May 7, 2020

Data Protection: Cyprus Covid-19 Tracing app

The Cyprus government has been put on a pedestal and has been praised globally for having dealt with preventing the spread of the coronavirus outbreak in a timely, sensible and effective manner. Having already entered the first phase of easing the measures and witnessing one of the lowest numbers in cases worldwide, the government is working towards a mellow return to normal life, however staying alert.

Cyprus‘ government is now suggesting the voluntary use of a mobile phone app called COVTRACER, which has been designed to locate people who have come in contact with individuals tested positive to Covid-19. The app will allow people who have tested positive to the virus to share the information with public health authorities, which would then in turn utilize the data to trace anyone who may have been in close proximity to an infected individual. 

As announced by the Deputy Ministry of Research, Innovation and Digital Policy, the COVTRACER app was developed in partnership with a government funded research centre and it uses GPS data to track an individual’s daily movements. This data is then stored into the device’s log file, which can then be shared with health authorities if tested positive to Covid-19. It has been clarified that the use of the app is strictly voluntary and only the device owners can share any data.

The Ministry mentioned that Cyprus would back a coordinated European approach in terms of tracing apps that may improve the management of Covid-19 across the globe and in turn lift any travel restrictions.

Covid-19 and Data Protection

We are already witnessing an unprecedented processing of different types of personal data including sensitive data by public authorities and private organisations due to the coronavirus outbreak.

It is noteworthy that normally under GDPR consent would be required for the purpose of processing sensitive data, however exceptions are provided. Data controllers and processors must ensure the protection of the personal information of the data subjects.


The EU General Data Protection Regulation (“GDPR”) substantially changed data privacy rules. By now organisations in the EU or organisations outside the EU which process personal data of EU residents should be in a position to demonstrate that they fulfill the necessary requirements for compliance.

Key issues and practical considerations arise which impact the majority of organisations and address gaps in compliance. For instance, organisations should assess any non-EU entities that process personal data of EU residents, third party processors, determine their “main establishment” if they have establishments in more than one EU Member State and implement effective internal systems, safety controls and technical measures that comply with the GDPR, as well as a privacy policy.

“Personal Information” means any information that can be used to identify an individual or that we can connect to a person. Such Personal Information does not consist of anonymous data.

European Data Protection Board Statement

On 19 March 2020 the European Data Protection Board adopted its statement on the processing of personal data in the context of the Covid-19 outbreak.

Of course the competent regulatory authority plays a crucial role in implementation and enforcement of the GDPR and corresponding national legislation as well as respective guidelines, and should be consulted as appropriate.



Our firm helps SMEs and large organisations in a wide range of sectors to comply with the GDPR and national legislation.

Our associates focus on technology and cybersecurity aspects to cover all angles of the necessary exercises, in line with the rapid shifts in technological disruption.

  • Data Protection & Privacy
  • GDPR Assessment & Implementation
  • Privacy Policy
  • Data Privacy Impact Assessment
  • Data Protection Officer
  • Data Security and Privacy Management
  • Technology
  • Cybersecurity

Please do not hesitate to contact us if you require further information or support on such matters.

Data Protection Law Firm of the Year in Cyprus: 2020 Global Law Experts 11th Annual Awards

Copyright © 2020 K. A. Kourtellos & Co LLC
K. A. Kourtellos & Co LLC is regulated by the Cyprus Bar Association
magnifiercrossmenuarrow-up linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram