Page 1

Unofficial translation

16/10/18

LAW 125(I) of 2018
LAW PROVIDING FOR THE PROTECTION OF NATURAL PERSONS WITH REGARD
TO THE PROCESSING OF PERSONAL DATA AND FOR THE FREE MOVEMENT OF
SUCH DATA
Official Journal of
the EU: L.119,
4.5.2016, page.1

For the purpose of effectively implementing certain provisions of the
European Union Act titled «Regulation (EE) 2016/679 of the European
Parliament and of the Council of 27 April 2016 on the protection of natural
persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC (General Data
Protection Regulation)»,
The House of Representatives votes as follows:
PART I
GENERAL PROVISIONS

Short title

1. This Law shall be referred to as the Protection of Natural Persons With
Regard to the Processing of Personal Data and for the Free Movement of
Such Data of 2018.

Definitions

2.-(1) In this Law, unless the text of the Regulation provides a different
meaning –
«Police» shall mean the Cyprus Police;
«genetic data» shall mean personal data relating to the inherited or acquired
genetic characteristics of a natural person which give unique information
about the physiology or the health of that natural person and which result, in
particular, from an analysis of a biological sample from the natural person in
question;
«personal data» shall mean any information relating to an identified or
identifiable natural person (‘data subject’); an identifiable natural person is
one who can be identified, directly or indirectly, in particular by reference to
an identifier such as a name, an identification number, location data, an
online identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that
natural person;
«binding corporate rules» shall mean personal data protection policies which
are adhered to by a controller or processor established on the territory of a
Member State for transfers or a set of transfers of personal data to a
controller or processor in one or more third countries within a group of
undertakings, or group of enterprises engaged in a joint economic activity;
«Republic» shall mean the Republic of Cyprus;
«Cross-border processing» shall mean 1

Page 2
Unofficial translation

16/10/18

a) processing of personal data which takes place in the context of the
activities of establishments in more than one Member State of a
controller or processor in the Union where the controller or processor
is established in more than one Member State; or
b) processing of personal data which takes place in the context of the
activities of a single establishment of a controller or processor in the
Union but which substantially affects or is likely to substantially affect
data subjects in more than one Member State;
«International organisation» shall mean an organisation and its subordinate
bodies governed by public international law, or any other body which is set up
by, or on the basis of, an agreement between two or more countries.
«representative» shall mean a natural or legal person established in the
Union who, designated by the controller or processor in writing pursuant to
Article 27, represents the controller or processor with regard to their
respective obligations under this Regulation;
«processor» shall mean a natural or legal person, public authority, agency or
other body which processes personal data on behalf of the controller;
«processing» shall mean any operation or set of operations which is
performed on personal data or on sets of personal data, whether or not by
automated means, such as collection, recording, organisation, structuring,
storage, adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or
combination, restriction, erasure or destruction;
«Commissioner» shall mean the Commissioner of Personal Data Protection
appointed pursuant to the provisions of Article 19 of this Law;
«enterprise» shall mean a natural or legal person engaged in an economic
activity, irrespective of its legal form, including partnerships or associations
regularly engaged in an economic activity;
«supervisory authority» shall mean the Commissioner appointed in
accordance with Article 19 of this Law, which implements the provisions of
Article 51 of the Regulation;
«Regulation» shall mean Regulation (ΕU) 2016/679 of the European
Parliament and of the Council of 27 April 2016 on the protection of natural
persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC (General Data
Protection Regulation);
Official Journal of
the EU: L.218,
13.8.2008,
page.30

«Regulation (EU) 765/2008» shall mean Regulation (EC) No 765/2008 of the
European Parliament and of the Council of 9 July 2008 setting out the
requirements for accreditation and market surveillance relating to the
marketing of products and repealing Regulation (EEC) No 339/93;

2

Page 3
Unofficial translation
156(I)/2002
10(I)/2010
57(I)/2011
69(I)/2012
120(I)/2012

Official Journal of
the EU: L.241,
17.9.2015,
page.1

16/10/18

«Cyprus Organisation for the Promotion of Quality» shall mean the Cyprus
Organisation for the Promotion of Quality which is designated as the national
accreditation body in accordance with the provisions of Standardisation,
Accreditation and Technical Notification Law;

«Directive (EU) 2015/1535 » shall mean Directive (EU) 2015/1535 of the
European Parliament and of the Council of 9 September 2015 laying down a
procedure for the provision of information in the field of technical regulations
and of rules on Information Society services;
«group of undertakings» shall mean a controlling undertaking and its
controlled undertakings;
« personal data breach» shall mean a breach of security leading to the
accidental or unlawful destruction, loss, alteration, unauthorised disclosure of,
or access to, personal data transmitted, stored or otherwise processed;
«consent» of the data subject means any freely given, specific, informed and
unambiguous indication of the data subject's wishes by which he or she, by a
statement or by a clear affirmative action, signifies agreement to the
processing of personal data relating to him or her;
«filing system» shall mean any structured set of personal data which are
accessible according to specific criteria, whether centralised, decentralised or
dispersed on a functional or geographical basis;
«controller» shall mean the natural or legal person, public authority, agency or
other body which, alone or jointly with others, determines the purposes and
means of the processing of personal data; where the purposes and means of
such processing are determined by Union or Member State law, the controller
or the specific criteria for its nomination may be provided for by Union law or
the law of the Republic;
«information society service» shall mean a service as defined in point (b) of
Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of
the Council;
«Minister» shall mean the Minister of Justice and Public Order.
(2) Any terms contained in this Law that are not specifically defined by this
Law, shall have the meaning attributed to them by the Regulation.

Scope

3. This provisions of the Law shall apply to the Republic in accordance with
the provisions of Articles 2 and 3 of the Regulation.

Competent
authority

4. The competent authority for implementing the provisions of the Regulation
and of this Law in the Republic is the Minister of Justice and Public Order.
PART II
LAWFULNESS OF CERTAIN PROCESSING OPERATIONS
3

Page 4
Unofficial translation
Processing of
personal data by
Courts and the
House of
Representatives.

16/10/18

5. Without prejudice to the provisions of Article 6, paragraph 1 point (e) of the
Regulation, the processing of personal data is permitted and is lawful when it
is carried out by -

(a) Courts acting in their judicial capacity for purposes of delivering
justice, including the processing of personal data necessary for the
publication and adoption of decisions of any court, and

(b) The House of Representatives within its powers.
Publication or
adoption of
decisions of the
courts

6. The processing of special categories of data laid down in Article 9 of the
Regulation is permitted and is lawful when it is carried out for the purpose of
publishing or issuing a decision of any court or when it is necessary for the
purpose of delivering justice.

Processing on the
basis of a
Decision of the
Council of
Ministers

7. The processing of personal data which is vested by virtue of a Decision of
the Council of Ministers to a public authority or body for the performance of a
task carried out in the public interest or in the exercise of official authority
shall be performed lawfully and fairly, in a clear, precise and transparent
manner in relation to the data subject, in accordance with the provisions of
Article 5, paragraph (1), point (a) and Article 6 paragraph (1) point (e) of the
Regulation.

Offering of
information
society services
to a child

8.-(1) When the offering of information society services directly to a child is
based on the child’s consent, the processing of personal data shall be lawful
where the child is at least fourteen (14) years old.
(2) For a child younger than fourteen (14) years old, the processing of
personal data referred to in subsection (1) shall be lawful when consent is
given or authorised by the holder of parental responsibility over the child.

Processing of
genetic and
biometric data

9.-(1) The processing of genetic and biometric data for purposes of health
and life insurance is prohibited.
(2) Without prejudice to Article 5, paragraph (1) point (b) of the Regulation,
where the processing of genetic and biometric data is based on a data
subject’s consent, the further processing of such data requires the separate
consent of the data subject.

Combination of
filing systems by
public authorities
or bodies

10.-(1) The combination of large-scale filing systems of two or more public
authorities or bodies, is permitted only for reasons of public interest and
provided that the provisions of Article 6 paragraph (1), points (c) or (e) or
Article 9 paragraph 2 points (g), (h) or (i) of the Regulation are fulfilled.
(2) In the case where the combination relates to special categories of
personal data or to personal data relating to criminal convictions and offences
or is to be carried out with the use of the identity card number or any other
identifier of general application, it is required to carry out a data protection
impact assessment and a prior consultation with the Commissioner.
(3) The impact assessment referred to in subsection (2) shall be carried out
jointly by the public authorities or bodies that intend to combine their filing
systems and shall contain the information provided for in Article 35 paragraph
4

Page 5
Unofficial translation

16/10/18

(7) of the Regulation and, where applicable, a description of the technical and
organisational security measures provided for in Articles 24, 25, 28 and 32 of
the Regulation.
(4) The Commissioner can authorise the combination of the filing systems
referred to in this Article and impose to the public authorities or bodies that
intend to combine their filing systems, terms and conditions for the
materialisation of the combination.
PART III
RESTRICTIONS OF RIGHTS AND OBLIGATIONS
Restriction of
rights

11.-(1) Subject to the provisions of Article 23, paragraph (1) of the Regulation,
a controller may implement measures to restrict, wholly or partly, the rights
referred to in Articles 12, 18, 19 and 20 of the Regulation:
Where the restrictions of the rights relates to a processing operation carried
out by a processor, the measures referred to in subsection (1) are
implemented in accordance with the provisions of Article 28 of the Regulation.
(2) The implementation of the measures referred to in subsection (1) requires
carrying out an impact assessment and prior consultation with the
Commissioner.
(3) The impact assessment referred to in subsection (2) shall contain the
information provided for in Article 23 paragraph (2) and Article 35 paragraph
(7) of the Regulation and, where applicable, a description of the technical and
organisational security measures provided for in Articles 24, 25, 28 and 32 of
the Regulation.
(4) Subject to the provisions of Article 14 paragraph (5) of the Regulation, the
controller shall inform the data subject for the implementation of the measures
referred to in subsection (1).
(5) The Commissioner may impose to the controller terms and conditions for
the implementation of the measures referred to in subsection (1) and for the
information to the data subject referred to in subsection (4).

Derogation in
relation to the
communication of
a data breach

12.-(1) A controller may be exempt from the obligation to communicate a
personal data breach to the data subject, wholly or partly, for one or more of
the purposes referred to in Article 23, paragraph 1 of the Regulation.
(2) The exemption to the obligation to communicate a personal data breach
referred to in subsection (1) requires carrying out an impact assessment and
prior consultation with the Commissioner.
(3) The impact assessment referred to in subsection (2) shall contain the
information provided for in Article 23 paragraph (2), Article 35 paragraph (7)
of the Regulation.
(4) The Commissioner may impose to the controller terms and conditions for
the exemption to the obligation to communicate a personal data breach
referred to in subsection (1).
5

Page 6
Unofficial translation

16/10/18

PART IV
IMPACT ASSESSMENT DURING THE PREPARATION OF LEGISLATIVE
MEASURES
Carrying out an
impact
assessment after
the adoption of
legislative or
regulatory
measures

13.-(1) Before the adoption of a law or Regulations by virtue of law, which
regulate a specific processing operation or set of operations, an impact
assessment and prior consultation with the Commissioner is required.
(2) The provisions of subsection (1) shall not apply, if the Commissioner
considers that the impact assessment carried out during the adoption of a law
or Regulations by virtue of law is adequate and that it is not required to carry
out an additional impact assessment prior to the initiation of the specific
processing operation or set of operations regulated by this law or
Regulations.
PART V
DATA PROTECTION OFFICER

Designation of
the data
protection officer

14.-(1) The data protection officer is designated in accordance with the
provisions of Article 37 of the Regulation.
(2) The Commissioner may establish and make public a list of processing
operations and cases requiring the designation of a Data Protection Officer, in
addition to the cases referred to in Article 37 paragraph 1 of the Regulation.
(3) The Commissioner may publish on the Office’s website a list of controllers
and processors who designated a data protection officer and their contact
details, provided that the controller and the processor wish to be included in
the list.

Obligation to
professional
secrecy or
confidentiality of
the data
protection officer

15.-(1) Subject to the provisions of any law regulating issues of professional
secrecy or confidentiality, the data protection officer is bound to professional
secrecy or confidentiality in the performance of his or her duties.
(2) The obligation to professional secrecy or confidentiality of the data
protection officer shall not affect the investigative powers of the
Commissioner, provided for in Article 58, paragraph 1 of the Regulation and
in paragraphs (a) and (b) of section 25 of this Law.
PART VI
ACCREDITATION OF CERTIFICATION BODIES

Accreditation of
certification
bodies

16.-(1) The accreditation of certification bodies shall be carried out by the
Cyprus Organization for the Promotion of Quality in accordance with the
provisions of Article 43 of the Regulation.
(2) For the accreditation of a certification body, the Cyprus Organization for
the Promotion of Quality shall receive a favorable opinion from the
Commissioner, that the applicant certification body fulfills the requirements of
Article 43 paragraph (2) points (a), (b) and (e) of the Regulation.
(3) The Cyprus Organization for the Promotion of Quality shall revoke the
6

Page 7
Unofficial translation

16/10/18

accreditation of a certification body where the requirements for accreditation
are not, or are no longer, met or where actions taken by a certification body
infringe the provisions of the Regulation or of this Law.
(4) The Commissioner may demand from the Cyprus Organization for the
Promotion of Quality to revoke the accreditation of a certification body
provided that the Commissioner detects that the requirements for
accreditation are not, or are no longer, met or where actions taken by a
certification body infringe the provisions of the Regulation or of this Law.
(5) In the case where the Cyprus Organization for the Promotion of Quality
does not revoke the accreditation of a certification body in accordance with
subsections (3) and (4), the Commissioner shall report the case to the
European Commission.

PART VII
TRANSFER OF SPECIAL CATEGORIES OF DATA TO A THIRD COUNTRY
OR INTERNATIONAL ORGANISATION
Transfer of
special categories
of personal data
based on
appropriate
safeguards or
binding corporate
rules

17.-(1) When the controller or the processor intends to transfer special
categories of personal data to a recipient in a third country or to an
international organisation and the intended transfer is based on appropriate
safeguards provided for in Article 46 of the Regulation or on binding corporate
rules provided for in Article 47 of the Regulation, the controller or the
processor shall inform the Commissioner for the intended transfer before the
said data are transferred.
(2) Notwithstanding the provisions of Articles 46 and 47 of the Regulation, the
Commissioner may, for important reasons of public interest, impose explicit
limits to the controller or the processor for the transfer of the special
categories of personal data referred to in subsection (1).
(3) In the case where the appropriate safeguards or the binding corporate
rules referred to in subsection (1) were adopted by the Commission or in
accordance with the consistency mechanism provided for in Article 63 of the
Regulation, before imposing the limits referred to in subsection (2), the
Commissioner shall consult, where appropriate, with the Commission, the
lead authority and the other concerned authorities.

Transfer of
special categories
of personal data
based on
derogations for
specific
processing
situations

18.-(1) A transfer carried out by a controller or processor, of special
categories of personal data to a third country or an international organisation,
which is based on derogations for specific situations provided for in Article 49
of the Regulation requires carrying out an impact assessment and prior
consultation with the Commissioner.
(2) The impact assessment referred to in subsection (2) shall contain the
information provided for in Article 35 paragraph (7) of the Regulation and,
where applicable, a description of the technical and organisational security
measures provided for in Articles 24, 25, 28 and 32 of the Regulation.
(3) Notwithstanding the provisions of Article 49 of the Regulation, the
7

Page 8
Unofficial translation

16/10/18

Commissioner may, for important reasons of public interest, impose explicit
limits to the controller or the processor for the transfer of special categories of
personal data referred to in subsection (1).
PART VIII
THE COMMISSIONER FOR PERSONAL DATA PROTECTION
Appointment,
qualifications, term
of office of the
Commissioner

19.-(1) The Commissioner for Personal Data Protection shall be appointed by
the Council of Ministers, upon the recommendation of the Minister.
(2) The person appointed as Commissioner shall possess the qualifications
for the appointment of a Supreme Court Judge.
(3) The term of office of the Commissioner shall be for a period of six (6)
years, renewable for one more term.
(4) Subject to the provisions of Article 53, paragraph 4 of the Regulation and
section 20 of this Law, the Commissioner shall not be dismissed during his or
her term of office for reasons other than mental or physical incapacity or
physical handicap rendering him or her incapable of exercising his or her
duties.
(5) The Commissioner is appointed as the supervisory authority for the
purposes of the Regulation and shall be responsible for monitoring the
application of the Regulation and of this Law in the Republic and of other
legislative measures relating to the processing of personal data.

Dismissal of the
Commissioner

20.-(1) The Commissioner shall be dismissed, if during his or her term of
office:(a) takes any action incompatible with his or her duties or engages in
any incompatible occupation, whether gainful or not; or
(b) is convicted for the offence provided for in subsection (3) of
section 21 of this Law.
(2) The Council of Ministers shall publish in the Official Gazette of the
Republic the dismissal of the Commissioner referred to in subsection (1) and
the date of effect of the dismissal.

Rights and
obligations of the
Commissioner

21.-(1) The Commissioner shall receive remuneration which shall be
determined by the Council of Ministers.
(2) The Commissionera) in the performance of his or her duties, tasks and powers shall act
according to his or her conscience and in accordance with the
provisions of the Regulation and of this law,
b) during his or her term of office and after its expiry, he shall be bound
by a duty of professional secrecy or confidentiality,
c) as a witness or expert he or she may provide any evidence before a
8

Page 9
Unofficial translation

16/10/18

court for the application of the Regulation and of this Law, as well as
of other legislative measures relating to the processing of personal
data,
d) after the expiry of his or her term of office, he shall refrain from any
action incompatible with his or her duties and shall not engage in any
incompatible occupation, whether gainful or not, for a period of two (2)
years.
(2) In the case where the Commissioner, in contravention of the Regulation
and of this Law, discloses, in any way, information or personal data to which
he has access to as a result of his or her capacity, or allows anyone to
acquire knowledge thereof, commits an offense and in the case of conviction,
is subject to imprisonment which shall not exceed three (3) years or to a fine
which shall not exceed thirty thousand euro (€30.000) or to both of these
penalties.

Office of the
Commissioner

22. The Commissioner shall have an office, that may be staffed by
permanent, temporary and open ended contract public servants:
The Commissioner shall be involved in the procedure for the selection of the
Office’s staff and the staff shall be subject to the exclusive direction of the
Commissioner:
The staff of the Commissioner’s Office shall be bound to professional secrecy
or confidentiality, even after the expiry of their service.

Duties and
powers of the
Commissioner

23.-(1) The Commissioner shall perform the duties entrusted to him or her
and exercise the powers conferred by the provisions of the Regulation, this
Law and any other law.
(2) The Commissioner may, subject to the principle of hierarchy, authorise in
writing, any officer of his or her Office, who holds a position of authority, to
exercise on his or her behalf such duties and powers under such conditions,
exceptions and reservations which the Commissioner shall determine in his
authorisation.
(3) The Commissioner may, upon his or her discretion, give publicity to a
case which concerns the performance of his or duties and the exercise of his
or her powers:
Where a case relates to cross-border processing, the Commissioner shall
consult with the lead authority and other concerned authorities his or her
intention to give publicity to the case, in accordance with the provisions of this
subsection.
(4) The Commissioner shall have no competence to supervise processing
operations carried out by courts of the Republic when acting in their judicial
capacity.

Additional duties

24. Subject to the provisions of Article 57 of the Regulation and in addition to
9

Page 10
Unofficial translation
of the
Commissioner

16/10/18

the duties provided for in that Article, the Commissioner performs the
following duties: (a) may publish on the Office's website the means of lodging complaints and
requests;
(b) shall examine a complaint and, where possible, depending on the nature
and type of the complaint, shall inform the complainant in writing for the
progress and outcome within thirty (30) days of the submission of the
complaint:
If the complaint is deemed unfounded or does not fall within the competence
of the Commissioner, he shall inform the complainant in writing within thirty
(30) days of the filing of the complaint;
(c) shall inform, where appropriate, the data subject, the controller and the
processor for the time limits provided for in Articles 60 to 66 of the Regulation;
(d) may not investigate a complaint or discontinue its investigation for reasons
of public interest and shall notify to the data subject, within a reasonable
period, the reasons for not investigating or for terminating the investigation of
the complaint;
(e) may establish and make public the list of processing operations and cases
that require the designation of a Data Protection Officer, in accordance with
the provisions of section 14 of this Law; and
(f) may publish on the Office’s website, the list of controllers and processors
who designated a data protection officer as provided for in section 14 of this
Law.

Additional powers
of the
Commissioner

25. Subject to the provisions of Article 58 of the Regulation and in addition to
the powers provided for in that Article, the Commissioner shall exercise the
following powers: a) Subject to the provisions of Article 58, paragraph 1, points (a) and (e)
of the Regulation, the Commissioner shall have access to all the
personal data and to all the information required for the performance
of his or her tasks and the exercise of his or her powers, including
confidential information, except for information covered by legal
professional privilege;
b) Subject to the provisions of Article 58, paragraph 1, point (f) of the
Regulation, the Commissioner shall have the power to enter, without
necessarily informing the controller or the processor or their
representative in advance, in any office, professional premises or
mean of transport, with the exception of residences;
c) For the exercise of the investigative powers provided for in Article 58,
paragraph (1) of the Regulation and in this section, the Commissioner
may be assisted by an expert or/and the police;

Chapter 155.

d) In the exercise of his or her investigative powers, the Commissioner
10

Page 11
Unofficial translation
L.93 of 1972
2 of 1975
12 of 1975
41 of 1978
162 of 1989
142 of 1991
9(I) of 1992
10(I) of 1996
89(I) of 1997
54(I) of 1998
96(I) of 1998
14(I) of 2001
185(I) of 2003
219(I) of 2004
57(I) of 2007
9(I) of 2009
111(I) of 2011
165(I) of 2011
7(I) of 2012
21(I) of 2012
160(I) of 2012
23(I) of 2013
16(Ι) of 2014
42(I) of 2014
186(Ι) of 2014.

16/10/18

may seize documents or electronic equipment by virtue of a search
warrant in accordance with the Criminal Procedure Law;

e) In addition to the corrective powers provided for in Article 58,
paragraph 2 of the Regulation, the Commissioner shall require the
Cyprus Organization for the Promotion of Quality to revoke the
accreditation of a certification body, when the Commissioner
ascertains that the requirements for the certification are not or are no
longer met or where actions taken by the certification body violate the
provisions of the Regulation or of this Law;
f) The Commissioner shall denounce the Cyprus Organization for the
Promotion of Quality to the European Commission , in the case where
the Cyprus Organization for the Promotion of Quality does not revoke
an accreditation of a certification body in accordance with subsections
(3) and (4) of section 16 of this Law;
g) In addition to the authorisation and advisory powers provided for in
Article 58, paragraph 3 of the Regulation, the Commissioner shall
have the power to: i. authorise the combination of filing systems provided for in section
10 of this Law and impose terms and conditions for the
materialisation of the combination,
ii. impose terms and conditions in relation to the application of the
measures for the restriction of the rights referred to in section 11 of
this Law,
iii. impose terms and conditions for the exemption to the obligation to
communicate the data breach referred to in section 12 of this Law,
iv. impose explicit limits for the transfer of special categories of
personal data referred to in sections 17 and 18 of this Law,

11

Page 12
Unofficial translation

16/10/18

v. recommend to the Minister the conclusion of agreements with
other countries and conclude, establish and sign the Memoranda
of Understanding provided for in section 35 of this Law;
h) Subject to the provisions of Article 58, paragraph 5 of the Regulation,
the Commissioner shall notify to the Attorney General of the Republic
and/ or to the police any contravention of the provisions of the
Regulation or of this law, that may constitute an offense in accordance
with provisions of section 33 of this Law; and
i) The Commissioner shall confer the powers provided for in section 27
of this law to members or staff of the seconding authority who
participate in a joint operation in the Republic.
Annual Report

26. The Commissioner shall submit an annual activity report to the President
of the Republic and to the President of the House of Representatives which
shall published on the Office’s website.

Joint Operations

27.-(1) Subject to the provisions of Article 62 of the Regulation, the
Commissioner may participate in joint operations with supervisory authorities
of other member states.
(2) Where a joint operation takes place in the Republic, the Commissioner
may confer powers, including investigative powers, to the members or staff of
the seconding supervisory authority who participate in the joint operation.

Judicial remedy
against decisions
of the
Commissioner

28. Every natural or legal person shall have the right to an effective judicial
remedy against a decision of the Commissioner concerning them, before the
Administrative Court.
PART IX
PROCESSING OF PERSONAL DATA IN SPECIFIC SITUATIONS

Processing and
freedom of
expression and
information

Law 39 of 1962

29.-(1) The processing of personal data or special categories of personal data
or personal data relating to criminal convictions and offenses, which is carried
out for journalistic or academic purposes or for purposes of artistic or literary
expression, is permitted, provided that those purposes are proportionate to
the aim pursued and respect the essence of the rights as set out in the
Charter of Fundamental Rights of the European Union and in the European
Convention for the Protection of Human Rights and Fundamental Freedoms
(ECHR), which was ratified by the ratifying law on the European Convention
for the Protection of Fundamental Rights and in Part II of the Constitution.
(2) The provisions of Article 14 and 15 of the Regulation shall apply to the
extent that they do not impair the right tο freedom of expression and
information and journalistic secrecy.

Processing and
public access to
official documents
Law 184(I) of 2017

30. Personal data in official documents held by a public authority or body for
the performance of a task carried out in the public interest shall be disclosed
in accordance with the provisions of the Right of Access to Documents of the
Public Sector Law.

Safeguards and

31. The processing which is carried out by a controller or a processor for
12

Page 13
Unofficial translation
derogations
relating to
processing for
archiving
purposes in the
public interest,
scientific or
historical
research
purposes or
statistical
purposes

16/10/18

archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes shall not be used for taking a decision which
produces legal effects concerning the data subject or similarly significantly
affects him or her.

PART X
ADMINISTRATIVE FINES AND OFFENSES
Administrative
fines

32.-(1) The Commissioner shall impose administrative fines in accordance
with Article 83 of the Regulation.
(2) Where the administrative fine referred to in subsection (1) remains unpaid,
it shall be collected as a civil debt due to the Republic.
(2) An administrative fine imposed to a public authority or body, which relates
to non-profitable activities shall not exceed two hundred thousand (200,000)
euro.

Offenses and
sanctions

33.-(1) An offense shall be committed by: –
(a) a controller or a processor who does not maintain the record of
processing activities provided for in Article 30 of the Regulation or
does not update this record or does not make the record available to
the Commissioner on request or provides false, inaccurate,
incomplete or misleading information to the Commissioner in relation
to this record,
(b) a controller or a processor who does not cooperate with the
Commissioner in accordance with the provisions of Article 31 of the
Regulation,
(c) a controller who does not notify to the Commissioner a personal
data breach, in accordance with the provisions of Article 33,
paragraph 1 of the Regulation,
(d) a processor who does not notify to the controller without undue
delay a personal data breach, in accordance with the provisions
Article 33, paragraph 2 of the Regulation;
(e) a controller who does not communicate a personal data breach to
the data subject, in accordance with the provisions of Article 34 of the
Regulation;
(f) a controller who does not carry out an impact assessment, in
breach of the provisions of Article 35, paragraph 1 of the Regulation or
13

Page 14
Unofficial translation

16/10/18

of section 13 of this Law;
(g) a controller or a processor who prevents the data protection officer
to perform his or her tasks, in particular those relating to the
cooperation with the Commissioner.
(h) a certification body which issues or does not withdraw a
certification, in accordance with the provisions of Article 42 of the
Regulation;
(i) a controller or a processor who transfers personal data to a third
country or an international organisation, in breach of Chapter V of the
Regulation;
(j) a controller or a processor who transfers personal data to a third
country or an international organisation, in breach of the explicit limits
imposed by the Commissioner in accordance with sections 17 or 18 of
this law;
(k) a person who, without right intervenes, in any way, in a filing
system or acquires knowledge of the personal data thereof or
removes, alters, damages, destroys, processes or uses in any way,
discloses, communicates, renders them accessible to non authorised
persons or allows these persons to acquire knowledge of the said
data, for gainful purposes or not;
(l) a controller or a processor who prevents or impairs the exercise of
the Commissioner’s powers provided for in Article 58 of the Regulation
and in section 17 of this law;
(m) a controller or a processor who does not comply with the
provisions of the Regulation and of this law when carrying out a
processing activity which does not constitute an offense in accordance
with the provisions of this section;
(n) a public authority or body which proceeds to the combination of
large scale filing systems in breach of the provisions of section 10 of
this law;
(2) If a person is convicted for committing any of the offenses referred to in
subsection (1) paragraphs (a) to (l) he or she shall be subject to imprisonment
which shall not exceed three (3) years or to a fine which shall not exceed
thirty thousand (30,000) euro or to both of these penalties.
(3) If a person is convicted of committing any of the offenses referred to in
subsection (1) paragraphs (m) and (n) he or she shall be subject to
imprisonment which shall not exceed one (1) year or to a fine which shall not
exceed ten thousand (10,000) euro or to both of these penalties.
(4) If a person is convicted of committing any of the offenses referred to in
subsection (1) paragraphs (g) to (j), which damages the interests of the
Republic or impairs the free governing of the Republic or compromises
national security, he or she shall be subject to imprisonment which shall not
14

Page 15
Unofficial translation

16/10/18

exceed five (5) years or to a fine which shall not exceed fifty thousand
(50,000) euro or to both of these penalties.
(5) For the implementation of the provisions of this sectiona) Where the controller or the processor is an enterprise or a group of
undertakings, the legal responsibility lays with the person designated
as the supreme executive instrument or body of the enterprise or
group of undertakings,
b) Where the controller or the processor is a public authority or body, the
legal responsibility lays with the head of the public authority or body or
with the person who exercises substantial administration of the public
authority or body.
PART XI
FINAL PROVISIONS
Regulations

34. The Council of Ministers shall issue Regulations for the effective
implementation of the provisions of the Regulation and of this Law, upon the
recommendation of the Commissioner.

International
cooperation

35.-(1) In the absence of an appropriate legal measure taken by the
Commission, binding for the Member States, the Commissioner may
recommend to the Minister the conclusion of agreements with third countries
or international organisations for the fulfillment of the purposes referred to in
article 50 of the Regulation.
(2) The Commissioner may conclude, establish and sign memoranda of
understanding with equivalent authorities of other countries or with
international organizations.

Repealing of Law
138 (I) / 2001
37(I)/2003
105(I)/2012

36. Upon entry into force of the provisions of this law, the Processing of
Personal Data (Protection of Individuals) Laws of 2001 to 2012 shall be
repealed.
PART XII
TRANSITIONAL PROVISIONS

Transitional
provisions

37.-(1) The appointment of the Commissioner, which was made by the
Council of Ministers on the basis of Decision no. 79.538, dated 28.9.2015, for
four (4) years, is valid until the expiration of his or her term of office.
(2) Acts issued by the Commissioner under the provisions of the Processing
of Personal Data (Protection of Individuals) Law, which is repealed, shall
continue to be valid until their expiration or replacement.
(3) Until the Cyprus Organisation for the Promotion of Quality is successfully
submitted to the peer evaluation provided for in Article 10 of Regulation (EC)
No 765/2008 as regards the procedures for the assessment of adherence for
which accreditation is requested, an applicant certification body may be
accredited by another accreditation organisation, in accordance with the
15

Page 16
Unofficial translation

16/10/18

provisions of the Accreditation, Standardization and Technical Information
Law and the provisions of Regulation (EC) No 765/2008.

16

