You are currently viewing General Data Protection Regulation (GDPR) in Cyprus

General Data Protection Regulation (GDPR) in Cyprus

On 8 April 2016 the eu has followed the general records protection law (in short GDPR) to be able to come into impact on the 25th of may 2018 repealing the statistics safety Directive 95/forty three/EC. Its objectives are (1) to defend herbal humans in terms of the processing of their non-public records, (rec 1) (2) to permit natural folks greater control over their information, (rec 7) (three) harmonize the regulation and get rid of uncertainty in terms of facts protection (rec 9 and 10) (four) to provide for extra safety and reinforce the rights of records subjects, impose responsibilities to records processors and increase tracking skills and sanctions by way of Member States (rec 11) and (five) to permit for fair and lawful processing of personal facts (rec 39). The GDPR will all in all, support the inner marketplace, reinforce the enforcement of regulations and set global facts safety requirements.

The advantages to individuals

underneath the GDPR, the records topics (i.e. the individuals making the most of the law) will be able to:

first off, access their data greater easily within the experience that they will be able to know from the beginning of giving their consent, the uses that the records will undergo.
Secondly, they’ll have the right to delete the information that a information-controller continues. Termed because the “right to be forgotten”, article 17 of the GDPR pursuits to allow for an character to have his records deleted if he/she does now not want such records to be processed (furnished that there are no valid grounds for the records controller to keep it).
Thirdly, beneath article 25 of the law, statistics protection is covered by way of design and through default. data protection through layout approach that the controller have to enforce appropriate technical and organisational measures as a way to combine the safeguards vital with the intention to meet the necessities of the GDPR and defend the rights of statistics subjects. information protection via default way that the controller must implement appropriate measures if you want to ensure that by using default, best private records vital for each precise reason of the processing are processed, and at the identical time ensure, that by way of default, personal information can’t be made handy with out the person’s intervention.
Fourthly, the individual has the right to know if and while a protection breach has passed off on every occasion his statistics have been hacked. The GDPR creates an duty on the records-controller no longer only to inform the supervisory authority of the breach (and this have to be inside 72 hours) however it additionally creates the duty to talk to the records difficulty a private statistics breach, describing the nature of the breach as well as hints for the herbal character worried to mitigate any capacity unfavorable effects.
Who and what records is included?
The GDPR covers non-public records which can be processed. Processing need no longer be computerized. guide processing is included with the aid of the law’s ambit. It does no longer but cowl files or set of documents not structured in line with specific standards (rec 15).

underneath the definitions of the law, private statistics mean facts relating to an recognized or identifiable herbal man or woman. Such men and women are folks who can be identified without delay or indirectly via reference to a name, identity quantity, region statistics, on-line identifier and many others. for example a photograph or an IP deal with can be counted as personal facts.

it’s far of fantastic importance that the GDPR does no longer practice to criminal entities (Rec 14) or natural folks who have surpassed away (Rec 27).

The entities affected need now not be resident within the ecu. it is for this reasons that the changes have extensive attaining results stemming from the desire of the eu to vicinity responsibilities on every person (even from a 3rd us of a) providing goods or services or who monitors the behaviour of records subjects inside the european (Rec 22. 23 and 24).

who’s a facts controller and who is a facts processor?

Article four of the GDPR defines a facts controller as a “herbal or criminal individual, public authority, agency or different body which, alone or at the same time with others, determines the functions and means of the processing of personal information”. A data processor then again is a “natural or felony character, public authority, agency or other body which tactics personal facts on behalf of the controller”.

for instance, a records controller will be the Ministry of fitness of a member state, which requires virtual records to be stored concerning sufferers treated in public hospitals. The controller defines that the motive for data to be gathered is the effective treatment of patients. however, a statistics processor may be the personal criminal entity which has obtained a settlement with the Ministry to create, replace and handle the database of sufferers’ records.

who’s a records safety officer?

In positive instances, data controllers and facts processors should designate someone as a facts protection officer. those instances are indexed in article 37 of the GDPR and they’re the following: (1) where the processing is executed by means of a public authority or body, (2) the core activities of the controller or processor encompass processing operations which, with the aid of virtue of their nature, their scope and/or their functions, require ordinary and systematic monitoring of records topics on a big scale; (3) or the core activities of the controller or the processor include processing on a large scale of special categories of information.

The facts protection officer’s responsibilities include the availability of data and recommendation to the controller, processor and personnel in terms of data processing, the monitoring of compliance with the regulation, the supply of advice in which asked as regards the facts protection impact evaluation, and eventually, the cooperation/performing as a point of touch with the supervisory authority (article 39 of the GDPR).

One forestall store:

one of the predominant ambitions of the regulation is to act as a one-prevent-shop. This has an effect on enterprises situated in exclusive Member States (i.e. MNEs). where the MNE would normally be difficulty to the law of the supervisory authority of each of the Member States wherein it’s far located under the GDPR, a supervisory authority located in a single Member state may additionally act as the lead supervisory authority, as a result decreasing the administrative burden within the MNE. it is then for the lead authority to coordinate with other governmental authorities with a purpose to follow the regulation on the particular organisation.


under recital 32, consent is given:

“through a clear affirmative act establishing a freely given, unique, informed and unambiguous indication of the records subject’s settlement to the processing of private records relating to him or her, together with through a written announcement, along with by using electronic approach, or an oral statement. this could include ticking a box while journeying an internet internet site, selecting technical settings for data society services or another declaration or behavior which without a doubt shows in this context the records concern’s recognition of the proposed processing of his or her personal facts. Silence, pre-ticked packing containers or inaction must no longer therefore represent consent. Consent have to cover all processing sports executed for the same cause or purposes. while the processing has a couple of functions, consent ought to accept for all of them.”

For the consent to be knowledgeable it is necessary that it isn’t situation to any unfair terms or encompass greater imposed responsibilities to the statistics difficulty (if for instance there is no true or free preference or whilst the statistics problem is not able to refuse or withdraw his/her consent with out detriment).

furthermore, the information difficulty ought to be aware about the identity of the controller and the functions for which the non-public statistics could be processed. (rec 42) beneath recital 43:

“Consent is presumed not to be freely given if it does not allow separate consent to accept to specific private facts processing operations no matter it being appropriate inside the person case, or if the overall performance of a agreement, consisting of the supply of a provider, is depending on the consent in spite of such consent not being necessary for such overall performance.”

information portability:

one of the very useful features of the law is that of records portability. records portability is a right granted to information-subjects which permits them to request and obtain personal information concerning themselves from the facts controller or have the information controller transmit those facts to any other controller. The necessities are that (1) the facts-subject supplied the controller with the records, (2) the data is dependent, usually used in gadget-readable format (3) wherein the statistics processing is primarily based on consent or the processing is vital for the performance of a agreement to which the records difficulty is birthday party or a good way to take steps on the request of the facts situation prior to stepping into a agreement and (four) in which the processing is finished via automated manner.

statistics portability may be used as an instance in situations where a statistics challenge wishes to transfer his commercial enterprise from competitor A to competitor B. In such instances, competitor A has an responsibility below the regulation not to avoid or make it tough for the information problem to make this transition. another example which information portability can be of assistance is while an individual uses precise offerings which examine his/her information with those of other consenting people in an effort to offer the individual with comparisons or suggestions with regards to high-quality value. because of this, statistics portability has wide ranging results because it brings competitiveness to the market with the aid of forestalling methods which may additionally avert opposition from coming into the marketplace and via providing a obvious environment for consumers.


In cases of breach of the provisions protected inside the GDPR, the Supervisory authorities can problem written warning and impose fines according with the sort, recurrence and quantity of the breach. beneath article eighty three of the law, the fines may additionally reach up to 20 mil EUR or 4% of the full worldwide turnover of the preceding financial yr, whichever is better. This makes the GDPR one of the most crucial rules which want to be taken into consideration each time a business is involved with records processing of individuals.

What should you do:

organizations managing personal records of people ought to be wary of the changes added by way of the GDPR and that they should start taking steps that allows you to keep away from any unwanted outcomes which might also find them in breach of the regulation. The heavy fines which can be imposed for breaches of the law means that the GDPR is an issue of serious dialogue at the board level of any enterprise.

At Lindaduncan we allow you to with the transition via an in depth evaluation of the cutting-edge legal framework and the brand new duties set by the regulation. moreover, we can provide felony advice on comparing your modern-day non-public records safety structures and the way to continue with all the vital measures including drafting the specified prison documentation in order which will put together before the implementation deadline.

this newsletter is given for records functions most effective and it does now not constitute prison recommendation. Please supply us a name in case you would love to book a consultation with a expert on this region from our office. we are able to be happy to assist you.

GDPR and the Cyprus Property Industry

In a new show by the Commissioner of Data Protection, Ms. Loizidou, disclosed to the Cyprus Property experts how the General Data Protection Regulation – GDPR – makes commitments and liabilities. The business isn’t prohibited from these commitments and liabilities and consideration is required.

GDPR applied to the Cyprus Property Industry

Taking into account that GDPR applies to each industry and portion that individual information is made accessible, shared, imparted and prepared the development business is comparably influenced and every Cyprus property expert ought to be agreeable.

Role of Cyprus Property Professionals and GDPR

Cyprus property designers, property specialists, valuers, draftsmen, development organizations might be the two information regulators and information processors. Current realities and conditions will decide the kind of preparing attempted and the job of the property proficient.

Sharing of individual information

The sharing of individual information between various Cyprus property experts is caught by the arrangements of the General Data Protection Regulation. As needs be, express assent is needed from the information subject (individual) before the sharing of such data. A couple of reasonable models:

Specialist acquaints the customer with at least one land engineers.

Property Developer shares the name and phone of a customer to the modeler to call straightforwardly.

In the above models, the party holding such data should get express agree concerning the sharing of such close to home data. Further to the prior, it very well may be fascinating to consider going into explicit information handling arrangements between these gatherings and as such guarantee that the transmission of such information is acted as per the provisions of the understanding.


The necessity to conform to the Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007-2019 by the Cyprus property Professionals and the reception of measures to follow the General Data Protection Regulation seems to have made vulnerability inside the market. Consistence with the one doesn’t naturally mean consistence with the other.