ARTICLE
5 March 2025

Data Protection Officer In Cyprus: Role, Responsibilities And Liabilities

CYAUSE Audit Services Ltd

Contributor

CYAUSE Audit Services is an Audit & Assurance firm with offices in Cyprus and the UAE, regulated by the UK ICAEW, International ACCA, Cyprus ICPAC and UAE ADGM. Our firm has extensive knowledge and experience in relocation consultation, international tax planning solutions and licensing of investment firms, funds and insurance agents / brokers. Our routine day-to-day services include accounting, audit, tax and advisory services to international businesses interested in relocating to or establishing a presence in Cyprus. Our memberships with international networks ensure seamless collaboration with overseas experts and access to fast and accurate information on overseas tax and corporate legislation. Our partnerships: BKR International (a USA accounting association ranked number 10 in the world); ACCACE Circle (European Network); 3E Accounting International (Hong Kong Network)

What is a Data Protection Officer, commonly known as the DPO?

A DPO is responsible for ensuring that an organization manages personal data in compliance with the GDPR and local data protection laws. 

This includes data related to employees, customers, and other individuals the organization interacts with.

Who Needs to Appoint a DPO?

Organizations must appoint a DPO if:

  • They are a public authority or body.
  • Their main activities involve monitoring individuals on a large scale, such as tracking behaviour or profiling users.
  • They process significant amounts of sensitive data, including health records, financial data, or criminal records.

What are the Key Responsibilities of a DPO?

  • Ensuring Compliance with the GDPR and Cyprus data protection laws when handling personal data.
  • Advising the Organization on data protection obligations and best practices, including training staff and raising awareness about data privacy.
  • Conducting Data Protection Impact Assessments (DPIAs) to identify and reduce risks associated with personal data processing, particularly for new projects and technologies.
  • Serving as a Point of Contact between the organization and the Office of the Commissioner for Personal Data Protection in Cyprus. Additionally, a DPO handles inquiries from individuals regarding their data rights, such as requests to access or delete their personal information.
  • Monitoring and Auditing the organization's data processing activities and ensuring that internal policies, including privacy policies and data retention schedules, are up to date.
  • Managing Data Breaches by assessing the impact, notifying the relevant authorities within 72 hours, and informing affected individuals if necessary.
  • Managing Documentation & Reviewing of Policies by keeping records of processing activities, reviewing and updating related policies and ensuring that such policies comply with legal requirements.
  • Maintaining Independence and Confidentiality in all matters related to personal data.

What are the necessary skills and expertise of a DPO?

  1. Expertise in national and European data protection laws and practices including an in-depth understanding of the GDPR.
  2. Understanding of the processing operations carried out by the data controller.
  3. Understanding of information technologies and data security.
  4. Knowledge of the business sector and the organisation.
  5. Ability to promote a data protection culture within the organisation (the data controller).

Is it possible to appoint an external DPO?

Yes, it is possible to appoint an external DPO on the basis of a service contract concluded with an individual or an organisation. In this case, a team of individuals working for that entity may effectively carry out the DPO's tasks as a team, under the responsibility of a designated lead contact and 'person in charge' of the client. It is, however, essential that each member of the external organisation exercising the functions of a DPO fulfils all relevant requirements of the GDPR.

What is the Legal Framework and Liabilities in Cyprus?

The DPO's role is governed by:

  • The GDPR (Regulation (EU) 2016/679); and 
  • The Cyprus Data Protection Law of 2018 (Law 125(I)/2018), which supplements the GDPR with specific national provisions.

Is the DPO personally responsible for non-compliance with the GDPR?

No, the DPO is not personally responsible for non-compliance with the GDPR. 

The GDPR makes it clear that data protection compliance is the responsibility of the controller or the processor, who are required 'to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation' (Article 24(1)).

What are the penalties for non-compliance with the GDPR?

Organizations can face significant fines if they fail to comply with data protection regulations. These include:

  • Fines of up to €20 million or 4% of the company's global annual revenue for major violations;
  • Administrative penalties for failing to appoint a DPO when required or not providing them with sufficient resources to perform their role effectively.

The DPO must operate independently, and organizations are prohibited from dismissing or penalizing them for carrying out their duties.

What is the role of the Office of the Commissioner for Personal Data Protection in Cyprus?

In Cyprus, the Office of the Commissioner for Personal Data Protection serves as the independent public authority responsible for overseeing the application of data protection laws, including the General Data Protection Regulation (GDPR). 

The Commissioner's duties encompass monitoring compliance, investigating complaints, and imposing sanctions for data protection violations. 

The Office actively enforces data protection regulations and highlights how important it is for organizations to ensure compliance in order to avoid substantial penalties.

The Office has handled over 2,500 complaints (including going after the State Health Services Organization, Social Insurance Services, newspapers, doctors, private companies, etc.) and imposed more than €1.5 million in administrative fines since the GDPR came into effect in 2018. 

Conclusion

A DPO is essential and required for organizations handling personal data in Cyprus, ensuring compliance with the GDPR and national data protection laws. 

Their role includes advising, monitoring, and liaising with authorities, helping businesses avoid regulatory penalties while protecting individuals' privacy. 

Ensuring a capable DPO is in place is essential for upholding trust and adhering to legal requirements in today's data-centric environment.

About Us

CYAUSE Audit Services has extensive experience in the insurance industry and has helped tens of insurance brokers and agents register and get licensed by the local Cyprus regulator, granting them passporting access to the rest of the European Union.

CYAUSE Audit Services is an Audit & Assurance firm with offices in Cyprus and the UAE. In 2015 we were awarded by I.C.P.A.C and the A.C.C.A (local and international association of Chartered Certified Accountants) for the Quality of our Audit Services and our Office's Procedures.

Being a Truly International Audit & Assurance firm, we have associates from all over the world and we are constantly looking for new associates to expand our network further. At present, CYAUSE Audit Services operates internationally through its membership with BKR International, amongst the largest American associations in the world, and Accace Circle, a co-created business community of like-minded BPO providers and advisors who deliver outstanding services with elevated customer experience. Our network covers almost 40 jurisdictions with over 2,000 professionals; it supports more than 10,000 customers, mostly mid-size and international Fortune 500 companies from various sectors, and processes at least 170,000 payslips globally.

CYAUSE Audit Services Ltd is also a member of BKR International, one of the biggest US Accounting Associations of the world, and the 3E Accounting Network, an international accounting network which originates from Hong Kong and has more than 80 members from all over the world.

Learn More about Cyprus Corporate Environment

Information about CYAUSE Audit Services and the Cyprus Corporate & Tax System can be obtained from our Website or our YouTube channel which provides valuable information about the Corporate & Tax Environment of Cyprus.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
