Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Cyprus: Commissioner imposes reprimand on SBLA for failure to comply with security measures

The Office of the Commissioner for Personal Data Protection ('the Commissioner') published, on 31 March 2022, its decision in Case No. 11.17.001.009.169, as issued on 30 September 2021, in which it imposed a reprimand on the Sewerage Board of Limassol – Amathus ('SBLA'), for the violation of Article 32 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following complaints.

Background to the decision

In particular, the Commissioner noted that it had received complaints from co-owners of a plot, concerning the disclosure of their personal data to third parties without consent. Specifically, the Commissioner provided that the complainants had requested to be connected to the sewerage system which would be paid jointly with the owners of another plot, and to which their personal data was subsequently disclosed.

Findings of the Commissioner

Following an investigation, the Commissioner found that SBLA should have ensured that, in the absence of another legal basis under Article 6 of the GDPR, the complainants had been informed and consented to the disclosure of their personal data to third parties. Additionally, the Commissioner highlighted that SBLA should not have disclosed the personal data of the complainants, even if such data was already known to those third parties, and that SBLA should have complied with the procedure it had created, i.e. sending the letters/receipts directly to the owners of the plot. Furthermore, the Commissioner noted that, although SBLA had taken some organisational measures including providing seminars and data protection training to each department, it did not comply with the verification instructions it had established, resulting in a violation of Article 32 of the GDPR.

Outcomes

As such, the Commissioner issued a reprimand to SBLA, stressing that, if SBLA commits a similar violation in the next six months, it may proceed to an administrative sanction.

You can read the press release here and the decision here, both only available in Greek.