This article briefly discusses the imposition of an administrative fine by the Cyprus Data Protection Commissioner on the Board of Registered Realtors for failure to meet data subject request.
A complainant submitted a written request to the Board of Registered Realtors (the Board), requesting various information concerning him personally, in his way of exercising the right of access provided to him by Article 15 of the General Data Protection Regulation (GDPR). The complainant received no reply from the Board and lodged a complaint with the Cyprus Data Protection Commissioner (the Commissioner).
The Commissioner reached out to the Board both while examining the complaint and subsequently during an evaluation of a prima facie infringement of the provisions of GDPR. The Commissioner requested the positions of the Board in relation to the prima facie infringements of the GDPR but received no response to this action. Therefore, the Commissioner has issued a decision on the matter.
The Commissioner ordered the Board of Registered Realtors, to comply with the complainant's request with an exclusive period of one month. It also imposed on the Board the penalty payment of €10.000 for infringing Articles 12 (transparent information, communication and modalities for the exercise of the rights of the data subject), 15 (right of access by the data subject), 31 (duty of controller and processor to cooperate with the supervisory authority); and 58(1)(e) (the power of the supervisory authority to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks) of the GDPR.
According to the Commissioner’s website, following the adoption of the decision, the Board complied with the Commissioner's decision and satisfied the complainant's request. However, the Board brought an action under Article 146 of the Constitution against the Commissioner's decision regarding the €10.000 administrative fine imposed on the Board.
Further to the above, responsible parties/businesses are urged to be careful to comply with data subject requests within required time frames to avoid monetary penalties as well as reputational damage.
 More information can be found here.
Back to News