skip to content
 

Data Protection Laws and Freedom of Expression Report:  Cyprus File:Flag of Cyprus.svg

 

 

I. First-Generation Statutory Law

Cyprus did not adopt a first-generation data protection statute.
 

II.Second-Generation Statutory Law

Cyprus adopted its Data Protection Act on 23 November 2001 with a view to implementing Directive 95/46 into domestic law. It joined the European Union 1 May 2004.
 
Special Expression Derogations
Cyprus did not exclude the special expression from the application of the data quality principles. It did, however, unconditionally exempt the media from compliance with the proactive direct and indirect transparency rules (art. 11(5)). The reactive transparency rule (subject access), in contrast, remained fully applicable. Cyprus constructed the scope of the derogation more narrowly than the Directive by excluding literary (but not artistic) expression. As regards sensitive data, the Cypriot Data Protection Law contained an open-textured exemption based on a strict public interest test (art. 6(2)(i)). No specific derogation was provided from the legitimating ground condition, the notification of processing condition or the data export condition.
 
Broad Expression Derogation
No special provision was adopted.
 
Personal Exemption
The processing of personal data, which is performed by a natural person in the course of a purely personal or household activity was excluded from the application of the Act (art. 3(2)).
 
Knowledge Facilitation Framework
No derogations were provided from the data quality principles for knowledge facilitation purposes. However, the law stated that the Commissioner might, by a reasoned decision, allow the preservation of personal data for historical, scientific or statistical purposes ʻif he considers that the rights of the data subjects or third parties are not affected’ (art. 4(1)(e)). Furthermore, no exemptions were granted from the proactive direct or indirect or the reactive transparency rules, the need for a legitimating ground, notification of processing or data export conditions. Exemption from proactive transparency in the case of indirect collection on grounds of disproprotionate effort required a license and statistical, historical and scientific research purposes were explicitly mentioned in this regard (art. 11(3)(b)).  The processing of sensitive data was allowed under the condition that ‘all the necessary measures are taken for the protection of the data subjects’ (art. 6(2)(h)).  
Parliamentary and Legislative Debates
There were no parliamentary debates found on either the special or broad expression derogation, the personal exemption or the knowledge facilitation framework.
 

III.Third-Generation Statutory Law

 Cyprus adopted the ‘Law providing for the Protection of Natural Persons with regard to the Processing of Personal Data and for the Free Movement of such Data of 2018 (125(1)/2018)’ implementing the GDPR on 31 July 2018 and repealed the ‘Processing of Personal Data Law’ of 2001.
 
Special Expression Derogation
Cypriot law provides for an exemption from the proactive transparency rule where data has not been collected from the data subjects themselves and also from reactive transparency rule (subject access) which depends on a threshold of minimal substantive strictness. In sum, an exemption will apply whenever these provisions even affect the right to freedom of expression and information (art. 29(2)). Otherwise, the law sets out an overarching derogation whose precise relationship with the GDPR’s provisions remains somewhat unclear. This derogation establishes that processing of both ordinary and sensitive personal data is ‘lawful’ provided that it is ‘analogous’ to the intended objective and it respects the ‘essence’ of the rights defined in the EU Charter, European Convention on Human Rights, and the national constitution. As a result of its reference to lawfulness, this balancing test clearly applies directly both to the general need for a legal basis for processing and, in relation to sensitive data, the rules which require a special legal basis to lift the presumptive ban which otherwise may apply here (art. 29(1)).  These provisions only ambiguously establish the priority of the special expression derogation over the knowledge facilitation framework.
 
Broad Expression Derogation
No special provision adopted.
 
Personal Exemption – see GDPR, art. 2(2)(c)
 
Knowledge Facilitation Framework - see also GPDR, art. 5(1)(b) (compatibility), art. 5(1)(e) (time limits) and art. 89(1) (appropriate safeguards)
Art. 31 appears to require that processing for the purpose of public interest archiving, scientific and historical research, and statistical purposes not be used for taking a decision which produces legal effects concerning the data subject or similarly significantly affects him or her. Beyond what is established in the GDPR itself, no derogation in favour of knowledge facilitation is set out.
Parliamentary and Other Legislative Debates
In its report on the implementation law, the Parliamentary Committee on Legal Affairs made no mention of the balancing of freedom of expression and data protection. It only observed that the processing of personal data would be permitted where necessary for purposes of preventive or professional medical assessment within health and social care or treatment.[1]
Later on in the legislative process, the Parliamentary Committee on Legal Affairs reviewed the implementation law after it was referred to it by the Cypriot President due to a number of incompatibilities between the implementing law and the GDPR.[2] One of the incompatibilities concerned art. 7 of the draft law, which dealt with the ‘Processing for the Prevention, Detection, Investigation or Prosecution of Offenses or Fraud’. This provision was excluded from the GDPR, as it falls within the scope of Directive 2016/680. Another incompatibility concerned the exception for processing for insurance purposes, which the President deemed to be in violation of articles 7 and 8 of the European Convention on Human Rights as well as art. 26 of the Cypriot Constitution.[3] Freedom of expression issues were, however, not discussed.
 
In the introduction to the parliamentary debate on the implementation law, a number of measures were mentioned which the law aims to take. Although the balance between freedom of expression and data protection was not explicitly mentioned, it was stated that certain mechanisms would need to be included in the law in order to limit certain rights under the Regulation.[4]
 
The House of Representatives voted on two amendments, both proposed by the ‘AKEL-Left-New Forces parliamentary groups’ to (i) permit processing in the criminal investigation/ prosecution process, and in relation to insurance contracts and (ii) to require the data controller to correct inaccurate personal data and delete it under certain conditions. Both amendments were approved without discussions on the balance between freedom of expression and data protection. It was, moreover, discussed that the processing of personal data for the purpose of issuing or publishing judicial decisions should be permissible.[5]
 
No mention was made of the knowledge facilitation framework.[6]
 

[1] ‘Report of the Parliamentary Committee on Legal Affairs on the Bill “On the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of this Data of 2018”’ (11 July 2018) http://www2.parliament.cy/parliamentgr/008_5h/008_05_5337.htm (last accessed 24 January 2020).
[2] Parliamentary Committee on Legal Affairs, ‘Report of the Parliamentary Committee on the Referred Law “Act on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of such Data of 2018”’ (27 July 2018) http://www2.parliament.cy/parliamentgr/008_01/008_02_IAB/praktiko2018-07... (last accessed 24 January 2020).
[3] Ibid.
[4] Parliamentary Debates (13 July 2018) http://www2.parliament.cy/parliamentgr/008_01/008_02_IAB/praktiko2018-06... (last accessed 5 March 2021).
[5] Ibid.
[6] Ibid.