Monday 9 April 2018

Data Enforcement Cyprus | Insights | Linklaters

Data Protected Cyprus | Insights | Linklaters: "In Cyprus, there is no current enforcement practice in relation to the GDPR. However, the enforcement of the current law is instructive.

The Commissioner investigates complaints submitted to her office and also launches her own investigations. Criminal proceedings for contraventions of the current legislation (the “DPA”) have been brought in a limited number of cases and there have been a couple of reported convictions.

The most significant civil sanction imposed by the Commissioner under the DPA to date is a fine of €10,000 imposed in November 2017 on the Cyprus Telecommunications Authority (CYTA), the government-owned telecom operator, for failure to implement appropriate organisational measures (revision of employee access rights on change of position within the organisation) to prevent unauthorised access to and disclosure of personal data of a significant number of CYTA clients to a third party. This matter is still being investigated by the police and it is possible that criminal charges may be brought against the employee and/or the third party to whom the data were disclosed.

In an earlier case, a fine of €3,000 and an order to terminate processing and destroy relevant personal data had been imposed on a company that had infringed the proportionality principle under the DPA as more data than necessary was being collected.

A fine of €3,000 has also been imposed on two occasions for failure by the Nicosia General Hospital to take appropriate security measures to protect patient personal data contained in their hospital files from accidental or unintended loss or destruction.

In another case, the Commissioner imposed a fine of €2,562 on a company that had infringed various provisions of the DPA, including by sending advertising text messages without the prior written consent of the data subjects; and failing to notify the Commissioner of the commencement of processing. The same fine of €2,562 was imposed on the Director-General of a government ministry for breach of the DPA provisions on the security of sensitive personal data.

The most significant civil sanction imposed by the Commissioner under the ePrivacy Law (see below) to date was a fine of €8,000 on a person who had repeatedly infringed various provisions of the ePrivacy Law, specifically: (i) the prohibition on the use of electronic mail for direct marketing purposes without the recipient’s prior consent; and (ii) the requirement that the sender’s identity and a valid electronic mail address, to which a request that communications cease may be sent, be included in such electronic mail.

The first criminal proceeding to be reported under the DPA involved the owner of a massage business who had installed a secret video camera without consent of clients and without notification to the Commissioner. The sentence imposed at first instance was three months’ imprisonment, which was reduced to 55 days on appeal.

In a more recent criminal case, a sentence of 16 months’ imprisonment was imposed on an individual for a breach of the prohibition on unauthorised access to, and processing of, personal data. The case involved the unauthorised use of credit card information of other persons for the purpose of illegal money withdrawals.

In another case, the court imposed a criminal fine of €1,200 for the unauthorised dissemination of personal data through social media."
