Cyprus Association of Automotive Engineer Assessors – Complaint Upheld (Cyprus, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Cyprus Association of Automotive Engineer Assessors shared a former member's status with insurance companies without consent. The Cypriot DPA reprimanded the association for not proving the legality of this data sharing and for failing to cooperate with the investigation. This case highlights the importance of obtaining consent before sharing personal information and responding promptly to regulatory requests.
What happened
The Cyprus Association of Automotive Engineer Assessors informed insurance companies about a former member's status without consent.
Who was affected
The affected individual was a former member of the Cyprus Association of Automotive Engineer Assessors whose membership status was shared.
What the authority found
The Commissioner found that the association violated GDPR by not having a valid legal basis for sharing the former member's information and failing to cooperate with the investigation.
Why this matters
This reprimand underscores the need for organizations to have a clear legal basis for processing personal data and to comply with regulatory inquiries. It serves as a reminder for businesses to ensure they have proper consent mechanisms and are responsive to data protection authorities.
GDPR Articles Cited
A data subject (X) was working as a professional assessor for the Pancyprian Association for Automotive Engineers Assessors (hereinafter AAEA). Following the rescission of X's membership, AAEA sent a letter to several insurance companies informing them that X was no longer one of its members, without obtaining X's prior consent. X filed a complaint with the Cypriot DPA (the 'Commissioner') against AAEA, considering that it should not have shared this information with the insurance companies concerned and had therefore unlawfully processed his personal data.
After hearing X on the subject, the Commissioner required information from AAEA with respect to the processing of X's personal data. AAEA, however, did not reply to the Commissioner. The Commissioner considered that, by sending a letter to insurance companies regarding the rescission of X's membership, AAEA had violated Article 5(1)(a) GDPR, Article 6(1) GDPR and Article 9(1) GDPR. The Commissioner therefore decided to impose a Reprimand on AAEA, as the latter had failed to substantiate and/or prove the lawfulness of the relevant processing act. In reaching this decision, the Commissioner took into account, among other things, the fact that compliance by AAEA with its Code of Professional Ethics was not demonstrated, and the fact that AAEA is not a regulated or institutionalized supervisory authority (there is no Cypriot law specifically regulating the profession of automotive engineer assessors).
The Commissioner also considered that, by failing to reply to its requests for information in the course of the procedure, AAEA had not complied with its obligation to cooperate under Article 31 GDPR. The Commissioner stressed that the requested information was not complex, and that AAEA ought to have responded in due time. However, since, in the end, AAEA provided answers to the Commissioner, the Commissioner decided to impose a warning rather than a fine.
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Cyprus Association of Automotive Engineer Assessors in CY
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. Cyprus Association of Automotive Engineer Assessors - Cyprus (2021). Retrieved from cookiefines.eu