Brivio Limited – €2,000 Fine (Cyprus, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Brivio Limited, an online gambling platform, was fined EUR 2,000 for not responding to a user's request for their personal data in time. This ruling stresses the importance of timely communication with users about their data rights.
What happened
Brivio Limited failed to respond to a user's request for access to their personal data within the required timeframe.
Who was affected
A user of Brivio Limited who requested their payment and gaming history.
What the authority found
The DPA found that Brivio Limited violated GDPR by not responding to the user's access request in a timely manner.
Why this matters
This case highlights the obligation of companies to respond promptly to user requests regarding their personal data. It serves as a warning for online businesses to improve their data handling processes.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
On 25 November 2022, a data subject lodged a complaint with the Cypriot DPA against Brivio Limited (the controller), an online gambling platform, claiming an infringement of the right of access. The data subject had requested the controller to provide complete information regarding their payment and gaming history as well as any other personal data relating to them, including data concerning other websites. The controller failed to respond to the data subject’s request within one month. Shortly after it was informed of the complaint to the DPA, the controller replied to the access request. The DPA requested that the controller explain its failure to respond to the data subject’s access request in time. The controller stated that an internal investigation had revealed a failure by a staff member responsible for registering incoming correspondence and directing it to the relevant department and officer. It also noted a higher-than-normal volume of data subject requests, with 37 total received in a span of four months. The majority of the requests were made by one law firm on behalf of different data subjects. The controller argued that the law firm’s access requests were all “manifestly unfounded.” It argued that the firm represented customers who were unsatisfied with the controller’s services and sought reimbursement, and used access requests to assist these demands and complaints; their interests were unrelated to data protection and privacy. The controller cited UK case Lees v. Lloyds Bank Plc EWHC 2249 (24 August 2020), in which a court dismissed an access request infringement claim because of the abusive number of repetitive access requests, ulterior motive other than data protection and the lack of benefit to the data subject. It requested the DPA's advice on whether they could refuse future access requests from the law firm due to their “manifestly unfounded” nature. The DPA found that the controller infringed Article 12(3) GDPR because it failed to respo
Related Enforcement Actions (1)
Other enforcement actions involving Brivio Limited in CY
Details
About this data
Cite as: Cookie Fines. Brivio Limited - Cyprus (2024). Retrieved from cookiefines.eu
Last updated: