Investigation procedure of Complaints
Who can lodge a complaint?
Every data subject (that is the person whose data are being processed) has the right to lodge a complaint with the Commissioner, if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.
A complaint may also be filed by a not-for-profit body, organisation or association which has been properly constituted in accordance with the law, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects' rights and freedoms with regard to the protection of their personal data and have received a mandate from the data subject to lodge the complaint on his or her behalf.
When can I lodge a complaint?
Before lodging your complaint, you may contact directly the controller (usually the person against whom the complaint is made) to address your concerns. Where the controller has appointed a Data Protection Officer (DPO), you may apply to him or her in regard to any issue concerning the processing of your personal data and to exercise your rights. The details of the DPOs are usually published on the website of the controller.
If your concerns are not addressed, you may lodge a complaint with the Commissioner.
How do I lodge a complaint to the Commissioner?
For lodging a complaint you are requested to fill in one of the following forms, depending on the case, and send it to the Commissioner:
Form A: Complaint involving the data subject’s rights (right of access, right to object or to rectification or to erasure or to the restriction of processing or to data portability)
Form B: Complaint involving any other breach of the legislation for the processing of personal data (other than the rights)
Form C: Complaint concerning unsolicited electronic communication i.e. emails and sms (spam).
What is the procedure for investigating complaints?
While investigating your complaint the views and positions of the Authority/Organisation/Company or person against whom your complaint is lodged will be sought. In some cases information may also be sought from third parties, when it is deemed useful in the context of the investigation.
Your identity may be disclosed to the controller or to third parties, where necessary in the context of the investigation. Please inform the Commissioner if your do not wish to have your identity disclosed to the controller and the reasons for that. Depending on the nature of your complaint, notably if the complaint involves the exercise of the rights or spam, it might not be possible to examine your complaint without communicating your identity to the controller, in which case you will be informed accordingly.
Following the investigation, we will contact you to the address you communicated to us while lodging your complaint, to inform you on the result.
Does the Commissioner examine every complaint?
Complaints which are vague, unfounded or excessive, particularly due to their recurring nature, or if they are anonymous or do not contain the necessary details, may not be examined. In such case the complainant shall be duly informed.
What are the powers of the Commissioner in investigating complaints?
The Commissioner may impose corrective measures (including fines) to controllers or processors, when they are in breach of the data protection legislation.
The Commissioner may also refer the case to the Police. The Commissioner can notify to the Attorney General of the Republic and/ or to the police any violation of the provisions of the Regulation or of the law 125(I)/2018 that may constitute an offense (ref. section 33 of the Law 125(I)/2018).
Can I ask the Commissioner to make an award of compensation in the case of breach?
No. The Commissioner is competent to impose corrective measures (including fines) to controllers or processors, but not to grant compensation to affected data subjects.
Any person who has suffered material or non-material damage as a result of an infringement of the GDPR, has the right to seek compensation before a Civil Court.
Right to a judicial remedy
Both the complainant and the person against whom the complaint is lodged (the controller) have the right to appeal the decision of the Commissioner in the Administrative Court, pursuant to Article 146 of Cyprus Constitution and the Law on the Establishment and Operation of the Administrative Court of 2015, within seventy-five days from the date of the decision.
Cross-border complaints (IMI System):
In cases where the complaint involves cross-border processing, it will be entered in the Internal Market Information (IMI) in order to be handled with the cooperation and consistency mechanism of the Chapter VII of the GDPR.
Download here the investigation procedure in pdf format.
Note: The above links “Help us improve” and “Report an obstacle” are available for providing feedback about the website, not for the submission of complaints about infringements of the legislation. For the submission of a complaint please see the section “How do I lodge a complaint to the Commissioner” above.
We do not currently have the ability to contact the persons that submitted feedback using the links “Help us improve” and “Report an obstacle”.
Last Update: 26/8/2020
spam_complaint_form ENG.docx
Investigation procedure.pdf Complaint form A rights ENG v2.docxDOCX
Complaint form B ENG v2.DOCX