10 Aug 2018
On 31/07/2018, Cyprus enacted The Protection of Natural Persons against the Processing of their Personal Data and the Free Movement of such Data Law of 2018 (
L.125(I)/2018). According to the announcement on the website of the Cyprus Commissioner for the Protection of Personal Data, national legislation was enacted for the effective application of certain provisions of the GDPR into domestic law.
This article aims to provide a brief summary of the most notable aspects of the new domestic law:
Processing of data by the judiciary or legislature
The processing of personal data is permitted and is lawful when carried out by the judiciary for the purpose of serving justice and by the legislature in the context of their power, while the processing of specific categories of personal data, as provided in Article 9 of GDPR, is permitted and is lawful when it is carried out for the purpose of publishing or issuing a decision.
Conditions applicable to child's consent in relation to information society services
When the provision of information society services directly to a child is based on the consent of the child, the processing of personal data is lawful if the child is at least 14 years old. Where the child is below the age of 14 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
It is noteworthy that the Cyprus Parliament, using the flexibility provided by the GDPR, has chosen a lower age threshold compared to the 16 years old threshold set by the GDPR.
Processing of Genetic and Biometric Data
Processing of genetic and biometric data for life and health insurance purposes is prohibited. Furthermore, when the processing of genetic and biometric data is based on consent of the data subject, a separate consent of the data subject is required for further processing of such data.
Restriction of data subjects’ rights
Subject to the provisions of Article 23 (1) of the GDPR, the controller may apply measures to limit, in whole or in part, the rights referred to in Articles 12, 18, 19 and 20 of the GDPR. In case where the limitation of rights concerns a processing act entrusted to a processor, the said restrictive measures shall apply subject to Article 28 of the GDPR.
In order to apply any restrictive measures, it is necessary to conduct a data protection impact assessment and to request the prior consultation of the Commissioner and the data subjects must be notified of the implementation of any restrictive measures.
Additionally, the Commissioner may impose terms and conditions to the controller for the implementation of any restrictive measures as well as in regard to the data subjects’ required notification.
Exemption from the requirement of communication of breach to data subjects
The controller may be exempt, in whole or in part, from the requirement to communicate a data breach to the data subjects, for one or more of the grounds referred to in Article 23 (1) of the GDPR.
For the exemption to be effected, it is necessary to conduct a data protection impact assessment and to request the prior consultation of the Commissioner and the latter may impose terms and conditions to the controller for such exemption.
Data Protection Officer (DPO)
The Commissioner may publish list of processing acts and cases, additional to those referred to in Article 37 of the GDPR, in which the appointment of a DPO is obligatory.
Also, the Commissioner may publish on its website, a list of the controllers and processors who appointed a DPO and their contact details, provided that those controllers and processors wish to be included in that list.
The DPO, while performing his or her duties, is bound by the obligation of secrecy or confidentiality, subject to any laws governing issues of professional secrecy or confidentiality.
Accreditation of certification bodies
The accreditation of certification bodies is conducted by the Cyprus Organisation for the Promotion of Quality (COPQ). For the accreditation to be effected, the COPQ must receive the positive opinion of the Commissioner that the applicant fulfills the provisions of Article 43(2)(a)(b) and (e) of the GDPR. An accreditation may be revoked, in case where COPQ determines that the accreditation requirements are not satisfied or if the actions of the accredited body are against the GDPR or L.125(I)/2018.
Transfer of special categories personal data to a third country or an international organisation
Controllers and processors are obliged to inform the Commissioner prior to the transfer of special categories personal data to a third country or an international organisation on the basis of appropriate safeguards as stipulated in Article 46 of the GDPR or on the basis of binding corporate rules as stipulated in Article 47 of the GDPR.
Nonetheless, the Commissioner may, for serious public interest reasons, impose restrictions on the transfer of special categories of data to a third country or international organisation. In case where appropriate safeguards or binding corporate rules have been approved by the European Commission or in the context of the consistency mechanism of Article 63 of the GDPR, the Commissioner will consult with the Commission, the Council, the lead supervisory authority and other involved authorities, before imposing any such restrictions.
The transfer of special categories personal data to a third country or an international organisation by a controller or processor on the basis of the derogations for specific situations of Article 49 of the GDPR, requires the need for a data protection impact assessment and the prior consultation of the Commissioner and the latter may impose restrictions for the transfer of such data to the controller or the processor.
Special circumstances of processing
The processing of personal data or special categories personal data regarding criminal convictions and offenses for journalistc or academic purposes or for purposes of artistic or literature expression is lawful provided that these are proportional to the pursued objective and respect the essence of the rights as defined in the Charter of Fundamental Rights of the European Union, the European Convention of Human Rights (ECHR) and Part Ii of the Constitution.
Personal data in official documents possessed by a public authority for the purposes of performing a duty for the public interest are disclosed, subject to the provisions of the Right of Access to the Documents of the Public Sector Law.
Processing performed by a controller or processor for archiving purposes for the public interest or for scientific or historical research purposes or for statistical purposes excludes the use of personal data for decision-making purposes when the decision may produce legal effects against the data subject or significantly affects it in a similar way.
Administrative fines
In case an organisation fails to pay the administrative fine imposed by the Commissioner, the fine shall be collected as a civil debt due to the Republic of Cyprus. An administrative fine imposed on a public authority or public body for non-profit-making activities may not exceed two hundred thousand euros (€ 200,000).
Offenses and penalties
According to the new legislation, the following are considered as criminal offenses and they may be punishable of up to 3 years imprisonment and/or €30,000 fine:
(a) when a controller or processor fails to keep the record of activities as provided in Article 30 of the GDPR or does not update this record or refuses to present the record to the Commissioner, upon such request, or provides the Commissioner with false, inaccurate, incomplete or misleading information about this record,
(b) when a controller or processor does not cooperate with the Commissioner in accordance with the provisions of Article 31 of the GDPR,
(c) when a controller does not notify the Commissioner of a personal data breach, in accordance with the provisions of Article 33 (1) of the GDPR,
(d) when a processor does not promptly inform the controller of a personal data breach in accordance with the provisions of Article 33 (2) of the GDPR,
(e) when a controller does not notify a personal data breach to the subject of the data, in accordance with the provisions of Article 34 of the GDPR,
(f) when a controller does not carry out an impact assessment in violation of Article 35(1) of the GDPR or Article 13 of the new legislation,
(g) when a controller or a processor prevents the DPO to perform his or her duties, particularly those concerning his or her cooperation with the Commissioner,
(h) when a certification body which accredits or does not revoke a certification according to Article 42 of the GDPR,
(i) when a controller or a processor transfers personal data to a third country or international organisation in violation of the provisions of Chapter V of the GDPR,
(j) when a controller or a processor transfers personal data to a third country or international organisation in violation of restrictions imposed by the Commissioner pursuant to the provisions of the new legislation,
(k) when a person with no right intervenes in any way with a filing system of personal data or receives knowledge of such personal data or removes, alters, harms, destroys, processes, exploits in any way, broadcasts, announces, grants access to or allows unauthorised persons to become aware of the said personal data for profitable purposes or not,
(l) when a controller or a processor prevents or obstructs the execution of the Commissioner’s powers as stipulated in Article 58 of the GDPR and Article 17 of the new legislation,
(m) when a controller or a processor does not comply with the provisions of the GDPR and the new legislation during the performance of a processing activity which is not considered as an offence according to the above,
It is noteworthy that if a person is convicted for an offence under points (g) to (j) above and such offence hinders the interests of the State or raises risks for the seamless operation of Government or threatens national security, a sentence of 5 years of imprisonment and/or a fine of €50,000 may be imposed.
It must be also highlighted that if the controller or processor is an undertaking or a group of undertakings, criminal liability rests with the chief executive body of the undertaking or group of undertakings concerned.