Cyprus: Commissioner recommends TEPAK to implement internal procedures for investigating complaints

The Office of the Commissioner for Personal Data Protection ('the Commissioner') published, on 31 March 2022, its decision No., as issued on 29 October 2021, in which it issued a recommendation to the Cyprus University of Technology ('TEPAK') to establish internal procedures for the investigation of the disclosure of employees' personal data, following a complaint by an employee.

Background to the decision

In particular, the Commissioner noted that a TEPAK employee had complained that another employee had maliciously disclosed the complainant's personal data, specifically their name, surname, and email address, in violation of Article 33(1)(k) of Law 125(I) of 2018 Providing for the Protection of Natural Persons with regard to the Processing of Personal Data and for the Free Movement of Such Data ('the 2018 Law'). The complaint further alleged that the employee had disclosed an email containing personal references to the complainant and their family, and had sent emails to multiple people, the majority of whom were members of the academic and administrative staff of TEPAK. Furthermore, the Commissioner stated that the complainant specifically claimed that, in accordance with Article 33(1)(k) of the 2018 Law, the employee was criminally liable. Following this complaint, the Commissioner asked TEPAK to state whether the employee lawfully possessed the documents disclosed, and whether the staff's professional capacity allowed for lawful receipt of the documents sent by the employee. In this regard, the Commissioner highlighted that TEPAK did not provide any clarifications on the above.

Findings of the Commissioner

Further to the above, the Commissioner found that TEPAK did not cooperate with it, and refrained from taking a stance in the dispute between the complainant and the employee. Additionally, the Commissioner found that TEPAK was responsible for the implementation of appropriate technical and organisational security measures, to ascertain to whom data and/or documents were sent, and to have appropriate measures in place in case of a security incident which would lead to leakage of personal data. To support this finding, the Commissioner referred to Articles 24 and 32 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Additionally, the Commissioner outlined that since the incident took place prior to the GDPR coming into force, the obligations of data controllers to have in place appropriate technical and organisational security measures were still provided for under Article 10 of Law 138(Ι)/2001 (i.e. the predecessor of the 2018 Law).

Moreover, the Commissioner found, among other things, that the content of the correspondence and publications concerned the professional capacity of the complainant, rather than their private life, or that of their family, and that the disclosure of personal data occurred within the departments of TEPAK only, meaning that no data leak to third parties had occurred. Lastly, the Commissioner highlighted that it has no authority to conclude whether the employee had criminal liability.


Finally, having decided that it had investigated the data subject complaint as far as possible within the scope of its duties, but that clear conclusions could not be drawn due to the lack of necessary information, the Commissioner recommended that TEPAK establish internal procedures for the investigation of similar complaints.

You can read the press release here and the decision here, both only available in Greek.