardians of the English School, by a school professor who was also the President of the ESSA, for sending an email to all parents/guardians and to staff of the English School, for purposes other than those for which said email addresses were originally collected, and without the parents/guardians being informed of such use of their email addresses.
Findings of the Commissioner
The Commissioner found that the ESSA had violated the principle of lawfulness, fairness, and transparency under Article 5(1)(a) of the GDPR, and had also failed to prove that it had a valid legal basis as required by Article 6(1) of the GDPR. Additionally, the Commissioner highlighted that the ESSA, as a separate joint controller, should have known that using the communications system of another data controller, the English School, would result in the access, use, and processing of personal data, which would require compliance with the provisions of the GDPR.
Furthermore, in reaching this decision, the Commissioner considered mitigating factors, including the fact that, despite the two complaints about ESSA, which the English School forwarded to the Commissioner, no parent had ever complained to the Commissioner directly about the ESSA. Additionally, the Commissioner considered aggravating factors, including the large number of data subjects affected, and the ESSA's failure to take any measures to mitigate the impact or consequences of the violation, or admit to such violation.
As a result, the Commissioner imposed the fine of €5,000 on the ESSA.