Housing Finance Corporation – €10,000 Fine (Cyprus, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Housing Finance Corporation in Cyprus was fined €10,000 for mishandling a loan application. They kept outdated information about a rejected loan longer than allowed, which affected a person's ability to secure new financing. This case shows how important it is for companies to keep accurate and timely records.
What happened
The Housing Finance Corporation retained outdated loan rejection information beyond the allowed time frame.
Who was affected
A person who applied for a loan and was unfairly rejected due to incorrect data about previous loans.
What the authority found
The DPA ruled that the corporation violated GDPR rules by failing to delete outdated personal data as required.
Why this matters
This ruling emphasizes the need for financial institutions to maintain accurate records and comply with data retention policies. Companies should regularly review their data management practices to avoid similar issues.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The controller is ‘Housing Finance Corporation’ (Οργανισμός Χρηματοδοτήσεως Στέγης), a bank specialised in the provision of long-term loans relating to housing, education, and health. In 2023, the data subject filed an application to the controller for a loan (third loan). The data subject was informed by letter that his application had been rejected due to a non-performing loan he had received several years ago (first loan). The letter also mentioned that, according to the controller’s system, a previous loan application dated in 2020 that had been rejected for the same reason (second loan). The data subject filed a complaint before the DPA (Commissioner for Personal Data Protection). He stated that he had settled the alleged non-performing loan in 2020, as demonstrated from the database of the credit information agency ‘Artemis’. This loan should not have been included in the data maintained by the controller. He also claimed that the data about the second loan application shouldn’t have been retained for more that 6 months, as described in the controller’s privacy policy. The controller informed the DPA that, with regard to the electronic registration of applications and the process of deleting information and electronic attachments, there was no automated setting in the system and, in such cases, any action had to be performed by an official who had access to the application system for each document/item individually. It maintained that the serious shortage of human resources made this task more difficult. It also claimed that this created a time-consuming process that was prone to human error. Regarding the retention of the data about the rejection of the second loan application, the controller claimed that it did not keep the data, instead, the members of its credits committee remembered this information and took it into consideration for the rejection of the third loan application. Finally, it claimed that a reference to the rejection of the second loan a
Related Enforcement Actions (0)
No other enforcement actions found for Housing Finance Corporation in CY
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
10 March 2025
Authority
DPA Commissioner
Fine Amount
€10,000
About this data
Cite as: Cookie Fines. Housing Finance Corporation - Cyprus (2025). Retrieved from cookiefines.eu
Last updated: