Cyprus Police – €6,000 Fine (Cyprus, 2020)

A series of media publications (printed and online press) mentioned the telecommunications company CYTA, the Social Insurance Services of the Ministry of the Ministry of Labour, Welfare and Social Insurance of Cyprus, and the Cyprus Police as data processors (due to their role regarding the mechanised system of the Social Insurance Services) involved in a scandal of leakage and/or violation of personal data of natural persons via this database, leading to the initiation of an investigation by the Office of the Commissioner for Personal Data Protection of Cyprus. The publications suggested that a member of the Police proceeded with searching for, printing and forwarding to a non-authorised recipient/third party of documents from the database. The Commissioner brought the publications to the Police's knowledge and requested a detailed statement on its behalf regarding the alleged violations. In its statement, the Cyprus Police acknowledged that one of its members, whose professional duties included his ability to have access to the Mechanised Database on vehicle owners, acting beyond the orders of the Police, proceeded with specific searches (within the database), located and printed documents (from the database), and then passed them on to a third party (a retired Police Officer). The Commissioner held that the existing supervising mechanisms of the Police were not operating properly at that time or at least they did not operate as efficiently as they should and, thus, were considered insufficient. The organisational and technical measures that the Police had taken were not effective and they proved themselves insufficient and unable to prevent the non-authorised forwarding of personal data to third-parties. The undertaking of further organisational measures and the frequent undertaking of internal controls of the tracking archives/history was deemed necessary. Thus, the Commissioner concluded that Cyprus Police was responsible for a violation of Article 32 pa