, ,

Cyprus GDPR implementation: local peculiarities

Cyprus GDPR implementation law

The implementing Law and the interplay with GDPR

by Christiana Markou

Another EU country has adopted a GDPR implementation law: the Law on the Protection of Natural Persons with regard the Processing of Personal Data and on the Free Movement of such Data, Law 125(I)/2018 ( “the Law”) was published in the Official Gazette of the Republic of Cyprus on the 31st July 2018.

The purpose of the Law is the effective application (or implementation) of some of the provisions of the General Data Protection Regulation (GDPR). The Law responds to Recital 8 of the GDPR, which allows Member States to implement elements of the Regulation into their national law and to provisions in the GDPR allowing or obligating Member States to expand upon, adapt or deviate from the rules of the Regulation. It only comprises thirty-seven (37) provisions and must be read together with the Regulation, which remains the main piece of legislation governing data protection in Cyprus.

Key features and peculiarities of the Law

Data Processing by Courts & judgements databases

There are a few provisions in the Law that deserve to be highlighted. One of them is Section 5(a), which specifically renders the data processing performed by courts in the exercise of their duties for the purposes of the administration of justice (including the processing necessary for the issuance and publication of their judgements) permissible and lawful. This however does not cover the processing inherent in the operation of databases of judgements by private parties who offer a service to lawyers or the public at large. These entities must ensure that the processing they perform can come under one of the lawful bases of processing listed in Article 6(1), GDPR.

Minors lawful consent

Additionally, the Law, through Section 8(1), takes a rather liberal approach in relation to children deeming them as capable of offering valid consent at a younger age than the one specified by the GDPR, which is 16 years. Notably, the chosen age of 14 years in the Law coincides with the age over which children can be criminally liable in Cyprus as per Section 14 of the Cyprus Criminal Code, Cap. 154.

Biometric data processing

Another provision of the Law, namely Section 9(1) explicitly introduces a prohibition for the processing of genetic and biometric data for the purpose of health and life insurance and also clarifies that when the processing of such data is based on consent, separate consent must be secured for any further processing. This mirrors the Cypriot legislator deeming genetic and biometric data of increased sensitivity. Notably, the Insurance Association of Cyprus has suggested the inclusion in the Law of another derogation from the prohibition of Article 9(1) GDPR, specifically one permitting the processing of special categories of personal data for the purposes of conclusion and performance of insurance contracts. The particular suggestion has not been taken up by the Cypriot legislator and it seems that the GDPR places significant restrictions; insurance companies have to be secure the explicit consent of data subjects in order to process health data concerning them (despite the fact that such processing is strictly necessary for the conclusion and performance of the insurance contract requested by the data subject). Explicit consent entails significant administrative burden, which insurance companies would prefer to avoid. Most certainly, the GDPR is eligible to an interpretation that achieves a fair balance between the interests of the insurance companies and sufficient data protection, yet this requires the co-operation of all relevant stakeholders.

Data transfers outside EU

Section 17(1) is another notable provision. It introduces an obligation for controllers and processors to inform the Commissioner about their intention to transfer special categories of data (such as health data) to third countries (outside the EU) in certain cases. This is important for organisations or businesses in the medical sector which often send blood (or other) samples outside the EU for testing. When the country to which the data is exported is not one for which the European Commission has issued an adequacy decision based on Article 45, GDPR, the Cyprus Commissioner will have to be informed prior to each such transfer. This entails considerable administrative burden, which can be avoided by eliminating the health data exported or through anonymozation, amongst others.

GDPR 1st year implementation report: how is it going?

It is noteworthy that the Cyprus Data Protection Commissioner (“the Commissioner”) has recently published certain statistics on the application of the GDPR during the first year of its life.

According to those statistics, the Commissioner has received 464 complaints (146 of which concerned unsolicited commercial communications) and 55 data breach notifications. The authority has issued 20 decisions, nine of which imposed fines of a total of nearly €37,000 Euros. Furthermore, the Commissioner conducted nine 9 investigations on its own initiative.

These numbers reflect Cyprus as a small Member State of the EU; in other Member States, there have been much more enforcement actions, some of which have led to multi-million fines.

This post is part of TechnoLawgy Guest Post series and has been written by the brilliant  Christiana Markou, Practising lawyer  & Assistant Professor at the European University Cyprus School of Law. For a more in-depth report on Cyprus GDPR implementation click here.

If you are a interested in sharing your expertise with TechnoLawgy international readers hit the Contact button above.   

0 commenti

Lascia un Commento

Vuoi partecipare alla discussione?
Fornisci il tuo contributo!

Lascia un commento

Il tuo indirizzo email non sarà pubblicato. I campi obbligatori sono contrassegnati *

Questo sito usa Akismet per ridurre lo spam. Scopri come i tuoi dati vengono elaborati.