1 Legal and enforcement framework

1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?

Data privacy is primarily governed in Cyprus by:

  • the EU General Data Protection Regulation (2016/679) (GDPR);
  • Law 125(I)/2018 on the Protection of Natural Persons with regard to the Processing of Personal Data and for the Free Movement of such Data of 2018 (‘Data Protection Law’), which was adopted for the effective implementation of certain provisions of the GDPR; and
  • Law 44(I)/2019 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, which was enacted in 2019 for the purpose of harmonisation with Directive (EU) 2016/680.

The Office of the Commissioner for Personal Data Protection has the authority to issue directives on matters pertaining to data protection, which are binding. Such directives are available in Greek on its official website at www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/page3f_gr/page3f_gr?opendocument.

1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?

While the laws mentioned in question 1.1 apply to the processing of personal data in any given sector, some sectors have additional requirements for the processing of personal data.

In the telecommunications sector, for example, specific data retention requirements are imposed on providers of publicly available electronic communications services.

1.3 Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?

Cyprus is a party to the following multilateral instruments which relate to data privacy matters:

  • Council of Europe Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data and the Protocol amending the Convention; and
  • the European Convention on Human Rights.

As Cyprus is an EU member state, it follows any bilateral agreements to which the European Union is a party. Examples include the EU-US, EU-Australia and EU-Canada passenger name record agreements and the EU-US Terrorist Finance Tracking Programme.

1.4 Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?

The body responsible for enforcing data privacy legislation in Cyprus is the Office of the Commissioner for the Protection of Personal Data. This is an independent supervisory public authority, entrusted with monitoring the implementation of the Cyprus Data Protection Law and the GDPR.

The commissioner has all necessary investigative, corrective, authorisation and advisory powers, as set out in Article 58 of the GDPR. Among the commissioner's main powers are the following:

  • to examine and investigate complaints, and inform the parties involved of the progress and outcome of the investigation;
  • to access all personal data and all information required for the performance of her tasks, including confidential information, except for information covered by legal professional privilege;
  • to enter, without necessarily giving prior notification to the controller or processor, any office, professional premises or means of transport, and to seize documents or electronic equipment under a search warrant, in accordance with the provisions of the Criminal Procedure Code;
  • to impose administrative fines for infringements of the provisions of the GDPR;
  • to notify the attorney general and/or the police of any contravention of the provisions of the GDPR or of the Data Protection Law that may constitute a criminal offence in accordance with Section 33 of the latter; and
  • to provide as a witness or expert any evidence before a court for the application of the GDPR and of the Data Protection Law, as well as other legislative measures relating to the processing of personal data.

1.5 What role do industry standards or best practices play in terms of compliance and regulatory enforcement?

The Office of the Commissioner, in its efforts to enforce personal data protection under the GDPR and the Data Protection Law, frequently issues directives, guidelines and opinions on specific data privacy issues, which serve as industry standards and best practices, and in some cases are binding.

2 Scope of application

2.1 Which entities are captured by the data privacy regime in your jurisdiction?

The Cyprus data privacy regime applies to:

  • controllers and processors with an establishment in Cyprus that process personal data in the context of the establishment, regardless of whether the data processing takes place in Cyprus;
  • controllers and processors not established in Cyprus that process personal data of data subjects residing in Cyprus, where the processing activities relate to:
    • offering goods or services to data subjects residing in Cyprus, regardless of whether they require payment; or
    • monitoring their behaviour that takes place in Cyprus; and
  • controllers and processors not established in Cyprus, but in a place where Cypriot law applies by virtue of public international law.

2.2 What exemptions from the data privacy regime, if any, are available in your jurisdiction?

The processing of personal data is permitted and lawful when it is carried out by:

  • courts acting in their judicial capacity for the purposes of delivering justice, including the processing of personal data necessary for the publication and adoption of decisions of any court; or
  • the House of Representatives within its powers.

Furthermore, the processing of special categories of data is permitted and lawful when it is carried out for the purpose of publishing or issuing a decision of any court, or where it is necessary for the purpose of delivering justice.

Processing by a controller or processor for the purpose of archiving in the public interest or for scientific or historical research is permissible, provided that it does not create legal consequences as against the data subject or significantly affect the rights thereof.

2.3 Does the data privacy regime have extra-territorial application?

The territorial scope of application of the Data Protection Law is in accordance with Article 3 of the GDPR (please see question 2.1). It may thus be argued that it has extra-territorial application to the extent that it applies, among other things, to controllers and processors that are based outside Cyprus, but that:

  • offer goods or services to individuals in Cyprus; or
  • monitor their behaviour in Cyprus.

3 Definitions

3.1 How are the following terms (or equivalents) defined in your jurisdiction? (a) Data processing; (b) Data processor; (c) Data controller; (d) Data subject; (e) Personal data; (f) Sensitive personal data; and (g) Consent.

(a) Data processing

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

(b) Data processor

Any natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

(c) Data controller

A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU or Cyprus law, the controller or the specific criteria for its nomination may be provided for by EU law or Cyprus law.

(d) Data subject

An identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

(e) Personal data

Any information relating to an identified or identifiable natural person (‘data subject’).

(f) Sensitive personal data

Personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.

3.2 What other key terms are relevant in the data privacy context in your jurisdiction?

None.

4 Registration

4.1 Is registration of data controllers and processors mandatory in your jurisdiction? What are the consequences of failure to register?

No.

4.2 What is the process for registration?

N/A.

4.3 Is registered information publicly accessible?

N/A.

5 Data processing

5.1 What lawful bases for processing personal data are recognised in your jurisdiction? Do these vary depending on the type of data being processed?

Cyprus data protection law follows the provisions of the General Data Protection Regulation (GDPR), which is directly applicable in Cyprus.

The lawful bases for the processing of personal data in general are set out in Article 6 of the GDPR, and for the processing of special categories of personal data (sensitive data) in Article 9 of the GDPR.

In essence, pursuant to Article 6 of the GDPR, the processing of personal data is lawful only if and to the extent that at least one of the following applies:

  • The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • The processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
  • The processing is necessary for compliance with a legal obligation to which the controller is subject;
  • The processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • The processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child; or
  • The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Further to the above, the Data Protection Law provides that, without prejudice to the final bullet above, the processing of personal data is permitted and lawful when it is carried out by:

  • courts acting in their judicial capacity for purposes of delivering justice, including the processing of personal data necessary for the publication and adoption of decisions of any court; or
  • the House of Representatives, acting in the context of its powers.

The processing of special categories of personal data is prohibited, pursuant to Article 9 of the GDPR, unless one of the following exceptions applies:

  • The data subject has given explicit consent to the processing of the personal data for one or more specified purposes, except where EU or member state law provides that the prohibition may not be lifted by the data subject.
  • The processing is necessary to carry out the obligations and exercise specific rights of the controller or of the data subject in the field of employment and social security and social protection law, insofar as it is authorised by EU or member state law or a collective agreement pursuant to member state law providing for appropriate safeguards for the fundamental rights and interests of the data subject.
  • The processing is necessary to protect the vital interests of the data subject or of another natural person, where the data subject is physically or legally incapable of giving consent.
  • The processing:
    • is carried out by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim, in the course of its legitimate activities and with appropriate safeguards; and
    • relates solely to members or to former members of the body or to persons who have regular contact with it in connection with its purposes, and the personal data is not disclosed outside that body without the consent of the data subjects.
  • The processing relates to personal data which has been manifestly made public by the data subject.
  • The processing is necessary for the establishment, exercise or defence of legal claims or for courts to act in their judicial capacity.
  • The processing is necessary for reasons of substantial public interest on the basis of EU or member state law, which must:
    • be proportionate to the aim pursued;
    • respect the essence of the right to data protection; and
    • provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject.
  • The processing is necessary:
    • for the purposes of preventive or occupational medicine, the assessment of the working capacity of an employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services on the basis of EU or member state law; or
    • pursuant to contract with a health professional and subject to relevant conditions and safeguards provided in the GDPR.
  • The processing is necessary for reasons of public interest in the area of public health, such as to protect against serious cross-border threats to health or ensure high standards of quality and safety of healthcare and of medicinal products or medical devices, on the basis of EU or member state law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject – in particular, professional secrecy.
  • The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), based on EU or member state law, which must:
    • be proportionate to the aim pursued;
    • respect the essence of the right to data protection; and
    • provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject.

Further to the above, the Data Protection Law provides as follows with regard to special categories of personal data (sensitive data):

  • The processing of such data is permitted and lawful when it is:
    • carried out for the purpose of publishing or issuing a decision of any court; or
    • necessary for the purpose of delivering justice.
  • The processing of genetic and biometric data for purposes of health and life insurance is prohibited. It is also provided that, without prejudice to Article 5(1)(b) of the GDPR – which provides that any further processing of data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes will not be considered to be incompatible with the initial purposes (‘purpose limitation’) – where the processing of genetic and biometric data is based on a data subject's consent, the further processing of such data requires the separate consent of the data subject.

5.2 What key principles apply (eg, notice) when processing personal data in your jurisdiction? Do these vary depending on the type of data being processed? Or on whether it is outsourced?

Any processing of personal data should comply with all key principles provided for in the GDPR. Therefore, personal data should be:

  • processed in a lawful, transparent and fair manner;
  • collected for specific, legitimate and determined purposes at the time of collection;
  • adequate, relevant and limited to what is necessary for the purposes for which it is processed;
  • processed in a manner that ensures appropriate security and confidentiality;
  • processed only if the purpose of the processing could not reasonably be fulfilled by other means; and
  • stored for a strict minimum period.

Controllers are responsible for, and must be able to demonstrate compliance with, all of the aforementioned principles, which apply irrespective of the type of personal data processed or of whether the data is outsourced.

5.3 What other requirements, restrictions and best practices should be considered when processing personal data in your jurisdiction?

  • When the offer of information society services directly to a child is based on the child's consent, the processing of the personal data of a child shall be lawful where the child is at least 14 years old. For children younger than 14 years old, the processing shall be lawful when consent is given or authorised by a parent or the holder of parental responsibility over the child.
  • The processing of genetic and biometric data for the purposes of health and life insurance is prohibited. Further, without prejudice to Article 5(1)(b) of the GDPR – which provides that any further processing of data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes will not be considered to be incompatible with the initial purposes (‘purpose limitation’) – where the processing of genetic and biometric data is based on a data subject's consent, the further processing of such data requires the separate consent of the data subject.
  • The combination of large-scale filing systems of two or more public authorities or bodies is permitted only for reasons of public interest and only as long as the provisions of any of the relevant appropriate legal bases can be fulfilled.
  • The processing of personal data or special categories of personal data or personal data relating to criminal convictions and offences, which is carried out for journalistic or academic purposes or for purposes of artistic or literary expression, is permitted, provided that those purposes are proportionate to the aim pursued and respect the essence of the rights as set out in the Charter of Fundamental Rights of the European Union and in the European Convention for the Protection of Human Rights and Fundamental Freedoms, which was ratified by the ratifying law on the European Convention for the Protection of Fundamental Rights and in Part II of the Constitution.
  • Processing which is carried out by a controller or processor for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes must not be used to take a decision which produces legal effects concerning the data subject or which significantly affects him or her.

6 Data transfers

6.1 What requirements and restrictions apply to the transfer of data to third parties?

There are no restrictions on the transfer of personal data to third parties within Cyprus, as long as such processing is undertaken in compliance with the general principles of processing and on the basis of appropriate legal grounds under the General Data Protection Regulation (GDPR).

6.2 What requirements and restrictions apply to the transfer of data abroad? Do these vary depending on the destination?

There are no restrictions on the transfer of personal data within the European Union, as long as such processing is undertaken in compliance with the general principles of processing and on the basis of appropriate legal grounds under the GDPR.

The transfer of personal data to third countries or international organisations is restricted; in order to be lawful, such transfers must comply with the conditions laid down in the GDPR. Specifically, such transfers can take place on the basis of:

  • an adequacy decision of the European Commission (ie, where the European Commission has decided that a third country or the international organisation in question ensures an adequate level of protection);
  • appropriate safeguards provided by the controller or processor, such as:
    • standard data protection clauses adopted by the European Commission;
    • standard data protection clauses adopted by a supervisory authority and approved by the commission;
    • binding corporate rules;
    • an approved code of conduct or approved certification mechanism; and
    • binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards as regards the data subjects' rights; or
  • an individual derogation. Such derogations include transfers that are:
    • made with the data subject's explicit consent;
    • necessary for the performance of a contract with, or in the interests of, the data subject;
    • necessary or legally required on important public interest grounds or for legal claims;
    • necessary to protect the vital interests of the data subject; or
    • made from a public register.

Where a transfer to a third country or international organisation cannot be based on any of the above grounds, it may take place only if:

  • it is not repetitive;
  • it concerns only a limited number of data subjects;
  • it is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject; and
  • the controller has assessed all the circumstances surrounding the data transfer and, on the basis of that assessment, has provided suitable safeguards with regard to the protection of personal data.

In such case, the controller must inform the commissioner and the data subjects of the transfer and of the compelling legitimate interests pursued.

Further to the above, pursuant to the Data Protection Law, special conditions are imposed on the transfer of special categories of personal data (sensitive data) to third countries.

In such cases, there is a requirement to submit prior notification to the commissioner where the transfer is to be based on Article 46 (appropriate safeguards) or Article 47 of the GDPR (binding corporate rules). The commissioner may, for important reasons of public interest, impose on a controller or a processor explicit limits to such transfer.

Furthermore, where a transfer of special categories of personal data (sensitive data) to third countries is to be made based on one of the specific derogations listed in Article 49 of the GDPR, the Data Protection Law imposes a requirement to carry out an impact assessment and a prior consultation with the commissioner.

6.3 What other requirements, restrictions and best practices should be considered when transferring personal data, both within your jurisdiction and abroad?

Subject to the provisions of the Data Protection Law on transfers of sensitive personal data to third countries, and to the case where a transfer is made on the basis of the minor transfer exemption (explained further below), transfers of personal data to third countries do not require prior notification.

Irrespective of the above, certain legal bases upon which a transfer may be made require the approval of the commissioner. By way of example, if a transfer is to be based on standard contractual clauses entered into between the parties involved (other than those approved by the European Commission), binding corporate rules or codes of conduct, these instruments must be approved by the commissioner.

A notification requirement applies where a controller wishes to effect a transfer of personal data to a third country on the basis of the so-called ‘minor transfer exemption’. In such case, the controller must inform the commissioner as well as the data subjects.

Furthermore, the Data Protection Law imposes certain notification and consultation requirements on transfers of special categories of personal data (sensitive data) to third countries.

There is in particular a requirement to submit prior notification to the commissioner where the transfer will be based on Article 46 (appropriate safeguards) or Article 47 (binding corporate rules) of the GDPR. The commissioner may, for important reasons of public interest, impose on a controller or a processor explicit limits to such transfers.

Furthermore, where a transfer of special categories of personal data (sensitive data) to third countries is to be made on the basis of one of the specific derogations listed in Article 49 of the GDPR, the Data Protection Law imposes a requirement to carry out an impact assessment and a prior consultation with the commissioner.

7 Rights of data subjects

7.1 What rights do data subjects enjoy with regard to the processing of their personal data? Do any exemptions apply?

Data subjects enjoy the following rights in relation to their personal data:

  • Right to access information: Data subjects have the right to access copies of their personal data by making a written request to the controller. The initial request is free, although a charge can be made for subsequent requests. Controllers can refuse the request if it is manifestly unfounded or excessive. The response must be provided within one month, although this can be extended by two months if the request is complex.
  • Right to data portability: Data subjects also have a right to data portability where the condition for processing personal data is consent or the performance of a contract. This entitles individuals to obtain any personal data that they have ‘provided’ to the controller in a machine-readable format. Individuals can also ask for the data to be transferred directly from one controller to another. There is no right to charge fees for this service. Data controllers may impose restrictions on the right to data portability on public policy grounds in accordance with the conditions of Article 23 of the General Data Protection Regulation (GDPR). This is subject to a data protection impact assessment and prior consultation with the commissioner, as well as notification of the relevant data subjects.
  • Right to be forgotten: A data subject can ask that his or her data be deleted in certain circumstances. However, those circumstances are relatively limited – for example, where the processing is based on consent, that consent is withdrawn and there are no other grounds for processing. Even where the right does arise, several exemptions apply – for example, where there is a legal obligation to retain the data. Data controllers may impose restrictions on the right to notification of erasure on public policy grounds in accordance with the conditions of Article 23 of the GDPR. This is subject to a data protection impact assessment and prior consultation with the commissioner, as well as notification of the relevant data subjects.
  • Objection to direct marketing: A data subject can object to his or her personal data being processed for direct marketing purposes at any time. This includes profiling to the extent that it relates to direct marketing.
  • Other rights: The GDPR contains a range of other rights, including the right to have inaccurate data corrected. There is also a right to object to processing being carried out in the performance of a public task or under the legitimate interest condition.

Finally, limitations are imposed on taking decisions based solely on automated decision making that produce legal effects or otherwise similarly significantly affect the data subject. The Article 29 Working Party has issued Guidelines on Automated Decision Making and Profiling (WP251).

There is also a right to restriction of processing – for example, pending verification of the accuracy of the relevant data. Data controllers may impose restrictions on this right on public policy grounds in accordance with the conditions of Article 23 of the GDPR. This is subject to a data protection impact assessment and prior consultation with the commissioner, as well as notification of the relevant data subjects.

7.2 How can data subjects seek to exercise their rights in your jurisdiction?

There is no prescribed form or manner for the exercise by data subjects of their rights. In practice, the most common way is for data subjects to directly submit a request in writing, either to the appointed data protection officer of the data controller (if applicable) or to such other point of contact as may be designated by the data controller.

7.3 What remedies are available to data subjects in case of breach of their rights?

Data subjects have the right to lodge a complaint with the commissioner if they consider that the processing of their personal data infringes the GDPR or the Data Protection Law.

Decisions of the commissioner are subject to appeal by way of filing an administrative recourse before the Administrative Court in Cyprus. A further final appeal may be launched before the Supreme Court of Cyprus as against the decision of the Administrative Court.

Where data subjects consider that their rights under the GDPR or national law have been infringed as a result of the unlawful processing of their data, they may bring proceedings before the courts of Cyprus against the relevant controller or processor.

8 Compliance

8.1 Is the appointment of a data protection officer mandatory in your jurisdiction? If so, what are the consequences of failure to do so?

The circumstances under which a data protection officer must be appointed are set out in Article 37 of the General Data Protection Regulation (GDPR).

In addition to the cases referred to in Article 37 of the GDPR, the Data Protection Law authorises the commissioner to establish and publish a list of processing operations and cases that require the appointment of a data protection officer. The commissioner has not issued any such list to date.

Failure to appoint a data protection officer where this is required constitutes an infringement of the GDPR and is subject to administrative fines. Infringement of the particular obligation of controllers is subject to administrative fines of up to €10 million or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

8.2 What qualifications or other criteria must the data protection officer meet?

In accordance with the GDPR, a data protection officer "shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39". The necessary level of expert knowledge should be determined on the basis of the specific operations carried out and the protection required for the personal data being processed.

The necessary skills and expertise include:

  • expertise in national and European data protection laws and practices, including an in-depth understanding of the GDPR;
  • an understanding of the processing operations carried out;
  • an understanding of information technologies and data security;
  • knowledge of the business sector and the organisation; and
  • the ability to promote a data protection culture within the organisation.

8.3 What are the key responsibilities of the data protection officer?

The key responsibilities of the data protection officer include:

  • monitoring compliance with the GDPR, applicable national data protection laws and policies of the controller or processor;
  • informing and advising the controller or processor on its obligations pursuant to the GDPR and national data protection laws;
  • advising on the data protection impact assessment and monitoring its performance; and
  • cooperating with and acting as the contact point for the commissioner.

In exercising his or her responsibilities, the data protection officer may:

  • collect information to identify processing activities;
  • analyse and check processing activities for compliance; and
  • inform, advise and issue recommendations to the controller or the processor.

Data protection officers are not personally responsible for non-compliance. The GDPR makes it clear that it is the controller or processor that must ensure and be able to demonstrate compliance.

8.4 Can the role of the data protection officer be outsourced in your jurisdiction? If so, what requirements, restrictions and best practices should be considered in this regard?

Yes, pursuant to Article 37(6) of the GDPR, the data protection officer may be a staff member of the controller or the processor, or may fulfil the tasks on the basis of a service contract.

Irrespective of whether a data protection officer is internal or external to an organisation, he or she must fulfil his or her tasks and obligations in compliance with Articles 37 to 39 of the GDPR.

8.5 What record-keeping and documentation requirements apply in the data privacy context?

The general principle of storage limitation applies in the data privacy context, which stipulates that personal data must be kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. Neither the GDPR nor the Data Protection Law provides for specific record-keeping and documentation requirements. However, record-keeping requirements may be imposed on data controllers or processors pursuant to other national laws – for example, in the context of employment relations or in the banking sector.

8.6 What other requirements, restrictions and best practices should be considered from a compliance perspective in the data privacy context?

There are no other requirements.

9 Data security and data breaches

9.1 What obligations apply to data controllers and processors to preserve the security of personal data?

Taking into account the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller must implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the General Data Protection Regulation (GDPR).

Such measures are not specified in the GDPR or the Data Protection Law; it is up to the controller in each case to decide what measures are most appropriate to preserve the security of personal data under its control.

9.2 Must data breaches be notified to the regulator? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?

A personal data breach must be notified to the commissioner unless it is unlikely to result in a risk to the rights and freedoms of data subjects. The notification must, where feasible, be made within 72 hours of the controller becoming aware of it.

If the notification is not made within 72 hours, it must be accompanied by reasons for the delay.

The notification must provide at least the following information:

  • a description of the nature of the data breach, including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
  • the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • the likely consequences of the breach; and
  • the measures taken or proposed to be taken by the controller to address the breach and measures to mitigate possible adverse effects.

9.3 Must data breaches be notified to the affected data subjects? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?

If a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the controller must communicate the breach to the relevant data subjects without undue delay.

The communication must describe in clear and plain language the nature of the breach and contain at least the following information:

  • the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • the likely consequences of the breach; and
  • the measures taken or proposed to be taken by the controller to address the breach and to mitigate possible adverse effects.

Pursuant to the Data Protection Law, controllers may be exempted, in whole or in part, from the obligation to notify data subjects of a personal data breach for any one or more of the reasons set out in Article 23(1) of the GDPR (eg, national security; defence; the prevention, investigation, detection or prosecution of criminal offences; public security and other important reasons of public interest).

For an exemption to apply, the controller must undertake a data protection impact assessment and prior consultation with the commissioner. The commissioner may impose on the controller such terms and conditions for the exemption as it may deem appropriate.

9.4 What other requirements, restrictions and best practices should be considered in the event of a data breach?

The commissioner has published a Data Breach Notification Form on its website, which controllers should complete when notifying a personal data breach. The form is available at www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/page2e_en/page2e_en?opendocument.

10 Employment issues

10.1 What requirements and restrictions apply to the personal data of employees in your jurisdiction?

While the General Data Protection Regulation (GDPR) permits EU member states, by law or by collective agreements, to provide more specific rules on the processing of personal data in the employment context (Article 88 of the GDPR), the Data Protection Law does not provide for more specific rules relating to the processing of personal data in the employment context.

The processing of personal data in the context of an employment relationship will therefore be subject to the general principles of the GDPR.

Furthermore, the commissioner has issued a Directive for the Processing of Personal Data in the Context of Employment Relations (2005) regarding the processing of personal data in the context of employment relations, which is binding.

The commissioner has also issued:

  • Guidelines 4/2017 for public sector controllers regarding the right of access by employees or candidates;
  • Opinion 1/2018 for trade unions regarding notification by employers of employees' salary and trade union contribution amounts;
  • Opinion 2/2018 regarding the use of video surveillance and biometric data in the workplace (see question 10.2);
  • Opinion 1/2019 regarding access to employees' and former employees' email accounts; and
  • an announcement regarding the use of polygraph testing during recruitment and in the workplace.

10.2 Is the surveillance of employees allowed in your jurisdiction? What requirements and restrictions apply in this regard?

The commissioner has published Opinion 2/2018 on the use of video surveillance and biometric data in the workplace. The opinion permits workplace surveillance in limited circumstances, provided that:

  • the employer is in a position to establish the lawfulness and necessity of the surveillance; and
  • there is no less invasive option to achieve the same purpose.

In the opinion, the commissioner gives a number of examples where such surveillance could be justified, such as:

  • in view of the specific working conditions; or
  • where such surveillance is necessary to protect employee health and/or safety.

The commissioner also notes that in a typical office, video surveillance should be limited to points of entry and exit, outside elevators, parking garages, cash tills and areas where safes are located, and should focus cameras on the protected object and not on employees' faces.

In addition, employers should not install cameras in employees' offices, conference rooms, corridors, kitchens, restrooms or dressing rooms. Employers further must not use video surveillance data as the sole criterion for assessing employees' behaviour and performance.

10.3 What other requirements, restrictions and best practices should be considered from an employment perspective in the data privacy context?

There are no other requirements over and above the laws, directive and guidelines discussed in question 10.

11 Online issues

11.1 What requirements and restrictions apply to the use of cookies in your jurisdiction?

‘Personal data’ is information relating to identified or identifiable natural persons.

This is a broad term that includes a wide range of information. The General Data Protection Regulation (GDPR) expressly states that it includes online identifiers such as cookies.

Under the Regulation of Electronic Communications and Postal Services (Law 112(I)/2004, as amended), the use of cookies is allowed only with the consent of the subscriber or user concerned, who must have been provided with clear and comprehensive information, in accordance with the Data Protection Law, on the purposes of the processing, among other things. There is an exception if the cookie:

  • is used for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
  • is strictly necessary for the provision of an information society service requested by the subscriber or user.

The commissioner has indicated that the Article 29 Working Party's opinion on the cookie consent exemption (WP194) and the working document providing guidance on obtaining consent for cookies (WP208) can be used as guidance on the use of cookies.

11.2 What requirements and restrictions apply to cloud computing services in your jurisdiction from a data privacy perspective?

There are no specific requirements or restrictions that apply to cloud computing services over and above the need to ensure compliance with the GDPR and the Data Protection Law. The cybersecurity legislation must also be complied with.

11.3 What other requirements, restrictions and best practices should be considered from a marketing perspective in the online and networked context?

There are no other requirements in this regard.

12 Disputes

12.1 In which forums are data privacy disputes typically heard in your jurisdiction?

Disputes are heard before the commissioner, where a complaint has been made thereto by a data subject, or before the Cyprus courts.

12.2 What issues do such disputes typically involve? How are they typically resolved?

Complaints regarding alleged infringements of data protection law are typically filed by data subjects with the commissioner. These might include:

  • complaints by employees against their employer;
  • complaints by data subjects whose rights of access/erasure or other rights have not been satisfied;
  • complaints against unlawful processing of data by public authorities, hospitals or insurance companies; and
  • complaints regarding the receipt of unsolicited emails.

When the commissioner receives such complaints, she will launch an investigation into the matter and, upon completion of the process, will issue a decision as to the legality of the controller's actions or omissions. Where an irregularity is found, the commissioner can make recommendations, issue instructions or warnings and/or impose administrative fines.

12.3 Have there been any recent cases of note?

Examples of recent decisions include the following:

  • The commissioner imposed a fine on a large banking institution for losing a customer's insurance policy. It was held that the loss of the complainant's insurance policy posed a risk to his rights, as he could not check the correctness and validity of his data and could not verify the legality of the processing (loss of control over his data).
  • Following a complaint by an employee of a large beverage company, the commissioner examined the legality, under the provisions of the General Data Protection Regulation (GDPR), of a new card swipe and camera system installed on the premises of the company. The commissioner considered that the installation of cameras for the purpose of taking low-resolution photographs of employees without first considering other less intrusive measures was unlawful and ordered the company to suspend the installation of the system.
  • The commissioner issued an important decision regarding automated processing of employee data. Specifically, a complaint was lodged regarding the processing of employee data through an automated tool used to track employee sick leave, known as the Bradford Factor. In its decision, the commissioner found that data relating to the dates and frequency of sick leave of individual employees constitutes special categories of personal data, as defined under Article 9(1) of the GDPR, and consequently found that the specific automated system had no legal basis under the GDPR and was thus unlawful. Having established such unlawful conduct, the commissioner ordered the controller to cease the processing and delete all data collected. Moreover, a number of fines were issued against the controller for infringements of Articles 6(1) and 9 of the GDPR.

13 Trends and predictions

13.1 How would you describe the current data privacy landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

The Office of the Commissioner for Personal Data Protection has been quite active in monitoring the application of the General Data Protection Regulation (GDPR) and the Data Protection Law in the last couple of years. In addition to investigating and publishing decisions taken in response to complaints by data subjects, the commissioner has made an effort to promote a data protection culture and awareness by making presentations to different public or private forums in order to educate the public on data protection matters.

Furthermore, in July 2020 the Office of the Commissioner for Personal Data Protection announced that it would be conducting raids on private companies in a number of different sectors in order to evaluate the level of compliance of Cypriot companies with the GDPR.

We are not aware of any proposed legislative reforms or developments likely to take place in the next 12 months.

14 Tips and traps

14.1 What are your top tips for effective data protection in your jurisdiction and what potential sticking points would you highlight?

Organisations that process personal data should aim to achieve data protection by default and by design. They must be clear about the processing activities that they undertake, so that they can carefully design the necessary procedures and take the appropriate technical and organisational measures to secure the relevant data.

The necessary procedures include:

  • implementing appropriately drafted privacy policies covering all categories of data subjects;
  • properly communicating such policies to data subjects;
  • obtaining valid consents where necessary;
  • conducting impact assessments;
  • entering into appropriate data processing agreements; and
  • ensuring that any transfers out of the European Union are lawfully undertaken.

It is equally important that data controllers establish a data protection culture within their organisations by appropriately informing and training employees on data protection matters.

Businesses should also put in place procedures to be followed should a personal data breach occur.

Co-authored by Athena Mavroyiannis

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.