Personal data and private life are more exposed than ever before

The office of the Commissioner for Personal Data Protection in Cyprus was established in 2001 to deal with the protection of personal information against unauthorized and illegal collection, in addition to recording date and using further.

The Office grants the individual certain rights, including the right to information, and gives them the possibility to submit to the Office complaints relating to the application of the Law.

On September 27, Yiannos Danielides was appointed as the new Commissioner. In an interview with CNA, Danielides acknowledged that there is a need to make the public more aware of the Commissioner’s role in Cyprus.

He explains the risk that we run regarding the protection of personal data when accessing the internet and social networking websites. Danielides analyses some of the most important problems his Office has to deal with.

Asked about his plans, the Commissioner says that in due time he will try to see where the Office has got to and what needs to be done regarding people’s perception of the Commissioner for Personal Data Protection.

“I truly believe that we are lagging behind. People do not know what exactly is the role of the Commissioner for Personal Data Protection,” he remarks.

Fortunately, he adds, “we have a very well-staffed office. The staff is remarkable and works very hard. Every day I deal with various cases and take the appropriate decisions in consultation with the administrative personnel of the Commissioner’s office”.

In relation to the control of the establishment and operation of filing systems by various bodies, Commissioner Danielides stresses that his Office applies the law strictly. “If we receive a complaint concerning the operation of a filing system without the Commissioner’s approval, as required, we invite them to follow the legal procedures”.

According to the Processing of Personal Data (Protection of Individuals) Law 2001, as amended, the data controller must submit to the Commissioner’s Office a Notification about the establishment and operation of a filing system or the commencement of processing.

“Personal data must be respected as the constitutional rights of every citizen are. There are Cypriot citizens who do not know their rights deriving from the law for the protection of personal data. What needs to be understood is that every citizen’s personal data, either typical ones, such as their phone number, or more sensitive ones, such as their race, or religion and political beliefs, must be fully respected” he points out. “Entities that keep records of thousands of citizens’ personal data cannot process or divert them, comment on them or send them elsewhere without the personal data subject’s consent or the Commissioner’s approval” he adds.

Commissioner Danielides recognizes that previous Commissioners, Goulla Frangou and Toula Polychronidou, have done a great job.

Asked about the complaints his Office receives, Commissioner Danielides notes that there is a variety of problems and complaints to tackle. “We receive complaints about the banking sector, the Bankruptcies and Liquidations Section, complaints about unsolicited communications, commonly known as spam or junk mail or commercial junk mail, vilifications and CCTV. These complaints are being investigated by our administrative staff and if there is a violation of the law, they call on the offenders to abide by the law otherwise we impose sanctions”.

Asked to say if he considers the sanctions the Commissioner can impose to be deterrent, Danielides told CNA that after studying a number of cases he reached the conclusion that the “offenders” complied with the law after sanctions had been imposed on them.

On complaints received about “spam” or “junk mail” and ways his Office handles them, he notes that each case is examined on an individual level. Moreover, he stresses that the law is clear as regards this issue.

“Whoever receives unwanted mail or sms has the right to contact the sender and request to stop receiving them. If the sender fails to comply with law, then the person receiving the unwanted mail can complain to the Commissioner’s Office, who on his part will impose sanctions”. According to Commissioner Danielides there is a variety of issues relating to advertising, and it is only a matter of time to tackle them.

Referring to the exposure of personal data on the internet and especially on social networking sites, he indicates that the greatest risk is that of publishing a lot of personal data on personal webpages, blogs and social networking sites without knowing how and who may use it. In many cases, he adds, even if we delete some of the data posted on webpages, this may still be available through cashed copies of some search engines.

“Young users of the internet, usually excited about introducing themselves and meeting other people, disclose too much personal information, without having checked first what kind of protection the specific website provides to them in relation to who can actually view their personal data and if these will be accessed by other persons or companies for other purposes, such as advertising”, he adds.

Often, he notes, “fake email messages are sent that try to trick the users into giving their passwords of various online services (Phishing). Other scams also exist like for example the cases where the users receive an email stating that they have won a lottery and in order to receive their winnings they need to pay some expenses for the transfer of the money”.

Asked about the Inland Revenue Department’s request for the “combination” of several governmental departments filing systems in order to collect information on individuals and identify those who evade taxes, Commissioner Danielides says that “we cannot violate the law according to which the Office of the Commissioner operates”.

On September 30, he had a meeting with representatives of the Interior Ministry, the Ministry of Finance, the Inland Revenue Department and the VAT Services. The Commissioner describes the meeting as constructive, adding that “we are on the right track to ensure compliance with the law, and at the same time dispel the notion that the Office of the Commissioner protects tax evaders”.

According to Commissioner Danielides there has been a recommendation on the matter from the Office of the Attorney General, which reconciles the views of both the Inland Revenue Department and the Commissioner for personal data protection, on this matter. He explains that according to the Principle of Proportionality, which ensures that personal data collected is relevant, appropriate and not excessive in relation to the purposes of processing, the Office of the Commissioner cannot permit full “combination” of filing systems.

“If we apply the so called ‘fishing expedition’ we are running the risk of facing sanctions by the EU,” he warns. “However, I do not believe that permitting ‘combination’ of filing systems so that the Inland Revenue Department can collect information on yacht owners, will necessarily mean that they are ‘fishing’ ” because the number of yacht owners in Cyprus could not be more than a hundred or maybe two hundred. Access to various filing systems can be allowed when looking for something specific and limited, he explains. “I understand that the number of yacht owners in Cyprus is limited”.

“I believe that the opinion of the Attorney General will resolve the matter” Commissioner Danielides stated.

Asked about other issues that his Office needs to deal with, the Commissioner referred to the establishment and operation of ''Artemis'' Bank Information Systems Ltd, responsible for the operation of data exchange among banking institutions members of the Association of Commercial Banks in Cyprus, for control purposes of credit ratings and creditworthiness of their clients. “We receive a lot of complaints regarding ‘Artemis’. What I know is that ‘Artemis’ is a legal process designed to protect the legitimate interests of the banks. But there are several other issues we need to deal with and make suggestions for its improvement”.

Another issue the Office of the Commissioner has to tackle concerns complaints about the Bankruptcies and Liquidations Section. Specifically, the Commissioner receives complaints from individuals who went bankrupt and although they have recovered they still cannot receive a loan from a bank. That is because the Bankruptcies and Liquidations Section does not have a mechanism to “delete” those who have actually recovered after a bankruptcy, he explains. “These people remain exposed” the Commissioner notes, adding that on October 24 he will be meeting with representatives of the Department of Registrar of Companies and Official Receiver to examine the issue.

Last but not least the Office of the Commissioner will examine, in consultation with the Cyprus Sport Organisation, whether an athlete’s name should be published when found positive at an anti-doping control and has been excluded from an athletic event.

Commissioner Danielides has told CNA that in 2011 his Office issued Decisions concerning seven cases, four of which had sanctions imposed on the “offenders”. Specifically, Larnaca General Hospital has been obliged to pay 3000 euro for the loss of a patient’s file. Also the online news website “sigmalive.com” faced a 3000 euro fine, for illegally publishing online an individual’s personal data. A 3000 euro fine has also been imposed to Archbishop Makarios III Hospital, for not taking appropriate security measures for the protection of personal data. Cyprus Scientific and Technical Chamber also faced a fine of 1000 euro also for not taking appropriate measures for the protection of personal data.