Legal-Updates
2026-07-09 00:00 Legal-Updates

Data Protection Update in Cyprus: Q4 2025

Cyprus data protection law is evolving rapidly, and the fourth quarter brought a cluster of enforcement decisions, updated guidance, and cross-border coordination activity that every business operating on the island needs to understand. The Office of the Commissioner for Personal Data Protection - Cyprus';s national supervisory authority under the EU General Data Protection Regulation (GDPR) - has sharpened its focus on accountability, data transfers, and the obligations of data processors. This guide summarises the key developments, explains their practical implications, and identifies the compliance steps that businesses should prioritise now.

Key regulatory actions by the Cyprus Commissioner in Q4

The Commissioner for Personal Data Protection (the "Commissioner") issued several formal decisions and reprimands during the quarter. The decisions reflect a clear enforcement priority: organisations that fail to implement adequate technical and organisational measures under Article 32 of the GDPR face not only corrective orders but also financial penalties calibrated to the scale of the infringement.

One notable cluster of decisions concerned the healthcare sector. Medical practices and private clinics received formal warnings for retaining patient records beyond the periods specified in their own retention policies. The Commissioner emphasised that a retention policy is a binding internal commitment, not a general aspiration, and that failure to enforce it constitutes a breach of the storage limitation principle under Article 5(1)(e) of the GDPR. Organisations in regulated sectors - healthcare, legal services, financial services - should treat this as a direct signal to audit their retention schedules and deletion workflows.

A second area of enforcement activity involved direct marketing communications. Several businesses received reprimands for sending promotional emails without a valid legal basis. The Commissioner reiterated that consent obtained through pre-ticked boxes or bundled with terms and conditions does not meet the GDPR standard of freely given, specific, informed and unambiguous consent. Businesses relying on consent for marketing must review their consent capture mechanisms and maintain granular records of when and how consent was obtained.

The Commissioner also opened a formal inquiry into a financial services firm following a complaint about the firm';s response to a data subject access request (DSAR). The inquiry highlighted a recurring problem: organisations acknowledge DSARs promptly but then fail to provide a substantive response within the one-month deadline set by Article 12 of the GDPR. In practice, this often happens because internal data mapping is incomplete, making it difficult to locate all personal data held about a specific individual. Businesses should treat this inquiry as a prompt to stress-test their DSAR handling procedures.

Legislative and guidance developments affecting Cyprus data protection 2025

Beyond enforcement, the quarter produced important guidance and legislative context that shapes how the GDPR applies in Cyprus.

The Commissioner published updated guidance on the use of cookies and similar tracking technologies. The guidance aligns Cyprus';s position with the approach taken by several other EU supervisory authorities and makes clear that analytics cookies are not strictly necessary and therefore require consent. The guidance also addresses consent management platforms (CMPs), specifying that a CMP must not be configured in a way that makes it easier for a user to accept all cookies than to reject them. Businesses operating websites with Cyprus-based users - or targeting Cyprus residents - should review their cookie banners against these requirements.

At the EU level, the European Data Protection Board (EDPB) continued to issue opinions and guidelines that bind all member state supervisory authorities, including Cyprus. The EDPB';s ongoing work on legitimate interests under Article 6(1)(f) of the GDPR is particularly relevant for businesses that rely on this legal basis for processing activities such as fraud prevention, network security, and internal analytics. The EDPB';s position narrows the scope of legitimate interests compared to some earlier national interpretations, and Cypriot businesses relying on this basis should reassess their legitimate interests assessments (LIAs).

Cyprus also continued to implement obligations arising from the NIS2 Directive, which entered into force across the EU and requires operators of essential and important entities to maintain robust cybersecurity measures. While NIS2 is distinct from the GDPR, the two frameworks overlap significantly in the area of incident response. A cybersecurity incident that results in a personal data breach triggers obligations under both regimes simultaneously. Organisations in sectors covered by NIS2 - energy, transport, banking, health, digital infrastructure - must ensure their incident response plans address both sets of obligations in a coordinated way.

Cross-border data transfers: practical implications for Cyprus businesses

Cyprus';s position as a hub for international business - particularly in financial services, shipping, and technology - means that cross-border data transfers are a daily operational reality for many organisations registered or operating on the island. The regulatory landscape for such transfers remained active during the quarter.

The EU-US Data Privacy Framework continues to provide a transfer mechanism for transfers to certified US entities. However, the Commissioner';s updated guidance reminds controllers that they cannot rely on the Framework passively. Controllers must verify that the US recipient remains certified, document that verification, and assess whether the specific categories of data being transferred are within the scope of the recipient';s certification. A common mistake is to check certification once at the outset of a relationship and then assume it remains valid indefinitely.

For transfers to countries without an adequacy decision, Standard Contractual Clauses (SCCs) remain the primary mechanism. The Commissioner';s guidance reinforces the requirement to conduct a Transfer Impact Assessment (TIA) before relying on SCCs. A TIA requires the controller to assess the legal framework of the destination country and determine whether it provides essentially equivalent protection to EU law. Many businesses complete this exercise superficially, relying on generic country assessments rather than analysing the specific data flows and the legal context of the recipient. The Commissioner has indicated that TIA quality will be a focus of future audits.

Businesses using cloud service providers headquartered outside the EU should also review their data processing agreements to ensure they reflect the current SCC modules. The transition period for legacy contracts has now passed, and contracts that still reference the old SCCs are non-compliant. This is a straightforward but frequently overlooked remediation task.

If your organisation transfers personal data outside the EU or relies on complex processing chains involving multiple jurisdictions, contact info@vlolawfirm.com. We can assist with transfer mechanism selection, TIA preparation, and contract review.

Accountability and documentation: what the Commissioner expects

The accountability principle under Article 5(2) of the GDPR requires controllers not only to comply with the regulation but to be able to demonstrate compliance. The Commissioner';s enforcement activity during the quarter consistently returned to this theme: organisations that could not produce documentation of their compliance decisions faced more severe outcomes than those that had documented their reasoning, even where the underlying decision was imperfect.

The Record of Processing Activities (RoPA) is the foundational accountability document. Under Article 30 of the GDPR, most organisations are required to maintain a RoPA that describes each processing activity, its purpose, legal basis, categories of data and data subjects, recipients, retention periods, and transfer mechanisms. The Commissioner';s inspections have found that many Cypriot businesses maintain a RoPA that was created at the time of GDPR implementation but has not been updated since. A RoPA that does not reflect current processing activities is worse than no RoPA at all, because it creates a documented discrepancy between stated and actual practice.

Data Protection Impact Assessments (DPIAs) are required under Article 35 of the GDPR for processing activities that are likely to result in a high risk to individuals. The Commissioner';s list of processing types requiring a mandatory DPIA in Cyprus includes systematic monitoring of publicly accessible areas, large-scale processing of special categories of data, and automated decision-making with significant effects. Businesses that have introduced new technologies - AI-assisted hiring tools, biometric access systems, behavioural analytics platforms - without conducting a DPIA are exposed to enforcement risk.

Data breach notification obligations under Article 33 of the GDPR require controllers to notify the Commissioner within 72 hours of becoming aware of a personal data breach, where the breach is likely to result in a risk to individuals. The quarter saw several cases where organisations notified the Commissioner late, citing internal investigation delays. The Commissioner has clarified that the 72-hour clock starts when the organisation becomes aware that a breach has occurred, not when the full scope of the breach has been established. Organisations should notify promptly with the information available and supplement the notification as the investigation progresses.

Two practical scenarios illustrate the accountability gap. First, a technology company operating in Limassol introduced an AI-powered customer service chatbot that processes personal data. The company did not conduct a DPIA before deployment, reasoning that the chatbot was a customer service tool rather than a high-risk system. The Commissioner';s guidance makes clear that automated processing of personal data at scale, combined with profiling elements, triggers the DPIA requirement regardless of how the system is characterised internally. Second, a shipping company based in Nicosia transferred crew member data to a third-country port authority without updating its SCCs or conducting a TIA, relying on a contract signed several years earlier. Both scenarios represent common patterns that the Commissioner';s current enforcement priorities are designed to address.

Employee data and workplace privacy: emerging focus area

Workplace privacy emerged as a distinct enforcement theme during the quarter. The Commissioner received a higher-than-usual volume of complaints from employees concerning monitoring practices, and several of these complaints resulted in formal investigations.

The legal framework for employee monitoring in Cyprus derives from the GDPR, the Processing of Personal Data (Protection of Individuals) Law of 2018 (Law 125(I)/2018), and the constitutional right to privacy. Employers are not prohibited from monitoring workplace communications or activity, but they must satisfy a demanding set of conditions. The monitoring must have a clear legal basis - typically legitimate interests or compliance with a legal obligation. It must be proportionate to the purpose. Employees must be informed in advance through a clear and accessible privacy notice. And the employer must be able to demonstrate that less intrusive alternatives were considered and rejected.

The Commissioner';s investigations found that several employers had implemented monitoring software - keystroke logging, screen capture, email scanning - without providing adequate notice to employees and without conducting a DPIA. Both failures are serious. The absence of a DPIA for systematic employee monitoring is a direct breach of Article 35. The absence of a privacy notice means employees were processed without being informed, breaching the transparency principle under Article 5(1)(a).

Employers who have introduced remote working monitoring tools since the shift to hybrid work should treat this enforcement trend as an urgent prompt to review their practices. The review should cover the legal basis for monitoring, the proportionality of the measures, the adequacy of employee notices, and whether a DPIA has been conducted. Where monitoring is found to be disproportionate, it should be scaled back rather than simply documented.

FAQ

What are the most significant compliance risks for businesses in Cyprus right now?

The Commissioner';s enforcement activity points to three primary risk areas: inadequate technical and organisational measures under Article 32, failure to handle data subject access requests within the one-month deadline, and non-compliant cross-border data transfer arrangements. Businesses that have not reviewed their security measures, DSAR procedures, and transfer mechanisms recently are likely to have gaps in at least one of these areas. The Commissioner has also signalled that employee monitoring and cookie consent will remain enforcement priorities, making these areas of particular concern for businesses with significant digital operations or hybrid workforces.

How long does it take to bring a data protection compliance programme up to standard, and what does it cost?

The timeline and cost depend heavily on the size and complexity of the organisation. A small business with straightforward processing activities can typically complete a gap assessment, update its RoPA, and revise its privacy notices within four to eight weeks, with professional fees in the low thousands of EUR. A medium-sized organisation with multiple processing activities, international data flows, and a significant employee base should budget for a more extended programme - typically three to six months - with correspondingly higher professional fees. The cost of non-compliance, including regulatory fines and reputational damage, generally exceeds the cost of a well-structured compliance programme.

Should a Cyprus-based business appoint a Data Protection Officer, and what are the alternatives?

Under Article 37 of the GDPR, a Data Protection Officer (DPO) is mandatory for public authorities, organisations that carry out large-scale systematic monitoring of individuals, and organisations that process special categories of data on a large scale. Many Cyprus-based businesses fall outside these categories and are not required to appoint a DPO. However, the accountability principle still requires them to demonstrate that data protection is managed responsibly. Alternatives to a mandatory DPO include appointing a voluntary DPO, designating an internal data protection coordinator, or engaging an external data protection adviser on a retainer basis. The right approach depends on the volume and sensitivity of processing activities and the organisation';s internal capacity.

Conclusion

The fourth quarter reinforced that data protection compliance in Cyprus is an active regulatory environment, not a one-time exercise. The Commissioner is enforcing across a broad range of sectors and processing activities, with particular attention to accountability documentation, cross-border transfers, employee monitoring, and consent quality. Businesses that treat compliance as a living programme - regularly reviewed and updated as operations change - are significantly better positioned than those that rely on legacy documentation.

VLO Law Firms advises international clients on data protection matters in Cyprus. We can assist with GDPR gap assessments, RoPA preparation, DPIA drafting, transfer mechanism review, employee privacy notices, and regulatory response. To request a consultation, contact: info@vlolawfirm.com