Cyprus: Cyprus Enacts National Legislation Supplementing The GDPR

Last Updated: 12 February 2019
Article by Antoniou McCollum & Co. LLC

The General Data Protection Regulation (GDPR) ensures a consistent level of protection for natural persons throughout the EU in a manner which provides legal certainty and transparency. EU Member States are enacting legislation regulating specific processing situations and other aspects which supplement the GDPR and enhance this legal certainty.

Cyprus enacted the Protection of Natural Persons Regarding the Processing of their Personal Data and the Free Movement of such Data Law 125(I) of 2018 (the Law) on 31 July 2018 to supplement the GDPR. We highlight the key aspects of the Law below.

Processing by Courts and Parliament

The processing of personal data by courts of law in the course of serving justice and by Parliament in the course of exercising its powers is lawful pursuant to the provisions of the Law.

Personal data and special categories of personal data (as provided under Article 9 of the GDPR) are lawfully processed for the purposes of a court of law issuing a judgment or otherwise for the purposes of serving justice.

Processing of a child's personal data

Where information society services are offered directly to a child on the basis of the child's consent, the processing of the child's personal data will be lawful when the child is at least 14 years old. The Law therefore sets a lower age at which the child may lawfully consent to processing, compared to 16 years old under the GDPR.

Where the child is below the age of 14 years, processing of their personal data shall be lawful only if and to the extent consent is given or authorised by the holder of parental responsibility over the child.

Processing of Genetic and Biometric Data

The processing of genetic and biometric data for the purposes of life and health insurance is prohibited.

When the processing of genetic and biometric data is based on the consent of the data subject, any further processing of this data requires a separate consent of the data subject.

Restriction of rights

Subject to Article 23(1) of the GDPR, the controller can implement measures restricting the rights set out in Articles 12, 18, 19 and 20 of the GDPR in whole or in part. Where such measures are implemented in the context of processing by a processor these are implemented subject to the provisions of Article 28 of the GDPR.

The controller must notify the data subjects concerned of the implementation of any restrictive measures subject to the provisions of Article 14(5) of the GDPR.

An impact assessment and consultation with the Data Protection Commissioner (the DPC) is required prior to the implementation of any measures restricting the rights set out in Articles 12, 18, 19 and 20 of the GDPR. The impact assessment concerned shall include the information provided under Articles 23(2) and 35(7) of the GDPR and – as may be required – a description of the appropriate technical and organisational measures set out under Articles 24, 25, 28 and 32 of the GDPR.

The DPC has the power to impose terms and conditions for the implementation of such restrictive measures and the notification of the data subject concerned.

Exemption from requirement to communicate a personal data breach to data subjects

The controller may be partly or wholly exempt from the requirement to communicate a personal data breach to data subjects on any of the grounds set out under Article 23(1) of the GDPR.

For the controller to be exempt from the requirement to communicate a breach to data subjects, an impact assessment (including the information provided under Articles 23(2) and 35(7) of the GDPR) and prior consultation with the DPC are required.

The DPC may impose terms and conditions on the exemption for the implementation of such restrictive measures and the communication to the data subject concerned.

Data Protection Officers (DPOs)

The DPC may publish a list of processing circumstances in which a DPO must be appointed, additional to those set out under Article 37(1) of the GDPR.

DPOs, appointed in accordance with Article 37 of the GDPR, are bound by an obligation of secrecy or confidentiality in the course of performing their duties, subject to any laws regulating such matters. A list of controllers and processors who have appointed DPOs may be published on the website of the DPC subject to such controllers and processors so consenting.

Accreditation of certification bodies

Under Article 43(1) of the GDPR, certification bodies which have an appropriate level of expertise in relation to data protection shall issue and renew certifications provided under Article 42 of the GDPR.

The Law provides that the accreditation of such certification bodies in Cyprus will be performed by the Cyprus Organisation for the Promotion of Quality (COPQ). The COPQ will accredit a certification body on obtaining the positive opinion of the DPC as to such body satisfying the requirements under paragraphs (a), (b) and (e) of Article 43(2) of the GDPR.

The accreditation of any certification body can be revoked by the COPQ, on either a determination by the COPQ that the applicable accreditation requirements are not satisfied or on receiving a relevant request by the DPC on the same grounds.

Transfer of special categories of data to a third country

Prior to transferring special categories of data to a third country or an international organisation on the basis of appropriate safeguards provided under Article 46 of the GDPR or under binding corporate rules in accordance with Article 47 of the GDPR, a controller or processor concerned must notify the DPC in advance of such intention.

The DPC may, on serious grounds of public policy, impose restrictions on the transfer of special categories of data to a third country or an international organisation.

Where appropriate safeguards or binding corporate rules have been approved by the European Commission or in the context of the consistency mechanism under Article 63 of the GDPR, the DPC will consult with the European Commission, the Council, the lead supervisory authority concerned and other authorities involved, prior to imposing any restrictions on an intended transfer of special categories of data to a third country or an international organisation.

Where transfers of special categories of data to a third country or an international organisation are to take place in accordance with the derogations under Article 49, prior consultation with the DPC and the performance of an impact assessment is required. The impact assessment concerned shall include the information provided under Article 35(7) of the GDPR and – as may be required – a description of the appropriate technical and organisational measures set out under Articles 24, 25, 28 and 32 of the GDPR.

Special circumstances of processing

Processing carried out for journalistic purposes or the purpose of academic, artistic, or literary expression is lawful provided that the purposes for which processing takes place are proportional to the pursued objective and respect the substance of the rights defined in the Charter of Fundamental Rights of the EU, the European Convention of Human Rights and Part II of the Constitution.

Personal data in official documents in the possession of a public authority in the course of performing a duty in the public interest may be disclosed subject to the provisions of the Right of Access to Public Sector Documents Law.

Processing performed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes excludes the use of personal data for the purposes of decision-making which produces legal effects concerning or similarly significantly affects a data subject.

Sanctions

The DPC may impose administrative fines in accordance with and subject to the conditions of Article 83 of the GDPR.

Administrative fines imposed on a public authority or body related to non-profit activities may not exceed €200,000.

The Law also provides for criminal offences in the following cases:

  1. in relation to a controller or processor that fails to maintain or update records of processing activities in accordance with Article 30 of the GDPR, refuses to disclose such records to the DPC, or provides false, inaccurate, misleading or insufficient information regarding such records to the DPC
  2. in relation to a controller or processor that does not cooperate with the DPC in accordance with Article 31 of the GDPR
  3. in relation to a controller that does not notify a breach to the DPC in accordance with Article 33(1) of the GDPR
  4. in relation to a processor that does not notify the controller without undue delay after becoming aware of a personal data breach, in accordance with Article 33(2) of the GDPR
  5. in relation to a controller that does not communicate a personal data breach to a data subject, in accordance with Article 34 of the GDPR
  6. in relation to a controller that does not carry out an impact assessment, infringing Article 35(1) of the GDPR or section 13 of the Law
  7. in relation to a controller or processor that prevents the DPO from performing their duties, particularly those concerning cooperation with the DPC
  8. in relation to a certification body which accredits or does not revoke an accreditation in accordance with Article 42 of the GDPR
  9. in relation to a controller or processor that transfers personal data to a third country or international organisation in breach of the provisions of Chapter V of the GDPR
  10. in relation to a controller or processor that transfers personal data to a third country or international organisation in breach of restrictions imposed by the DPC pursuant to the provisions of the Law
  11. in relation to any person that unlawfully intervenes with a filing system of personal data or receives knowledge of such personal data or removes, alters, harms, destroys, processes, exploits, broadcasts, announces, grants access to or allows unauthorised persons to obtain personal data for any purposes
  12. in relation to a controller or processor that prevents or obstructs the performance of the DPC's powers provided under Article 58 of the GDPR and section 17 of the Law
  13. in relation to non-compliance with the GDPR or the Law in performing processing (where this does not fall under one of the other offences set out above)
  14. in relation to a public authority or body that interconnects a large scale filing system contrary to the provisions of the Law.

The offences listed above at points 1-12 (inclusive) are punishable by imprisonment of up to 3 years and/or a fine of up to €30,000. The offences listed above at points 13-14 are punishable by imprisonment of up to 1 year and/or a fine of up to €10,000.

Where a person is convicted of an offence under points 7 to 10 (inclusive) above, and such offence hinders the interests of the State or the operation of Government or threatens national security, such offence is punishable by imprisonment of up to 5 years and/or a fine of up to €50,000.

Where the controller or processor is:

  • an undertaking or a group of undertakings, criminal liability rests with the chief executive body of the undertaking or group of undertakings concerned.
  • a public authority or body, criminal liability rests with the head of the public authority or body or the person that carries out effective management of the public authority or body.

How we can help

The GDPR gives national data protection authorities greater powers of enforcement, with the potential for significant fines for regulatory infringement and increased litigation risk arising from aggrieved data subjects. The legislation enacted by Cyprus sets out particular rules for certain processing situations and creates criminal offences for infringement of statutory provisions.

We advise EU and non-EU controllers and processors on legal and compliance issues under the GDPR and Cyprus law and support DPOs in discharging their obligations under the same.

August 2, 2018

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
