Cyprus Data Privacy Laws: Law 125(I)/2018 and GDPR Guide (2026)

Overview of Cyprus Data Protection Law
Cyprus's data protection regime combines the directly applicable EU General Data Protection Regulation (GDPR) with national implementing legislation. Law 125(I)/2018, formally titled the Protection of Natural Persons with Regard to the Processing of Personal Data and the Free Movement of Such Data Law, entered into force on 31 July 2018. It replaced the earlier Law 138(I)/2001 and brought Cyprus into alignment with the GDPR framework.

As an EU Member State, Cyprus is bound by the GDPR in its entirety. Law 125(I)/2018 does not duplicate GDPR provisions but supplements them in areas where national legislation is permitted or required. These supplementary provisions address the establishment of the supervisory authority, specific processing situations, criminal penalties, and certain derogations from GDPR standards.
The law applies to all processing of personal data by controllers and processors established in Cyprus, as well as by organizations outside Cyprus that offer goods or services to, or monitor the behavior of, individuals located in the country.
Law 125(I)/2018: Key Provisions
Structure and Scope
Law 125(I)/2018 is structured to complement rather than replace the GDPR. It addresses areas including the legal basis for processing by public authorities, conditions for processing special categories of data, rules for processing in the context of employment, provisions on the processing of national identification numbers, and the establishment and powers of the Commissioner for the Protection of Personal Data.
The law covers both automated and manual processing of personal data that forms part of a filing system. It applies across the private and public sectors, with specific provisions for law enforcement processing that transpose the EU Law Enforcement Directive (Directive 2016/680).
Legal Bases for Processing
Cyprus follows the six legal bases established by Article 6 of the GDPR: consent, contractual necessity, legal obligation, vital interests, public interest, and legitimate interests. Law 125(I)/2018 provides additional detail on how certain bases apply in the Cypriot context, particularly for public sector processing.
For special categories of data, including health data, genetic data, biometric data, and data revealing racial or ethnic origin, processing requires one of the conditions set out in Article 9 of the GDPR as supplemented by national law.
Children's Data and Consent Age
One of the most notable choices made by Cyprus in implementing the GDPR concerns the age of digital consent. While the GDPR sets a default age of 16 for consent to information society services, it allows Member States to lower this to as young as 13. Cyprus has set the threshold at 14 years of age.
This means that in Cyprus, a child aged 14 or above can provide valid consent for the processing of their personal data in relation to information society services (such as social media platforms and online services). For children below 14, consent must be given or authorized by the holder of parental responsibility.
Processing of National Identification Numbers
Law 125(I)/2018 includes specific provisions on the processing of national identification numbers and other identifiers of general application. Such processing is permitted only when it is clearly justified by the purpose of the processing, the importance of secure identification, or another significant reason, and only where appropriate safeguards are in place to protect the rights of data subjects.
The Commissioner for the Protection of Personal Data
Independence and Appointment
The Commissioner for the Protection of Personal Data is the independent supervisory authority responsible for monitoring and enforcing data protection law in Cyprus. The office was originally established under the 2001 law and continued under Law 125(I)/2018 with expanded powers aligned with the GDPR.
The Commissioner acts with complete independence and is free from external influence. The office represents Cyprus on the European Data Protection Board and participates in the GDPR's consistency mechanism for cross-border enforcement.
Investigative and Corrective Powers
The Commissioner exercises the full range of powers available to supervisory authorities under Articles 57 and 58 of the GDPR. These include the power to order controllers to provide information, to carry out investigations (including data protection audits and access to premises), to issue warnings and reprimands, to order compliance with data subject requests, to impose temporary or permanent processing bans, and to issue administrative fines.
The office also has advisory powers, issuing opinions on legislative proposals, codes of conduct, and certification mechanisms.
Enforcement Track Record
The Commissioner has built an increasingly active enforcement record since the GDPR took effect. As of 2025, the office has handled over 2,500 complaints and imposed more than EUR 1.5 million in cumulative administrative fines.
Notable enforcement decisions include fines imposed for unauthorized direct marketing, inadequate security measures, and failures to comply with data subject access requests. In one case involving a healthcare organization, fines of EUR 1,500 and EUR 3,000 were imposed for separate violations. In a land registry case, the Commissioner issued a reprimand along with an order to strengthen security measures.
The Commissioner has also addressed Google Analytics compliance, issuing compliance orders to organizations whose use of the service resulted in unlawful transfers of personal data to the United States.
Data Subject Rights
Individuals in Cyprus benefit from the complete set of data subject rights provided by the GDPR. These rights are directly enforceable before the Commissioner and the courts.
Right of Access
Data subjects have the right under Article 15 of the GDPR to obtain confirmation of whether their data is being processed and to receive a copy of that data, along with information about the purposes of processing, categories of data, recipients, retention periods, and the source of the data.
Right to Rectification and Erasure
Under Articles 16 and 17 of the GDPR, individuals may request the correction of inaccurate data and the deletion of data that is no longer necessary, that was processed unlawfully, or where consent has been withdrawn. The right to erasure is subject to exemptions for freedom of expression, legal obligations, public health, and the establishment or defense of legal claims.
Right to Restriction and Portability
Data subjects may request the restriction of processing under Article 18 in specified circumstances, such as when the accuracy of data is contested. The right to data portability under Article 20 allows individuals to receive their data in a structured, machine-readable format and to transmit it to another controller.
Right to Object
Individuals may object to processing based on public interest or legitimate interest grounds under Article 21. They also have an absolute right to object to processing for direct marketing purposes. When an objection is raised, the controller must cease processing unless it can demonstrate compelling legitimate grounds that override the individual's interests.
Cross-Border Data Transfers
Transfer Mechanisms
Cyprus follows the GDPR's framework for international data transfers. Personal data may only be transferred to countries outside the European Economic Area (EEA) through recognized mechanisms: adequacy decisions adopted by the European Commission, appropriate safeguards such as standard contractual clauses (SCCs) or binding corporate rules (BCRs), or derogations for specific situations under Article 49.
Special Notification Requirement
Law 125(I)/2018 introduces an additional requirement not found in all EU Member States. Under Section 17(1), controllers or processors who intend to transfer special categories of personal data to a third country or international organization on the basis of appropriate safeguards (Article 46 GDPR) or binding corporate rules (Article 47 GDPR) must inform the Commissioner before the transfer takes place.
This prior notification requirement applies specifically to sensitive data categories and provides the Commissioner with advance visibility into high-risk international transfers. Organizations processing health data, biometric data, or other special categories should factor this notification step into their transfer planning.
Penalties and Sanctions
Administrative Fines
The GDPR's two-tier fine structure applies directly in Cyprus. Lower-tier violations (such as failures in record-keeping or impact assessments) can attract fines of up to EUR 10 million or 2% of worldwide turnover. Upper-tier violations (such as processing without a legal basis or unlawful international transfers) can result in fines of up to EUR 20 million or 4% of worldwide turnover.
In addition to the GDPR fines, Law 125(I)/2018 allows the Commissioner to impose fines of up to EUR 200,000 for violations related to non-profit activities or other areas specified in national law. This provision ensures enforcement tools are available even where the GDPR's turnover-based fines may not apply effectively.
Criminal Penalties
Law 125(I)/2018 establishes criminal offenses for certain data protection violations. These include unauthorized access to personal data systems, unlawful disclosure of personal data, and obstruction of the Commissioner's investigations. Criminal penalties can include fines and imprisonment, providing an enforcement layer beyond administrative sanctions.
Data Breach Notification
Notification to the Commissioner
Under Article 33 of the GDPR, controllers must notify the Commissioner of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. The notification must include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address it.
Notification to Data Subjects
Where a breach is likely to result in a high risk to individuals' rights and freedoms, the controller must also notify affected data subjects without undue delay under Article 34. This notification must describe the nature of the breach in clear and plain language and provide recommendations for mitigating potential adverse effects.
Cyprus has seen increasing attention to breach notification compliance, particularly in the context of cybersecurity incidents. Organizations in critical sectors must also consider obligations under the NIS2 Directive, which may impose additional notification requirements.
Special Processing Situations
Employment Data
Law 125(I)/2018 includes provisions governing the processing of personal data in the employment context. Employers must ensure they have an appropriate legal basis for processing employee data, provide transparency about workplace monitoring, and implement measures to protect employee privacy. The Commissioner has issued guidance on specific issues including CCTV monitoring in workplaces and the processing of employee health data.
Journalism and Freedom of Expression
The law provides exemptions for processing carried out for journalistic purposes and for the purposes of academic, artistic, or literary expression. These exemptions balance data protection rights with freedom of expression, as required by Article 85 of the GDPR. The specific scope of these exemptions has been defined by Cypriot law to reflect national constitutional protections.
Health and Research Data
Processing of health data for medical treatment, public health, and research purposes is subject to specific safeguards. Research processing may benefit from derogations from certain data subject rights where appropriate safeguards are in place, consistent with Article 89 of the GDPR.
Compliance Guidance for Organizations
Organizations processing personal data in Cyprus should be aware of several practical considerations. The Commissioner maintains an accessible website with guidance documents, complaint forms, and breach notification templates. Organizations in sectors such as financial services, tourism, shipping, and technology should pay particular attention to sector-specific guidance issued by the Commissioner.
The requirement to notify the Commissioner before transferring special categories of data internationally is a distinctive feature of Cypriot law that organizations should incorporate into their data transfer procedures. Failure to provide prior notification could result in enforcement action even where the underlying transfer mechanism is valid.
Given the Commissioner's increasing enforcement activity and the expansion of regulatory requirements through instruments such as the NIS2 Directive and the EU AI Act, organizations in Cyprus should regularly review their compliance programs and maintain open communication with the supervisory authority.
This article is for informational purposes only and does not constitute legal advice. Data protection laws are subject to change, and organizations should consult with a qualified attorney for advice specific to their situation.