Senira Ltd. – €3,000 Fine (Cyprus, 2024)

The decision of the Cyprus DPA was based on two complaints regarding the platform nicelocal.com (the controller). An entry on the controller’s platform containing personal data was published without the knowledge of a person (data subject 1). She then contacted the controller requesting the immediate removal of the entry under Article 17 GDPR. Upon receiving no feedback from the controller the data subject 1 then filed a complaint with the Sachsen-Anhalt DPA in Germany. The controller created another unsolicited profile containing personal data such as name, photos of premises of data subject 2, as well as unverified reviews. Data subject 2 as well requested the deletion of that profile as well as the erasure of all personal data that it contained. He received an automated message that his request was in progress. However, only the photos of the premises were removed and the profile remained online. The data subject 2 also claimed that the controller’s platform falsely indicated that his business was closed. The data subject 2 then filed a complaint with the Polish DPA. After the initiated proceedings by the Cyprus DPA the controller failed to meet a deadline the DPA had set for a reply. During the course of the investigation, the controller complied with the requests for the erasure of data. The Cypriot DPA held that the controller did not take action within the one-month period under Article 12(3) GDPR. Furthermore, it failed to comply with a request by the DPA to provide information on, inter alia, how exactly the system dealing with the requests worked in detail and safeguards applied. Thus, the controller also violated Article 31 GDPR. Regarding the processing itself, the DPA held that the controller could rely on Article 6(1)(f) GDPR because, inter alia, the personal data in question was originally made public by the data subjects themselves and therefore there could be no harm to the data subjects as the data was already public before. Therefore, the DPA is