Safeguarding Personal Privacy and Data in Cyprus, GDPR

Law 125(I) of 2018 Providing For The Protection of Natural Persons with regard to the Processing of Personal Data and for the Free Movement of Such Data, or Law 125(I) of 2018 for short, is a data privacy law that was passed in Cyprus in 2018. As Cyprus is one of the many countries that make up the European Union, the nation falls under the jurisdiction of the General Data Protection Regulation, or the GDPR for short. As such, Law 125(I) of 2018 sets forth the legal requirements that govern the collection and processing of personal data within Cyprus, as well as the punishments that can be imposed against those who violate said requirements.

What are the variations between Law 125(I) of 2018 and the EU’s GDPR law?

Law 125(I) of 2018 and the EU’s GDPR law are largely identical in their legal requirements for collecting and processing personal data. However, as is the case with many other laws that have been passed for the purposes of implementing the EU’s GDPR law, the two pieces of legislation do vary in the exceptions to these legal requirements. For instance, the EU’s GDPR law places the legal age of consent regarding data collection and processing at 16, while member states within the EU have the right to lower this age when implementing the provisions of the law into their own national legislation.

To this point, Law 125(I) of 2018 places the age of consent regarding data collection and processing at 13, while all individuals younger than the age of 13 can only submit their personal data for collection or processing in accordance with the consent of their parent or legal guardian. In addition, when a data controller or processor within Cyprus “intends to transfer special categories of personal data to a recipient in a third country or to an international organization and the intended transfer is based on appropriate safeguards provided for in Article 46 of the GDPR or on binding corporate rules (‘BCRs’) provided for in Article 47 of the GDPR, the controller or processor must inform the Commissioner of the intended transfer before the data are transferred.”

Moreover, while the EU’s GDPR law mandates that organizations and businesses conduct Data Protection Impact Assessments, or DPIAs, in instances where data processing is “likely to create a high risk to the rights and freedoms of the persons concerned”, the law allows member states to define the activities that could lead to such risks. As such, under Law 125(I) of 2018, the following activities require a DPIA, as well as prior consultation with the Office of the Commissioner for Personal Data Protection, or the Commissioner for short:

  • “Measures to limit, in whole or in part, the rights referred to in Articles 12, 18, 19, and 20 of the GDPR (Article 11 of the Law);
  • Exemption from the responsibility for data breach notification (Article 12 of the Law);
  • Transfers of personal data to third countries or international organizations (Article 17 of the Law);
  • The combination of filing systems that concern special categories of personal data or data concerning criminal convictions or to be used with an identification card number or any other general application identity information (Article 10 of the Law); and
  • The enactment of laws or regulations pursuant to a law, which provide for a particular act or series of personal data processing acts (Article 13 of the Law).”

What are the penalties for violating Law 125(I) of 2018?

Law 125(I) of 2018 is enforced by the Commissioner, who has the authority to impose a variety of punishments and penalties against individuals and organizations who fail to comply with the law when collecting or processing personal data. “In addition to administrative fines, the Law creates a number of criminal offenses for the violation of certain articles of the Law and of the GDPR (i.e. Articles 30, 31, 33(1)(2), 34, 35(1), 42, Chapter V, etc.), punishable upon first conviction with imprisonment of one to five years and/or a fine ranging between €10,000 to €50,000, depending on the offense (Article 33 of the Law).” Furthermore, violators of the law also face monetary fines ranging from a fine of up to €10 million or up to 2% of the total global annual turnover for a business’s previous financial year, whichever amount is higher, to a fine of up to €20 million or up to 4% of the total global annual turnover for a business’s previous financial year, whichever amount is higher.

Through the enactment of Law 125(I) of 2018 in accordance with the provisions of the EU’s GDPR law, the data protection and personal privacy rights of Cypriot citizens were further secured. Through the passing of such legislation, member states within the European Union have been able to usher in a level of data privacy and protection that remains unrivaled around the world, as the legal framework that has been set forth by the EU’s GDPR law represents a major hurdle for any individual or organization who is looking to misuse the personal data of European citizens.