Complaint by a former employee over a lack of organisational security measures results in a finding of GDPR infringement.
A complainant alleged that his former employer had stored a letter containing personal data relating to his work performance in an electronic file on a shared server.
All employees could access this server, regardless of their duties.
After investigating the case, it was found that the former employer had organisational and security measures in place, which, however, needed to be updated.
The letter in question was stored in a file named ‘Personnel’ on 17/9/2020 and was deleted on 25/9/2020, after the complainant raised the issue.
The former employer accepted from the outset that the letter should not have been kept in the ‘Personnel’ file, since that file was accessible to employees whose responsibilities were unrelated to personnel matters.
The matter was brought before the Cyprus Commissioner for Personal Data Protection (the Commissioner), who ruled that keeping the letter in the ‘Personnel’ file without appropriate security, organisational and access-control measures (e.g. restricting access to those who needed it) constituted a violation of Article 24 of the GDPR (which requires the controller to implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with the GDPR) and Article 32 of the GDPR (which requires the controller and the processor to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the data).
Accordingly, pursuant to Article 58(2)(b) of the GDPR (which grants the corrective power to issue a reprimand to a controller or processor whose processing operations have infringed the GDPR), the former employer was reprimanded for violating Articles 24 and 32. The Commissioner took into account mitigating factors, such as the short period for which the letter was stored in the folder and the fact that the employee could not demonstrate what damage he had suffered from the exposure of his data, and did not impose a fine.
The Commissioner also recommended that the former employer review and update its security and organisational measures at regular intervals, both those relating to the termination of employment relationships and, more generally, the security, confidentiality and organisational measures it implements.
Should the former employer be found to have committed a similar breach of the GDPR within the next two years, an administrative sanction will be imposed.
By Antonia Michailidi
For more information please visit our Data Protection & Cyberlaw microsite or contact us at [email protected].