Open University of Cyprus – €45,000 Fine (Cyprus, 2023)

On 30 March 2023, the Open University of Cyprus, the controller, notified a personal data breach to the Cypriot DPA (Commissioner for Personal Data Protection, DPC) in accordance with Article 33 GDPR. In addition to this, 11 complaints were filed with the DPC by data subjects stating that their data had been leaked following the incident. Accordingly, the DPC started investigating the case and asserted that the leaked data related to students, alumni and other partners of the controller and it was cached on the controller's servers and generally processed by its employees. In its submissions, the controller sent to the DPC a list of actions it intends to implement by 2026 in order to improve the security of its processing operations. After further investigations, the DPC concluded that the controller had failed to implement appropriate technical and security measures, thereby violating Article 32 GDPR and the principle of accountability under Article 5(2) GDPR. In light of Article 83 GDPR and taking all the above into account and also the fact that the controller is part of the wider public sector, the DPC considered it appropriate to impose a fine in the amount of €45,000 on the controller.