Cyprus: Commissioner publishes decision on TEPAK's unlawful collection and processing of COVID-related data

The Office of the Commissioner for Personal Data Protection ('the Commissioner') published, on 22 September 2021, its decision, following the investigation conducted into the collection and processing of students' and employees' personal data at the Cyprus University of Technology ('TEPAK'), including their sensitive personal data, such as information and relevant certificates on vaccination or recovery from COVID-19. In particular, the decision highlights that the collection and processing took place through an electronic form, noting that this data was stored for a period of one year. 

Furthermore, the decision outlines the Commissioner's positions on the matter, including that the collection and processing of the data cannot be based on the data subjects' consent, due to the imbalance of power between employer and employee; that the collection of data through an electronic form and their retention in electronic and/or printed form for a period of one year exceeded the necessary limits; and that such processing violates the basic principles of lawful data processing, proportionality, and storage limitation. As such, the decision notes that TEPAK violated, among other things, the information obligation under Articles 12 and 13 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').

As a result, the decision provides that the Commissioner ordered TEPAK to:

  • terminate the processing through the electronic form;
  • delete or destroy the COVID-19 vaccination and recovery certificates;
  • take action to make processing compliant with GDPR provisions; and
  • inform the Commissioner of the actions to be taken to achieve the aforementioned orders, within two weeks of receipt of the decision.

You can read the press release here and the decision here, both only available in Greek.