Articles


Cyprus GDPR implementation: local peculiarities

The implementing Law and the interplay with GDPR

by Christiana Markou

Another EU country has adopted a GDPR implementation law: the Law on the Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of such Data, Law 125(I)/2018 (“the Law”), was published in the Official Gazette of the Republic of Cyprus on 31 July 2018.

The purpose of the Law is the effective application (or implementation) of some of the provisions of the General Data Protection Regulation (GDPR). The Law responds to Recital 8 of the GDPR, which allows Member States to implement elements of the Regulation into their national law, and to the provisions in the GDPR that allow or oblige Member States to expand upon, adapt or deviate from the rules of the Regulation. It comprises only thirty-seven (37) provisions and must be read together with the Regulation, which remains the main piece of legislation governing data protection in Cyprus.

Key features and peculiarities of the Law

Data processing by courts and judgement databases

There are a few provisions in the Law that deserve to be highlighted. One of them is Section 5(a), which specifically renders the data processing performed by courts in the exercise of their duties for the purposes of the administration of justice (including the processing necessary for the issuance and publication of their judgements) permissible and lawful. This, however, does not cover the processing inherent in the operation of judgement databases by private parties who offer a service to lawyers or to the public at large. These entities must ensure that the processing they perform falls under one of the lawful bases of processing listed in Article 6(1) GDPR.

Minors' lawful consent

Additionally, the Law, through Section 8(1), takes a rather liberal approach in relation to children, deeming them capable of giving valid consent at a younger age than the one specified by the GDPR, which is 16 years. Notably, the age of 14 years chosen in the Law coincides with the age from which children can be held criminally liable in Cyprus under Section 14 of the Cyprus Criminal Code, Cap. 154.

Biometric data processing

Another provision of the Law, namely Section 9(1), explicitly prohibits the processing of genetic and biometric data for the purposes of health and life insurance and also clarifies that, when the processing of such data is based on consent, separate consent must be secured for any further processing. This reflects the Cypriot legislator's view that genetic and biometric data are of increased sensitivity. Notably, the Insurance Association of Cyprus had suggested the inclusion in the Law of a further derogation from the prohibition in Article 9(1) GDPR, specifically one permitting the processing of special categories of personal data for the purposes of the conclusion and performance of insurance contracts. This suggestion was not taken up by the Cypriot legislator, and it seems that the GDPR places significant restrictions here: insurance companies have to secure the explicit consent of data subjects in order to process health data concerning them (despite the fact that such processing is strictly necessary for the conclusion and performance of the insurance contract requested by the data subject). Explicit consent entails a significant administrative burden, which insurance companies would prefer to avoid. The GDPR is certainly open to an interpretation that achieves a fair balance between the interests of insurance companies and sufficient data protection, yet this requires the co-operation of all relevant stakeholders.

Data transfers outside the EU

Section 17(1) is another notable provision. It introduces an obligation for controllers and processors to inform the Commissioner of their intention to transfer special categories of data (such as health data) to third countries (outside the EU) in certain cases. This is important for organisations or businesses in the medical sector, which often send blood (or other) samples outside the EU for testing. When the country to which the data is exported is not one for which the European Commission has issued an adequacy decision under Article 45 GDPR, the Cyprus Commissioner will have to be informed prior to each such transfer. This entails a considerable administrative burden, which can be avoided by, among other measures, leaving the health data out of the export or anonymising it.

GDPR first-year implementation report: how is it going?

It is noteworthy that the Cyprus Data Protection Commissioner (“the Commissioner”) has recently published statistics on the application of the GDPR during its first year.

According to those statistics, the Commissioner received 464 complaints (146 of which concerned unsolicited commercial communications) and 55 data breach notifications. The authority issued 20 decisions, nine of which imposed fines totalling nearly €37,000. Furthermore, the Commissioner conducted nine investigations on its own initiative.

These numbers reflect Cyprus's position as a small EU Member State; in other Member States there have been many more enforcement actions, some of which have led to multi-million-euro fines.

This post is part of the TechnoLawgy Guest Post series and has been written by the brilliant Christiana Markou, practising lawyer and Assistant Professor at the European University Cyprus School of Law. For a more in-depth report on the Cyprus GDPR implementation, click here.

If you are interested in sharing your expertise with TechnoLawgy's international readers, hit the Contact button above.


📧#GDPR: how to update your email signature📧

As we all know, on 25 May 2018 the GDPR finally became directly applicable. It is a very important update on the subject of privacy and personal data protection, a true 2.0 update. In the other articles I discuss the main changes and how to comply.

Here is a useful tip to start adapting your email signature (also in light of Decree 101/2018, which implements the GDPR and amends the dear old Privacy Code).



DPO: incorrect notification to the Garante? The revocation form is now available

The DPO dilemma: to appoint or not to appoint?



Facebook fan page admin: what liability under #GDPR?

Following a recent decision of the ECJ, operating a Facebook fan page might lead to considerable privacy compliance issues for the companies running it.



Profiling customers without their consent: the new opportunities introduced by the GDPR

Can customers be profiled without their consent?

The new European Privacy Regulation 2016/679, unlike the Privacy Code, expressly regulates profiling and provides for different scenarios depending on the context and purposes of the profiling. Among the various novelties introduced, thanks to a new legal basis it is possible to profile customers without their consent, provided that certain conditions are met…



How to #PIA: new software, new methodology and a practical case from the French data protection authority!

Lately the CNIL, the French privacy authority, has been proving particularly prolific: on 26 February 2018 it published an updated version of its #PIA methodology. What is new?



#PIA Code: Privacy Impact Assessment, what is it about?

Article 35 of the #GDPR Privacy Regulation introduces the privacy impact assessment (PIA): what is it for, and how is it carried out?


Transfers to third countries: the WP29 Guidelines on Article 49 have been published

Derogations from the GDPR: how should Article 49 be interpreted?

On 12 February the Article 29 Working Party published, at the following link, the (open) guidelines on Article 49 of EU Regulation 679/2016, “Derogations for specific situations”, which governs the possible derogations from the rules on transfers to third countries laid down by the GDPR.

Below are some of the focal points of the guidelines: