Inspection under Article 58(1)(b) of the Regulation

My Office carried out an ex officio inspection at the premises of Aylo Freesites Ltd (formerly Mindgeek), which owns and operates world-renowned adult content websites. The inspection focused on issues such as cookie consent, processing of biometric data by a third party, data protection impact assessments and data processing agreements. Several breaches of the Regulation were found, leading to a prima facie decision with a compliance order. In summary, a lack of compliance with several key data protection principles was found, including accountability, transparency, lawfulness, data minimisation, storage limitation, data security and the necessity of a legal basis for processing. These gaps were considered significant because they occurred four years after the implementation of the Regulation. The Company responded to the instructions I gave it in the context of my Mandate and implemented corrective measures. I then issued a final Decision in which, after taking into account the Company's compliance with my recommendations, I imposed an administrative penalty of a fine of €48,000 for violations of the Regulation that took place before its compliance. In addition, I imposed an administrative penalty of €10,400 for the illegal use of cookies. The Company paid the imposed fine within the deadline.

Complaint for employer's interference with personal belongings and documents of a former employee

A complaint was filed with my Office by an individual against his employer for placing the personal belongings and documents that he kept in the office he used in boxes and storing them in the office of the chief of staff, without informing him and without his consent. The Complainant was absent for a long period of time on unpaid leave for personal reasons.
His former employer claimed that, because it was uncertain whether the Complainant would return to work, it had hired a new employee who would use the same office as the Complainant. The boxes were delivered to the Complainant on the day he requested them. It was not proven that any disclosure of data of the Complainant and his family took place while the objects and documents were being placed in boxes. Upon completion of the investigation of the case, I concluded that the employer's failure to inform the Complainant of the intention to place his documents and objects in boxes and store them in the office of the chief of personnel constituted a violation on its part of the principle of lawfulness, fairness and transparency established by Article 5(1)(a) of the Regulation. Taking into account the particular circumstances of the case, as put before me by both the Complainant and the employer, as well as the CJEU Decision in case C-768/21, where it was decided that there is no obligation to impose an administrative sanction "in the event that such intervention is not appropriate, necessary or proportionate to remedy the identified deficiency and ensure full compliance with the said regulation", I considered that there were no grounds for imposing an administrative sanction on the employer. However, based on Article 57(1)(c) of the Regulation, I advised the employer to fulfil, from now on, its obligation to be transparent towards its employees regarding any processing of their personal data, regardless of the particular circumstances and adversities that may surround the provision of such information, in order to avoid similar incidents.

Complaint against the company CMC Certus Management Consultants Ltd

A complaint was submitted to my Office against the company CMC Certus Management Consultants Ltd by natural persons, regarding the communication and transmission of their personal data and the failure to satisfy the right to erasure.
The Complainants had sent the Respondent, for translation purposes, documents that included their personal data. At a later stage, the Complainants were informed that some of those documents were posted on a translation platform. Upon the Complainants’ request, the platform downloaded the documents. In response to the above incident, the Complainants linked the incident to a company based in Georgia, whose Director was the same person who directed the Respondent. Furthermore, they requested that the Respondent delete any of their data. The Complainants submitted a relevant complaint to my Office. In the context of the investigation of the complaint, I contacted the Respondent in writing, which claimed that the documents had never been disclosed to any third party and that the translation was done at the Respondent’s offices in Cyprus. It also stated that it had deleted all the Complainants’ data, as requested. In the absence of sufficient evidence regarding the alleged disclosure and transmission of the documents, the examination of the case was terminated. At a later stage, the Complainants again contacted my Office, providing further evidence showing that the payment for the translation services was made to the company in Georgia. Taking into account the new evidence, my Office again contacted the Respondent, which argued that it could not provide any clarifications, as it had deleted all the data concerning the Complainants. In light of the evidence submitted before me, I considered that the Complainants’ documents had been transmitted by the Respondent to the company in Georgia, in breach of Article 44 of the Regulation, and I imposed on the Respondent the administrative sanction of a fine of €2,000.
I also found that there was a violation of Article 5(1)(f) of the Regulation, for the absence of appropriate technical or organizational measures to prevent the leakage of the documents and their exposure on the platform, and I imposed on the Respondent the administrative sanction of a fine of €2,000. Furthermore, since the Respondent did not provide the necessary explanations, I addressed a Reprimand to the Respondent for failing to cooperate with my Office to the extent and scope required by Article 31 of the Regulation. The Respondent paid the imposed fine within the deadline. For the entire Decision, click here.

Complaint for failure to satisfy the right of access to a recorded call

The Complainant sent an email to the Health Insurance Organization, requesting to change the beneficiary category in the General Health System (GHS). In this message, it was stated that in his communication with the GHS call center, he requested to be given the recorded call, so that he would have proof of the request to change the beneficiary category. However, he received the answer that the option of providing the recorded call was not available. In its written response, the Agency informed the Complainant that his application would be deleted and that he could submit a new registration request. Given that the Complainant’s request to be registered in another beneficiary category had been granted, the Agency considered his request to receive the audio recording of the call to be irrelevant, since, as he stated, he was requesting the recorded call for the purposes of proof of filing the request to change beneficiary category. In the context of the investigation, I considered that the possibility of changing the beneficiary category did not mean that the request to receive the recorded call was automatically revoked.
Nor could this request be considered revoked on the ground that, as the Complainant stated, he requested the call as proof of the request to change beneficiary category. Furthermore, even if the change of beneficiary category had taken place as he wished, the Agency should have immediately investigated the response received by the Complainant that the call could not be received, by studying the recorded call, but also by informing the Agency’s data protection officer. In addition, despite the fact that the request was not sent to the email address of the Agency’s data protection officer, I considered that the request to receive the call was successfully made and, therefore, that it should have been satisfied, since the request was sent to an address that concerns beneficiary matters, i.e. not to a random or incorrect address. Therefore, because the recorded call was not given to the Complainant, I considered that the Agency violated Article 15(1) of the Regulation. However, taking into account mitigating factors related to the incident, mainly the satisfaction of his request for the possibility of changing the category within a month of receiving the Complainant's message, I considered that the imposition of an administrative fine was not justified under the circumstances. However, I imposed on the Organization the administrative sanction of a Reprimand. For the entire Decision, click here.

Complaints for publication of personal data

Two complaints were submitted to my Office against a natural person, which concerned the publication of personal data in a book without the prior consent of the persons concerned. In the context of investigating the complaints, the Respondent to the complaint informed me that he was not aware that he was required to inform the interested persons of the inclusion of their personal data in his book and to obtain their prior consent.
After careful evaluation of all the information placed before me, I addressed the following Orders to the Respondent to the complaint:

• Order 1: Not to proceed with the publication of additional copies of the book and not to publish another book with similar content, without the prior consent of the persons who may be affected.
• Order 2: To remove all information concerning the Complainants from the book and to inform my Office as soon as he has done so.

I have informed the Complainants accordingly. For the full Decision, click here.

Complaint regarding the installation of Closed Circuit Video Surveillance (CCTV) in a medical office

A natural person filed a complaint against a medical officer regarding the operation of a Closed Circuit Video Surveillance (CCTV) system in the medical office, which the Complainant visited. Specifically, the Complainant claimed that one of the cameras was facing the examination room, while there was also a camera installed that recorded the entrance to the adjacent apartment. Also, as the Complainant claimed, the CCTV system also recorded audio. As part of the investigation of the complaint, I communicated in writing with the medical officer and provided the necessary guidance on the matter. I issued a relevant Decision, through which I directed Orders to the medical officer to act appropriately so that the installation of the CCTV system would be in accordance with my instructions and to inform my Office about his actions, attaching any evidence supporting his positions (e.g. screenshots). My Office remains in contact with the medical officer, who informed me about the actions he will take to comply with my Orders. The completion of these actions and the receipt of relevant evidence are expected. For the entire Decision, click here.

Complaint for failure to satisfy the right of access

The Complainant, who sat for examinations to fill positions announced by the Health Insurance Organization, exercised her right of access to her corrected written test, the detailed grading of her written test (correct, incorrect, points per question, etc.), the detailed method of calculating her final score and the correct answers used to correct her written test.
However, the Organization only provided the Complainant with a copy of her written test, the final score and the score she received in each section. In this particular examination, the answers were provided to the candidates by the examiners and the candidates had to grade these answers. The ideal answer, as determined by the examiners, received a grade; however, it was possible for other answers to be assigned a lower grade. Each written test was graded by two independent graders, via computer, while in the event of a specific difference in the final score, it was also graded by a third grader. The organizer of the exams, who held the role of the processor, was of the opinion that both the written test and the answers constitute an assessment tool and are protected by the provisions on intellectual property. He also stated that any disclosure of the answers would make the written test commercially unexploitable. However, no positions were put before me to prove the above. During the investigation of the complaint, the Organization did not answer the questions I submitted to it, nor did it provide the requested information, despite my repeated reminders. Therefore, I issued a prima facie Decision, since it did not prove that it had fulfilled its obligations regarding the Complainant's right of access and because it was not cooperating with my Office. I also gave an Order to submit the requested information to my Office within ten days. Due to the unproven lack of cooperation, I considered that Article 31 of the Regulation was violated and imposed an administrative penalty of a fine of €3,000. Both the exam questions and the answers, since they were given by the examiners, did not constitute personal data of each candidate. However, within the framework of the right of access, the Complainant was entitled to receive:
- other notes of hers, which could identify her.

Since she had not been given all of the above data, I considered that the Organization did not fully satisfy the Complainant’s right of access, thus violating Article 15(1) of the Regulation. For this violation, I imposed an administrative penalty of a fine of €1,500 and gave an Order to satisfy the Complainant's right of access within three weeks of the decision. The Organization paid the imposed fine within the deadline and reported that the Complainant's right of access was satisfied based on my instructions. My Office awaits confirmation from the Complainant that her right was satisfied based on my instructions. For the entire Decision, click here.

Complaint against the company Eurolife Ltd for publication of personal data

A complaint was submitted to my Office against the company Eurolife Ltd, which concerned the disclosure of personal data to unauthorized recipients. The Complainant stated that the Company delivered, through a third party, an open letter of termination of employment to a relative of his. When the person in question refused to receive it on behalf of the Complainant, the third person threw the letter on the floor and left. In written communication with the Company, I requested to be informed of the legal basis on which its decision to deliver the letter to a relative of the Complainant was based, as well as the reason why the letter was delivered open, exposing its contents to unauthorized persons. The Company responded that it delivered the letter open to the relative of the Complainant, following an Affidavit of Service by a private court bailiff, in accordance with Part 6.4.(3)(j) of the Civil Procedure Rules. After evaluating all the evidence placed before me, I found a violation of Articles 5(1)(a) and (f), 6 and 24(1) of the Rules. As a result, I issued a Reprimand to the Company.
In addition, I issued an Order for the immediate review and amendment of the procedure for serving notices of termination of employment by the Company, within one month of the Decision, ensuring that the procedure complies with the requirements of the Regulation and that there is an appropriate legal basis. For the full Decision, click here.