Cyprus: Commissioner publishes decision on TEPAK's unlawful collection and processing of COVID-related data
The Office of the Commissioner for Personal Data Protection ('the Commissioner') published, on 22 September 2021, its decision, following the investigation conducted into the collection and processing of students' and employees' personal data at the Cyprus University of Technology ('TEPAK'), including their sensitive personal data, such as information and relevant certificates on vaccination or recovery from COVID-19. In particular, the decision highlights that the collection and processing took place through an electronic form, noting that this data was stored for a period of one year.
Furthermore, the decision outlines the Commissioner's positions on the matter, including that: the collection and processing of the data cannot be based on the data subjects' consent, due to the imbalance of power between employer and employee; the collection of data through an electronic form and their retention in electronic and/or printed form for a period of one year exceeded the necessary limits; and such processing violates the basic principles of lawful data processing, proportionality, and storage limitation. As such, the decision notes that TEPAK violated, among other things, the information obligation under Articles 12 and 13 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
As a result, the decision provides that the Commissioner ordered TEPAK to:
- terminate the processing through the electronic form;
- delete or destroy the COVID-19 vaccination and recovery certificates;
- take action to make processing compliant with GDPR provisions; and
- inform the Commissioner of the actions to be taken to achieve the aforementioned orders, within two weeks of receipt of the decision.