Newsletter No.2 – November 2018

New Regulation on the Protection of Personal Data (GDPR)

Both the technological evolution of recent years and the social and economic integration achieved through the internal market, have led to a rapid increase in the volume of personal data that is stored, processed and trafficked globally. As a result of these developments, it has become imperative to introduce new rules on the protection of personal data.

The European Union has recognised this need, and after years of consultation has adopted, on 27 April 2016, a new Regulation (EC) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of data and on the free movement of such data or the General Data Protection Regulation (hereinafter referred to as "GDPR") as is widely known.

The GDPR has been directly applicable in all Member States of the European Union since 25 May 2018 without the need to vote on local national legislation and by repealing the existing laws and regulations. In Cyprus, the national law providing for the protection of natural persons regarding the processing of personal data and for the free movement of such data (Law 125(I)/2018), was published on the 31st July 2018. The national legislation was adopted for the effective implementation of certain provisions of the GDPR, which applies as of 25 May 2018.

The new EU GDPR is the biggest change in data protection legislation for almost 20 years, introducing both new obligations and new rights, and aiming at a consistent and uniform regulation of the right to protection of personal data across Europe.

Where does the GDPR apply?

The GDPR applies to individuals, companies or public or private law organisations (the "controllers") who collect, process, register, organise, store, distribute "personal data" relating to natural persons within the European Union, either the processing takes place within the European Union or outside. Where the processing takes place outside the European Union, the GDPR applies when processing activities relate to the supply of goods or services to persons in the European Union or the monitoring of behaviour of individuals, only to the extent that such behaviour takes place within the European Union.

The GDPR does not apply to the processing of personal data by a natural person in the context of a purely personal or domestic activity. Also, the GDPR does not cover the processing of personal data of deceased persons or legal entities.

What is "personal data"?

"Personal data" includes any information relating to a natural person (the "data subject") through which the identity of that person can be identified, directly or indirectly. This information includes the name, identity number, location data, online identity card or one or more factors relevant to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.

Rights of the "data subject"

The GDPR incorporates innovative rights of the 'data subject', that is, the person whose personal data are processed. Enhanced rights provide individuals with more control over their personal data through the right to withdraw the consent of the person concerned (when it is given), easier access to his / her personal data, rights of rectification, erasure, the right to object, the right to request restriction of processing and the right of data portability.

Obligations of "controllers"

If any natural person or company or organisation registers and uses any information relating to natural persons who are alive in a computer or in a physical archive with folders for purposes other than personal or domestic activity, then that natural person or company or organisation has obligations under the GDPR.

The GDPR sets a series of restrictions and new obligations on businesses regarding the processing of personal data throughout their life cycle, from their collection to their destruction, the possibility of their transfer on to other countries, protecting the rights of natural persons, security (privacy, integrity, availability) of personal data and disclosure actions that the business should pursue in the event of a breach. The GDPR also establishes the obligation for data controllers to provide transparent, comprehensive and easily accessible information by 'data subjects' as regards the processing of their personal data.

Appointment of a Data Protection Officer

For companies and public authorities performing data processing operations, the GDPR establishes the obligation to appoint a Data Protection Officer in three cases:

-        where the processing is carried out by a public authority or a public body (irrespective of the type of data being processed),

-        where the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or, and

-        where the core activities of the controller or the processor consist of processing on large scale of special categories of personal data or data relating to criminal convictions and offences.


The GDPR empowers the National Data Protection Authorities to impose administrative penalties of up to 4% of their annual worldwide turnover for infringements, taking into account seriousness and other factors, or EUR 20 million depending always on which is the biggest. The national legislation passed for the protection of personal data, Law 125(I)/2018, also prescribes several criminal offences and penalties in relation to matters concerning personal data.

Provision of Legal Support

The law firm of E. TZIONI & ASSOCIATES LLC with knowledge and experience on personal data protection matters provides legal services, including the following:

- Assessment of the level of personal data protection and the level of compliance of the company based on the provisions of the GDPR.

- Provision of legal advice on the preparation of a programme to strengthen the company's data protection framework and to comply with the GDPR and to prepare all necessary policy manuals and statements regarding the regulation of personal data protection issues, according to the needs of each business.

- Provision of services in relation to the duties and obligations of the Data Protection Officer.

- Provision of ongoing support and information on compliance issues with the GDPR.

- Communication with the Personal Data Protection Commissioner of Cyprus on behalf of clients regarding legal issues that need to be clarified, prior consultation process issues, third-country transfer permits, notifications and more.

- Seminars and sessions on support, training, education and understanding of the new legislative framework and the new rights and obligations arising from the GDPR.

For more information you can contact Eleni Tzioni at eleni@tzionilaw.com.cy and on +357 22932293.

More news