The General Data Protection Regulation (GDPR) ensures a consistent level of protection for natural persons throughout the EU in a manner which provides legal certainty and transparency. EU Member States are enacting legislation regulating specific processing situations and other aspects which supplement the GDPR and enhance this legal certainty.
Cyprus enacted the Protection of Natural Persons Regarding the Processing of their Personal Data and the Free Movement of such Data Law 125(I) of 2018 (the Law) on 31 July 2018 to supplement the GDPR. We highlight the key aspects of the Law below.
Processing by Courts and Parliament
The processing of personal data by courts of law in the course of serving justice and by Parliament in the course of exercising its powers is lawful pursuant to the provisions of the Law.
Personal data and special categories of personal data (as provided under Article 9 of the GDPR) are lawfully processed for the purposes of a court of law issuing a judgment or otherwise for the purposes of serving justice.
Processing of a child’s personal data
Where information society services are offered directly to a child on the basis of the child’s consent, the processing of the child’s personal data will be lawful when the child is at least 14 years old. The Law therefore sets a lower age for which the child may lawfully consent to processing, compared to 16 years old under the GDPR.
Where the child is below the age of 14 years, processing of their personal data shall be lawful only if and to the extent consent is given or authorised by the holder of parental responsibility over the child.
Processing of Genetic and Biometric Data
The processing of genetic and biometric data for the purposes of life and health insurance is prohibited.
When the processing of genetic and biometric is based on the consent of the data subject, any further processing of this data requires a separate consent of the data subject.
Restriction of rights
Subject to Article 23(1) of the GDPR, the controller can implement measures restricting the rights set out in Articles 12, 18, 19 and 20 of the GDPR in whole or in part. Where such measures are implemented in the context of processing by a processor these are implemented subject to the provisions of Article 28 of the GDPR.
The controller must notify the data subjects concerned of the implementation of any restrictive measures subject to the provisions of Article 14(5) of the GDPR.
An impact assessment and consultation with the Data Protection Commissioner (the DPC) is required prior to the implementation of any measures restricting the rights set out in Articles 12, 18, 19 and 20 of the GDPR. The impact assessment concerned shall include the information provided under Articles 23(2) and 35(7) of the GDPR and – as may be required – a description of the appropriate technical and organisational measures set out under Articles 24, 25, 28 and 32 of the GDPR.
The DPC has the power to impose terms and conditions for the implementation of such restrictive measures and the notification of the data subject concerned.
Exemption from requirement to communicate a personal data breach to data subjects
The controller may be partly or wholly exempt from the requirement to communicate a personal data breach to data subjects on any of the grounds set out under Article 23(1) of the GDPR.
For the controller to be exempt from the requirement to communicate a breach to data subjects an impact assessment (including the information provided under Articles 23(2) and 35(7) of the GDPR) prior consultation of the DPC is required.
The DPC may impose terms and conditions on the exemption for the implementation of such restrictive measures and the communication of the data subject concerned.
Data Protection Officers (DPOs)
The DPC may publish a list of processing circumstances in which a DPO must be appointed, additional to those set out under Article 37(1) of the GDPR.
DPOs, appointed in accordance with Article 37 of the GDPR, are bound by an obligation of secrecy or confidentiality in the course of performing their duties, subject to any laws regulating such matters. A list of controllers and processors who have appointed DPOs may be published on the website of the DPC subject to such controllers and processors so consenting.
Accreditation of certification bodies
Under Article 43(1) of the GDPR, certification bodies which have an appropriate level of expertise in relation to data protection shall issue and renew certifications provided under Article 42 of the GDPR.
The Law provides that the accreditation of such certification bodies in Cyprus will be performed by the Cyprus Organisation for the Promotion of Quality (COPQ). The COPQ will accredit a certification body on obtaining the positive opinion of the DPC as to such body satisfying the requirements under paragraphs (a), (b) and (e) of Article 43(2) of the GDPR.
The accreditation of any certification body can be revoked by the COPQ, on either a determination by the COPQ that the applicable accreditation requirements are not satisfied or on receiving a relevant request by the DPC on the same grounds.
Transfer of special categories of data to a third country
Prior to transferring special categories of data to a third country or an international organisation on the basis of appropriate safeguards provided under Article 46 of the GDPR or under binding corporate rules in accordance with Article 47 of the GDPR, a controller or processor concerned must notify the DPC in advance of such intention.
The DPC may, on serious grounds of public policy, impose restrictions on the transfer of special categories of data to a third country or an international organisation.
Where appropriate safeguards or binding corporate rules have been approved by the European Commission or in the context of the consistency mechanism under Article 63 of the GDPR, the DPC will consult with the European Commission, the Council, the lead supervisory authority concerned and other authorities involved, prior to imposing any restrictions on an intended transfer of special categories of data to a third country or an international organisation.
Where transfers of special categories of data to a third country or an international organisation are to take place in accordance with the derogations under Article 49, prior consultation with the DPC and the performance of an impact assessment is required. The impact assessment concerned shall include the information provided under Article 35(7) of the GDPR and – as may be required – a description of the appropriate technical and organisational measures set out under Articles 24, 25, 28 and 32 of the GDPR.
Special circumstances of processing
Processing carried out for journalistic purposes or the purpose of academic, artistic, or literary expression is lawful provided that the purposes for which processing takes place are proportional to the pursued objective and respect the substance of the rights defined in the Charter of Fundamental Rights of the EU, the European Convention of Human Rights and Part II of the Constitution.
Personal data in official documents in the possession of a public authority in the course of performing a duty in the public interest may be disclosed subject to the provisions of the Right of Access to Public Sector Documents Law.
Processing performed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes excludes the use of personal data for the purposes of decision-making which produces legal effects concerning or similarly significantly affects a data subject.
The DPC may impose administrative fines in accordance with and subject to the conditions of Article 83 of the GDPR.
Administrative fines imposed on a public authority or body related to non-profit activities, may not exceed €200,000.
The Law also provides for criminal offences in the following cases:
- in relation to a controller or processor that fails to maintain or update records of processing activities in accordance with Article 30 of the GDPR or refusal to disclose such records to the DPC or provides false, inaccurate, misleading or insufficient information regarding such records to the DPC
- in relation to a controller or processor that does not cooperate with the DPC in accordance with Article 31 of the GDPR
- in relation to a controller that does not notify a breach to the DPC in accordance with Article 33(1) of the GDPR
- in relation to a processor that does not notify the controller without undue delay after becoming aware of a personal data breach, in accordance with Article 33(2) of the GDPR
- in relation to a controller that does not communicate a personal data breach to a data subject, in accordance to Article 34 of the GDPR
- in relation to a controller that does not carry out an impact assessment, infringing Article 35(1) of the GDPR or section 13 of the Law
- in relation to a controller or processor that prevents the DPO from performing their duties, particularly those concerning cooperation with the DPC
- in relation to a certification body which accredits or does not revoke an accreditation in accordance with Article 42 of the GDPR
- in relation to a controller or processor that transfers personal data to a third country or international organisation in breach of the provisions of Chapter V of the GDPR
- in relation to a controller or processor that transfers personal data to a third country or international organisation in breach of restrictions imposed by the DPC pursuant to the provisions of the Law
- in relation to any person that unlawfully intervenes with a filing system of personal data or receives knowledge of such personal data or removes, alters, harms, destroys, processes, exploits, broadcasts, announces, grants access to or allows unauthorised persons to obtain personal data for any purposes
- in relation to a controller or processor that prevents or obstructs the performance of the DPC’s powers provided under Article 58 of the GDPR and section 17 of the Law
- in relation to non-compliance with the GDPR or the Law in performing processing (where this does not fall under one of the other offences set out above)
- in relation to a public authority or body that interconnects a large scale filing system contrary to the provisions of the Law.
The offences listed above at points 1-12 (inclusive) are punishable by imprisonment of up to 3 years and/or a fine of up to €30,000. The offences listed above at points 13-14 are punishable by imprisonment of up to 1 year and/or a fine of up to €10,000.
Where a person is convicted for an offence under points 7 to 10 (inclusive) above, and such offence hinders the interests of the State or the operation of Government or threatens national security, such offence is punishable by imprisonment of up to 5 years and/or a fine of up to €50,000.
Where the controller or processor is:
- an undertaking or a group of undertakings, criminal liability rests with the chief executive body of the undertaking or group of undertakings concerned.
- a public authority or body, criminal liability rests with the head of the public authority or body or the person that carries out effective management of the public authority or body.
How we can help
The GDPR gives national data protection authorities greater powers of enforcement, with the potential for significant fines for regulatory infringement and increased litigation risk arising from aggrieved data subjects. The legislation enacted by Cyprus sets out particular rules for certain processing situations and creates criminal offences for infringement of statutory provisions.
We advise EU and non-EU controllers and processors on legal and compliance issues under the GDPR and Cyprus law and support DPOs in discharging their obligations under the same.
Contact us to discuss your precise requirements.