Cyprus Public Sector under Audit for GDPR compliance

07 Nov 2019
The Cyprus Commissioner for personal data protection assessed the level of compliance of public sector with the General Data Protection Regulation (EU) 2016/679 (GDPR) and National legislation (Cyprus Law 125 (I)/2018).

The article 58 of the GDPR provides that the supervisory authorities have the power to carry out investigations in the form of data protection audits. In this context, the Commissioner sent questionnaires to all Public Authorities and Ministries in July 2019 and the deadline to submit the answers was fixed on the 13rd of September. Although the submission of answers was obligatory given that the Commissioner’s power derives from the Regulation, only 89 answers were received. Many Ministries and Departments processing personal data on a large scale did not respond to these questionnaires.

According to the statistical data, a great part of the public authorities has fulfilled their legal obligation to appoint a Data Protection Officer (DPO), however it was observed that the appointed DPOs have not been provided with the necessary resources and time to fulfil their role and in some cases the personnel was not informed of the DPO’s appointment and the DPO was not educated or trained on data protection.
It is notable that the 80% of the public authorities which replied to the questionnaires maintain records of processing activities, complying with their obligation under GDPR, while about half of them have already created a privacy policy and procedures to reply to the data subjects requests. Finally, the 63% have been trained on data protection issues.

The Commissioner’s general note is that despite that some measures have already been taken by the public sector to comply with their GDPR obligations, persistent and intense effort is required in order to safeguard the quality of the management and procedural systems on data protection and respect of data subjects’ rights.
The Commissioner intends to proceed with on-the-spot audits to verify public sector’s compliance with GDPR and based on the audits’ results, it may be decided that corrective measures must be taken and, possibly, fines may be imposed on the authorities which did not adequately comply with their obligations.   
MORE RELATED NEWS

Saudi Arabia Data Protection Compliance: National Register for Controllers and Data Protection Officer Requirements
Raphael Legal and Privacy Minders Author the Cyprus Chapter in the ICLG Data Protection Guide 2024
How IAB Europe TCF v2.2 Enhances Digital Advertising Privacy Compliance
ENISA Report on Engineering Personal Data Protection in EU Data Spaces
Larnaca, Cyprus

32 Konstantinou Paleologou Street,
The Square, 2nd Floor,
6036 Larnaca, Cyprus

London, United Kingdom

71-75 Shelton Street
London WC2H 9JQ
United Kingdom

Get in touch

Tel: +357 24 32 33 33
Email: info@privacyminders.com

Click here to Subscribe