Personal data protection in Cyprus and compliance with the new regulation EC 2016/679

Introduction

Protection of personal data is a fundamental right that derives from Article 8 ECHR, which is the right to respect the private and family life. Both National and European law must provide safeguards in order to prevent the inconsistency with the Article, as well as to ensure that the processing and storing of personal data is not excessive in relation to the purpose they are processed and preserved.

Current legislation in Cyprus

The current legislation for the processing and protection of personal data in Cyprus is the Processing of Personal Data (Protection of the Individual) Law of 2001 (the “Law”).

The Law is based on the European Directive 95/46/EC of the European Parliament and of the Council of the 24^th of October 1995 (the “Directive”) and has a twofold purpose;

• the protection of the fundamental rights and privacy of individuals and ensure the free circulation of personal data in the Member States in order to achieve economic and social progress; and
• the technical and scientific cooperation in the ever-increasing information and telecommunication society.

New Regulation

The rapid technological developments and the increase of collection and sharing of personal data have brought new challenges for the protection of personal data. Technology has allowed both private companies and public authorities to use personal data in an unprecedent way. Also, natural persons are increasingly making available personal data both publicly and globally.

Although the objectives of the Directive remain sound, it has not managed to prevent legal uncertainty and the perception that there is a significant risk to the protection of natural persons still persists. Also, the differences in the level of protection of personal data and the processing of personal data in the Member States constitutes an obstacle in the pursuit of economic activities in the European Union.

These developments made more imminent the requirement for a stronger and more coherent data protection framework in the European Union.

The New Regulation (EU) 2016/679 of the European Parliament and of the Council of 27^th of April 2016 (the “Regulation”) provides the legal certainty and transparency for economic operators i.e. legal enterprises and natural persons of the Member States, are equipped with the same level of enforceable rights and obligations in order to ensure consistent monitoring of the processing of personal data.

Key Changes introduced by the Regulation

• Increased Territorial Scope

The new regulation applies to all companies that process personal data of data subjects, who reside within the territory of the European Union. The new Regulation will apply to the processing of personal data by controllers and processors in the EU regardless of whether the processing takes place in the EU or not. Also, non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU.

• Penalties

With the new regulation, there is a stricter penalty policy:

• A fine up to 10 000 000 EUR or a 2% of total worldwide annual turnover of the preceding year, whichever is higher, for the breach of obligations set to data controllers and processors, including the conditions required for obtaining a child’s consent (article 8), failure to preserve the identification of data subjects when processing data (article 11), failure to apply protection of data mechanisms by design and by default (article 25), breach of the responsibilities of a data protection officer (article 39) and failure of supervisory authorities to monitor compliance with the code of conduct (article 41).
• A fine up to 20 000 000 EUR or a 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher will be imposed where there is infringement of basic conditions of data processing (articles 5, 6 and 7), breach of data subjects’ rights (articles 12 to 22) where there is a breach of requirements set out in the Regulation regarding the transfer of personal data to a recipient in a third country or an international organisation (article 44 to 49) or failure to comply with the indications of the supervisory authority pursuant to article 58.
• Consent

The Regulation sets a new definition of “consent of the data subject”; as the subject’s specific, freely given, informed and unambiguous of indication wishes by which he or she by statement or by a clear affirmative action, signifies agreement to the personal data processing relating to him or her.

The conditions for obtaining consent from data subjects, have been strengthened. Now a request for consent must be given in a written declaration in a distinguishable and easily accessible form with clear and plain language. Data subjects must be informed of the purpose of the data processing and must be informed of their right to withdraw such consent as it was given.

• Expansion of Data Subjects’ rights

The new Regulation has expanded data subjects’ rights with the most important examples set out below:

• Right of Access: the data subject has the ability to obtain confirmation by data controllers whether his or her personal data is being processed (article 15);
• Right of Rectification (article 16);
• Right of Erasure (“right to be forgotten”) (article 17);
• Right to Restriction of Processing under a specific number of occasions (article 18);
• Right to Data Portability: the data subject shall have the right to receive the personal data concerning him or her (article 20);
• Right to Object at any time to the processing of personal data concerning him or her (article 21);
• Right to be notified on a potential breach of personal data by the data controller (article 34).
• Data Protection Officers

A data protection officer (“DPO”) is the person designated by the data controller under certain circumstances: a) where the data processing is carried out by a public authority, b) where the processing activities of the data controller requires regular and systematic monitoring of data subjects on a large scale or c) where the processing activities of the controller consist of processing on a large scale of special categories of data (e.g. data revealing racial or ethnic origin, political opinions, religious beliefs etc.) and personal data relating to criminal convictions.

A DPO may be a member of staff of the controller and shall be designated on the basis of professional qualities (i.e. expert knowledge of data protection law and practices) and have the ability to fulfil his tasks listed below:

• To inform and advise the data controller, processor and the employees who carry out the data processing, their obligations pursuant to the data protection provisions of the new Regulation and any other EU provision;
• To monitor compliance of the controller or processor with the Regulation’s policies in relation to protection of personal data;
• To monitor and provide advice in regards to data protection impact assessments;
• To cooperate with the supervisory authority (in Cyprus the supervisory authority is the Office of the Commissioner for the Personal Data Protection);
• To act as a contact point between the supervisory authority relating to the processing of personal data;
• Special Categories of Personal Data

The Regulation provides under article 9 for the processing of special categories of personal data. Such categories of personal data may reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, and the processing of genetic data (e.g. DNA), biometric data (e.g. fingerprints), data concerning health or a natural person’s sex life or orientation. According to the Regulation, the processing of the abovementioned is prohibited unless the following conditions in article 9(2) apply:

1. The data subject has given explicit consent to the processing of his/her personal data for one or more specified purposes;
2. Where the processing is necessary for the purposes of carrying out the obligations and exercising of specific rights of the controller or the data subject in the field of employment, social security and social protection law;
3. Where the processing is necessary to protect the interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
4. Where the processing is carried out in the course of the legitimate activities and with appropriate safeguards by an association or a non-profit organisation with political, philosophical, religious or trade union aim and provided that the personal data is not disclosed outside that body without consent of the data subjects;
5. Where processing relates to personal data which are made public by the data subject;
6. Where processing is necessary for the establishment or defence of legal claims;
7. Where processing is necessary for reasons of substantial public interest;
8. Where processing is necessary for purposes of preventive or occupational medicine, assessment of the working capacity of the employee, medical diagnosis and the provision of health or social care;
9. Where processing is necessary for reasons of public interest in the area of public health, safety of health care and medicinal products;
10. Where processing is necessary for archiving purposes in the public interest, scientific or historical research or statistical purposes;

What should be done

The Regulation will apply from the 24^th of May 2018, therefore by that date any controller established in the Republic of Cyprus must follow the provisions of the Regulation accordingly.

The Office of the Commissioner for Personal Data Protection in Cyprus will also promote the adoption of a draft law on the implementation of the Regulation. Likewise, in cooperation of Data Protection Offices in the other Member States there will be guidelines and codes of practice adopted and published order to comply with the provisions of the Regulation.

The Office of the Commissioner for Personal Data Protection in Cyprus has published a 10-step preparatory checklist for the smoother application of the Regulation:

• Be informed of the new Regulation and identify any aspects of the new Regulation that might affect the organisation;
• Keep record of the activities of the organisation that fall under the provisions of the new Regulation (such records will be useful both for internal purposes and for transparency purposes);
• To update clients and partners of the organisation, either in hardcopy or via a website of any changes to the policies of the organisation;
• To check whether the updated data subjects’ rights might affect the activities of the organisation and incorporate new policies in order to enable the use of such rights (where applicable);
• To ensure that the legal basis under which the organisation is operating is in compliance with the provisions of the new Regulation;
• To ensure that the requirement of consent by data subjects is in compliance with the Regulation and that such consent is “explicit”;
• To ensure that in case of infringement of personal data, proper safeguards are laid down and are in accordance to the Regulation in order to inform both the Data Protection Office and the influenced data subject;
• To identify high risk activities, in the case of big organisations and to appoint a DPO in order to assist with the implementation of the provisions of the Regulation. In case of the organisation using or developing new data processing mechanisms, the DPO must make sure that such mechanisms implement data protection tools by design and by default;
• In the case where the organisation is based in more than one Member State, the organisation is able to designate its place of business and by extension follow the guidelines of the Data Protection Office of that Member State. For organisations with cross border activities, the Regulation provides for a coherence mechanism in order to allow cooperation with various authorities.
• The new Regulation introduces new obligations for organisations that must be followed, such as record of data processing, the carrying out of assessment of impact of high risk situations, the application of codes of conduct, certification of data processes and the use of DPOs. It is important to note that each organisation must identify under which of the mentioned obligations is subject to.