Cyprus Public Sector under Audit for GDPR compliance

07 Nov 2019
The Cyprus Commissioner for personal data protection assessed the level of compliance of public sector with the General Data Protection Regulation (EU) 2016/679 (GDPR) and National legislation (Cyprus Law 125 (I)/2018).

The article 58 of the GDPR provides that the supervisory authorities have the power to carry out investigations in the form of data protection audits. In this context, the Commissioner sent questionnaires to all Public Authorities and Ministries in July 2019 and the deadline to submit the answers was fixed on the 13rd of September. Although the submission of answers was obligatory given that the Commissioner’s power derives from the Regulation, only 89 answers were received. Many Ministries and Departments processing personal data on a large scale did not respond to these questionnaires.

According to the statistical data, a great part of the public authorities has fulfilled their legal obligation to appoint a Data Protection Officer (DPO), however it was observed that the appointed DPOs have not been provided with the necessary resources and time to fulfil their role and in some cases the personnel was not informed of the DPO’s appointment and the DPO was not educated or trained on data protection.
It is notable that the 80% of the public authorities which replied to the questionnaires maintain records of processing activities, complying with their obligation under GDPR, while about half of them have already created a privacy policy and procedures to reply to the data subjects requests. Finally, the 63% have been trained on data protection issues.

The Commissioner’s general note is that despite that some measures have already been taken by the public sector to comply with their GDPR obligations, persistent and intense effort is required in order to safeguard the quality of the management and procedural systems on data protection and respect of data subjects’ rights.
The Commissioner intends to proceed with on-the-spot audits to verify public sector’s compliance with GDPR and based on the audits’ results, it may be decided that corrective measures must be taken and, possibly, fines may be imposed on the authorities which did not adequately comply with their obligations.   

The European Data Protection Board addresses Dark Patterns in Social Media Platforms
The managing partner of Privacy Minders, Maria Raphael, is appointed to ENISA Ad Hoc Working Group
Privacy Minders participates at the XIV Data Privacy Institute Privacy Forum held in Madrid
The Issue of Liability of EU and UK Representatives
Larnaca, Cyprus

57 Spyrou Kyprianou Avenue,
Bybloserve Business Center, Larnaca 6051, Cyprus

London, United Kingdom

71-75 Shelton Street
London WC2H 9JQ
United Kingdom

Get in touch

Tel: +357 24812581/82
Fax: +357 24812583

Click here to Subscribe