GDPR Compliance for Cypriot Companies

The rapid pace of technological progress and the continuous growth in the volume of digital information make the protection of personal data more pressing than ever. In this context, the General Data Protection Regulation (GDPR) adopted by the European Union is a necessary step towards ensuring privacy and giving individuals control over their personal data. In this article, we discuss the key aspects of GDPR compliance for companies and the national particularities of its application in Cyprus.

So what is personal data in the context of the General Data Protection Regulation?

To answer this question, we can take a few examples from the guidance of the UK Information Commissioner's Office (ICO).

Tracking

Websites monitor users' actions and build profiles keyed to online identifiers. For example, cookies can be used to track a user's activity across different sites and enrich his or her profile with new information about those actions. Recital 30 of the GDPR expressly names cookie identifiers and IP addresses as online identifiers of this kind, so such a profile is personal data even if the site never learns the user's name.

Identification

Unique characteristics of a particular individual are recorded so that he or she can be identified and distinguished from other individuals. Recording those characteristics for that purpose is processing of personal data.

Nickname

A social network allows users to register under fictitious names that may seem anonymous. For example, the name "Pink Unicorn" may look trivial and unrelated to the user's personal data. Under the GDPR, however, this nickname is an online identifier that singles this user out from all others. Such a nickname is therefore personal data under the GDPR.

Therefore, we can conclude that the main criterion for determining whether information is personal data is whether it makes it possible to single out a specific individual from others using online or offline identifiers, even where his or her real name is unknown.

Compliance

To bring the company's activities into line with the GDPR, a map of personal data flows and access should be drawn up at the initial stage of preparation; in practice it is the basis for the record of processing activities required by Art. 30. This map should include the following:

1. the ways in which personal data is obtained;

2. the routes along which personal data moves within the company;

3. which specific employees, joint controllers, processors and third parties have access to personal data;

4. the purpose and scope of each personal data processing operation.

The company needs to account for every party that may be a joint controller, processor or other recipient of the data, because the GDPR obliges the controller to inform data subjects about the recipients or categories of recipients of their data (Art. 13 and 14). In addition, the company must identify all organisations and countries to which personal data is transferred, including those outside the European Union. For transfers to third countries, it should first check whether the European Commission has issued an adequacy decision for the destination country (Art. 45). Where there is none, the transfer needs appropriate safeguards such as standard contractual clauses or binding corporate rules (Art. 46), together with an assessment of the risks of the transfer and measures to mitigate them. Only if neither is available can the transfer rely on one of the derogations of Art. 49, such as the explicit consent of the data subject given after being informed of the risks of the transfer. Where the derogation based on the controller's compelling legitimate interests is used, the controller must also inform the supervisory authority of the transfer.

Liability for non-compliance with GDPR requirements

When the GDPR came into force, some companies were rather sceptical about the liability for non-compliance, since the Regulation itself seemed more declarative than practical. By now, however, there are documented violations, high-profile scandals and enforcement actions against violators. In addition, liability does not have to take the form of a fine: Art. 58(2) of the GDPR also gives supervisory authorities the power to issue a warning or reprimand, to order the controller to bring processing into compliance, and to impose a temporary or definitive limitation or ban on processing.

One of the most striking examples was the scandal involving the Canadian company AggregateIQ, the British company Cambridge Analytica and the American company Facebook.

The former political consultancy Cambridge Analytica and AggregateIQ came into the spotlight in 2018 after it was revealed that the personal data of Facebook users had been harvested unlawfully. Through the "This Is Your Digital Life" app, data from millions of profiles was obtained without valid consent, including information about preferences and demographics and, for some users, private messages. From this data Cambridge Analytica built detailed user profiles that were used to influence voter behaviour through targeted political advertising.

The two companies not only worked on Donald Trump's 2016 campaign but also used these techniques to influence voter behaviour in other countries.

On September 20, 2018, AggregateIQ became the first company to be served with a formal enforcement notice by the UK Information Commissioner's Office for breaching the GDPR; failure to comply with such a notice can carry a fine of up to £17,000,000. The company filed an appeal against the notice.

This scandal had profound consequences not only for Cambridge Analytica and AggregateIQ but also for Facebook, which was severely criticised for its weak protection of user data. The ethics of personal data processing in the digital environment became the subject of widespread debate and prompted new rules on the protection of personal information. The incident also underlined the importance of transparency and ethical handling of personal data in a world where the Internet and social media are part of everyday life.

In August 2022, Facebook (by then Meta) agreed to settle the US class action brought over this case.

Based on the above, we can highlight the main requirements and provisions of the General Data Protection Regulation (GDPR):

1. Universal principles of data protection: The GDPR lays down general principles for the processing of personal data, such as lawfulness, fairness and transparency, purpose limitation, data minimisation, storage limitation, integrity and confidentiality, and accountability (Art. 5). These principles bind any company whose processing falls within the scope of the Regulation.

2. Rights of data subjects: The GDPR gives individuals whose data is processed a number of rights, including the right of access to their data, the right to rectification of inaccuracies, the right to erasure and to restriction of processing in certain cases, and the right to object. These rights apply to all data subjects in the EU regardless of their nationality or place of residence.

3. Accountability and the duty to demonstrate compliance: The GDPR makes companies accountable for their processing and requires them to be able to demonstrate compliance (Art. 5(2)). In practice this means that companies must be ready to produce their records of processing and information about their data protection measures and procedures at the request of the supervisory authority, and must notify the authority of a personal data breach within 72 hours of becoming aware of it unless the breach is unlikely to result in a risk to individuals (Art. 33).

Specifics of GDPR compliance for Cypriot companies

After the adoption of the General Data Protection Regulation by the European Parliament and the Council, Cyprus, as an EU Member State, amended its national legislation: the Personal Data Protection Law (Law 125(I)/2018) came into force.

Among the national particularities are the following:

Age

Under Art. 8 of the GDPR, where an online service (an "information society service") is offered directly to a child and consent is relied on as the legal basis, the consent of a child under 16 is valid only if it is given or authorised by the holder of parental responsibility. Member States may lower this age, but not below 13.

In Cyprus, the Personal Data Protection Law sets the threshold at 14, so parental consent is required for the processing of personal data of children under the age of 14.

Sensitive data

Under Art. 9 of the GDPR, the processing of special categories of data (health, biometric and genetic data; data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; and data concerning sex life or sexual orientation) is prohibited unless one of the exceptions in Art. 9(2) applies, the first of which is the explicit consent of the data subject. Cyprus goes further: the Personal Data Protection Law prohibits the processing of genetic and biometric data for health and life insurance purposes outright, and consent cannot serve as a legal basis for it.

In practice, an insurer in Cyprus may not use an applicant's genetic or biometric data when deciding whether to offer health or life insurance or on what terms, even with the applicant's consent.

Limitation of rights

Art. 23 of the GDPR allows Union or Member State law to restrict the rights of data subjects (and the corresponding obligations of controllers) in specific cases, provided the restriction respects the essence of fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

1. national security;

2. defence;

3. public security;

4. the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and prevention of threats to public security;

5. other important objectives of general public interest of the European Union or a Member State, in particular an important economic or financial interest of the Union or a Member State, including monetary, budgetary and taxation matters, public health and social security;

6. the protection of judicial independence and judicial proceedings;

7. the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;

8. a monitoring, inspection or regulatory function connected to the exercise of official authority in the cases listed above;

9. the protection of the data subject or the rights and freedoms of others;

10. the enforcement of civil law claims.

On the same grounds, the controller may be relieved of the duty to communicate a personal data breach to the data subject (Art. 34), but only where a restriction of the data subject's rights is permitted in the first place. An important nuance in Cyprus is that the decision to restrict rights must be approved in advance by the Commissioner for Personal Data Protection, and a data protection impact assessment must be carried out beforehand.

Restricting data subjects' rights and withholding notification of a data breach are therefore reserved for exceptional cases.

Powers of the Data Protection Authority

The GDPR also provides for the establishment of supervisory authorities and gives them broad powers to oversee compliance with the Regulation. However, the GDPR describes the exercise of those powers in fairly general terms, so national legislation regulates the matter in more detail.

The main points are:

1. The Commissioner has free access to all data necessary for the performance of his or her duties and the exercise of his or her powers, except for information covered by legal professional privilege.

2. For that purpose the Commissioner may enter any office, business premises or vehicle, but not a private residence, at his or her discretion and without prior notice to the controller, the processor or their representatives.

Transfer of special categories of personal data

The transfer of personal data outside the EU is already a demanding process, but where special categories ("sensitive" data) are involved, additional safeguards apply.

First of all, we need to define what kind of data is considered "sensitive" in the context of this process and the liability attached to it.

"Sensitive data is a category of personal data that may cause significant harm to the plaintiff if disclosed and inadequately maintained, according to the practice of national and international courts. Therefore, they require a much higher level of protection than 'ordinary' personal data."

Anatoliy Lytvynenko

Therefore, we can conclude that sensitive data is data whose processing poses a particular risk to the rights and freedoms of the data subject, including health data and genetic and biometric data.

The European Court of Human Rights (ECtHR) hears a steady stream of cases concerning the negligent storage, disclosure and retrieval of personal data.

For example, in I v. Finland (2008) the applicant, a nurse, complained that the hospital where she worked had failed to keep her HIV-positive status confidential from colleagues; the Court found a violation of Art. 8 of the Convention because the hospital could not show that it had adequately restricted access to her medical records. In Sommer v. Germany (2017) the applicant, a lawyer acting for a convicted client (the client was not a party to the proceedings before the Court), complained that the German authorities had obtained his bank account data and disclosed it in the criminal proceedings against his client.

Let us return to the regulation of this issue in Cyprus. As noted above, genetic and biometric data may not be processed for health or life insurance purposes under any circumstances. Other special categories of data may be transferred outside the EU only after prior notification of the Commissioner: the company must provide the necessary documentation (such as evidence of the informed consent given by the data subjects) and confirm that it has taken appropriate technical and organisational security measures.

If the Commissioner considers that the transfer of this data may harm the public interest, he or she may restrict or even prohibit it.

Penalties

Under the GDPR, the amount of an administrative fine is determined case by case, taking into account:

1. the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned, the number of data subjects affected and the level of damage suffered by them;

2. the intentional or negligent character of the infringement;

3. any action taken by the controller or processor to mitigate the damage suffered by data subjects;

4. any relevant previous infringements by the controller or processor;

5. the degree of cooperation with the supervisory authority in remedying the infringement and mitigating its possible adverse effects; and so on. The full list of circumstances is set out in Art. 83(2) GDPR.

In other words, the Commissioner must weigh all aggravating and mitigating circumstances when deciding whether to impose an administrative fine and how much.

As for Cyprus, the Personal Data Protection Law (125(I)/2018) does not lower the GDPR's fine ceiling for companies: Art. 83 applies directly, so fines of up to EUR 20,000,000 or 4% of worldwide annual turnover, whichever is higher, remain possible. The cap of EUR 200,000 set by the Law applies to administrative fines imposed on public authorities and bodies, for which Art. 83(7) allows Member States to lay down their own rules.

Special requirements

Every EU Member State has its own supervisory authority; in Cyprus this is the Commissioner for Personal Data Protection. The Commissioner is authorised to set requirements for the documentation that companies keep to comply with the GDPR.

Art. 30 of the GDPR requires each controller (and each processor) to keep a record of its processing activities, including the purposes of processing, the categories of data subjects and personal data, the recipients, any transfers to third countries, the envisaged retention periods and a general description of the security measures. The exemption in Art. 30(5) for organisations with fewer than 250 employees does not apply where the processing is likely to result in a risk to data subjects, is not occasional, or involves special categories of data, so in practice most companies need the record. The Commissioner provides templates for this documentation and allows records to be kept in either Greek or English, which genuinely simplifies the task for non-residents.

The Commissioner's Office does not forget data subjects either: there are also templates for them to file complaints about violations of their rights, complaints about unsolicited e-mail (spam), and other matters concerning violations of the Personal Data Protection Law.

Violation of GDPR requirements in Cyprus

There have been many findings of violations of these legal acts in Cyprus since the GDPR and the Personal Data Protection Law (125(I)/2018) came into force, but the largest fine was imposed on a Cypriot company that unlawfully used the Bradford factor. The Bradford factor is a scoring formula for employee absence, B = S² × D, where S is the number of separate spells of absence over a period and D is the total number of days absent, which penalises frequent short absences; the company used it to track sick days and build profiles of its employees. The Commissioner found that this use breached Art. 6 of the GDPR (no valid legal basis for the processing) and Art. 9 (special categories of data, since sickness absence is health data). The company received three fines of EUR 70,000, EUR 10,000 and EUR 2,000.

To summarise, Cyprus is well positioned to comply with the General Data Protection Regulation. The adoption of these requirements is an important step in ensuring the privacy and protection of the personal data of people in the European Union. Cyprus has taken significant steps to implement the GDPR, including mandatory staff training, the establishment of data management systems and regular updates of data protection policies. However, businesses still face challenges on the way to full compliance, such as changes in legislation and the need to monitor and improve data protection measures continuously. The development of GDPR compliance practice in Cyprus is an ongoing process in which cooperation between the authorities, businesses and the public plays an important role in ensuring that personal data is effectively protected and the highest privacy standards are met.

Emma Loker BSc, PGDip

Founder & CEO of MindWrite | Child and Adolescent Therapist | Mental Health Advocate

6 months ago

Great read - really informative.


More articles by TAXUS LAW & FINANCE
