Cyprus: Commissioner orders Altius Insurance to comply with data minimisation and legal basis requirements
The Office of the Commissioner for Personal Data Protection ('the Commissioner') published, on 31 March 2022, its decision in Case No. 11.17.001.009.070, as issued on 10 September 2021, in which it ordered ALTIUS INSURANCE LTD to comply with Articles 5(1)(c) and 6 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a complaint from an individual.
Background to the decision
In particular, the decision notes that the Commissioner received a complaint from an individual who had concluded an insurance contract with Altius Insurance, in the course of which Altius Insurance had requested that the complainant specify their involvement in politics. Additionally, according to the decision, the complainant had been contacted by an employee at Altius Insurance, who insisted that the complainant reveal further information about their political affiliations. Subsequently, in response to the Commissioner's request to provide information on, among other things, the legal basis for the question about the political party of the complainant, Altius Insurance stated that the legal basis is its compliance with Law 188(I)/2007, which provides that an insurance company is obliged to identify politically exposed persons, as well as their close relatives or partners.
Findings of the Commissioner
Due to the conflicting positions and the time elapsed since the submission of the complaint, the Commissioner decided it could not further investigate the incident regarding Altius Insurance's question as to which political party the complainant belonged to.
However, the Commissioner investigated the sections of the life insurance proposal form relating to the identification of politically exposed individuals. Regarding the form, the Commissioner determined that, although the form's sections appear to be linked to the obligations of Altius Insurance under Law 188(I)/2007, they were not clearly stated and/or went beyond the scope of Altius Insurance's said obligations. Correspondingly, the Commissioner determined that Altius Insurance had violated the data minimisation principle under Article 5(1)(c) of the GDPR because it had collected personal data unnecessarily, which, in turn, resulted in the violation of Article 6 of the GDPR because of the absence of a legal basis for the processing of such data.
As a result, the Commissioner ordered Altius Insurance to:
- reword the life insurance proposal form to comply with Articles 5(1)(c) and 6 of the GDPR and send the new form to the Commissioner, within one month from the receipt of the decision; and
- destroy the responses of all customers in relation to the disputed documents, as they violated Articles 5(1)(c) and 6 of the GDPR, and inform the Commissioner accordingly, within three months of the receipt of the decision.
Lastly, the Commissioner confirmed that Altius Insurance had complied with the above orders.