
DATA PROTECTION & PRIVACY

The Notion of Data Protection & Privacy as Two Fundamental Rights

It could be argued that data protection and privacy are two interconnected, fundamental rights underpinning sustainable democracy across the European Union (EU).

Data protection relates to protecting any information relating to an identified or identifiable natural (living) person, including their name, date of birth, photograph and video footage, email addresses, telephone numbers, as well as IP addresses and communications content that is related to, or provided by, end-users of communications services.

Article 4(1) GDPR defines “personal data” as any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Article 9(1) GDPR defines “special categories of personal data” as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Privacy, or the right to a private life, relates to one’s right to respect for their private and family life, home and communications – it connotes living an autonomous life in which you are in control of information regarding yourself. Privacy may also be considered to be something more than a fundamental right: a social value.

The right to privacy is enshrined in the Universal Declaration of Human Rights, the European Convention for the Protection of Human Rights and Fundamental Freedoms, the EU Charter of Fundamental Rights, and the Constitution of the Republic of Cyprus (refer to Data Protection & Privacy: Legal Framework).

Data Protection & Privacy: Legal Framework

The data protection and privacy framework in the Republic of Cyprus is predominantly governed by the following pieces of international, EU and national legislation:

  • The Universal Declaration of Human Rights, a milestone document in the history of human rights, provides for protection against arbitrary interference with one’s privacy, family, home or correspondence, and for the right to legal protection against such interference or against attacks on one’s honour and reputation.
  • The EU Charter of Fundamental Rights contains two (2) key provisions in Title II (Freedoms) relating to data protection and privacy: Article 7 (Respect for private and family life) and Article 8 (Protection of personal data).
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, known as the GDPR). The GDPR entered into force on 25 May 2018.
  • The Government of the Republic of Cyprus has enacted a supplementary law to the GDPR, namely the Law for the Protection of Natural Persons with regard to the Processing of Personal Data and for the Free Movement of such Data of 2018 (Law 125(I)/2018). This Law entered into force on 31 July 2018.
  • Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
  • Directive (EU) 2016/680 has been transposed into the legal framework of the Republic of Cyprus through the enactment of the Law for the Protection of Natural Persons with regard to the Processing of Personal Data by Competent Authorities for the Purposes of the Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties, and on the Free Movement of such Data of 2019 (Law 44(I)/2019). This Law entered into force on 27 March 2019.
  • Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on Privacy and Electronic Communications, known as the e-Privacy Directive). Pending the entry into force of an EU regulation governing e-privacy and e-marketing, the text of the e-Privacy Directive remains the key piece of legislation on the matter.
  • Directive 2002/58/EC has been transposed into the legal framework of the Republic of Cyprus through the enactment of The Regulation of Electronic Communications and Postal Services Law of 2004, as amended (Law 112(I)/2004). This Law entered into force on 30 April 2004.
  • Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.
  • Directive (EU) 2016/1148 has been transposed into the legal framework of the Republic of Cyprus through the enactment of The Security of Network and Information Systems Law of 2020 (Law 89(I)/2020). This Law entered into force on 12 August 2020.
  • The Law ratifying the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Law 28(III)/2001), with Council of Europe treaty reference ETS No.108. This Law entered into force on 23 November 2001.
  • The Law ratifying the Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Law 30(III)/2003), with Council of Europe treaty reference ETS No.181. This Law entered into force on 4 July 2003.
  • The Law ratifying the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Law 6(III)/2020), with Council of Europe treaty reference CETS No.223. This Law entered into force on 14 August 2020.
  • The European Convention for the Protection of Human Rights and Fundamental Freedoms of 1950 (ECHR), as amended and supplemented, provides that everyone has the right to respect for his private and family life, his home and his correspondence: Article 8 (Right to respect for private and family life).
  • The Constitution of the Republic of Cyprus contains two (2) key provisions in Part II (Fundamental Rights & Freedoms) relating to privacy. Article 15 safeguards the right to respect for one’s private and family life. Article 17 protects the right to respect and safeguard the confidentiality of correspondence and communication.
  • Memorandum of Understanding and Cooperation (MOU) signed on 19 May 2017 between the Commissioner of Electronic Communications and Postal Regulation (OCECPR) of the Republic of Cyprus and the Commissioner for Personal Data Protection of the Republic of Cyprus for the purposes of implementing the provisions of Law 112(I)/2004 and the Decree on Notification of Breaches by Providers of Publicly Available Electronic Communication Services (RAA 190/2015).
  • Guidelines issued by the European Data Protection Board.
  • Opinions issued by the Commissioner for Personal Data Protection of the Republic of Cyprus.

Data Protection & Privacy: Data Subject’s Rights under the GDPR

Where the GDPR applies, a data subject has the following rights giving them control over their personal data:
  • Right to information about the individual’s personal data in a concise, transparent, intelligible and easily accessible form, using clear and plain language;
  • Right of access to the individual’s personal data;
  • Right to rectification of the individual’s personal data which is inaccurate or incomplete;
  • Right to erasure of the individual’s personal data (known as the “right to be forgotten”);
  • Right to restriction of processing of the individual’s personal data;
  • Right to object to the processing of the individual’s personal data;
  • Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the individual, or similarly significantly affects the individual; and
  • Right to withdraw consent.

Data Protection & Privacy: Child’s Consent

According to Article 8 GDPR, an EU Member State may provide by law for a lower age than sixteen (16) years old for the purposes of obtaining a child’s consent for the processing of personal data in relation to the offer of information society services directly to a child, provided that such lower age is not below thirteen (13) years old.

The Law for the Protection of Personal Data (Law 125(I)/2018) provides that a child is a person under the age of fourteen (14) for the aforesaid purposes.

Data Protection & Privacy: Certification Body

The Certification Body pursuant to Article 43 GDPR is the Cyprus Organisation of the Promotion of Quality (CYS-CYSAB) founded under the Standardisation, Accreditation and Technical Notification Law (Law 156(I)/2002).

Data Protection & Privacy: National Supervisory Authority

The Office of the Commissioner for Personal Data Protection of the Republic of Cyprus is the supervisory authority of the Government of the Republic of Cyprus pursuant to the GDPR and the supplementary Law 125(I)/2018 and represents the State before the European Data Protection Board.

The Office is headed by Ms. Irene Loizidou Nikolaidou, as the Commissioner for Personal Data Protection of the Republic of Cyprus.

Commissioner for Personal Data Protection: Authority

The Commissioner has regulatory, investigative, corrective and decision-making authority, which includes the power to:

  • examine and decide upon complaints in relation to the protection of personal data and associated personal data breaches;
  • conduct investigations;
  • issue warnings and reprimands to controllers and processors; and
  • decide on the imposition of penalties and other administrative fines.

For the full list of competences, tasks and powers of National Supervisory Authorities under the GDPR, refer to Articles 55-59 GDPR as well as to Sections 23-25 Law 125(I)/2018 for certain additional duties and powers of the Commissioner.

Commissioner for Personal Data Protection: Administrative Fines

The Commissioner has discretion to impose hefty administrative fines for GDPR infringements, which include:

  • administrative fines up to €10 million or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for breach of a controller or a processor’s obligations pursuant to Articles 8, 11, 25-39, 42 and 43 GDPR, obligations of the Certification Body pursuant to Articles 42-43 GDPR, and obligations of the monitoring body pursuant to Article 41(4) GDPR;
  • administrative fines up to €20 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for breach of the basic principles for processing, including conditions for consent pursuant to Articles 5-7 and 9 GDPR, the data subjects’ rights pursuant to Articles 12-22 GDPR, the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44-49 GDPR, any obligations pursuant to Member State law adopted under Chapter IX GDPR, and non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) GDPR or failure to provide access in violation of Article 58(1) GDPR; and
  • administrative fines up to €20 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for non-compliance with an order by the supervisory authority as referred to in Article 58(2) GDPR.

Commissioner for Personal Data Protection: Criminal Liability

Breach of certain provisions of Law 125(I)/2018 or the GDPR amounts to a criminal offence which, upon conviction, leads to imprisonment of up to five (5) years and/or a fine of up to €50,000 depending on the criminal offence committed.

Commissioner for Personal Data Protection: International Cooperation

In addition, the Commissioner’s Office cooperates closely with the following national, EU and international bodies and organisations relating to data protection and privacy:

  • The European Data Protection Supervisor (EDPS), which is the EU’s independent data protection supervision authority.
  • The Global Privacy Assembly (formerly known as the International Conference of Data Protection and Privacy Commissioners, or ICDPPC), to which the Commissioner is an Accredited Member.
  • Large-scale IT systems operating in the EU, the supervision of which is shared between the National Supervisory Authorities and the EDPS in order to ensure a high and consistent level of data protection. These databases include:
    - the second generation Schengen Information System (SIS II)
    - the EURODAC (which is a European asylum dactyloscopy database)
    - the Visa Information System (VIS)
  • Other large-scale IT systems operating in the EU include:
    - EUROPOL information systems
    - the European Union Agency for Criminal Justice Cooperation (EUROJUST)
    - the Internal Market Information System (IMI)
    - the Customs Information System (CIS)


Commissioner for Personal Data Protection: Contact Details

A: 1 Iasonos Street, P.O. Box 23378, 1082 Nicosia

T: +357 22 818 456

F: +357 22 304 565

E: [email protected]

W: http://www.dataprotection.gov.cy/

Data Protection & Privacy: Judicial Recourse & Damages

Every person, be it natural or legal, has the right to appeal a decision issued by the Commissioner for Personal Data Protection by commencing a recourse before the Administrative Court.

In addition, a data subject has the right to claim compensation as material and/or non-material damages for GDPR infringements before the Civil Courts of the Republic of Cyprus by commencing a legal action against a data controller and/or processor.

Our Data Protection & Privacy Practice Portfolio

The Data Protection & Privacy practice at ServPRO aims to provide its clientele with a comprehensive approach to related services, which include, first and foremost, advising and assisting clients with regard to their obligations under the applicable national, EU and international data protection and privacy legislation.

By extension, we advise our clients on the transfer of personal data within the EU / EEA and on the cross-border transfers of personal data to processors located outside the EU / EEA.

In addition, our clients seek our services in drafting, reviewing, and conducting the legal vetting of data processing agreements and applicable policies including their respective client, employee, and candidate privacy policies.

Our clients further seek our services in drafting, reviewing, and conducting the legal vetting of terms and conditions of website use, website privacy and cookie policies.

At ServPRO, we always assist our clientele with their marketing and e-commerce legal duties and obligations in order to ensure their compliance with the applicable legislation, as well as to enable their e-business to rise up to the standards of today, and prepare for tomorrow.

For our clients seeking to commence legal proceedings, we undertake the recourse before the Administrative Court and any appeal before the Supreme Court on our clients’ behalf, as well as legal actions for damages before the Civil Courts of the Republic of Cyprus.

Where the circumstances so necessitate, we may undertake proceedings before the competent institutions of the EU and/or the Council of Europe, depending on the case at hand.

T: +357 22 021100
F: +357 22 757566
1 Kinyras Street, Kinyras Tower,
3rd Floor, 1102 Nicosia, Cyprus
servpro.com.cy
© ServPRO 2011-2023. All Rights Reserved.