Brivio Limited – €2,000 Fine (Cyprus, 2024)

On 25 November 2022, a data subject lodged a complaint with the Cypriot DPA against Brivio Limited (the controller), an online gambling platform, claiming an infringement of the right of access. The data subject had requested the controller to provide complete information regarding their payment and gaming history as well as any other personal data relating to them, including data concerning other websites. The controller failed to respond to the data subject’s request within one month. Shortly after it was informed of the complaint to the DPA, the controller replied to the access request. The DPA requested that the controller explain its failure to respond to the data subject’s access request in time. The controller stated that an internal investigation had revealed a failure by a staff member responsible for registering incoming correspondence and directing it to the relevant department and officer. It also noted a higher-than-normal volume of data subject requests, with 37 total received in a span of four months. The majority of the requests were made by one law firm on behalf of different data subjects. The controller argued that the law firm’s access requests were all “manifestly unfounded.” It argued that the firm represented customers who were unsatisfied with the controller’s services and sought reimbursement, and used access requests to assist these demands and complaints; their interests were unrelated to data protection and privacy. The controller cited UK case Lees v. Lloyds Bank Plc EWHC 2249 (24 August 2020), in which a court dismissed an access request infringement claim because of the abusive number of repetitive access requests, ulterior motive other than data protection and the lack of benefit to the data subject. It requested the DPA's advice on whether they could refuse future access requests from the law firm due to their “manifestly unfounded” nature. The DPA found that the controller infringed Article 12(3) GDPR because it failed to respo