Ali Azarlouyeh

How does the GDPR protect your data privacy? (Cyprus)

Updated: Feb 19, 2022


Data Privacy has high importance to every single one of us. Data breaches such as the one related to the Facebook–Cambridge Analytica data scandal can have a huge impact on people, and the public outcry is never light. In 2021 alone, fines related to data privacy exceeded €1 billion in the EU, illustrating the EU’s focus on protecting EU citizens’ data privacy rights.


The EU residents’ and citizens’ data privacy rights are shielded through laws and regulations focused on protecting individuals’ personal data from being used in a way which has not been agreed to by the individual. Legal protection, however, is not the only protection necessary: physical security and cybersecurity are huge factors in the area of data protection. Unfortunately, data security does not depend only on how many characters, capital letters, special characters and numbers we insert in our passwords. As the internet, and specifically company websites, are filled with valuable data, there are all kinds of hostile and/or accidental threats that need to be considered which could lead to our personal data being stolen or leaked. Therefore, both the EU and local governments introduce laws that hold organisations accountable for not being prepared for and preventing such intrusions. The General Data Protection Regulation (GDPR) is the relevant EU-wide Regulation that is designed to fit this exact purpose in the EU (to check out our GDPR article, click here).


The GDPR defines personal data as any information that relates to an identified or identifiable individual (‘data subject’). The definition of personal data is therefore undoubtedly broad: fingerprints, IP addresses, location information and names are amongst the many kinds of personal data that are protected under the GDPR.


However, there are limitations to this. The information must ‘relate to’ the data subject to be considered as personal data. For instance, a simple statistic about the number of LinkedIn users and their age group is not a violation of your data privacy rights. Despite the fact that you are indirectly identifiable in this example, the content, purpose, and result differ from what the GDPR aims to protect as personal data.


Any unauthorised action relating to your personal data is considered a ‘personal data breach’. This includes any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Such actions are known as ‘data processing’ and can only legally occur when at least one of the below “Legal Bases of Processing” applies:

· consent is given by the data subject;

· the processing is part of a contractual obligation;

· there is a legal obligation for the processing of data;

· in circumstances where the vital interests of the data subject are at risk;

· when the personal data is processed to serve a public task;

· circumstances where the processing is to serve a legitimate interest of an organisation (e.g. security cameras at the lawful premises of an office).


So what happens when a data breach occurs? Data controllers (those who determine the use and purpose of personal data) must inform the ‘supervisory authority’ of the relevant member state of any data breach. The notification must be made within 72 hours after the breach occurred and without undue delay. In Cyprus, the Office of the Commissioner for Personal Data Protection is the relevant independent data protection body that must be informed of such breaches.


Additionally, the data subjects must be informed about the breach without undue delay in cases where a ‘high risk’ of impact on their rights and freedoms is assessed. This is wholly dependent on the relevant circumstances. For example, where a customer support officer sends a troubleshooting explanation to another company instead of the person who asked for it, immediately realises the mistake and asks that company to delete the email, the data subject would not need to be informed of the breach.


Finally, the GDPR also places the obligation of appointing a data protection officer (DPO) on specific organisations. This includes public authorities and bodies, data processors or controllers whose core activity is regularly monitoring data subjects on a large scale, and businesses whose activities consist of handling sensitive personal data on a large scale. This ensures that most organisations dealing with sensitive personal data are equipped with an independent data protection assessor, answerable to the supervisory authority.


All in all, the GDPR takes an outstanding approach towards establishing what personal data is, what constitutes a personal data breach, and what actions are to be taken by data controllers and data processors in cases of a breach. These mechanisms not only ensure that data subjects know their rights but also place serious procedural burdens on businesses, with the risk of severe fines in cases of non-compliance by data controllers and collectors.


Learn more about the GDPR by clicking here.


Do you require advice in relation to Data Protection Laws in Cyprus? If so, find a Cyprus lawyer through Efkolaw by clicking here.


Please note that Efkolaw is not a law firm and it does not offer any legal advice. Any content hosted on our site is meant to be informative and does not constitute or substitute advice from a qualified legal professional.
