Data Protection in Cyprus

From GDPRhub
Data Protection in Cyprus
Data Protection Authority: Commissioner (Cyprus)
National Implementation Law (Original): Data Protection Act (2018)
English Translation of National Implementation Law: English Translation
Official Language(s): Greek
National Legislation Database(s): Link
English Legislation Database(s): n/a
National Decision Database(s): Link

Legislation[edit | edit source]

History[edit | edit source]

First law on processing of personal data in Cyprus was L. 138(1)/2001 for the harmonisation of national law with the Directive 95/46/EC. This law was amended in 2003 (L. 37(I)/2003) and 2012 (L. 105(I)/2012).

After the Data Protection Act 2018 125(I)/2018 came into force to implement GDPR, the previous law was abolished.

National constitutional protections[edit | edit source]

Article 17 of the Constitution of the Republic of Cyprus establishes the right to respect the secrecy of correspondence and Article 15 the right to privacy and family life.

There is no specific constitutional right to the protection of personal data.

National GDPR implementation law[edit | edit source]

In Cyprus the GDPR is implemented by the Data Protection Act (2018).

Age of consent[edit | edit source]

According to Article 8 of the Data Protection Act (2018) the age of consent is 14.

Below the age of 14, the processing of personal data is lawful upon consent or approval of consent by the ones having the parental responsibility.

Freedom of Expression and Information[edit | edit source]

Article 29 of the Data Protection Act (2018) provides for exception when processing is carried out for journalistic or academic purposes or purposes of artistic or literary expression. The provision mentions that these purposes must be proportionate to their objective and respect the essence of the rights as established in the Charter of Fundamental Rights of the EU and the European Convention of Human Rights.

According to Article 29(2), Article 14 GDPR and Article 15 GDPR apply insofar as the right to freedom of expression and information and the right of journalists to confidentiality are not affected.

Employment context[edit | edit source]

You can help us fill this section!

Access to official documents[edit | edit source]

Pursuant to Article 30 of the Data Protection Act (2018) personal data may be revealed when included in official documents which are held by a public authority or entity for the performance of their task carried out in the public interest. In such cases the national Law 184(I)/2017 on the right of access to documents in the public domain shall apply as well.

Research and statistical purposes[edit | edit source]

By way of derogation from the general rule, Article 31 of the Data Protection Act (2018) foresees that when processing is carried out for archiving purposes in the public interest or for purposes of scientific or historical research or for statistical purposes, the personal data concerned shall not be used in order to take a decision, which has legal effects or similarly significant consequences for the data subject.

Other relevant national provisions and laws[edit | edit source]

Alongside the Data Protection Act (2018), in Cyprus there is also L. 44(I)/2019, which implemented the Directive (EU) 2016/680 on the protection of natural persons when personal data is processed by law enforcement bodies.

The Data Protection Commissioner issues Opinions and (binding) Guidelines.

National ePrivacy Law[edit | edit source]

ePrivacy Directive has been implemented with Section 14 of L. 112(I)/2004 on the regulation of electronic communications and postal services, as amended.

In May 2017 the Data Protection Commissioner of Cyprus and the Commissioner for Electronic Communications and Posts signed a Memorandum of Understanding for their effective cooperation in cases of personal data breaches by the providers of publicly available electronic communications services.

Data Protection Authority[edit | edit source]

The Commissioner for Personal Data Protection (Επίτροπος Δεδομένων Προσωπικού Χαρακτήρα) is the national data protection authority for Cyprus. It resides in Nicosia, Cyprus.

→ Details see Commissioner (Cyprus)

Judicial protection[edit | edit source]

Civil Courts[edit | edit source]

Following a Commissioner's decision, a data subject is entitled to claim material or non-material damages for GDPR violations before the civil courts and to ask for compensation from the data controller or processor.

Administrative Courts[edit | edit source]

You can help us fill this section!

Constitutional Court[edit | edit source]

You can help us fill this section!