Cyprus Police – €6,000 Fine (Cyprus, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Cyprus Police was fined EUR 6,000 for failing to protect personal data properly. A police officer accessed and shared sensitive information without authorization. This case emphasizes the need for strong data protection measures within organizations.
What happened
A police officer improperly accessed and shared personal data from a database.
Who was affected
Individuals whose personal data was accessed and shared without permission were affected.
What the authority found
The authority found that the Cyprus Police did not have effective measures in place to prevent unauthorized access and sharing of personal data.
Why this matters
This case underscores the importance of having robust data protection practices. Organizations must ensure their internal controls are effective to protect personal information.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
Entities Involved
A series of media publications (printed and online press) mentioned the telecommunications company CYTA, the Social Insurance Services of the Ministry of the Ministry of Labour, Welfare and Social Insurance of Cyprus, and the Cyprus Police as data processors (due to their role regarding the mechanised system of the Social Insurance Services) involved in a scandal of leakage and/or violation of personal data of natural persons via this database, leading to the initiation of an investigation by the Office of the Commissioner for Personal Data Protection of Cyprus. The publications suggested that a member of the Police proceeded with searching for, printing and forwarding to a non-authorised recipient/third party of documents from the database. The Commissioner brought the publications to the Police's knowledge and requested a detailed statement on its behalf regarding the alleged violations. In its statement, the Cyprus Police acknowledged that one of its members, whose professional duties included his ability to have access to the Mechanised Database on vehicle owners, acting beyond the orders of the Police, proceeded with specific searches (within the database), located and printed documents (from the database), and then passed them on to a third party (a retired Police Officer). The Commissioner held that the existing supervising mechanisms of the Police were not operating properly at that time or at least they did not operate as efficiently as they should and, thus, were considered insufficient. The organisational and technical measures that the Police had taken were not effective and they proved themselves insufficient and unable to prevent the non-authorised forwarding of personal data to third-parties. The undertaking of further organisational measures and the frequent undertaking of internal controls of the tracking archives/history was deemed necessary. Thus, the Commissioner concluded that Cyprus Police was responsible for a violation of Article 32 pa
Related Enforcement Actions (1)
Other enforcement actions involving Cyprus Police in CY
Details
About this data
Cite as: Cookie Fines. Cyprus Police - Cyprus (2020). Retrieved from cookiefines.eu
Last updated: