Peculiarities of the GDPR Compliance in Cyprus

In 2018 the General Data Protection Regulation (GDPR) was adopted by the European Commission and superseded the Directive on privacy and Electronic Communications 2002. GDPR has a direct application in all Member-States of the EU. However, it provides opportunities to adjust its rules to the realities of each country.

So what are the main differences of the Law providing for the protection of natural persons with regard to the processing of personal data and the free movement of such data (Law 125(I) of 2018) (the “Data Protection Act”) adopted in Cyprus upon the implementation of GDPR?


GDPR defines the amplitude of the minors’ age from 13 to 16 years- that is the controller who collects and processes the personal data of children below this age should ask for the explicit consent of their parents. In Cyprus, the age of explicit consent obtained from parents relates to the processing of personal data of children under 14 years old.

Sensitive data

GDPR sets out that the sensitive data (data about health, biometric, genetic, political, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership) may be processed upon the consent of the data subject. In Cyprus, the biometric and genetic data may not be processed for medical or life insurance in any case. Even if you have obtained consent, this wouldn’t be regarded as a lawful basis. Thus, it is important to bear in mind that the genetic and biometric data of Cypriots shall not be considered while deciding which type of of the insurance to issue.

Restrictions of rights

GDPR permits in some strict cases to restrict the rights of the data subjects by the controller. In most cases, it pertains to national security, judicial proceedings and prevention of breaches of rights and freedoms of the citizens. The Data Protection Act lays out that the only rights in articles 12 (informing data subject of the modalities for the exercise of his/her rights), 18 (right to restrict processing by the data subject), 19 (notification to the data subjects about any rectification or erasure of his/her personal data) and 20 (right of the data subject to receive and transmit to third parties his/her personal data) might be restricted upon the grounds provided in article 23 of the GDPR.

However, the companies may not benefit from these restrictions for their own sake. So. these restrictions shall not be of big concern for any commercial activities conducted by the businesses.

Exemption from data breach notification to the data subject

As in the case with the restrictions of rights, exemption from the notification may be granted only under article 23 of the GDPR. That is when the controller is allowed to restrict the rights of the data subject, it may also not to notify about the data breach if the processing was necessary for ensuring national security, judicial proceedings, etc. However, this decision not to notify must be prior agreed with the Data Protection Authority and the Data Protection Impact Assessment should be conducted.

So, as you see, restriction of rights and opportunity not to notify about the data breach may take place only in the exceptional cases to benefit the community as a whole and upon the authorisation of the Data Protection Authorities.

Powers of the Data Protection Authority

This is the most peculiar issue to carry about in Cyprus. The GDPR in article 58 assigns a variety of the investigating and corrective powers without defining the details. Therefore, The Data Protection Act provides additional to the Commissioner for Personal Data Protection.

The Commissioner is authorized to enter without necessarily informing the controller or the processor or their representative in advance, in any office, professional premises or mean of transport, except for residences. Thus, for instance, if the Commissioner has a lawful basis for entering the premises, he/she may do so and notify the company on its arrival in 10 minutes.

Moreover, the Commissioner is authorised to have access to all the personal data and all the information required for the performance of his/her tasks and the exercise of his/her powers, including confidential information, except for information covered by legal professional privilege.

So, this provision is a reflection of the accountability principle defined in article 5 of the GDPR- the company shall always be ready to demonstrate and provide evidence of its compliance with the GDPR. It is important to keep all the policies and procedures regarding the processing of personal data up-to-date and regularly test and verify the technical measures such as encryption, pseudonymization, etc.

Data Protection Officer (DPO)

DPO is a professional who is hired by the company or its employee in order to advise on compliance with the GDPR. DPO is mandatorily required only in some certain cases defined in the GDPR, though it is reasonable to get constant support in the collection of personal data. Data Protection Act does not impose any significant additional obligations on the DPO, nevertheless, the Commissioner may issue a list of operations to conduct which the DPO is required. For now, there is no such list.

Transfer of special categories of personal data to third parties

Transfer of personal data to third parties outside the EU is always a challenge, in case of special categories of personal data it is an impossible mission. As was mentioned the genetic and biometric data of Cypriots may not be processed in any case, other sensitive data may be transferred outside only with prior information of the Commissioner. That is the company is obliged to present all the necessary documents (evidence of the informed consents of the data subjects) and demonstrate that the appropriate safeguards (SCC, BCRs), technical and organisational measures are put in place.

Moreover, if the Commissioner considers that such transfer may be of prejudice to the public interest, the transfer is restricted or cancelled at all. So, if you want to develop any fitness app or track the health of the users (for example, women’s period) and send it to the processor outside the EU, you are likely to fall under this requirement.

The volume of fines under the Data Protection Act

In general, the GDPR set out the amount of fine- 4% of the annual income or 20 000 000 euro. The Member-states may adjust these limits as they deem it necessary. In Cyprus the offences are divided into three categories based on their gravity as defined in the Data Protection Act:

  • 10 000 euro and/or 1 year of imprisonment;
  • 30 000 euro and/or 3 years of imprisonment;
  • 50 000 euro and/or 5 years of imprisonment.

Specific requirements

Cyprus as any other country of the EU has its own Data Protection Authority and specific demands to the documents necessary to become compliant with the GDPR. Below are described the documents that should be provided in the form established by the Commissioner.


GDPR clearly lays out in article 30 that each data controller and data processor must keep records of their processing activities. Also, the article defines the exact information to be kept, though the Officer of Commissioner provides the necessary forms of records to fill in. The information in these templates may be provided in English and Greek that substantially facilitate the completion by non-residents of Cyprus.

Breach notification

As well as with the Records forms, the Office of Commissioner provides templates form to notify the breach and opportunity to submit to the Commissioner in English.

Complaint forms

For complaints the Officer developed three types of form:

  • when the rights of the data subjects are violated;
  • regarding the unsolicited emails and messages;
  • other issues regarding the breach of the data protection law.

Also, these forms might be completed in English and in Greek.

Examples of violations

Since the establishment of GDPR in 2018, there have been not many cases of violations. The greatest penalty was imposed with a view to the unlawful use of the Bradford factor. The company used this technology to monitor sick leaves and develop profiles of employees. The Commissioner found that the Bradford factor infringes articles 6 (legal bases for processing) and 9 (special categories of data) of the GDPR. There were imposed three fines of 70 000 euro, 10 000 euro and 2000 euro.

Another penalty pertains to the negligence of the hospital personnel. The patient submitted the claim to the Office of Commissioner as the hospital did not provide her with the medical file. The hospital stated that it could not identify/locate it. So, for the loss of medical documentation, the hospital was fined for 5000 euro. Article 15 of the GDPR-right to access was violated by the hospital.

There was one case of corruption. The police officer obtained unauthorized access to the database of vehicles owners to transfer it to the third parties. His misuse of power was revealed and the police were fined for 6000 euro.

So, becoming GDPR compliant in Cyprus does not require a lot of additional efforts if you are already in compliance with the GDPR. It is just necessary to remember to take into account certain peculiarities and requirements established in Cyprus.

    Your question to IT lawyers