The General Data Protection Regulation 2016/679 (the “GDPR” and/or the “Regulation”) has been implemented as of 25 May 2018. As per the European Commission’s descriptions of the legislative framework, the GDPR is an essential step to strengthen individuals’ fundamental rights in the digital age and facilitate business by clarifying rules for companies and public bodies in the digital single market.
Following an announcement made on 24 May 2022, the Cyprus Commissioner for the Protection of Personal Data has identified the importance of the GDPR and the benefits offered to businesses, applying a common rule and enjoying a reduction in their administrative expenses because of this common framework. The Commissioner’s announcement also identified the number and value of administrative penalties imposed during these four years, since the GDPR’s implementation.
One of the most interesting cases examined by the Commissioner’s office was in November 2021. An administrative fine of € 925,000 was imposed on a company in respect of the violation of Art. 5(1) of the GDPR. This case is interesting because of the value of the administrative penalty imposed as it is the highest administrative penalty imposed in Cyprus in relation to the violation of the provisions of the GDPR by the Commissioner’s office up to date. It is also significant because of the circumstances and facts of what actually happened. The fine concerns the violation of the principle of legality, fairness and transparency.
On its own initiative the Commissioner’s Office undertook the investigation into the matter, together with the police’s cooperation. After the completion of the relevant criminal investigation by the police and the preparation of the file submitted to the Law Office of the Republic, the company was notified of the relevant findings. The company in turn notified the Commissioner’s Office that it admitted to the violation of the provisions of the GDPR.
The said company’s business operations included the collection of MAC Address (Media Access Control Address) and IMSI (International Mobile Subscriber Identity) data from a number of devices. The users of the said devices were not aware that such data were collected. The Commissioner, with her decision, clarified that MAC Addresses are unique numbers that identify a device when connected with the internet. The IMSI is also a unique number included in SIM cards (Subscriber Identity Module) that can recognize a subscriber when connected with its provider’s network. These data in combination with the geo–location of a device, at different times, may lead to the identification of the user of the device. This fact was the basis of the Commissioner’s decision, after having taken into consideration all relevant aggravating and mitigating factors. The Commissioner noted that there was no device monitoring or intercepting any private communication.
As stipulated in the GDPR (Art. 5(1)), the first principle is that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. This principle in effect requires that the controller must, amongst others:
- identify valid grounds (“lawful basis”) under the GDPR for collecting and using (processing) personal data;
- ensure that the personal data are not used (processed) in breach of any other laws;
- ensure that the personal data are used only in a way that is fair; and
- ensure that the use (processing) of the data is transparent, i.e. there is clarity, honesty and transparency as to the processing of the personal data.
It can be argued that one of the GDPR’s first principles may be considered as a “catch-all” provision. All three elements must be satisfied in order for the principle to be considered as fulfilled. It is not enough for a controller to show that they only satisfy part of these elements.
Lawfulness is usually satisfied by identifying the specific legal grounds for which a controller processes personal data. At least one of the following must apply:
- consent – must always be specific, informed and unambiguous as to the data subject’s intention; or
- performance of a contract – whereby the data subject is a party at the time or prior to entering into such a contractual arrangement with the data subject; or
- legal obligation – the processing of the data is necessary for compliance with legislative provisions; or
- vital interests – processing of the data is necessary for the protection of the data subject’s or of another natural person’s life;
- public interest – the processing is necessary for the performance of a task in the public interest or in the exercise of official authority vested in the controller;
- legitimate interests – the processing is necessary to pursue the controller’s legitimate interests provided that these interests are not overridden by the interests or the fundamental rights and freedoms of a data subject.
On its own fairness is also a general term. Fairness refers to the obligation to handle personal data in ways that they would be reasonably perceived as fair. The intention of the lawmakers of the GDPR was obviously to ensure that the controller would not withhold information as to the reasons why personal data are being collected and that such data are not misused or unfairly used.
Similarly, transparency is linked to lawfulness and fairness. The underlying purpose is for the controllers to provide clear, open, transparent and honest information with the data subjects as to who, why and how their personal data are being processed.
The aforementioned are only a part of the basic principles of the GDPR. As the intention of the GDPR is to set out the data controllers’ and data processors’ responsibilities, and to ensure that all processing activities and business practices that are being followed, from an organization’s design stage to the fulfilment of their data processing, are correctly implemented and in accordance with the Regulation.
It is therefore evident that the Office of the Data Commissioner fairly and rightfully, as it is within its discretionary powers, has applied such a high penalty to the company which failed to comply with the most basic principle of the GDPR. It only remains to be seen whether any other administrative penalties exceeding this penalty will be imposed. It is worth mentioning that Art. 83(4) of the Regulation provides for administrative fines of up to €10,000,000 (ten million Euros) or up to 2% of an undertaking’s worldwide annual turnover of the preceding financial years, whichever is the higher.
The content of this article is valid as at the date of its first publication. It is intended to provide a general guide to the subject matter and does not constitute legal advice. We recommend that you seek professional advice on a specific matter before acting on any information provided.
Source: Michael Kyprianou & Co LLC by Ioanna Solomou, Partner