Cyprus: Commissioner imposes reprimand on SBLA for failure to comply with security measures
The Office of the Commissioner for Personal Data Protection ('the Commissioner') published, on 31 March 2022, its decision in Case No. 11.17.001.009.169, as issued on 30 September 2021, in which it imposed a reprimand on the Sewerage Board of Limassol – Amathus ('SBLA'), for the violation of Article 32 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following complaints.
Background to the decision
In particular, the Commissioner noted that it had received complaints from co-owners of a plot, concerning the disclosure of their personal data to third parties without consent. Specifically, the Commissioner provided that the complainants had requested to be connected to the sewerage system which would be paid jointly with the owners of another plot, and to which their personal data was subsequently disclosed.
Findings of the Commissioner
Following an investigation, the Commissioner found that SBLA should have ensured that, in the absence of another legal basis under Article 6 of the GDPR, the complainants had been informed and consented to the disclosure of their personal data to third parties. Additionally, the Commissioner highlighted that SBLA should not have disclosed the personal data of the complainants, even if such data was already known to those third parties, and that SBLA should have complied with the procedure it had created, i.e. sending the letters/receipts directly to the owners of the plot. Furthermore, the Commissioner noted that, although SBLA had taken some organisational measures including providing seminars and data protection training to each department, it did not comply with the verification instructions it had established, resulting in a violation of Article 32 of the GDPR.
As such, the Commissioner issued a reprimand to SBLA, stressing that, if SBLA commits a similar violation in the next six months, it may proceed to an administrative sanction.