A complaint was filed with the Office of the Personal Data Protection Commissioner against one of the major Banking Institutions in Cyprus and its associated insurance company, by an individual, who had requested a copy of his insurance policy, but despite the relevant investigation, it was not possible to locate it. According to the Bank, the client's account had been transferred to another city many years ago and the original contract had been filed somewhere where it was difficult and time consuming to locate. For that reason, the Bank suggested to the client to cancel the contract.

Nevertheless, based on the data of the investigation, it was clear that the insurance company, as a separate controller, did not illegally process the personal data of the complainant. On the other hand, it was found that the Bank did not notify the Commissioner of a breach of contract in relation to the loss of the contract, as required by Article 33 of the Law providing for the Protection of Natural Persons with regard to the Processing of Personal Data and for the Free Movement of such Data of 2018 (Law 125(I)/2018). The bank stated that the main reason for this is because there was no suspicion that the document was outside the Bank, since it had only been located in the wrong place.

From the evidence in the case file and the Bank's admission that the insurance policy in question could not be found, the Commissioner considered that the Bank had not complied with its following obligations under the Rules of Procedure:

  1. The loss of the complainant's insurance policy posed a risk to his rights, as the complainant was deprived of the right of access to the insurance contract, with the result that he could not check the correctness and validity of his data and consequently he could not verify the legality of the processing (loss of control over its data).
  2. The Bank was obliged to notify the Commissioner of the breach of the contract, regarding the loss of the contract within 72 hours from the moment the breach became known to it, which it failed to do. According to the GBER, “breach of personal data” means breach of security which leads, inter alia, to the loss of personal data stored or processed. Therefore, from the moment the insurance contract was lost, either inside or outside the Bank, there was an obligation to make a report regarding breach to the Commissioner within 72 hours
  3. Lastly, the Commissioner stated that the insurance company, which was also targeted by the complainant, and which acted as a separate data controller, did not illegally process the complainant's personal data.

The Office of the Commissioner for Personal Data Protection announced, on 19 October 2020, its decision to fine the Bank in the amount of €15,000 for violation of Articles 5 (1)(f), 5 (2), 15, 32, and 33 of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR').

In order to measure the administrative fine, the following were considered as aggravating factors:

  1. The duration of the violation;
  2. The fact that the Commissioner was informed of the breach following the complaint and not directly from the Bank; and
  3. The fact that these are violations of Articles 5, 15, 32 and 33 of the GCC which are considered to be of greater gravity.

Originally Published By G. Vrikis & Associates, November 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.