Cyprus – The GDPR one year on

Written by
George Z. Georgiou & Associates LLC, recognised in Cyprus and abroad as a leader in employment and pensions law.
This article looks back on a busy year for the Cyprus Data Protection Authority since the entry into force of the GDPR, including investigations and fines for data protection breaches and the publication of guidelines and opinions on key topics for employers.

The Cyprus Data Protection Authority (DPA) has announced and started drastic inspections and audits in the public and private sectors, but its aim is to give guidance and not to impose high fines, except for very serious issues or breaches.

From 25 May 2018 until the end of 2018, the Cyprus DPA received 281 complaints. It was notified of 32 personal data breaches and issued four decisions with fines of up to EUR 11,500. In the DPA co-operation system, 255 cross-border cases have been registered, for which two decisions have been issued. The Cyprus DPA has stressed that it is within its tasks and powers to carry out inspections to monitor and enforce compliance.

Some recent decisions issued by the Cyprus DPA (February to April 2019) include a EUR 4,000 fine on an insurance company for unsolicited SMS advertising after eight complaints. In a similar case, a media company that published and processed personal data in breach of the GDPR was fined EUR 3,000 following five complaints.

On 31 July 2018, the ‘Law providing for the Protection of Natural Persons with regard to the Processing of Personal Data and for the Free Movement of such Data of 2018’ (Law 125(I)/2018) was published in the official gazette of the Cyprus Republic. The Law was adopted for the effective implementation of the GDPR. Upon its entry into force, the previous national law on processing of personal data was repealed.

In Cyprus, the right to privacy is vested in the Constitution and is afforded the highest protection. The GDPR has strengthened the legal regime around privacy even further. Its entry into force has enhanced the previous legal privacy framework but, more importantly, has raised awareness and managed to put compliance onto the agendas of board meetings, influencing workplace policies and procedures and employers’ attitude to employees’ rights and privacy.

The Cyprus DPA has issued opinions and guidelines on video surveillance at the workplace and the use of biometric systems, on access to employees’ and former employees’ email, and general guidance on monitoring in the workplace.

Exercising its power under Article 58(3)(b) of the GDPR, it has recently issued an opinion regarding workplace email monitoring, emphasising that the employer should ensure that work-related emails are also accessible from other sources. In addition, the employer could offer employees the option to have two email accounts, clarifying the distinction between emails for professional and private use, and reducing the likelihood of employers violating employees’ privacy.