
GDPR and Data Protection Compliance in Cyprus: What Businesses Need to Know

  • Apr 9

The General Data Protection Regulation has been directly applicable in Cyprus since May 2018 and is supplemented by the Processing of Personal Data (Protection of Individuals) Law of 2018, which addresses matters left to member state discretion under the GDPR. For businesses operating in Cyprus — whether locally incorporated or operating through a branch or representative office — compliance with the GDPR is a legal obligation that carries significant potential liability for non-compliance. This article sets out the key GDPR obligations for businesses operating in Cyprus and the practical steps required to achieve and maintain compliance.


Scope and Application

The GDPR applies to any organisation that processes personal data in the context of its activities in Cyprus, and to organisations established outside the EU that offer goods or services to individuals in Cyprus or that monitor the behaviour of individuals in Cyprus. The territorial scope of the GDPR is broad and businesses should not assume that they fall outside it simply because they are not incorporated in Cyprus or an EU member state.


Personal data is any information relating to an identified or identifiable natural person. The definition is broad and includes not only obvious categories such as names, addresses and identification numbers but also IP addresses, cookie identifiers, location data and any other information that can be used to identify an individual directly or indirectly.


Lawful Basis for Processing

Every processing activity must have a lawful basis under the GDPR. The six available lawful bases are consent, contract, legal obligation, vital interests, public task and legitimate interests. The choice of lawful basis affects the data subject's rights and the obligations of the controller, and the basis relied upon must be identified before processing commences and documented in the organisation's records of processing activities.


Consent as a lawful basis is subject to strict conditions under the GDPR — it must be freely given, specific, informed and unambiguous, and data subjects must be able to withdraw it as easily as they gave it. Relying on consent where another lawful basis is available and more appropriate is poor practice and can leave the organisation's processing activities vulnerable if consent is subsequently withdrawn.


Key Obligations

Organisations processing personal data in Cyprus must comply with the full range of GDPR obligations, which include the following.


Records of processing activities must be maintained by all organisations with 250 or more employees and by smaller organisations whose processing carries a risk to the rights of data subjects. The records must document the categories of processing activity, the purposes of processing, the categories of data processed, the recipients of data and the retention periods applied.


Privacy notices must be provided to data subjects at the time their data is collected, setting out the identity of the controller, the purposes and legal basis for processing, the recipients of the data and the data subject's rights. Privacy notices must be concise, transparent and written in plain language.

Data subject rights — including the right of access, the right to rectification, the right to erasure, the right to restriction of processing and the right to data portability — must be honoured within prescribed time limits. Organisations must have processes in place to receive, verify and respond to data subject requests.


Data processing agreements must be in place with all third-party processors — organisations that process personal data on behalf of the controller. The agreement must contain the prescribed provisions set out in Article 28 of the GDPR and must be reviewed when the processing arrangements change.


Data protection impact assessments are required for processing activities that are likely to result in a high risk to the rights and freedoms of data subjects. Common examples include large-scale processing of sensitive data, systematic monitoring of publicly accessible areas and the use of new technologies with significant privacy implications.


Personal data breaches must be notified to the Commissioner for Personal Data Protection — the supervisory authority in Cyprus — within 72 hours of the organisation becoming aware of the breach, where the breach is likely to result in a risk to the rights and freedoms of data subjects. Where the risk is high, the affected data subjects must also be notified without undue delay.


International Data Transfers

Transferring personal data outside the European Economic Area requires a legal mechanism to ensure that the level of protection afforded by the GDPR is maintained. Approved mechanisms include adequacy decisions by the European Commission, standard contractual clauses, binding corporate rules and approved codes of conduct. Organisations that transfer data internationally — whether to service providers, group companies or clients outside the EEA — must identify the applicable transfer mechanism for each transfer and ensure that it is properly documented and implemented.


The Commissioner for Personal Data Protection

The supervisory authority for data protection in Cyprus is the Commissioner for Personal Data Protection. The Commissioner has powers to investigate complaints, conduct audits and impose administrative fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher, for the most serious infringements. The Commissioner has been active in enforcing the GDPR in Cyprus and businesses should not underestimate the regulatory risk of non-compliance.


Practical Steps

Achieving GDPR compliance is not a one-time exercise. It requires an ongoing programme of assessment, documentation, training and review. The starting point for most organisations is a data mapping exercise to understand what personal data is held, how it is used, where it is stored and who has access to it. From that foundation, gaps in compliance can be identified and addressed systematically.


Kourtellos & Co advises businesses on GDPR compliance in Cyprus, including data mapping, privacy documentation, data processing agreements, data subject rights processes and breach response.

This article is for informational purposes only and does not constitute legal advice. For advice specific to your circumstances, contact us.
