General Data Protection Regulation (GDPR) in Cyprus

Our lawyers can assist you with all elements of GDPR compliance and data protection in Cyprus. We can guide you through the first steps of compliance by conducting a GDPR audit to determine where you presently stand. We can then advise you on a compliance plan as well as the policies and processes you will need to implement to demonstrate compliance.

What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It came into effect on May 25, 2018, and replaces the 1995 Data Protection Directive.

In Cyprus, GDPR is fully enforced by the Commissioner for Personal Data Protection and the Police. The Commissioner is responsible for enforcing the provisions of the GDPR, investigating and imposing administrative fines, and promoting public awareness of personal data protection rights. The Police also have powers to investigate breaches of GDPR and to take necessary actions.

Under the GDPR, organizations that process personal data must ensure that they comply with the principles of data protection, such as the lawful processing of personal data, data accuracy, and data security. Organizations must also obtain explicit consent from individuals for the collection, processing, and storage of their personal data.

Cypriot organizations must appoint a Data Protection Officer (DPO) if they are a public authority, if their core activities require large-scale monitoring of individuals, or if their core activities consist of processing special categories of personal data. The DPO is responsible for advising on and monitoring compliance with the GDPR.

Individuals in Cyprus have several rights under the GDPR, including the right to access their personal data, the right to have their personal data erased, and the right to data portability. They also have the right to object to processing, and the right to restrict processing.

Main Provisions of the General Data Protection Regulation (GDPR)

The main provisions of the General Data Protection Regulation (GDPR) in Cyprus are as follows:

  1. Lawful Processing: Organisations must process personal data in accordance with the principles of data protection, such as fairness, lawfulness, and transparency.
  2. Consent: Organisations must obtain explicit consent from individuals for the collection, processing, and storage of their personal data.
  3. Data Protection Officer: Organisations that process a significant amount of personal data must appoint a Data Protection Officer (DPO) to advise on and monitor compliance with the GDPR.
  4. Data Security: Organisations must implement appropriate technical and organisational measures to ensure the security of personal data.
  5. Data Accuracy: Organisations must ensure that personal data is accurate and kept up-to-date.
  6. Individual Rights: Individuals have several rights under the GDPR, including the right to access their personal data, the right to have their personal data erased, and the right to data portability.
  7. Enforcement: The Commissioner for Personal Data Protection and the Police are responsible for enforcing the provisions of the GDPR and investigating breaches.
  8. Administrative Fines: The Commissioner has the power to impose administrative fines for breaches of the GDPR.
  9. Public Awareness: The Commissioner promotes public awareness of personal data protection rights and the provisions of the GDPR.

Exemptions to the General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) in Cyprus provides several exemptions from its provisions, including:

  1. National security and defense: Processing of personal data may be exempt if it is necessary for the protection of national security and defense.
  2. Criminal investigations: Processing of personal data may be exempt if it is necessary for the prevention, investigation, detection or prosecution of criminal offences.
  3. Freedom of expression and information: Processing of personal data may be exempt if it is necessary for the exercise of the right to freedom of expression and information.
  4. Performance of a task in the public interest: Processing of personal data may be exempt if it is necessary for the performance of a task in the public interest.
  5. Archiving, research, and statistics: Processing of personal data may be exempt if it is necessary for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes.

It is important to note that these exemptions are only applicable if the processing of personal data is necessary and proportionate, and if appropriate safeguards are in place to protect the rights and freedoms of individuals.

Obligations of Data Controllers

The General Data Protection Regulation (GDPR) in Cyprus imposes several obligations on data controllers, including:

  1. Lawful Processing: Data controllers must process personal data in accordance with the principles of data protection, such as fairness, lawfulness, and transparency.
  2. Consent: Data controllers must obtain explicit consent from individuals for the collection, processing, and storage of their personal data.
  3. Data Protection Officer: Data controllers that process a significant amount of personal data must appoint a Data Protection Officer (DPO) to advise on and monitor compliance with the GDPR.
  4. Data Security: Data controllers must implement appropriate technical and organisational measures to ensure the security of personal data.
  5. Data Accuracy: Data controllers must ensure that personal data is accurate and kept up-to-date.
  6. Individual Rights: Data controllers must respect and uphold the rights of individuals under the GDPR, such as the right to access their personal data, the right to have their personal data erased, and the right to data portability.
  7. Record Keeping: Data controllers must keep records of their processing activities, including the categories of personal data processed, the recipients of the personal data, and the purposes of the processing.
  8. Data Breaches: Data controllers must notify the Commissioner for Personal Data Protection and affected individuals without undue delay in the event of a data breach that is likely to result in a risk to the rights and freedoms of individuals.
  9. Data Protection Impact Assessment: Data controllers must conduct a Data Protection Impact Assessment (DPIA) for processing activities that are likely to result in a high risk to the rights and freedoms of individuals.
  10. Cooperation with the Commissioner: Data controllers must cooperate with the Commissioner for Personal Data Protection in the performance of its duties and investigations.

Applicable Fines

The General Data Protection Regulation (GDPR) in Cyprus provides for administrative fines for breaches of its provisions. The amount of the fine depends on the nature and severity of the breach and can be up to:

  1. €10 million or 2% of the total worldwide annual revenue of the preceding financial year, whichever is higher, for breaches of the obligations related to the management of personal data, such as the obligation to appoint a Data Protection Officer (DPO).
  2. €20 million or 4% of the total worldwide annual revenue of the preceding financial year, whichever is higher, for breaches of the obligations related to the security of personal data, the rights of individuals, and the transfer of personal data to third countries.

The Commissioner for Personal Data Protection has the power to impose administrative fines for breaches of the GDPR in Cyprus. The Commissioner takes into account the nature, gravity, and duration of the breach, as well as any actions taken by the organization to mitigate the damage suffered by individuals. In addition to administrative fines, organizations may also face legal action and reputational damage as a result of a breach of the GDPR.

In conclusion, GDPR plays an important role in protecting personal data and privacy in Cyprus. Organizations must ensure that they comply with the GDPR, and individuals have the right to control their personal data. The Commissioner for Personal Data Protection and the Police enforce the provisions of the GDPR to ensure that the rights of individuals are respected.

It can be difficult to know exactly what you need to do to be GDPR compliant. Our data protection lawyers will work closely with you to understand your business and give advice tailored to your present commercial position and future strategic goals.

Please visit our E-commerce in Cyprus section for more information.