Cyprus adopted the General Data Protection Regulation (GDPR) alongside the rest of the European Union when it became directly applicable in May 2018. To supplement the regulation with national provisions, Cyprus enacted Law 125(I)/2018 on the Protection of Natural Persons with Regard to the Processing of Personal Data. Businesses operating in Cyprus — including the large financial services, shipping, tourism and technology sectors — must comply with both the GDPR and this national implementing law.
The Commissioner for Personal Data Protection
The supervisory authority in Cyprus is the Commissioner for Personal Data Protection (Επίτροπος Προστασίας Δεδομένων Προσωπικού Χαρακτήρα), an independent authority established under Law 125(I)/2018. The Commissioner's office is responsible for monitoring and enforcing compliance, handling complaints from data subjects, conducting investigations and issuing guidance to organisations.
The Commissioner has the power to impose administrative fines aligned with the GDPR's penalty framework: up to €10 million or 2% of global annual turnover for lower-tier infringements, and up to €20 million or 4% for more serious violations. Organisations that receive an inquiry or audit from the Commissioner should treat it as a significant compliance risk and engage legal counsel immediately.
What Law 125(I)/2018 Adds to the GDPR
While the GDPR applies directly across all EU member states, Law 125(I)/2018 exercises the national derogations permitted by the regulation in several important areas:
- Age of consent: Cyprus sets the age of digital consent at 14 years for information society services, meaning parental consent is required for processing the personal data of children under 14
- Employee data: The law provides a legal basis for employers to process employee data where necessary for the employment contract, employment law obligations and occupational health requirements
- Special categories of data: The law specifies the conditions under which sensitive data (health, genetic, biometric, political opinions, religious beliefs) may be processed in the Cypriot context
- Freedom of expression: Specific provisions balance data protection rights with freedom of expression and journalism
- Public interest: Conditions for processing in the public interest, research and archiving contexts are clarified
Key GDPR Obligations for Businesses in Cyprus
Cyprus businesses must fulfil all standard GDPR obligations. The following are the areas most commonly identified as gaps during assessments:
Records of Processing Activities
Every organisation with 250 or more employees, and any organisation whose processing is likely to result in a risk to data subjects, involves special categories of data, or involves criminal conviction data, must maintain a Record of Processing Activities (ROPA). In practice, even smaller organisations in Cyprus should maintain a ROPA as a baseline compliance measure and to facilitate responses to regulatory inquiries.
Data Processor Agreements
Any organisation that engages a third party to process personal data on its behalf must have a written Data Processing Agreement (DPA) in place. This is particularly relevant for Cyprus businesses using cloud services, payroll providers, marketing platforms and IT outsourcing partners. Many SMEs in Cyprus lack DPAs with their technology providers — this is frequently identified in Commissioner investigations.
Data Subject Rights
Organisations must have documented procedures for responding to data subject requests — including access, rectification, erasure, restriction and portability — within the required one-month timeframe. Failure to respond within the deadline is a common source of complaints to the Commissioner.
Data Breach Notification
Personal data breaches that are likely to result in a risk to individuals must be reported to the Commissioner within 72 hours of the organisation becoming aware of the breach. Breaches posing a high risk to individuals must also be communicated directly to those affected. Cyprus businesses should have a documented breach detection and notification procedure in place before an incident occurs.
Sectors at Heightened Risk in Cyprus
Certain sectors in Cyprus face elevated data protection risk due to the volume and sensitivity of data they handle:
- Financial services and investment firms: CySEC-regulated entities process significant volumes of client financial and identity data. GDPR obligations layer on top of MiFID II and AML documentation requirements.
- Healthcare providers: Health data is a special category requiring explicit consent or another qualifying condition. Private clinics and hospitals in Cyprus must implement correspondingly robust protections.
- Tourism and hospitality: Hotels, travel agencies and airlines collect extensive personal data. Cross-border data transfers and loyalty programme data raise specific compliance considerations.
- Legal and professional services: Law firms, accountants and auditors in Cyprus handle sensitive client data and must assess their processing activities carefully, particularly where they act as data controllers in their own right.
- Technology and fintech startups: Cyprus has a growing technology sector in Limassol and Nicosia. Product-based companies must embed privacy by design from the outset.
Cross-Border Data Transfers from Cyprus
Cyprus businesses frequently transfer personal data to non-EU countries, particularly in the context of financial services, shipping operations and technology outsourcing. Such transfers are only permitted where an adequate level of protection is ensured, either through an EU adequacy decision, Standard Contractual Clauses (SCCs), Binding Corporate Rules or another approved mechanism. Organisations should map all cross-border data flows and confirm that an appropriate transfer mechanism is in place for each.
Practical Steps for Cyprus Businesses
- Conduct a data mapping exercise: Identify every category of personal data processed, the purpose, lawful basis, retention period and any third-party sharing
- Review and update your privacy notices: Notices must be concise, transparent and written in plain language accessible to data subjects
- Audit your supplier agreements: Ensure DPAs are in place with all data processors, including cloud platforms and SaaS providers
- Implement a data subject request procedure: Assign responsibility, set up a tracking mechanism and ensure responses are issued within one month
- Establish a breach response plan: Define roles, escalation paths and the 72-hour notification workflow
- Train your staff: All employees who handle personal data should receive regular data protection awareness training
- Assess your DPO requirement: Determine whether your processing activities require a DPO and consider outsourced DPO services if a full-time appointment is not feasible
Conclusion
GDPR compliance in Cyprus requires organisations to address both the regulation itself and the national provisions of Law 125(I)/2018. The Commissioner for Personal Data Protection has demonstrated a willingness to investigate complaints and initiate proceedings against non-compliant organisations. A structured compliance programme — supported by proper documentation, trained staff and the right technology — is the most effective way to manage this risk and build lasting trust with customers and partners.