CYPRUS

The Cyprian Office of the Commissioner for Personal Data Protection website:
http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/index_en/index_en?opendocument

The Processing of Personal Data (Protection of the Individual) Law of 2001 (As amended by the 2003 Act):
http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/697e70c0046f7759c2256e8c004a0a49/f8e24ef90a27f34fc2256eb4002854e7/$FILE/138(I)-2001_en.pdf

What needs to be done prior to collection?

CONTACT THE DATA SUBJECT

Section 11 – Right to be informed

(1) The controller shall, at the time of collection of the personal data from the data subject, provide the latter, in an appropriate and explicit way, with at least the following information:
  a. His identity and the identity of his representative, if any;
  b. The purpose of the processing;
(2) The controller shall also inform the data subject about the following:-
  a. The recipients or the categories of recipients of the data; and
  b. The existence of the right of access to and rectification of the data;
  c. Whether the data subject is obliged to provide assistance, by virtue of which provisions, and the consequences of his refusal, if any; provided that this notification is necessary for securing legitimate processing in each case
(3) The provisions of:
  a. Subsection (1) shall also apply where the data is collected from third parties or where it is anticipated that they will be communicated to third parties, and the data subject shall be informed during its recording or at its first communication, as the case may be
  b. Paragraph (a) shall not apply, especially in cases where the processing is performed for statistical and historical purposes or for purposes of scientific research if it is impossible to inform the data subject or where disproportionate effort is necessary in order to inform him, or if the communication of data is provided by another law, provided that in each case a license is issued by the Commissioner.
(4) The obligation to inform under subsections (1), (2) and (3) may, on the application of the controller, be waived wholly or partly, by decision of the Commissioner where the collection of personal data is performed for the purposes of defence, national needs or national security of the Republic or for the prevention, detection, investigation and prosecution of criminal offences
(5) Without prejudice to the rights of the data subject referred to in sections 12 and 13, there is no obligation to inform where the collection is made solely for journalistic purposes.

NOTIFY THE DATA PROTECTION COMMISSIONER

Section 7 – Notification to the Commissioner

(1) The controller must notify the Commissioner in writing about the establishment and operation of a filing system or the commencement of processing.
(2) In the notification referred to in subsection (1), the controller must state:
  a. His full name, business name or title and his address. If the controller is not established in the Republic, he must state, in addition, the full name, business name or title and address of his representative in the Republic;
  b. The address where the filing system is established or the main equipment necessary for the processing is installed;
  c. A description of the purpose of the processing of the data which is or is intended to be processed or which is included or intended to be included in the filing system;
  d. A description of the category or categories of data subjects;
  e. The categories of data which are or are intended to be processed or which are included or intended to be included in the filing system;
  f. The period of time for which he intends to carry out the processing or to keep the filing system;
  g. The recipients or categories of recipients to whom he communicates or may communicate the data;
  h. The proposed transmissions of data to third countries and the purpose thereof
  i. The basic characteristics of the system and the measures for the security of the filing system or of the processing.

What needs to be done prior to shipping?

Section 9 – Transmission of Data to third Countries

(1) Subject to the provisions of this Law, transmission of data which have undergone processing or are intended for processing after their transmission to any country shall be permitted after a license of the Commissioner. The Commissioner shall issue the license only if he considers that the said country ensures an adequate level of protection. For this purpose, he shall take into consideration the nature of the data, the purposes and duration of the processing, the relevant general and special rules of law, the codes of conduct and the security measures for the protection of data, as well as the level of protection in the countries of origin, transmission and final destination of the data.
(2) The transmission of personal data to a country which does not ensure an adequate level of protection, is permitted exceptionally after a license of the Commissioner, where one or more of the following conditions are fulfilled:
  a. The data subject has given his consent to the transmission, unless his consent has been obtained in a way that contravenes the law or accepted moral values;
  b. The transmission is necessary:
    i. in order to protect the vital interests of the data subject, or
    ii. for the conclusion and performance of a contract concluded in the interest of the data subject between the data subject and the controller or between the controller and a third party, or
    iii. for the implementation of pre-contractual measures which have been taken in response to the data subject's request;
  c. The transmission is necessary in order to deal with an exceptional necessity for the safeguard of a superior public interest, especially for the performance of conventions of co-operation with the public Authorities of the other country,
  d. The transmission is necessary for the establishment, exercise or defence of legal claims before a court,
  e. The transmission is made from a public register which, according to the law, provides information to the public and is open to the public or to any person who can show legitimate interest, to the extent that the legal requirements for access to the register are satisfied in the particular case.
(3) Notwithstanding the provisions of subsection (2), the Commissioner may also allow the transmission of data to a country which does not ensure an adequate level of protection, provided that the controller provides sufficient guarantees, for the protection of privacy and fundamental liberties and the exercise of relevant rights and such guarantees may result from appropriate contractual clauses,
(4) Notwithstanding the provisions of subsection (1), the transmission of data to Member-States of the European Union, is free.
(5) In the cases referred to in subsections (2) and (3), the Commissioner shall inform the European Commission and the respective Authorities of the other Member States, where he considers that a country does not ensure an adequate level of protection
(6) A license under this section shall be in the prescribed form and shall be issued upon payment of the prescribed fees.

What are the sanctions for non-compliance?

Section 25 – Administrative Sanctions

The Commissioner may impose on the controllers or their representatives, if any, the following administrative sanctions in case of contraventions of their obligations which arise from this Law and from every other regulation concerning the protection of individuals with regard to the processing of personal data:
  (a) A warning with a specific time-limit for termination of the contravention;
  (b) A fine of up to £5,000;
  (c) Temporary revocation of a license;
  (d) Permanent revocation of a license;
  (e) The destruction of a filing system or the cessation of processing and the destruction of the relevant data

The administrative sanctions imposed in (b) – (e) of subsection (1) shall be imposed following a hearing of the controller or his representative. They shall be proportionate to the seriousness of the relevant contravention. The administrative sanctions under paragraphs (c) – (e) shall be imposed in cases of a particular serious or a continuous contravention. A fine may be imposed cumulatively and in conjunction with the sanctions provided for in subsections (c) – (e) above. If the sanction of destruction of a filing system is imposed, the controller shall be responsible for the destruction, and a fine may be imposed on him for failure to comply.

The fines imposed by the Commissioner shall be collected as a civil debt.

Section 26 – Offences and Penalties

(1) An offence is committed by any person who:
  - Omits to notify to the Commissioner, in contravention of section 7, the establishment and operation of a filing system, the carrying out of the processing or any change in the terms and conditions for the grant of the license provided by subsection (5) of section 7;
  - In contravention of section 7, keeps a filing system without a license or in contravention of the terms and conditions of the license granted by the Commissioner;
  - Without being entitled to do so, intervenes in any way in a filing system of personal data or acquires knowledge thereof, or removes, alters, damages, destroys, processes, transmits, communicates the data, or renders them accessible to persons not entitled to access or permits such persons to acquire knowledge of the said data or makes use of them in any way;
  - Being a controller, transmits personal data in contravention of section 9
(2) Where the person responsible for the acts referred to above intended to obtain for himself or anyone else an unlawful financial benefit or cause injury to a third party, he shall be liable to imprisonment for a term not exceeding five years or to a fine not exceeding £5,000 or to both such imprisonment and fine.
(3) Where the acts referred to above endanger the free functioning of the Government of the Republic or national security, the person found guilty shall be liable to imprisonment for a term not exceeding five years or to a fine not exceeding £5,000 or to both such imprisonment and fine.
(4) If the acts referred to above were caused by negligence, the person found guilty shall be liable to imprisonment for a term not exceeding three years or to a fine not exceeding £3,000 or to both such imprisonment and fine.
(5) The offences committed in contravention of the provisions of this section for which no other penalty is expressly provided, are punishable with imprisonment for a term not exceeding one year or with a fine not exceeding £2,000 or by both such imprisonment and fine

Please refer to the Cyprian Office of the Commissioner for Personal Data Protection website for further details on the Statute.