January 9, 2020

Office of the Commissioner for Personal Data Protection: Cyprus Annual Report

The EU General Data Protection Regulation (“GDPR”), which was implemented over a year ago, substantially changed data privacy rules. By now, organisations in the EU, or organisations outside the EU which process personal data of EU residents, should be in a position to demonstrate that they fulfill the necessary requirements for compliance.

The President of the Republic of Cyprus, Mr. Nikos Anastasiadis, received today at the Presidential Palace the 2018 annual report (“Report”) of the Office of the Commissioner for Personal Data Protection. Delivering the Report, Data Protection Commissioner Ms. Irini Loizidou said the report "reflects the Office's activities since the full implementation of the European Regulation and clearly shows how people have accepted the Regulation, that is, both natural and legal persons".

Of course the competent regulatory authority plays a crucial role in implementation and enforcement of the GDPR and corresponding national legislation as well as respective guidelines, and should be consulted as appropriate.

Ms. Loizidou added that with implementation of the Regulation "there are many obligations, rights are strengthened and this is clearly demonstrated by the doubling of complaints and questions received and investigated by the Office." Ms. Loizidou also noted that the Office of the Commissioner is continuing its work at an intensive pace "to fully implement and ensure compliance with the Regulation in relation to the public and private sectors", adding that "the challenges are many and they multiply, and we are capable of serving society".

The President of the Republic of Cyprus, after congratulating the Commissioner on the work she has carried out, said that "the image has finally been established that there are finally institutions which, in the performance of their duties, are implementing legislation of a very strict importance, or with strictness for the importance they underlie. And it is precisely that, in consideration of these strict provisions of the law, we have proceeded in order to facilitate the administration of justice by the law which I hope will pass by the Parliament on the 17th of the month, under which, under strict conditions, with approval by the Attorney General and by court order, telephone suspects will be monitored for committing crimes. And this is a significant improvement in the resolution, but also in the administration of justice. It is within the same context, too, that the major reform of the administration of justice is included and, therefore, taking into account a series of laws that we have introduced I believe will make a significant contribution to restoring the sense of law, to improving personal data conditions, but also to protect the privacy of every citizen, while not overlooking at the same time contributing and finally helping to improve the timeframe of serving justice."

Key issues and practical considerations arise which impact the majority of organisations and address gaps in compliance. For instance, organisations should assess any non-EU entities that process personal data of EU residents and any third-party processors, determine their “main establishment” if they have establishments in more than one EU Member State, and implement effective internal systems, safety controls and technical measures that comply with the GDPR, as well as a privacy policy.

It is particularly important for organisations to increase awareness through training of all stakeholders involved and to assess if they should appoint a Data Protection Officer (“DPO”) and set up a Privacy Office. The DPO should be able to provide to the organisation day-to-day independent advice in relation to the GDPR. Additionally, given the focus of the GDPR on accountability, a Data Privacy Impact Assessment should be carried out by organisations in certain circumstances in order to evaluate if specific processing may entail a high risk for the rights and freedoms of individuals.

Our firm helps SMEs and large organisations in a wide range of sectors to comply with the GDPR, national legislation, and the relevant guidelines of the European Data Protection Board and the local Commissioner for Personal Data Protection. Our associates focus on technology and cybersecurity aspects to cover all angles of the necessary exercise, in line with the rapid shifts in technological disruption. We advise on the appropriate safeguards that must be implemented in the Digital Age, particularly considering the substantial risks and potential consequences involved.


Please do not hesitate to contact us if you require any related advice or support.

Copyright © 2020 K. A. Kourtellos & Co LLC
K. A. Kourtellos & Co LLC is regulated by the Cyprus Bar Association