Cyprus: Data Protection Authority fined Aylo for breaches of GDPR

On 28 March 2025, the Cypriot Data Protection Authority concluded an investigation into Aylo Freesites Ltd (formerly Mindgeek) and imposed two administrative fines totalling EUR 58'400 for breaches of the General Data Protection Regulation (GDPR). The authority conducted an ex officio inspection at the company’s premises, which focused on cookie consent mechanisms, biometric data processing through third parties, data protection impact assessments, and data processing agreements. The investigation identified failures to comply with several core data protection principles, including accountability, transparency, lawfulness, data minimisation, storage limitation, and legal basis requirements, which were found to persist years after the GDPR became applicable. While Aylo implemented corrective measures following a compliance order, the Authority imposed a EUR 48'000 fine for prior violations and an additional EUR 10'400 for unlawful use of cookies. The company paid the total fine within the set deadline​.