EU data protection rules apply to the European Economic Area (EEA), which includes all EU countries and non-EU countries Iceland, Liechtenstein and Norway. All countries outside the EEA are treated as third countries for the purposes of the General Data Protection Regulation (GDPR).

The GDPR lays down a number of rules aimed at establishing a high level of protection for natural persons against the misuse of their personal data. Businesses, whether acting as controllers or processors, are under strict restrictions over the transfer of personal data outside the EEA. Business must particularly take into account that transferring personal data to third countries, even if this takes place between entities that belong to the same group of companies, may result in a breach of the GDPR.

A transfer can take place only if the conditions laid down in the provisions of the GDPR relating to the transfer of personal data to third countries are complied with by the controller or processor concerned.

Member States may conclude international agreements which involve the transfer of personal data to third countries, as far as such agreements do not affect the GDPR or any other provisions of EU law and include an appropriate level of protection for the fundamental rights of the data subjects.

Cyprus has enacted legislation that regulates further the conditions and mechanics of transferring special categories of personal data from Cyprus to third countries and the involvement of the Office of the Commissioner of Personal Data Protection in Cyprus (the CPDP) in that process.

Sanctions

Transferring personal data to third countries (or companies established in third countries) in the absence of an adequacy decision by the Commission and without first providing the appropriate safeguards, may result in fines of up to €20 Million or 4% of the total worldwide annual turnover.

From a Cyprus law perspective, it is a criminal offence to transfer personal data in violation of the provisions of the applicable statutory framework or in breach of any restrictions imposed by the CPDP in relation to such transfer. Sanctions for committing such criminal offence(s) can involve, on conviction, either or both a prison sentence of up to 3 years and a fine of up to 30,000. These penalties can rise up to 5 years of imprisonment or a fine up to 50,000, depending on the gravity of the offence.

Transferring personal data to third countries under an adequacy decision

Where the European Commission has issued a decision that a third country (or even a specific sector of such country) ensures an adequate level of protection then, subject to the provisions (or limitations) included in the adequacy decision, transfers to third countries do not require any further authorisation.

The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework) as providing adequate protection.

Transferring personal data to third countries under appropriate safeguards

In the absence of a European Commission adequacy decision, transfers of personal data may take place by establishing the appropriate safeguards outlined in the GDPR. Controllers and processors may establish the required safeguards by adopting one of the following:

  • Binding Corporate Rules (BCRs)
  • BCRs are usually adopted within a group company structure to ensure that the transfer of personal data is conducted within the group in a manner which safeguards the rights of the data subject under the GDPR.
  • Standard contractual clauses adopted by the European Commission (SCCs)
  • SCCs are a standard set of contractual clauses adopted by the European Commission ensuring an adequate level of protection.
  • Standard data protection clauses
  • Standard data protection clauses may be adopted by the CPDP for Cyprus. Such protection clauses require the approval of the European Commission and the European Data Protection Board before they qualify as ensuring adequate levels of protection.
  • Compliance with a code of conduct
  • A code of conduct must be approved by the CPDP and the EDPB, whilst the European Commission retains its power to decide on the validity of such code.
  • Certification under an approved certification mechanism
  • The certification mechanism must be approved by the CPDP for Cyprus and be aligned with applicable Cyprus law.
  • Contractual clauses authorized by the supervisory authority
  • Such clauses must receive approval by the CPDP.

Compliance with data protection rules in the context of third-country transfers may be achieved using one of these safeguards. Whilst each safeguard will ensure GDPR compliance choosing the one that makes the most commercial sense will depend on a number of factors including the size of the Group, the EU country or countries out of which personal data is exported to a third country and the national data protection legislation in each country.

Transferring special categories of data to third countries

Special categories of personal data can be transferred to third countries on the basis of appropriate safeguards or BCRs, provided that the controller or processor concerned has accordingly informed the CPDP prior to such transfer.

The CPDP has the power to impose express restrictions vis-à-vis the transfer of such special categories of data on serious public interest grounds. The CPDP must, however, consult with the European Commission and other competent authorities concerned, where the appropriate safeguards or BCRs relevant to the intended transfer were previously approved by the European Commission or under Article 63 of the GDPR.

In the absence of an adequacy decision or of appropriate safeguards, a transfer of special categories of data taking place on the basis of the conditions under Article 49 of the GDPR requires an impact assessment and prior consultation with the CPDP. The impact assessment must include:

  1. a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
  2. an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  3. an assessment of the risks to the rights and freedoms of data subjects; and
  4. the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR taking into account the rights and legitimate interests of data subjects and other persons concerned.

The impact assessment should also set out appropriate technical and organisational measures in place, as these are provided under articles 24, 25, 28 and 32 of the GDPR, as applicable.

The CPDP has the power to impose express restrictions vis-à-vis the transfer of such special categories of data on serious public interest grounds.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.