Cyprus Police – €6,000 Fine (Cyprus, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Cyprus Police mishandled personal data by allowing unauthorized access and sharing it with a third party. This case matters because it shows that even government agencies must follow strict data protection rules. The fine of €6,000 indicates the seriousness of failing to protect personal information.
What happened
Cyprus Police improperly shared personal data from a database with an unauthorized recipient.
Who was affected
Individuals whose personal data was accessed and shared by a member of the Cyprus Police.
What the authority found
The Commissioner found that the Cyprus Police did not have effective measures in place to prevent unauthorized access to personal data.
Why this matters
This case serves as a reminder that all organizations, including public agencies, must ensure strong data protection measures. It stresses the importance of internal controls to safeguard personal information.
GDPR Articles Cited
Entities Involved
A series of media publications (printed and online press) mentioned the telecommunications company CYTA, the Social Insurance Services of the Ministry of Labour, Welfare and Social Insurance of Cyprus, and the Cyprus Police as data processors (due to their role regarding the mechanised system of the Social Insurance Services) involved in a scandal of leakage and/or violation of personal data of natural persons via this database, leading to the initiation of an investigation by the Office of the Commissioner for Personal Data Protection of Cyprus. The publications suggested that a member of the Police had searched for, printed and forwarded documents from the database to a non-authorised recipient/third party.
The Commissioner brought the publications to the Police's attention and requested a detailed statement regarding the alleged violations. In its statement, the Cyprus Police acknowledged that one of its members, whose professional duties included access to the Mechanised Database on vehicle owners, acted beyond the orders of the Police: he ran specific searches within the database, located and printed documents from it, and then passed them on to a third party (a retired Police Officer).
The Commissioner held that the existing supervising mechanisms of the Police were not operating properly at that time, or at least did not operate as efficiently as they should, and were therefore considered insufficient. The organisational and technical measures that the Police had taken were not effective and proved insufficient and unable to prevent the non-authorised forwarding of personal data to third parties. Further organisational measures and frequent internal controls of the tracking archives/history were deemed necessary. Thus, the Commissioner concluded that Cyprus Police was responsible for a violation of Article 32 pa
Violations (1)
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Cyprus Police in CY
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
30 September 2020
Authority
DPA Commissioner
Fine Amount
€6,000
Enforcement Tracker ID
ETid-432
GDPRhub ID
gdprhub-2824
Cite as: Cookie Fines. Cyprus Police - Cyprus (2020). Retrieved from cookiefines.eu