University of Cyprus – Court Ruling (Cyprus, 2025)

An assistant professor (the data subject) requested access to the content of evaluation reports by independent reviewers and letters of recommendation prepared during the academic promotion procedure from the University of Cyprus (the controller). The controller refused access during the ongoing promotion process, relying on their [https://www.ucy.ac.cy/legislation/wp-content/uploads/Rules_of_Evaluation_for_Professional_Advancement_Continuation_or_Termination_of_Employment_of_Academic_Staff_09.05.2023.pdf internal regulations] and long-standing academic practice requiring confidentiality and anonymity of external reviewers to protect objectivity and impartiality. They indicated, however, that access could be granted after completion of the procedure, with the reviewers’ identities redacted. The data subject filed a complaint with the Commissioner, the Cypriot DPA. The DPA held that the controller had violated the right of access to personal data under [https://www.afapdp.org/wp-content/uploads/2018/05/Chypre-Loi-n%C2%B0138I-sur-le-traitement-des-donnees-personnelles-2001.pdf Article 12 of Cypriot data protection law] and issued a formal decision ordering the controller to ensure access, suggesting anonymization of reviewers’ names. The controller then appealed that decision before the Administrative Court. The Administrative Court annulled the DPA’s decision. It held that the DPA had failed to properly balance the data subject’s right of access under Article 15 GDPR against the legitimate interests of the controller in preserving confidentiality and procedural integrity during an ongoing promotion process. The Court emphasized that the timing of the access request was crucial and that temporary restrictions could be justified where disclosure might affect the fairness and objectivity of a complex administrative procedure. The Court further found that the DPA had focused too narrowly on anonymization and had not adequately considered whether deferring access unti