Data protection has become a major challenge for all kinds of organisations, both private and public, and it is one that needs to be addressed diligently. We now live in an era in which data are collected, stored, processed and used on an unprecedented scale, enabling individuals and organisations alike to carry out their day-to-day functions more efficiently. Therefore, individuals need to protect their privacy and personal data more than ever before.
Personal data relates to any type of personal information that can be used to establish your identity, either directly or indirectly. Examples of personal data are a person's name, passport number, e-mail address, and place and date of birth. Personal data protection aims to protect the individual from the unauthorised collection and processing of such data.
In Cyprus, the Processing of Personal Data (Protection of Individuals) Law of 2001 transposes the provisions of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. In May 2016, a comprehensive package of two EU data protection Acts came into force: the General Regulation (EU) 2016/679 (the GDPR), which repeals Directive 95/46/EC, and Directive 2016/680, which applies specific data protection rules in the area of law enforcement. The Regulation will be implemented as of 25 May 2018 and the Directive must be transposed into national legislation by 6 May 2018.
How Are Administrative Service Providers (ASPs) Affected?
In their everyday work, ASPs inevitably collect and process the personal data of employees, clients or other individual business associates. For the purposes of the Processing of Personal Data Law, ASPs processing personal data are considered to be Data Controllers, whose obligations include ensuring that:
- Personal data is collected for specified and legitimate purposes and that it is not further used for incompatible purposes;
- This data is necessary and proportional to the purposes of ASPs;
- Personal data remains accurate and up to date and is kept only for the period necessary;
- The confidentiality and security of the processing are maintained;
- The Commissioner for Personal Data Protection is notified of the processing of such data;
- A licence is obtained from the Commissioner before any transfer of personal data takes place to third countries outside the EU and the EEA and to countries with an adequate level of protection.
How Do ASPs Ensure Compliance With Current Legislation?
For ASPs that simply collect personal data and keep a register:
- In these cases, the Commissioner of Personal Data Protection needs to be notified in writing of the keeping of such a register.
- The form found in Appendix I must be used for this purpose and all the details required on the form must be provided.
For ASPs that, in addition to the keeping of a register as identified above, process data due to the nature of their work outside the EU or EU equivalent countries (e.g., providing passport copies of individuals for the opening and managing of a bank account):
- They must apply to the Commissioner of Personal Data Protection for the granting of a licence.
- The form found in Appendix II must be used for this purpose and all the details required on the form must be provided.
- A separate application needs to be made if the data is to be transferred to the USA. The form found in Appendix II is used.
- The licence will usually only be granted if the Commissioner considers that the countries ensure an adequate level of protection for the individuals.
- A fee of €42.50 per application is payable to the Commissioner once permission is granted. The licence has an expiry date, at which point a renewal application needs to be filed, accompanied by the fee of €42.50.
- In cases where the personal data of employees is being transmitted by the ASP, the ASP can request the employee’s consent, although this consent may not be accepted in court in the course of legal action. (Please refer to Appendix III for a specimen consent form.)
- It is also recommended that ASPs include special clauses on personal data protection in their employment contracts for new recruits, thus removing the need for written consent. Similar clauses can also be included in Customer Services agreements or engagement letters for new customers.
Your Rights As An Individual
The Law grants individuals the following rights (amongst others):
- The right to know that your personal data is being processed;
- The right of access to your personal data;
- The right to correct your personal data;
- The right to file a complaint with the Commissioner for Personal Data Protection.
The current Commissioner for Personal Data Protection is Mrs Irene Loizidou Nicolaidou. She may be contacted at:
1, Iasonos Street, 1082 Nicosia
P. O. Box 23378, 1682 Nicosia
Tel: (+357) 22818456
Fax: (+357) 22304565
 According to the European Commission, the EU equivalent countries are the following: Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.
The information provided in this paper is for general guidance. While the author has made every attempt to ensure the accuracy of the information, the CFA and the author are not responsible for any errors or omissions, or for the results obtained from any action taken on the basis of this paper. For a more detailed provision of the law, please refer to “The Processing of Personal Data (Protection of the Individuals) Law 138(I) 2001”.
Compliance Director, First Names (Cyprus) Ltd
Member of the CFA AML & Compliance Affairs Committee