Cyprus - National GDPR Implementation Overview
1.1. National implementing legislation of the GDPR
Law 125(I) of 2018 Providing For The Protection Of Natural Persons With Regard To The Processing Of Personal Data And For The Free Movement Of Such Data ('the Law'), which entered into force on 31 July 2018, implemented certain provisions of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and repealed the previous law (Law 138(I)/2001), which had implemented the Data Protection Directive (Directive 95/46/EC) ('the Data Protection Directive').
For the better application of the GDPR, the Office of the Commissioner for Personal Data Protection ('the Commissioner') has adopted certain guidelines issued by Article 29 Working Party ('WP29') and has also issued its own guidelines and opinions.
The Guidelines from the Commissioner cover in particular:
- Data Protection Officers ('DPOs') (only available in Greek);
- Data Protection Impact Assessments ('DPIAs') (only available in Greek);
- personal data breach notifications (only available in Greek);
- codes of conduct and certification mechanisms (only available in Greek);
- security of processing (only available in Greek);
- data transfers (only available in Greek);
- records of processing activities (only available in Greek); and
- health data retention (only available in Greek).
1.3. Case Law
Since the entry into force of the GDPR in Cyprus, only a very limited number of cases have been investigated by the Commissioner for which public announcements have been issued.
The most notable case for which an announcement was made by the Commissioner concerns a campaign launched by credit institutions in 2018, by which clients were required to update their personal data under the threat of having their accounts suspended or blocked if they failed to submit such data. According to the Commissioner's announcement in June 2018, this campaign was found not to be fully in line with the relevant laws, and certain requirements of the GDPR had not been duly observed: adequate information was not provided, requests were not personalised, there was no legal justification, the principles of proportionality and minimisation were not observed, and disproportionate measures (the blocking of accounts) were included. The Commissioner did not impose any fines but made observations and suggestions to the credit institutions for compliance and stated that it would be monitoring the matter closely.
It should also be mentioned that any decisions and judgments issued under the repealed legislation which implemented the Data Protection Directive can still be used as guidance. The Commissioner also publishes an annual report covering all matters and cases examined in the relevant year. The latest annual report currently available is for 2017 (only available in Greek).
2. DATA PROTECTION AUTHORITY | REGULATORY AUTHORITY
2.1. Main regulator for data protection
The regulatory authority for data protection in Cyprus is the Commissioner, established in 2002. Apart from the Commissioner herself, the office is currently staffed by 9 officers and 5 administrative members of staff.
2.2. Main powers, duties and responsibilities
The Commissioner carries out the duties and powers assigned to him/her under the provisions of the GDPR, the Law and any other relevant regulation.
Subject to the provisions of Article 57 of the GDPR, and in addition to duties provided for in that Article, the Commissioner carries out the following tasks (Article 24 of the Law):
- publish on its website the submission forms for complaints and applications;
- examine a complaint and, where possible, depending on the complaint's nature and type, inform the complainant in writing of the progress and outcome of the complaint within thirty days of its submission; where the complaint is unfounded or does not fall within the responsibilities of the Commissioner, it must so inform the complainant in writing within thirty days of the submission of the complaint;
- inform, where appropriate, the data subject, the controller and the processor of the time limits provided in Articles 60 to 66 of the GDPR;
- it may decline to examine a complaint, or discontinue its examination, for reasons of public interest, and must notify the data subject within a reasonable time of the reasons for the non-examination or the discontinuation of the examination of the complaint;
- draw up and publish the list of processing operations and cases requiring the appointment of a DPO, in accordance with the provisions of Article 14 of the Law; and
- publish on its website the list of controllers and processors who have appointed a DPO as provided for in Article 14 of the Law.
Furthermore, subject to the provisions of Article 58 of the GDPR, in addition to powers provided for in that Article, the Commissioner exercises the following powers (Article 25 of the Law):
- subject to the provisions of Article 58(1)(a) and 58(1)(e) of the GDPR, it has access to all personal data and to all the information required for the performance of its duties and the exercise of its powers, and no form of confidentiality may be invoked against it, with the exception of lawyers' confidentiality;
- subject to the provisions of Article 58(1)(f) of the GDPR, the Commissioner may enter, without necessarily giving prior warning to the controller, the processor or their representative, any office, business premises or means of transport, with the exception of private residences;
- for the exercise of the provisions of Article 58(a) of the GDPR and those of Article 25 of the Law, the Commissioner may be assisted by an expert and/or the Police; and
- during the exercise of its investigative powers, the Commissioner may seize documents or electronic equipment under a search warrant, according to the provisions of the Criminal Procedure Law 1949 (only available in Greek).
3.1. National requirements
As regards the appointment of a DPO, where such appointment is required under the GDPR, the DPO should be notified to the Commissioner in writing or electronically (Article 14 of the Law).
The transfer to a third country of any special category personal data requires prior notification to the Commissioner (Article 17 of the Law).
The transfer of any special category personal data to a third country or to an international organisation, by a controller or processor on the basis of the derogations provided for in Article 49 of the GDPR for specific situations requires a DPIA as well as prior consultation with the Commissioner (Article 18 of the Law).
Other than the above, consultation with the Commissioner is also required when the rights of data subjects are restricted by the controller as well as in the event of a decision to not notify a data subject about a data breach (Articles 11(2) and 12(2) of the Law).
No official fees currently apply in relation to the above notification requirements.
4. DATA SUBJECT RIGHTS
Subject to the provisions of Article 23(1) of the GDPR, the controller may apply measures to limit, in whole or in part, the rights referred to in Articles 12, 18, 19 and 20 of the GDPR; provided that if the limitation of rights concerns a processing act entrusted to a processor, the measures shall apply subject to Article 28 of the GDPR (Article 11(1) of the Law).
A DPIA and prior consultation with the Commissioner are required for the implementation of such limiting measures. The DPIA shall include the information provided for in Article 23(2) and Article 35(7) of the GDPR and, where appropriate, a description of the technical and organisational security measures referred to in Articles 24, 25, 28 and 32 of the GDPR (Article 11(2)(3) of the Law).
Subject to the provisions of Article 14(5) of the GDPR, the controller shall inform the data subject about the application of such limiting measures. The Commissioner may impose conditions on the controller for the implementation of the limiting measures and for the data subject's information (Article 11(4)(5) of the Law).
The Law does not currently implement variations to the right of erasure. For variations regarding the notification obligation regarding rectification or erasure of personal data or restriction of processing under Article 19 of the GDPR see section 4.1.
5.1. National regulation of the processing of children's data and age of consent
When providing information society services directly to a child based on the child's consent, the processing of personal data is lawful if the child is at least 14 years old (Article 8(1) of the Law).
For a child under the age of 14, the processing of personal data is lawful following consent provided or approved by the person having parental responsibility for the child (Article 8(2) of the Law).
6.1. National regulation concerning the processing of special categories of data and criminal conviction data
The processing of personal data, special categories of personal data or personal data relating to criminal convictions and offences carried out for journalistic or academic purposes or for purposes of artistic or literary expression is lawful, provided that those purposes are analogous to the intended objective and respect the essence of the rights as defined in the Charter of Fundamental Rights of the EU, in the European Convention of Human Rights and Fundamental Freedoms, which has been ratified by the European Convention for the Protection of Human Rights (Ratification) Law, and in Part II of the Constitution (Article 29(1) of the Law).
The provisions of Articles 14 and 15 of the GDPR shall apply to the extent that they do not affect the right to freedom of expression and information and the press confidentiality (Article 29(2) of the Law).
7.1. Additional/varied requirements on DPO appointment, role and tasks
The DPO shall be appointed, subject to the provisions of Article 37 of the GDPR (Article 14(1) of the Law).
The Commissioner may draw up and make public a list of processing activities and cases requiring the appointment of a DPO, additional to the activities referred to in Article 37(1) of the GDPR (Article 14(2) of the Law).
The Commissioner may make publicly available on its website a list of controllers and processors who have designated a DPO and their contact details, provided that the controller and the processor wish to be included in this list (Article 14(3) of the Law).
Subject to the provisions of any law governing professional matters of confidentiality or secrecy, in the performance of his/her duties the DPO is bound by the obligation of confidentiality or secrecy (Article 15(1) of the Law).
Observance of confidentiality or secrecy by the DPO does not affect the provisions set out in Article 58(1) of the GDPR and the powers of the Commissioner set out in Article 25(a)(b) of the Law (Article 15(2) of the Law).
8.1. Variation/exemptions on breach notification obligation
The controller may be relieved, in whole or in part, of the responsibility for the disclosure of a personal data breach to the data subject, for one or more purposes referred to in Article 23(1) of the GDPR. The exemption from the responsibility for data breach notification requires a DPIA and prior consultation with the Commissioner. The DPIA must include the information set out in Article 23(2) and Article 35(7) of the GDPR. The Commissioner may impose terms and conditions on the controller for the exemption (Article 12 of the Law).
8.2. Sectoral obligations
Data controllers in certain sectors may be required to inform sectoral regulators of any breach.
9.1. National activities subject to prior consultation/authorisation
Under the Law, the following activities require a DPIA and prior consultation with the Commissioner:
- measures to limit, in whole or in part, the rights referred to in Articles 12, 18, 19 and 20 of the GDPR (Article 11 of the Law);
- exemption from the responsibility for data breach notification (Article 12 of the Law);
- transfers of personal data to third countries or international organisations (Article 17 of the Law);
- the combination of filing systems which concern special categories of personal data or data concerning criminal convictions, or which are to be used with an identification card number or any other identity information of general application (Article 10 of the Law); and
- the enactment of laws or regulations pursuant to a law, which provide for a particular act or series of personal data processing acts (Article 13 of the Law).
9.2. National activities not subject to prior consultation/authorisation
Activities other than those stated in section 9.1 above do not require prior consultation with the Commissioner.
10.1. National implementation of Article 89 of the GDPR
Processing carried out by a controller or processor for archiving purposes in the public interest or for scientific purposes or historical research or for statistical purposes excludes the use of personal data with the purpose of taking a decision, which produces legal effects vis-à-vis the data subject or significantly affects it in a similar way (Article 31 of the Law).
Subject to the provisions of Article 83 of the GDPR, the Commissioner may impose administrative fines. An unpaid administrative fine is collected as a civil debt due to the Republic. An administrative fine imposed on a public authority or public body in respect of non-profit-making activities may not be higher than €200,000 (Article 32 of the Law).
In addition to administrative fines, the Law creates a number of criminal offences for the violation of certain articles of the Law and of the GDPR (e.g. Articles 30, 31, 33(1)(2), 34, 35(1), 42, Chapter V, etc.), punishable upon first conviction with imprisonment of one to five years and/or a fine of between €10,000 and €50,000, depending on the offence (Article 33 of the Law). For these purposes, if the controller or processor is a business undertaking or group of business undertakings, legal responsibility lies with the person designated as the highest executive instrument or body of the undertaking or group of undertakings. If the controller or processor is a public authority or public body, the head or the person who exercises effective management of the public authority or public body is legally responsible (Article 33(5) of the Law).
12. OTHER SPECIFIC JURISDICTIONAL ISSUES
Processing Genetic and Biometric Data for Life Insurance Purposes
Processing of genetic and biometric data for life insurance purposes is forbidden under the Law. Notwithstanding the provisions of Article 5(1)(b) of the GDPR, when the processing of genetic and biometric data is based on the consent of the data subject, the separate consent of the data subject is required for the further processing of such data (Article 9 of the Law).
Accreditation of Certification Bodies
The accreditation of certification bodies pursuant to Article 43 of the GDPR has been assigned to the Cyprus Organisation for the Promotion of Quality and requires the positive opinion of the Commissioner that the Organisation complies with the requirements of Article 43(2)(a), (b) and (e) of the GDPR (Article 16 of the Law).
Personal data in official documents held by a public authority or entity for carrying out a task in the public interest shall be disclosed, subject to the provisions of the Right of Access to Documents of the Public Sector Law 2017 (only available in Greek) (Article 30 of the Law).
Third Countries and International Organisations
In the absence of an appropriate legal measure by the European Commission, binding on Member States, the Commissioner may propose to the Minister of Justice and Public Order the conclusion of agreements with third countries or international organisations for the fulfilment of the purposes referred to in Article 50 of the GDPR (Article 35 of the Law).