Law: Law 125(I) of 2018 Providing for the Protection of Natural Persons with regard to the Processing of Personal Data and for the Free Movement of Such Data (the Law) and the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR)

Regulator: Office of the Commissioner for Personal Data Protection (the Commissioner)

Summary: Cyprus implemented the GDPR by means of Law 125(I) of 2018 Providing for the Protection of Natural Persons with regard to the Processing of Personal Data and for the Free Movement of Such Data (the Law), which entered into force on July 31, 2018. The Law presents some variations from the GDPR, such as in relation to the processing of genetic and biometric data for life insurance purposes, the international transfer of special categories of personal data, and the age of consent, which is set at 14 years old.

The Law establishes the Office of the Commissioner for Personal Data Protection (the Commissioner) as the supervisory authority responsible for monitoring the application of the GDPR and of the Law and stipulates measures relating to the processing of personal data. The Commissioner has issued several guidelines covering key topics such as the protection of children's data, cookies, breach notifications, data protection officer appointments, and direct marketing. Legislation in Cyprus also provides for criminal offenses, punishable with imprisonment, for certain violations of the Law and the GDPR.