{"id":1694,"date":"2022-06-02T12:42:18","date_gmt":"2022-06-02T09:42:18","guid":{"rendered":"https:\/\/fzmayuxbif.wpdns.site\/?p=1694"},"modified":"2023-07-07T13:04:39","modified_gmt":"2023-07-07T10:04:39","slug":"general-data-protection-regulation-4-years-since-the-implementation-of-the-gdpr","status":"publish","type":"post","link":"https:\/\/www.kyprianou.com\/de\/general-data-protection-regulation-4-years-since-the-implementation-of-the-gdpr\/","title":{"rendered":"General Data Protection Regulation – 4 years since the implementation of the GDPR"},"content":{"rendered":"
\n

The General Data Protection Regulation 2016\/679 (the \u201cGDPR\u201d and\/or the \u201cRegulation\u201d) has been implemented as of 25 May 2018. As per the\u00a0European Commission\u2019s descriptions<\/a>\u00a0of the legislative framework, the GDPR\u00a0is an essential step to strengthen individuals\u2019 fundamental rights in the digital age and facilitate business by clarifying rules for companies and public bodies in the digital single market<\/em>.<\/p>\n

Following an\u00a0announcement<\/a>\u00a0made on 24 May 2022, the Cyprus Commissioner for the Protection of Personal Data has identified the importance of the GDPR and the benefits offered to businesses, applying a common rule and enjoying a reduction in their administrative expenses because of this common framework. The Commissioner\u2019s announcement also identified the number and value of administrative penalties imposed during these four years, since the GDPR\u2019s implementation.<\/p>\n

One of the most interesting cases examined by the Commissioner\u2019s office was in November 2021. An administrative fine of\u00a0\u20ac 925,000<\/a>\u00a0was imposed on a company in respect of the violation of Art. 5(1) of the GDPR. This case is interesting because of the value of the administrative penalty imposed as it is the highest administrative penalty imposed in Cyprus in relation to the violation of the provisions of the GDPR by the Commissioner\u2019s office up to date. It is also significant because of the circumstances and facts of what actually happened. The fine concerns the violation of the principle of legality, fairness and transparency.<\/p>\n

On its own initiative the Commissioner\u2019s Office undertook the investigation into the matter, together with the police\u2019s cooperation. After the completion of the relevant criminal investigation by the police and the preparation of the file submitted to the Law Office of the Republic, the company was notified of the relevant findings. The company in turn notified the Commissioner\u2019s Office that it admitted to the violation of the provisions of the GDPR.<\/p>\n

The said company\u2019s business operations included the collection of MAC Address (Media Access Control Address) and IMSI (International Mobile Subscriber Identity) data from a number of devices. The users of the said devices were not aware that such data were collected. The Commissioner, with her decision, clarified that MAC Addresses are unique numbers that identify a device when connected with the internet. The IMSI is also a unique number included in SIM cards (Subscriber Identity Module) that can recognize a subscriber when connected with its provider\u2019s network. These data in combination with the geo\u2013location of a device, at different times, may lead to the identification of the user of the device. This fact was the basis of the Commissioner\u2019s decision, after having taken into consideration all relevant aggravating and mitigating factors. The Commissioner noted that there was no device monitoring or intercepting any private communication.<\/p>\n

As stipulated in the\u00a0GDPR (Art. 5(1))<\/a>, the first principle is that personal data shall be\u00a0processed lawfully, fairly and in a transparent manner in relation to the data subject<\/em>. This principle in effect requires that the controller must, amongst others:<\/p>\n