Cyprus Recording Laws: All-Party Consent Rules and Penalties (2026)

Overview of Cyprus Recording Consent Laws

Cyprus enforces one of the strictest recording consent regimes in the European Union. The country operates under an all-party consent standard, meaning every person involved in a private conversation must give their consent before that conversation can be legally recorded.

This rule applies to telephone calls, in-person conversations, video calls, and any other form of oral or electronic communication. The person initiating the recording does not receive any exemption simply because they are a participant in the conversation. Even if you are part of the discussion, you must obtain clear agreement from all other parties before recording begins.

The legal framework protecting communications privacy in Cyprus draws from multiple sources: the Constitution of the Republic of Cyprus, Law 92(I)/1996 on the Protection of Confidentiality of Private Communication, EU regulations including the GDPR, and specialized statutes governing electronic communications and data protection.

Cyprus sits at the crossroads of European, Middle Eastern, and North African legal traditions. Its legal system is based on English common law but incorporates strong continental European privacy protections through EU membership. This combination produces a privacy framework that is both robust and strictly enforced.

Constitutional Foundation: Articles 15 and 17

The right to communications privacy in Cyprus has direct constitutional protection. Two articles of the Constitution of the Republic of Cyprus form the bedrock of recording law.

Article 15: Right to Private Life

Article 15 guarantees every person the right to respect for their private and family life. This provision covers all aspects of personal privacy, including conversations held in private settings, medical consultations, and other confidential exchanges.

Article 17: Secrecy of Correspondence and Communications

Article 17 establishes that every person has the right to respect for, and to the secrecy of, their correspondence and other communication, provided such communication is made through means not prohibited by law.

There may be no interference with this right except in accordance with the law and only when necessary in the interests of the security of the Republic, the constitutional order, public safety, public order, public health, public morals, or for the protection of the rights and liberties guaranteed by the Constitution.

This constitutional language is significant. Interference with communications privacy requires both a legal basis and a demonstration of necessity for one of the enumerated purposes. No private individual has the authority to override this constitutional protection for personal reasons.

Article 35: Duty to Protect Rights

Article 35 imposes a duty on all state authorities, including courts, to ensure the efficient application of constitutional rights. This provision plays a critical role in evidence law, as it prevents courts from exercising discretion to admit evidence obtained through constitutional violations.

Law 92(I)/1996: The Core Recording Statute

Law 92(I)/1996, formally titled the Protection of the Confidentiality of Private Communication (Interception of Conversations and Access to Recorded Content of Private Communication) Law, is the primary statute governing recording and interception in Cyprus. The law was amended in 2020 to address evolving telecommunications technology.

General Prohibition

Articles 3 and 16 of Law 92(I)/1996 establish that the interception of private communication is prohibited in all cases. The content of unlawfully intercepted communications cannot be used in any criminal or civil proceeding.

The prohibition covers all forms of private communication, including telephone calls (landline and mobile), in-person conversations in private settings, electronic messaging and email, video conferencing, and any other medium of private exchange.

Lawful Interception Exceptions

The law provides narrow exceptions allowing lawful interception only under strictly controlled conditions.

Under Article 6 of Law 92(I)/1996, the Attorney General of the Republic may request an ex parte court order for surveillance of private communications. This request must be based on a recommendation from either the Chief of Police (or Deputy Chief of Police) or the Chief of the Cyprus Intelligence Service.

The court may authorize interception only for investigations involving serious criminal offenses, including murder and attempted murder, human trafficking, drug trafficking, corruption, terrorism, and espionage. The authorization must specify the scope, duration, and targets of the surveillance.

In emergency situations, the law permits interception to proceed with a court order issued within 24 hours after the surveillance begins, but a proper judicial ruling must follow promptly.

Penalties Under the Current Framework

Illegal interception, monitoring, or access to private communications is a criminal offense under Law 92(I)/1996. Offenders face imprisonment and criminal fines. The proposed 2026 reform bill would increase the maximum penalty for unlawful surveillance to up to 10 years imprisonment, reflecting the gravity with which Cyprus treats violations of communications privacy.

Under the GDPR framework implemented through Law 125(I)/2018, criminal penalties for data protection violations include imprisonment of up to 5 years and fines ranging from 10,000 to 50,000 euros.

The Georghiades Case: Landmark Supreme Court Ruling

The case of Police v. Georghiades (1983) 2 CLR 33 is the foundational precedent on recording law in Cyprus. Decided on November 16, 1982, with reasons published on February 21, 1983, this unanimous Supreme Court ruling established principles that remain binding law today.

Facts of the Case

Andreas Georghiades, a psychologist, conducted an examination of a patient named Eracleous in connection with civil proceedings. Without the knowledge of either Georghiades or his patient, lawyers for the plaintiff in the civil case installed a hidden electronic transmitter in the examination room. An advocate listened to and recorded the entire private conversation.

When Georghiades later testified in civil court, he was charged with perjury. The prosecution attempted to introduce the secretly recorded conversation as evidence to prove his testimony was false.

The Court's Ruling

The Supreme Court unanimously declared the secretly recorded evidence inadmissible. The justices found that overhearing and recording the conversation violated both Article 15 (right to private life) and Article 17 (secrecy of communications) of the Constitution, as well as Articles 34 and 35 (protection and enforcement of constitutional rights).

Key Legal Principles Established

The court established several principles that continue to shape Cyprus recording law.

No judicial discretion to admit. Unlike the English common law approach, which allows judges to exercise discretion in admitting illegally obtained evidence, the Cyprus Supreme Court held that constitutional violations create an absolute bar to admission. Articles 34 and 35 impose a mandatory duty on courts to exclude such evidence.

Broad interpretation of communication. Article 17 was interpreted to cover all forms of communication, not just written correspondence. Oral conversations in private settings fall within its protective scope.

Protection against private parties. The court held that fundamental rights protect individuals against violations by anyone, not solely state actors. A private citizen who secretly records another person's conversation violates constitutional rights just as a government agent would.

Medical consultations are protected. The court specifically noted that medical consultations are inherently private matters deserving constitutional protection.

GDPR and Cyprus Data Protection Law

As a member of the European Union, Cyprus is subject to the General Data Protection Regulation (GDPR), which applies directly. Cyprus implemented the GDPR through Law 125(I)/2018, which entered into force on July 31, 2018.

Voice Recordings as Personal Data

Under GDPR and Cyprus law, voice recordings are personal data. A recording that can identify a person through their voice, name, phone number, or other identifying details falls within the scope of data protection regulation. Businesses and individuals who collect or store voice recordings are data controllers subject to GDPR obligations.

Audio Recording: Generally Prohibited

The Commissioner for Personal Data Protection has determined that recording audio data (conversations) is highly invasive and intrusive and is generally prohibited. The Commissioner's position is that individuals have reasonable expectations that their conversations are not being recorded and will remain confidential. Audio recording is considered more intrusive than video recording because it captures private conversations.

Legal Bases for Processing

Before recording and storing a voice conversation, a data controller must identify a valid legal basis under GDPR Article 6. The most commonly relevant bases in Cyprus are:

• Consent: Freely given, specific, informed, and unambiguous agreement from all recorded parties.
• Legal obligation: Processing required by law, such as regulatory requirements for financial services call recording.
• Legitimate interest: The controller's legitimate interest, balanced against the data subject's rights. This requires a documented balancing test and is difficult to establish for audio recording given the Commissioner's position on its invasive nature.

Enforcement

The Commissioner for Personal Data Protection enforces GDPR and Law 125(I)/2018. Since the GDPR came into effect, Cyprus has handled over 2,500 complaints and imposed more than 1.7 million euros in administrative fines through 2025.

Maximum penalties under the GDPR reach up to 20 million euros or 4% of worldwide annual turnover, whichever is higher. Administrative fines on public authorities not engaged in profit-making activities are capped at 200,000 euros.

Criminal penalties under Law 125(I)/2018 include imprisonment of up to 5 years and fines of 10,000 to 50,000 euros for specific offenses.

Recording Phone Calls in Cyprus

All phone call recording in Cyprus requires the consent of every party on the call. This applies to landline calls, mobile phone calls, VoIP and internet-based calls (Viber, WhatsApp, Zoom, Teams), and conference calls with multiple participants.

For conference calls, consent must be obtained from every participant. A single party who does not consent makes the recording unlawful.

There is no exception for recording your own calls. A participant who records without the consent of other parties commits the same type of offense as a third-party interceptor. Cyprus law treats participant recording and third-party interception with equal seriousness.

Business Call Recording

Businesses operating in Cyprus that record customer calls must comply with both Law 92(I)/1996 and the GDPR. Financial services firms may have regulatory obligations to record certain calls, but they must still inform all parties and obtain consent or identify an alternative lawful basis under Article 6 of the GDPR.

The standard practice of playing a "this call may be recorded" message followed by the caller's continued participation may satisfy consent requirements only if the caller is given a genuine opportunity to refuse and is informed of the purpose, duration, and their rights regarding the recording.

Recording In-Person Conversations

In-person conversations in Cyprus receive strong protection under both the Constitution and Law 92(I)/1996. Recording a private oral conversation without the consent of the participants is a criminal offense.

The key distinction is whether the conversation takes place in a setting where participants have a reasonable expectation of privacy. A conversation in a private home, a closed office, a medical facility, or any other setting where the speakers expect confidentiality is fully protected.

Covert recording devices placed in private spaces, including audio bugs, hidden microphones, or smartphone recording apps running in the background, all fall within the scope of this prohibition.

Public Spaces and Photography

Cyprus does not impose a blanket prohibition on photography or filming in public spaces. According to the Cyprus Press and Information Office, there is no general restriction on photographing or filming people, shops, or public scenes, provided you obtain permission from any relevant authority or person.

Recording in genuinely public spaces where there is no expectation of privacy is generally permissible. Street photography, tourism photography, and general public documentation are allowed.

However, the GDPR still applies when recordings capture identifiable individuals. The Commissioner for Personal Data Protection has issued guidance stating that even dash cam recordings require the prior consent of affected individuals to have a lawful basis for processing under GDPR principles of legality, purpose limitation, and data minimization.

CCTV surveillance of private property perimeters that is confined to the property falls outside data protection laws, but cameras must not record material outside the property boundaries.

Workplace Surveillance and Employee Monitoring

Cyprus places strict limits on workplace surveillance through the Commissioner's opinions and GDPR enforcement.

CCTV in the Workplace

The Commissioner's Opinion (24/04/2024) established that employee consent for workplace monitoring is not valid due to the inherent power imbalance between employers and employees. This means employers cannot rely on employee consent as a legal basis for surveillance.

Video surveillance may be permitted in limited circumstances when justified by specific working conditions, necessary to protect employees' health and security, or necessary to ensure safety in critical working environments such as banks.

Permitted camera locations: Building entrances and exits, elevator exteriors (focused on doors, not passengers), parking areas, and areas where safes or cash are stored.

Prohibited camera locations: Employee offices, conference rooms, corridors, kitchens, restrooms, dressing rooms, dining areas, and waiting areas.

Audio Recording at Work

Recording both image and sound in the workplace is considered by the Commissioner to be excessive for achieving any stated purpose. Workplace audio recording is prohibited as a general rule. Employers cannot install hidden microphones to record employee conversations, and employees cannot secretly record meetings with supervisors.

Transparency Requirements

Warning signs must be prominently displayed to inform individuals that they are being recorded. Signs must identify the data controller, state the purpose of the recording, and enable data subjects to exercise their rights.

A Data Protection Impact Assessment (DPIA) is mandatory before implementing any surveillance system that presents high risks to individual rights and freedoms.

The 2026 Surveillance Reform Bill

In February 2026, the Cyprus Cabinet approved a significant draft bill to reform the country's telecommunications interception framework. The legislation is being fast-tracked through parliament with the intention of passing before the April 23, 2026, dissolution ahead of May parliamentary elections.

Why Reform Is Needed

The existing framework under Law 92(I)/1996, even with 2020 amendments, has faced practical challenges. These include technical limitations, ambiguous legal definitions, procedural gaps, and the failure of telecommunications providers to implement the necessary technical infrastructure. A 2020 legislative attempt at reform failed because telecom providers lacked the required systems.

Key Changes Proposed

The 2026 bill introduces several major changes.

Expanded crime coverage. The list of offenses justifying interception is broadened to include terrorism, espionage, organized cybercrime, child sexual exploitation, money laundering, and criminal organization participation.

Attorney General authorization without court order. In a significant and controversial provision, the Attorney General would be authorized to approve interception directly, without prior judicial approval, in exceptional circumstances linked to state security. This would be the first time a court is fully bypassed in the surveillance process in Cyprus.

Stricter penalties for unlawful surveillance. Any individual found to have conducted unlawful surveillance would face penalties of up to 10 years imprisonment.

Three-member supervisory committee. A new oversight body would monitor compliance with interception procedures.

Telecom provider obligations. Providers (Cyta, Cablenet, Epic, Primetel) must maintain traceable records of every interception request and execution, and provide immediate technical access upon warrant issuance.

Constitutional Amendment Required

Because the bill would modify the conditions under which communications secrecy may be lifted, a constitutional amendment to Article 17 is required. Passage needs at least 38 parliamentary votes. Critics warn that expanding surveillance powers without adequate judicial oversight risks undermining fundamental rights.

Penalties Summary

Violation	Law	Penalty
Illegal interception of private communication	Law 92(I)/1996	Criminal imprisonment and fines
Unlawful surveillance (proposed 2026 bill)	Draft reform bill	Up to 10 years imprisonment
GDPR violation (processing audio without lawful basis)	GDPR / Law 125(I)/2018	Up to 20 million euros or 4% worldwide turnover
Criminal data protection offense	Law 125(I)/2018	Up to 5 years imprisonment, 10,000-50,000 euro fine
Using illegally obtained recording as evidence	Constitution Arts. 15, 17	Evidence excluded; potential criminal liability

Business Compliance Checklist

Companies operating in Cyprus that handle voice communications or recordings must take specific steps to comply with the law.

Obtain consent from all parties before any recording. This is required by both Law 92(I)/1996 and the GDPR. Inform all parties that recording will occur, state the purpose, and obtain clear affirmative consent before the recording begins.

Document the legal basis under GDPR. Identify which Article 6 basis applies to your recording activity. In most cases, this will be consent. Record the legal basis in your processing register.

Provide transparent notice. Tell callers or meeting participants who is recording, why, how long the recording will be stored, who will have access, and what rights they have regarding the recording. This must happen before the recording starts.

Define and enforce retention periods. Establish written policies specifying how long recordings are kept. Implement automated deletion at the end of the retention period.

Restrict access to recordings. Limit access to stored recordings to personnel with a documented, legitimate need. Maintain access logs.

Conduct a Data Protection Impact Assessment (DPIA). If your recording involves systematic monitoring of individuals, a DPIA is required under GDPR Article 35.

Train employees. Staff must understand that unauthorized recording is a criminal offense in Cyprus. Training should cover the consent requirement, proper data handling, and consequences of non-compliance.

Review cross-border data transfers. If recordings are stored or processed outside Cyprus or the EU, ensure transfers comply with GDPR Chapter V requirements.

How Cyprus Compares to Other Countries

Cyprus's all-party consent requirement places it firmly among the strictest jurisdictions in the world for recording laws.

Most EU member states require all-party consent for recording private conversations, but enforcement vigor and penalty severity vary. Cyprus's constitutional framework, reinforced by the Georghiades precedent, makes its protections particularly strong because courts have no discretion to admit illegally obtained recordings.

Countries like the United Kingdom, Canada, and Australia follow one-party consent rules, making them significantly more permissive for participant recording. In those jurisdictions, a person who is part of a conversation can generally record it without the other party's knowledge.

The United States varies by state. Some states follow one-party consent while others, such as California, Florida, and Illinois, require all-party consent. Even in strict U.S. states, the constitutional bar on admitting illegal recordings is not as absolute as in Cyprus.

Greece, which shares cultural and geographic proximity with Cyprus, also enforces all-party consent with penalties reaching 10 years imprisonment under its 2022 amendments. Turkey, another neighbor, has similar strict provisions under its Penal Code.

For travelers, journalists, and businesses operating across borders, understanding Cyprus's strict requirements is essential. Recording practices that are perfectly legal in your home country may constitute a serious criminal offense in Cyprus.