The Office of the Commissioner of Personal Data Protection (the Commissioner), the independent supervisory authority for the protection of the individual, has just announced the largest corporate fines to date following the implementation of the GDPR in Cyprus. The fines relate to three affiliated entities and in total they exceeded €82,000. The entities were found to have made unlawful use of an automated formula to manage and monitor their employees' sick leave.
The Bradford Factor, or Bradford Formula, is used in human resource management as a means of measuring worker absenteeism. The theory is that short, frequent, and unplanned absences are more disruptive than longer absences. The Commissioner held that the individual's sick leaves and their frequency constitutes "Special Categories of Personal Data" as per article 9 of the GDPR, and that the Company could not establish a lawful legal basis for such processing.
Whilst the right of an entity as an employer to monitor the frequency of sick-leaves and the validity of medical notes of employees is permitted, such right should not be abused and shall always be performed within the parameters of the Law. The evaluation and assessment of sick leaves, which the employee is rightfully and legally entitled to, goes beyond the competence of an employer, as in doing so renders the Company "a physician or health professional, and 'punishes' employees who take sick leave on specific days of the week or month."
Processing of "Special Categories of Personal Data" can only be lawful if it satisfies one of the conditions laid down by the law. The processing undertaken by the entities failed to satisfy any such condition. Further, the entities' claims that processing was performed pursuant to their legitimate interests was dismissed by the Commissioner. The Commissioner found that such processing would adversely affect and override the rights and freedoms of individuals involved, and therefore, the legal basis cannot be relied upon.
Other notable decisions held by the Commissioner in 2019 included:
- Instructing the Cyprus Bar Association to reconsider the way that first instance courts cases are published within their website "Cylaw.org" fines;
- A €14,000 fine to a private doctor who published Special Categories of Personal Data of a patient on a social networking platform without the prior consent of the patient, and
- Aa €9,000 administrative fine imposed on Social Insurance Services for inadequate security measures leading to a data leak and breach back in 2017.
The existing law mandates that where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, companies shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data ("Data Protection Impact Assessment"). Should the Assessment indicate that the processing would likely result in high risk, consultation would be required with the Data Commissioner.
The above examples are a wake-up call and a reminder that ignorance of privacy laws can be a costly omission for any organizations in Cyprus which process personal data. The definitions of "processing" and "personal data" under the GDPR are broadly interpreted, so that if a public or private body or organization is active in Cyprus (or anywhere else in the EU) it will most likely need to comply with the GDPR or risk facing the consequences of failing to do so. All that is required to expose a non-compliant organization to a heavy fine, as well as potential claims for compensation and reputational damage, is one displeased employee, customer or business partner, with knowledge of his/her legal rights.
GDPR compliance is, to a great extent, a self-regulated exercise which requires not only awareness but also the practical implementation of a number of legal, technical and organizational measures. Elias Neocleous & Co LLC, can help organizations carry out this exercise effectively and to comply with their rights and obligations under the GDPR.
Our GDPR Team, consisting of legal and technical consultants with substantial collective experience and expertise in all areas of Privacy and Cyber-security and our state-of-the-art data center provide the resources and infrastructure required to provide services of the highest quality to our clients. Our collective expertise and experience in advising clients on data protection and privacy matters for more than 20 years is what really makes us stand out from the competition. Our extensive base of clients, consists of local authorities, government departments and numerous multinational and national business organizations, most of which are well known household names.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.