CYPRUS

CHART INSTRUCTIONS:

 Local law does not deviate from the GDPR.

 Local law deviates from the GDPR.

Name

Law of 2018 on the Protection of Natural Persons with Regard to the Processing of Personal Data and the Free Movement of Such Data (Law 125(I)/2018)

Status: Adopted

SME EXCEPTION

No Deviation

Lawfulness of processing (Art 6)

VARYING:
Exception added for the courts of Cyprus and the Cypriot parliament during their respective operations.

CHILD’S CONSENT (ART 8)

SPECIFYING: 14 years old

SENSITIVE DATA (GENETIC, BIOMETRIC AND HEALTH DATA) (ART 9 (4))

VARYING:
Prohibition of processing genetic or biometric data for life insurance or medical insurance purposes.

CCTV (Art 6)

No Deviation

Criminal convictions/security measures (Art 10)

VARYING:
When public bodies combine two or more databases that contain a large volume of personal data relating to criminal convictions, they must first conduct a DPIA and consult with the Cypriot data protection commissioner.

Information obligation (Art 13 & 14)

Information obligations are applicable to the extent they do not violate the freedom of expression or the freedom of journalism.

Automated individual decision making (Art 22)

No Deviation

Restrictions to data subject’s rights (Art 23)

ADDITIONAL:
In order for a data controller or processor to invoke an Article 23 exception, they need to first conduct a DPIA and consult with the Cypriot data protection commissioner. The data protection commissioner can impose conditions on any such restriction.

Joint controller responsibilities (Art 26 (1))

No Deviation

Ad hoc notifications – records of processing activities (Art 30)

ADDITIONAL:
Each of the following failures concerning records of processing activities is a criminal offense:

  • Not having a record of processing activities.
  • Having but not updating a record of processing activities.
  • Having but not providing a record of processing activities to the authorities upon request.
  • Providing an outdated, inaccurate, or incomplete record of processing activities to the authorities.

Security of processing (Art 32)

No Deviation

Data breach (Art 33 & 34)

VARYING:
It is a criminal offense not to notify the Supervisory Authority about a data breach. It is a criminal offense not to notify the data subject about a data breach.

Data protection impact assessment (Art 35)

VARYING:
It is a criminal offense not to conduct a data protection impact assessment.

Data protection officer (Art 37(4))

No Deviation

Certification (Art 42)

VARYING:
It is a criminal offense for a certification body to provide a certificate that does not fulfill all the GDPR Article 42 requirements.

Data transfer derogations (Art 49(5))

ADDITIONAL:
A DPIA and prior consultation with the SA are required for every data transfer derogation.

Powers of supervisory authorities (Art 58)

ADDITIONAL:
The SA has the following additional powers:

  • Access any personal data requested for any reason without any confidentiality claim (excluding the client-lawyer legal privilege).
  • Conduct dawn raids in any establishment (excluding houses).
  • Engage forensic experts and/or the police forces for any of its functions.
  • Confiscate any relevant documents and equipment.
  • Require the Cypriot Organization for the Promotion of Quality to revoke any certification.
  • Report the Cypriot Organization for the Promotion of Quality to the European Commission for noncompliance.
  • Impose conditions on a number of GDPR functions.
  • Report to the police and the criminal prosecutor any noncompliance that may amount to a criminal offense.
  • Be in charge of staff member transfers.

Class actions (Art 80(2))

No Deviation

Administrative sanctions (Art 83)

SPECIFYING:
An administrative sanction imposed on a public body regarding not-for-profit processing activities cannot be higher than €200,000.

Penalties (Art 84)

SPECIFYING:
Depending on the GDPR violation, criminal penalties range from 1 to 5 years of imprisonment and from €10,000 to €50,000.

Freedom of expression and information (Art 85)

No Deviation

HR processing (Art 88)

No Deviation

Processing for archiving, scientific, historical research, or statistical purposes (Art 89)

No Deviation

Obligations of secrecy (Art 90)

No Deviation