Cyprus - Data Protection
History of Data Protection in CYPRUS
Cyprus was one of the ten states to join the EU on 1 May 2004. Compliance with Directive 95/46/EC, an important precondition of joining, was assured through the implementation of the Processing of Personal Data (Protection of the Individual) Law of 2001.
The 2001 law was amended in 2003, through Law No. 37(I)/2003. This amended the law under which processing for direct marketing purposes can take place.
Summary of Data Protection in CYPRUS
| Title of Data Protection Legislation | Processing of Personal Data (Protection of the Individual) Law 138(1) 2001 |
| Name of supervisory authority | Commissioner for Personal Data Protection |
| General Powers of supervisory authority |
The commissioner is responsible for monitoring the application
of the Processing of Personal Data Law 2001 (see s18(1)) Section 23 sets out the functions of the Commissioner. These include: b) to assist in the drawing up of codes of conduct e) to report any contraventions of the law to the relevant authorities. h) to conduct inquiries following complaints or on his own initiative |
| Who has standing to notify the supervisory authority of breaches? | The data subject |
| > What are the penalties for data controllers if they breach the law? |
Sanctions are laid out in s25(1) of the 2001 law. They are warnings, fines, temporary or permanent revocation of licences, destruction of filing systems or the cessation of processing and the destruction of the relevant personal data. |
| Have any provisions been made for the processing of a national identification number or a general identifier, as per Article 8(7)? | No |
| Is it necessary to obtain consent before processing personal data, or are alternatives available even when obtaining consent would not be impracticable or inappropriate? | It is probably sufficient to use alternatives to consent even when it is not impracticable or inappropriate to obtain it. |
| Does the Data Protection Legislation cover the deceased? | No |
| Who is able to indirectly identify the data subject? | Anybody |