
Data Protection & Privacy in Cyprus: Frequently Asked Questions

Cyprus applies the EU General Data Protection Regulation (GDPR) directly and supplements it with the Processing of Personal Data (Protection of Individuals) Law of 2018 (Law 125(I)/2018), which designates the Commissioner for Personal Data Protection (CPDP) as the national supervisory authority. For any business collecting, storing or transferring personal data in Cyprus, non-compliance carries administrative fines of up to EUR 20 million or 4% of global annual turnover, whichever is higher. This article answers the most frequently asked questions on data protection and privacy in Cyprus, covering the legal framework, obligations for controllers and processors, data subject rights, cross-border transfers, enforcement practice, and practical steps to reduce exposure.

What legal framework governs data protection in Cyprus?

The primary source of data protection law in Cyprus is the GDPR, which has applied directly since May 2018 as an EU regulation requiring no domestic transposition. The GDPR establishes the core principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability, all set out in Article 5 of the GDPR.

Law 125(I)/2018 (the Processing of Personal Data Law) fills the gaps that the GDPR expressly leaves to member states. It sets the minimum age for a child's consent to information society services at 16 years, specifies conditions for processing special categories of data by employers and public authorities, and grants the CPDP its investigative and corrective powers under domestic law.

The Law on Electronic Communications and Postal Services (Law 112(I)/2004, as amended) implements the ePrivacy Directive and governs cookies, electronic marketing and confidentiality of communications. Businesses operating websites or sending marketing emails in Cyprus must comply with both the GDPR and this ePrivacy framework simultaneously.

The Commissioner for Personal Data Protection is an independent authority established under Article 9 of Law 125(I)/2018. The CPDP has the power to conduct audits, issue warnings, impose temporary or permanent bans on processing, and levy administrative fines. It also handles complaints from data subjects and cooperates with other EU supervisory authorities through the European Data Protection Board (EDPB) consistency mechanism.

In practice, international businesses often underestimate the dual-layer compliance obligation: satisfying the GDPR alone is not sufficient if the ePrivacy rules on cookies and direct marketing are ignored. The CPDP has issued guidance making clear that cookie consent banners must meet the same freely given, specific, informed and unambiguous standard required for GDPR consent.

Who must comply and what are the core obligations?

Any organisation that determines the purposes and means of processing personal data of individuals located in Cyprus - or that targets Cyprus-based individuals with goods or services - qualifies as a data controller under Article 4(7) of the GDPR and bears the full compliance burden. A data processor, defined in Article 4(8) as an entity processing data on behalf of a controller, carries a narrower but still significant set of obligations.

The core obligations for controllers operating in Cyprus include:

  • Maintaining a Record of Processing Activities (RoPA) under Article 30 of the GDPR, documenting every processing operation, its legal basis, retention period and security measures.
  • Appointing a Data Protection Officer (DPO) under Article 37 where the organisation is a public body, carries out large-scale systematic monitoring, or processes special categories of data at scale.
  • Conducting a Data Protection Impact Assessment (DPIA) under Article 35 before any high-risk processing, including large-scale profiling, systematic monitoring of public spaces, or processing of sensitive data.
  • Implementing appropriate technical and organisational security measures under Article 32, calibrated to the risk level of the processing.
  • Notifying the CPDP of a personal data breach within 72 hours of becoming aware of it, under Article 33, and notifying affected individuals without undue delay where the breach is likely to result in high risk.

A common mistake made by international companies establishing a Cyprus subsidiary or using Cyprus as an EU gateway is assuming that group-level GDPR compliance documents automatically satisfy Cyprus-specific requirements. The CPDP expects locally adapted privacy notices, DPO registration where required, and processing records that reflect the actual Cyprus operations rather than a copy-paste of a parent company's documentation.

To receive a checklist of core GDPR compliance obligations for controllers and processors operating in Cyprus, send a request to info@vlolawfirm.com.

What are the lawful bases for processing personal data in Cyprus?

Article 6 of the GDPR provides six lawful bases for processing personal data. Selecting the correct basis is not a formality - it determines what rights data subjects can exercise and what defences a controller can raise in enforcement proceedings.

Consent under Article 6(1)(a) is the most frequently misused basis. It must be freely given, specific, informed and unambiguous. Pre-ticked boxes, bundled consent and consent obtained as a condition of service do not meet the standard. The CPDP has consistently applied the EDPB's guidance that consent is not freely given where there is a clear imbalance between the data subject and the controller, particularly in employment contexts.

Contractual necessity under Article 6(1)(b) covers processing that is objectively necessary to perform a contract with the data subject or to take pre-contractual steps at their request. Controllers frequently over-rely on this basis, claiming it covers processing that is merely convenient rather than strictly necessary.

Legitimate interests under Article 6(1)(f) requires a three-part balancing test: identifying a legitimate interest, demonstrating that processing is necessary for that interest, and confirming that the interest is not overridden by the data subject's rights and freedoms. This basis is unavailable to public authorities acting in their official capacity.

For special categories of data - health data, biometric data, racial or ethnic origin, religious beliefs, trade union membership, sexual orientation and genetic data - Article 9 of the GDPR applies a higher threshold. Processing is prohibited unless one of the Article 9(2) exceptions applies, such as explicit consent, employment law obligations, or vital interests. Law 125(I)/2018 adds domestic conditions for processing health data by healthcare providers and for processing by employers in the context of occupational medicine.

A non-obvious risk arises with employee monitoring. Cyprus employers increasingly deploy productivity monitoring software, GPS tracking and email surveillance. Each of these involves special-category-adjacent data or highly intrusive processing. The CPDP requires a DPIA for systematic employee monitoring and expects a documented legitimate interests assessment even where the employer relies on contractual necessity or legal obligation.

Data subject rights: what must businesses honour in Cyprus?

The GDPR grants data subjects a catalogue of rights that controllers must be operationally ready to fulfil. Failure to respond within the prescribed deadlines is itself an infringement that the CPDP can sanction independently of any underlying processing violation.

The right of access under Article 15 entitles a data subject to receive a copy of their personal data and supplementary information about the processing within one month of the request. This period may be extended by a further two months for complex or numerous requests, but the controller must notify the data subject of the extension within the first month and explain the reasons.

The right to erasure under Article 17 - commonly called the "right to be forgotten" - applies where the data is no longer necessary for the purpose for which it was collected, where consent is withdrawn and no other basis exists, or where the data has been unlawfully processed. Controllers must also take reasonable steps to inform other controllers to whom the data has been disclosed.

The right to data portability under Article 20 applies only where processing is based on consent or contract and is carried out by automated means. The data must be provided in a structured, commonly used and machine-readable format. This right is particularly relevant for fintech, healthtech and SaaS businesses operating in Cyprus.

The right to object under Article 21 allows data subjects to object at any time to processing based on legitimate interests or for direct marketing purposes. For direct marketing, the objection is absolute and must be honoured immediately without any balancing exercise.

Controllers must respond to requests free of charge. Where requests are manifestly unfounded or excessive, a reasonable fee may be charged or the request refused, but the controller bears the burden of demonstrating this. A common mistake is treating data subject requests as an administrative nuisance rather than a compliance obligation with its own enforcement timeline.

In practice, it is important to consider that Cyprus courts have jurisdiction to hear civil claims by data subjects for material and non-material damages under Article 82 of the GDPR. Non-material damage - including distress, loss of control over personal data and reputational harm - is compensable without proof of financial loss. This creates litigation exposure separate from CPDP enforcement.

Cross-border data transfers from Cyprus: rules and mechanisms

Cyprus, as an EU member state, applies the GDPR's Chapter V restrictions on transfers of personal data to third countries. A transfer is any disclosure, transmission or making available of personal data to a recipient outside the European Economic Area (EEA). The rules apply regardless of the technical mechanism used - cloud storage, email, API access or physical media.

Transfers to countries with an adequacy decision from the European Commission are permitted without additional safeguards. The list of adequate countries includes the United Kingdom (under a time-limited decision subject to review), Japan, South Korea, Israel, Canada (for commercial organisations) and several others. Controllers must verify that the adequacy decision covers the specific type of transfer they intend to make.

Where no adequacy decision exists, the most widely used mechanism is Standard Contractual Clauses (SCCs), adopted by the European Commission under Article 46(2)(c) of the GDPR. The current SCCs, adopted in 2021, include four modules covering controller-to-controller, controller-to-processor, processor-to-controller and processor-to-processor transfers. Controllers must complete a Transfer Impact Assessment (TIA) to verify that the legal framework of the destination country does not undermine the protections offered by the SCCs.

Binding Corporate Rules (BCRs) are available for intra-group transfers and require approval from a lead supervisory authority. Given Cyprus's relatively small supervisory capacity, the CPDP is rarely the lead authority for BCR applications, but it participates in the EDPB's mutual recognition procedure.

A non-obvious risk for Cyprus-based businesses using US cloud providers is that the EU-US Data Privacy Framework (DPF), adopted in 2023, is subject to ongoing legal challenge. Controllers relying solely on DPF certification should maintain SCCs as a fallback mechanism and document this contingency in their RoPA.

To receive a checklist on cross-border data transfer mechanisms applicable to Cyprus-based operations, send a request to info@vlolawfirm.com.

Enforcement by the Cyprus CPDP: investigations, fines and appeals

The Commissioner for Personal Data Protection exercises enforcement powers under both the GDPR and Law 125(I)/2018. The CPDP can initiate investigations on its own motion, following a complaint from a data subject, or as part of EU-wide enforcement actions coordinated through the EDPB.

The CPDP's investigative tools include requests for information, on-site inspections, access to premises and systems, and interviews with staff. Controllers and processors are legally obliged to cooperate with the CPDP under Article 31 of the GDPR. Obstruction or failure to cooperate is itself an infringement subject to fines of up to EUR 20 million or 4% of global annual turnover.

Administrative fines are tiered under Articles 83(4) and 83(5) of the GDPR. Lower-tier infringements - such as failure to maintain a RoPA, failure to appoint a DPO, or breach of processor obligations - attract fines up to EUR 10 million or 2% of global turnover. Higher-tier infringements - including unlawful processing, violation of data subject rights, and unlawful cross-border transfers - attract fines up to EUR 20 million or 4% of global turnover. The CPDP applies the EDPB's guidelines on calculating fines, which consider the nature, gravity and duration of the infringement, the number of data subjects affected, the degree of responsibility, and whether the controller cooperated.

Beyond fines, the CPDP can issue warnings, reprimands, orders to bring processing into compliance, temporary or permanent bans on processing, and orders to notify data subjects of a breach. In practice, the CPDP frequently issues warnings and compliance orders before escalating to fines, particularly for first-time infringements by smaller organisations.

Appeals against CPDP decisions lie to the Administrative Court of Cyprus (Διοικητικό Δικαστήριο) under Article 146 of the Cyprus Constitution. The appeal must be filed within 75 days of the decision. The Administrative Court reviews the legality of the decision rather than its merits, meaning it will not substitute its own assessment of the fine amount unless the CPDP's reasoning was arbitrary or procedurally flawed. A further appeal on points of law lies to the Supreme Court of Cyprus (Ανώτατο Δικαστήριο).

The risk of inaction is concrete: a data breach that is not notified to the CPDP within 72 hours, combined with a failure to document the breach in the controller's internal breach register, can result in a compounded infringement - one for the breach itself and one for the notification failure. Controllers who discover a breach and delay while seeking legal advice should be aware that the 72-hour clock runs from the moment the controller "becomes aware," which courts and supervisory authorities interpret as the moment a reasonable person in the organisation's position would have had sufficient information to recognise that a breach had occurred.

Practical scenarios: compliance challenges for businesses in Cyprus

Scenario one: a fintech startup using Cyprus as its EU base. A payment services company incorporated in Cyprus processes transaction data, KYC documents and behavioural analytics for customers across the EU. It relies on a third-party cloud provider based in the United States. The company must: designate Cyprus as its EU establishment for GDPR purposes, register its DPO with the CPDP, complete a DPIA for its profiling activities, execute SCCs with its US cloud provider and complete a TIA, and maintain a RoPA covering all processing activities. Failure to complete the TIA before the transfer begins constitutes an unlawful transfer, regardless of whether the SCCs are in place.

Scenario two: a Cyprus employer implementing remote monitoring. A professional services firm with 80 employees in Nicosia deploys software that logs keystrokes, captures periodic screenshots and tracks application usage. This processing involves systematic monitoring of employees and likely qualifies as high-risk processing requiring a DPIA under Article 35. The employer must also identify a lawful basis - legitimate interests is the most plausible, but requires a documented balancing test. Employees must receive a transparent privacy notice before monitoring begins. The CPDP has indicated in published guidance that covert monitoring is disproportionate except in narrowly defined circumstances involving suspected criminal activity.

Scenario three: a real estate company receiving subject access requests. A Cyprus property developer holds data on thousands of prospective buyers, including financial information, passport copies and correspondence. When a former customer submits a subject access request, the company must identify all data held across CRM systems, email archives and paper files, redact third-party data, and respond within one month. A common mistake is providing only the data held in the primary CRM while overlooking email archives and shared drives. The CPDP treats incomplete responses as a violation of Article 15, separate from any underlying processing issue.

We can help build a strategy for GDPR compliance tailored to your business model in Cyprus. Contact info@vlolawfirm.com to discuss your specific situation.

FAQ

What is the most significant practical risk for a business that has not yet implemented GDPR compliance in Cyprus?

The most immediate risk is a personal data breach that triggers simultaneous obligations: notifying the CPDP within 72 hours, notifying affected individuals, and documenting the breach internally. A business without a breach response plan will almost certainly miss the 72-hour deadline, creating a second infringement on top of the underlying security failure. The CPDP has the power to impose fines for both the breach and the notification failure independently. Beyond regulatory exposure, affected individuals can bring civil claims for non-material damages in Cyprus courts without needing to prove financial loss, which creates a separate litigation risk that is difficult to quantify in advance.

How long does a CPDP investigation typically take, and what are the financial consequences?

A CPDP investigation can range from a few months for straightforward complaint-based cases to over a year for complex cross-border matters involving the EDPB consistency mechanism. During an investigation, the controller must cooperate fully and respond to information requests within the deadlines set by the CPDP, typically 10 to 30 days per request. The financial consequences depend on the tier of infringement and the size of the business. For a mid-sized company, a higher-tier fine calculated at 2-4% of global turnover can reach several hundred thousand euros. Legal costs for responding to an investigation - including external counsel, technical experts and document review - can add significantly to the total cost, often starting from the low tens of thousands of euros for a moderately complex matter.

When should a business appoint a Data Protection Officer, and is it worth doing voluntarily?

The GDPR mandates DPO appointment in three situations: the controller or processor is a public authority, the core activities involve large-scale systematic monitoring of individuals, or the core activities involve large-scale processing of special categories of data. Outside these mandatory cases, voluntary appointment is worth considering for businesses that process significant volumes of personal data, operate in regulated sectors such as finance or healthcare, or use Cyprus as their EU establishment for GDPR purposes. A voluntary DPO demonstrates accountability to the CPDP and can reduce the risk of fines by showing proactive compliance. The DPO must have expert knowledge of data protection law, must be given sufficient resources, and must not receive instructions regarding the exercise of their tasks - conditions that are often underestimated by businesses that appoint a DPO in name only.

Conclusion

Data protection and privacy compliance in Cyprus is a substantive legal obligation with direct financial and operational consequences. The GDPR, supplemented by Law 125(I)/2018 and the ePrivacy framework, creates a layered compliance environment that requires documented processes, trained staff, and ongoing monitoring rather than a one-time exercise. The CPDP is an active supervisory authority with the full range of GDPR enforcement powers, and data subjects have independent civil remedies in Cyprus courts.

To receive a checklist of priority compliance actions for businesses operating under Cyprus data protection law, send a request to info@vlolawfirm.com.

Our law firm VLO Law Firms has experience supporting clients in Cyprus on data protection and privacy matters. We can assist with GDPR compliance audits, DPO services, data subject rights procedures, breach response, cross-border transfer mechanisms, and representation before the CPDP. To receive a consultation, contact: info@vlolawfirm.com.