Personal Data


  • Giannos Danielidis, Commissioner For Personal Data Protection

What is personal data?

Personal data are any information that identify or can potentially identify a natural living person. Such data are, for example, our identity, social insurance, passport, telephone or vehicle registration number, or biometric data such as fingerprints or even DNA data extracted from a piece of hair.

What is sensitive personal data?

The law provides that data concerning racial or ethnic origin , political convictions, religious or philosophical beliefs, participation in a body, association or trade union, sex life and erotic orientation and data relevant to criminal prosecutions and convictions are sensitive data. The legislator provides that sensitive data should enjoy a higher level of protection because it is often easy for people to suffer discriminations on the basis of these data.

Which acts fall within the term “processing of personal data”? Which business activities are really affected by the legislation on personal data protection?

Any operation that includes the collection, recording, organization, preservation, storage, alteration, extraction, use, transmission, dissemination or any form of form of disposal, connection or combination, blocking, erasure or destruction of data is a form of processing of personal data. Therefore, any business activity or set of activities carried out by automatic means or not, that falls under this description, is affected by the legislation on personal data protection.

Is there any special law in Cyprus? 

The Law for personal data protection in Cyprus was put in effect into 2001. The first Commissioner was appointed in 2002, and the Commissioner’s Office was fully operational in 2003. Many people are not yet fully aware of the obligations and rights that arise from this law and a lot of work is still needed to raise awareness.

Are there any regulations, guidelines etc regarding personal data processing?

My office has issued a number of guidelines concerning the use of internet and mobile telephone services and applications, the processing of data in the employment sector and video surveillance, which are available both in printed form and on our website www. dataprotection.gov.cy .

Which are the parties involved in personal data processing?

First of all it is us, the data subjects to whom the personal data relate to. It is us who must learn when we should give our data and when not. Then we have the data controllers who collect and process data from various categories of data subjects, employees, customers, applicants etc. Sometimes a controller that does not have the knowledge or equipment to carry out a particular form of processing may assign this particular task to a processor, who acts under the direct written instructions of the controller. The law provides that if the controller is established outside the European Union then he must appoint a representative within the Union. Finally we have the third parties to whom data may be communicated to. The Law permits this communication under certain conditions for lawful processing.

Which are the conditions for lawful processing of personal data?

The law provides that the processing of personal data is permitted when we give our concern. But it is also permitted without our consent when processing is necessary for compliance with a legal obligation or for a the performance of a contract we are party to, or for the protection of our vital interests, or for purposes of public interest or for the legitimate interests pursued by a controller or a third party, on condition that these interests override our rights, interests and fundamental freedoms. As regards sensitive data the Law provides that the processing of sensitive data is prohibited.

Are there any exemptions from the above conditions?

There are some exemptions that allow the processing of sensitive personal data, for example, when the data subject has given his explicit consent, or for the fulfillment of obligations in the employment sector, or for the protection of vital interests, or in the context of the activities of an organization or union the data subject is a member of or the processing relates to data made public by us or health data processed by professionals bound to rules of confidentiality or for grounds of national or public security, or for statistical, research and scientific purposes or for journalistic purposes.

Do the above exemptions allow to easily circumventing the law regarding the protection of personal data?

The Law serves two primary purposes, to protect individuals and, to facilitate the free movement of personal data within the European Union. In that respect, the above exemptions are there to serve these purposes and it is not an issue of easily circumventing the law.

Is there any additional condition when transferring personal data abroad?

The Law provides several conditions that allow the transfer of data to countries outside the Union and the European Economic Area, even to countries that do not have an adequate level of protection, in accordance with a relevant decision of the European Commission. However, the current system of authorizing transfers has proved to be too bureaucratic and burdensome, both for controllers and supervisory authorities and it is currently under revision.

When does the Cyprus Law apply?

The Law applies to controllers established in Cyprus but also to controllers established outside the Union and the European Economic Area, who use automated means for processing personal data in Cyprus. In the latter case, the controllers have to appoint representatives here in Cyprus.

Special cases of personal data processing: “whistle blowing”/ platforms/ monitoring projects

Our Office does not have extensive experience in issues such as whistle blowing, complaints against social networks or profiling practices for targeted online behavioral advertising. However, we have active participation in the Article 29 Working Party, which is composed by representatives of all EU supervisory authorities and deals with these issues. The Working Party has issued relevant Opinions on the aforementioned issues, which are available on our website.

Are data subjects conferred specific rights at Law?

The Law gives data subject the right to be given basic information about the processing of their data in order to be able to take informed decisions. Any individual has the right to access his/ her personal data by submitting relevant written requests to controllers. The controller can charge 17 euro for each request. If the information that the controller has is inaccurate the data subject has the right to demand erasure of rectification or to object to the processing or to seek judicial remedy.

What changes does the Commission’s proposal for a (General) Data Protection Regulation introduce? What is the aim of this Regulation?

In January 2012 the Commission presented a proposal for a (General) Data Protection Regulation, which substitutes Directive 95/46/EC, the current legislation. This was deemed necessary in order to be in line with the obligations provided for by the Lisbon Treaty, to better deal with rapid technological developments and globalization and to remedy the non-harmonizing problems that arose during the implementation of Directive 95/46/EC. The proposed Regulation aims to strengthen citizens’ right to data protection and privacy and to better regulate single market objectives. The proposal introduces, inter alia, provisions for better protection to children in the online word, obligations to manufacturers to apply privacy by design and by default in new technologies and applications and the right to be forgotten, i.e. the data subject’s right to object to or delete or further disseminate, under certain conditions, information relating to him published on the internet. One major improvement is the one-stop-shop, which determines that both data subjects and controllers throughout the Union will have to deal with only one supervisory authority. The proposal is currently discussed at the Council, under the Cyprus Presidency.




Log in to your account or