top of page

CYPRUS - Data Protection and GDPR Review

The history of data protection in Cyprus aligns with the wider efforts in the European Union to safeguard individual privacy rights. Below is an outline of the major developments and legislation related to data protection in Cyprus.

1. Early Efforts and the 1995 Directive

In Cyprus, data protection was largely influenced by European directives, specifically the EU Data Protection Directive (Directive 95/46/EC) that was adopted in 1995. This directive focused on protecting individuals' privacy with regard to the processing of personal data. It laid down regulations on how data was to be handled, stored, and processed.

2. Formation of the Data Protection Commissioner

In line with EU regulations, Cyprus enacted the Processing of Personal Data (Protection of Individuals) Law of 2001. This law established the Cyprus Data Protection Commissioner's office, an independent supervisory authority for the protection of individuals concerning the processing of personal data.

3. Implementing the Data Retention Directive

The EU Data Retention Directive (2006/24/EC) was also implemented in Cyprus. It required telecommunications providers to retain metadata for a certain period to assist in the investigation and prosecution of serious crimes.

4. General Data Protection Regulation (GDPR)

In 2018, the European Union's General Data Protection Regulation (GDPR) became enforceable, which had a profound impact on Cyprus, like other EU member states. The GDPR strengthened individuals' rights, such as the right to access, correct, or erase their personal data. It also placed more responsibilities on data controllers and processors, including the requirement to report data breaches within 72 hours.

Cyprus's Law Providing for the Protection of Natural Persons with Regard to the Processing of Personal Data was enacted to fully harmonize with the GDPR. This law repealed the previous data protection law from 2001.

5. Post-GDPR Developments

Since the implementation of the GDPR, Cyprus has continued to work on enhancing data protection measures. The Data Protection Commissioner actively supervises and enforces the regulations, ensuring that organizations within Cyprus comply with the GDPR.

Additionally, Cyprus has engaged in various awareness campaigns to educate both individuals and businesses about their rights and responsibilities concerning data protection.

The history of data protection in Cyprus has been shaped by its commitment to aligning with European directives and regulations. Starting from early adoption of EU directives to the robust implementation of the GDPR, Cyprus has shown a strong commitment to safeguarding individual privacy. This has been accompanied by the establishment of regulatory bodies and national legislation that reflects the broader EU approach to data protection.

Introduction to GDPR in Cyprus

The GDPR became enforceable in all EU member states, including Cyprus, on May 25, 2018. In Cyprus, the Law Providing for the Protection of Natural Persons with Regard to the Processing of Personal Data harmonizes the national legislation with the GDPR.

Key Principles

a. Lawfulness, Fairness, and Transparency

Data must be processed legally, fairly, and transparently.

b. Purpose Limitation

Data must be collected for specific, explicit, and legitimate purposes.

c. Data Minimization

Only necessary data should be collected and processed.

d. Accuracy

Data must be accurate and up-to-date.

e. Storage Limitation

Data should not be kept longer than necessary.

f. Integrity and Confidentiality

Data must be processed securely.

Rights of Individuals

a. Right to Information

Individuals must be informed about how their data is being used.

b. Right to Access

Individuals can request a copy of their personal data.

c. Right to Rectification

Individuals can ask for inaccurate data to be corrected.

d. Right to Erasure (Right to be Forgotten)

Individuals can request that their data be deleted.

e. Right to Restrict Processing

In certain circumstances, individuals can request that the processing of their data be restricted.

f. Right to Data Portability

Individuals can request their data in a format that can be easily transferred to another service provider.

g. Right to Object

Individuals can object to the processing of their data.

Responsibilities of Organizations

a. Appoint a Data Protection Officer (DPO)

Certain organizations must appoint a DPO to oversee compliance with the GDPR.

b. Conduct Data Protection Impact Assessments (DPIAs)

In some cases, organizations must assess the impact of processing activities on data protection.

c. Implement Privacy by Design

Organizations must consider privacy at the initial design stages of products and processes.

d. Report Data Breaches

Organizations must report data breaches to the relevant authorities within 72 hours.

Cyprus Data Protection Commissioner

The Cyprus Data Protection Commissioner is responsible for enforcing GDPR within Cyprus. Organizations and individuals can seek guidance and report violations to this body.


Non-compliance can result in fines up to €20 million or 4% of the company’s global annual turnover, whichever is higher.

Conclusion and Recommendations

Understanding and complying with the GDPR in Cyprus requires careful attention to both the rights of individuals and the responsibilities of organizations. Regular training, adherence to best practices, and consultation with legal experts or the Data Protection Commissioner can help ensure compliance.


This guide provides a general overview and should not replace legal counsel. Laws and regulations may change, and professional legal advice should be sought to understand specific rights and obligations within Cyprus regarding the GDPR.


bottom of page