In today’s online world, the matter of personal data protection comes to the forefront. Vestnik Kipra talks to Irene Loizidou Nikolaidou, the Commissioner for Personal Data Protection, about the implementation of relevant policies and the actions members of the public can take to protect their rights.
Could you tell us about the main areas of responsibility of the Personal Data Protection Commission?
First of all, it should be mentioned that a part of our responsibility is to provide guidance and advice not only to organisations but also to individuals. Besides these two functions, we have corrective powers. That is, if we investigate a case and conclude there has been a violation of privacy, we have the right to impose fines. Of course, this is not something we want to do often and it is not an image we want to portray, but if there is a serious violation, then fines are imposed.
When the General Data Protection Regulation, the GDPR, was introduced in the EU, many companies in Cyprus thought it impossible to comply with. Has their attitude changed since then?
Although there is still much work ahead, I can say that we have made major steps towards compliance with the GDPR. There are many variables to consider and it is not an easy goal but compliance is an ongoing process, with much effort and sometimes substantial costs, which we have to encourage.
What would be the most common queries and complaints members of the public present to the Commission?
In the past, the majority of the complaints we used to receive involved spamming. Today it is a matter of less than a third of complaints. The rest have to do with the exercise of rights, such as the right of access to one’s data. This can be the right of people to ask for a copy of their personal data report held by public authorities or a doctor, for example. They also have a right to ask for their information to be deleted. More people become aware of this right and we have tangible examples and proof that they exercise it.
Speaking of information deletion, the so-called “right to be forgotten”, what would be your practical recommendations to those who might consider using it at some point?
There should be a clear understanding of who can exercise this right, how, and when. This right comes with many exceptions and restrictions. It is not easy to erase data from the Internet. People should be aware of what information they upload and for what purpose because if it comes to deletion of the information online, the restrictions are many and our power is limited.
How do you ensure the data protection regulations are followed in Cyprus?
We expect compliance, compliance, and more compliance. If we receive repeating complaints against a specific company, this company comes under our office’s scrutiny. That’s why we conduct more and more audits. From May 2018 until the end of 2018 we conducted 10 audits. In 2019 there were 16 audits with on-the-spot inspections and 89 inspections through questionnaires. For 2020 these numbers stood at 16 and 136 respectively. By comparing these figures only, it becomes obvious that we are actively monitoring compliance in both the public and the private sectors.
Could you give some examples of data protection violation cases? What is the procedure for filing a complaint?
We receive many complaints about the unlawful collection of data. Organisations might have a legal basis to ask for data but sometimes they ask for more than necessary. This is a violation of the principle of proportionality. This principle implies that organisations must only collect the data they need for a specific purpose. They cannot collect data they might need in the future or not at all.
A complaint can be submitted in template forms available on our website. If the complaint has a ground for investigation, we ask for the opinion of the plaintiff. After getting the opinions of the parties we proceed with a binding decision.
There are three types of template complaint forms available on the website: one for reporting spam, one for exercising rights, and one for any other type of complaint. By filling out any of these forms, we will have the details needed to facilitate the investigation of the case.
You mentioned earlier that violators could be subject to fines in some cases. Are there any standard amounts, or what is the usual procedure?
It depends on the particular characteristics and criteria of each case. For spamming, for example, we impose a fine of €1,000 per natural person who distributes spam messages without consent and the option to opt out of it. For politicians that would be €1,500. Other cases are looked into on an individual basis.
To conclude our interview, what would you like to say to the Russian-speaking community of Cyprus?
For members of the Russian-speaking community, being a Cypriot citizen means to be protected by the GDPR against any public and private entity which processes their data. Therefore I would like to encourage them to use this privilege and not hesitate to file a complaint to our office if they think their rights are being violated.
Office of the Commissioner for Personal Data Protection
Tel. +357 22818456
Fax: +357 22304565