Cyprus Data Privacy Laws: GDPR, Law 125(I)/2018 and OCPDP Guide (2026)

Cyprus data privacy law is governed by the EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, which applies directly as law in every EU Member State, and by Law 125(I)/2018, the national statute that supplements the GDPR with Cyprus-specific provisions on the supervisory authority, the children's consent age (set at 14), criminal penalties, and cross-border transfer notifications. The Office of the Commissioner for Personal Data Protection (OCPDP) supervises and enforces both instruments.
Information last verified on 2026-05-19. This article presents general legal information and has not been reviewed by a licensed lawyer. Statutes cited reflect their in-force versions as of 2026-05-19.
Jurisdiction scope: This article addresses the data protection law of the Republic of Cyprus, covering the EU GDPR (Regulation (EU) 2016/679), Law 125(I)/2018, and OCPDP enforcement guidance and decisions. It does not address the data protection law of the Turkish-administered northern part of Cyprus. For the broader EU GDPR framework see EU Data Privacy Laws. For Cyprus recording consent rules see Cyprus Recording Laws.
Quick Answer: What Data Privacy Laws Apply in Cyprus?
Cyprus is an EU Member State. The GDPR applies directly and in full, covering every organization that processes the personal data of individuals in Cyprus, regardless of where the organization is established. Law 125(I)/2018 fills the GDPR's national-discretion spaces: it establishes the OCPDP and its powers, sets the children's consent age at 14, creates criminal offenses for certain data violations, adds a pre-transfer notification requirement for special-category data sent abroad, and addresses processing in specific contexts such as employment and journalism. Together, the GDPR and Law 125(I)/2018 form Cyprus's complete data protection framework. The OCPDP enforces both, handles complaints from individuals, and represents Cyprus on the European Data Protection Board (EDPB).

Constitutional Basis for Data Protection in Cyprus
Articles 15 and 17 of the Cyprus Constitution
Cyprus's 1960 Constitution does not contain an express right to the protection of personal data. The constitutional foundation for data privacy is built from two related but distinct provisions.
Article 15 of the Constitution protects the right to respect for private and family life. It guarantees every person the right to respect for their private and family life and prohibits interference with that right except where permitted by law and necessary in the interests of security, public safety, order, health, morals, or the rights of others. This provision has been interpreted by the Supreme Court of Cyprus to encompass informational privacy, providing the domestic constitutional grounding for legislative protection of personal data.
Article 17 protects the secrecy of correspondence and other communications. It prohibits interference with letters, communications, and correspondence except as authorized by law for criminal investigation purposes and under judicial oversight.
These two articles together underpin the legitimacy of the data protection framework. When Cyprus courts are asked to balance GDPR rights against competing interests, they draw on the Article 15 and Article 17 baseline in addition to the EU Charter of Fundamental Rights Articles 7 (private life) and 8 (personal data protection), which have primacy as EU law.

Law 125(I)/2018: Structure, Scope, and Key Provisions
The Relationship Between the GDPR and the National Law
Law 125(I)/2018, formally titled the Law on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, entered into force on 31 July 2018. It replaced the earlier Law 138(I)/2001, which had transposed Directive 95/46/EC.
The law does not replicate GDPR provisions. Because the GDPR is a directly applicable EU Regulation, Cyprus had no power or need to re-enact its substantive rules on lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity. Instead, Law 125(I)/2018 exercises the discretions that the GDPR leaves to Member States and creates the institutional architecture for enforcement. It covers:
- Establishment, independence, and powers of the OCPDP (Part III)
- Supplementary rules on processing by public authorities and for public interest tasks
- Derogations and conditions for processing special categories of data in specific contexts
- The consent age threshold for children and information society services
- Criminal offenses supplementing the GDPR's administrative penalty regime
- The mandatory pre-transfer notification for special-category data sent to third countries (Section 17(1))
- Rules on national identification number processing
- Provisions transposing Directive 2016/680 (Law Enforcement Directive) for processing by police and judicial authorities
The law applies to processing of personal data that is fully or partly automated and to non-automated processing of data forming part of a filing system. It covers both private-sector controllers and public-sector bodies established in Cyprus.
Legal Bases for Processing Under GDPR Article 6
Cyprus follows the six legal bases in Article 6 of the GDPR without modification. A controller may process personal data where: (1) the data subject has given consent; (2) processing is necessary for performance of a contract; (3) processing is necessary for compliance with a legal obligation; (4) processing is necessary to protect vital interests; (5) processing is necessary for a task carried out in the public interest or in the exercise of official authority; or (6) processing is necessary for the purposes of the legitimate interests of the controller or a third party, except where overridden by the data subject's interests or fundamental rights.
For public-sector processing, Law 125(I)/2018 provides that the legal obligation and public interest bases are available to public authorities and bodies carrying out tasks assigned to them by law. The legitimate interests basis is not generally available to public authorities acting in their official capacity.
For special categories of data (health, genetic, biometric, racial, ethnic origin, political opinion, religious belief, trade union membership, sex life, sexual orientation), Article 9 of the GDPR applies, supplemented by the national law conditions that Cyprus has elected to adopt, including specific provisions for healthcare, scientific research, and employment.
Children's Consent Age: 14 Years
GDPR Article 8(1) permits Member States to lower the default age of 16 for digital consent to a minimum of 13. Cyprus chose 14 as the threshold. A child aged 14 or above can provide valid consent for the processing of their personal data in connection with information society services such as social media platforms, online marketplaces, and subscription services. For children below 14, consent must be provided or authorized by the holder of parental responsibility. Controllers offering services to children must make reasonable efforts to verify that consent is given or authorized by the appropriate party, taking account of available technology.
Processing of National Identification Numbers
Section 7 of Law 125(I)/2018 addresses the processing of national identification numbers and other general-application identifiers. Such processing is permitted only where it is clearly justified by the purpose, necessary for secure identification, or required by another significant reason, and only where appropriate safeguards protect data subjects. This provision is relevant for banking, telecommunications, healthcare, and government systems that use the national identity card number as a primary identifier.
Criminal Offenses Under Section 84
Law 125(I)/2018 creates criminal offenses that supplement the GDPR's administrative penalty regime. Criminal liability can arise for: unauthorized access to or interception of personal data processing systems; unlawful disclosure of personal data obtained in the course of professional duties; processing personal data in violation of provisions on criminal records; and obstruction of the OCPDP's inspections or investigations. Penalties include fines and, for the most serious offenses, imprisonment. Criminal prosecution is handled by the police and the Attorney General's office, separate from the OCPDP's administrative enforcement track.

The Office of the Commissioner for Personal Data Protection (OCPDP)
Independence, Appointment, and Current Leadership
The OCPDP was established under the predecessor 2001 law and continued with expanded powers under Law 125(I)/2018, consistent with the independence requirements of GDPR Article 52. The Commissioner is appointed by the Council of Ministers for a six-year term and operates without instruction from any government body, institution, or private entity.
Maria Manolis Christofidou was appointed Commissioner with effect from 28 September 2025, for a term ending 27 September 2031. She succeeded Commissioner Irenie Loizidou Nicolaidou, who led the office during the formative years of GDPR enforcement from 2018 to 2025.
The OCPDP is headquartered in Nicosia. It represents Cyprus as a full member of the European Data Protection Board and participates in the EDPB's consistency mechanism and joint enforcement actions. The office maintains an accessible website at dataprotection.gov.cy with guidance documents, complaint forms, breach notification templates, and the text of Law 125(I)/2018 in English translation.
Powers: Investigative, Corrective, and Advisory
The OCPDP exercises the full powers available to supervisory authorities under GDPR Articles 57 and 58.
Investigative powers include the ability to order controllers and processors to provide all information needed for the performance of the Commissioner's tasks; to carry out data protection audits; to notify controllers or processors of alleged violations; to obtain access to all personal data and all information necessary to carry out its functions; and to obtain access to any premises of controllers and processors, including data processing equipment and storage.
Corrective powers include the authority to issue warnings; to issue reprimands; to order compliance with data subject requests; to order rectification, erasure, or restriction of processing; to order temporary or permanent bans on processing; to order suspension of data flows to a recipient in a third country; and to impose administrative fines up to the GDPR maxima.
Advisory powers include issuing opinions on legislative proposals, consulting on codes of conduct, providing guidance to sectoral bodies, approving certification mechanisms, and publishing annual reports.
Data Subject Rights in Cyprus
Individuals in Cyprus hold the complete set of data subject rights provided by the GDPR. The OCPDP can be approached directly by any individual who believes a controller has infringed their rights, and it will investigate complaints free of charge.
Right of Access (Article 15 GDPR)
Data subjects may obtain confirmation of whether their personal data is being processed, and if so, receive a copy of that data together with information about the purposes of processing, categories of data, recipients or categories of recipients, the envisaged retention period, the source of the data if not collected directly from the subject, and information about any automated decision-making including profiling. Controllers must respond within one month, extendable by two further months for complex or numerous requests.
Right to Rectification and Erasure (Articles 16 and 17 GDPR)
Individuals may request correction of inaccurate data and erasure of data that is no longer necessary for the purpose for which it was collected, where consent has been withdrawn and no other legal basis exists, or where processing was unlawful. The right to erasure does not apply where processing is necessary for compliance with a legal obligation, for public health purposes, for archiving in the public interest, or for the establishment or defense of legal claims.
Right to Restriction and Portability (Articles 18 and 20 GDPR)
Data subjects may request restriction of processing during a period in which accuracy is contested, or while an objection is being considered. Portability allows individuals to receive their data in a structured, commonly used, machine-readable format and to transmit it to another controller where the processing was based on consent or a contract.
Right to Object (Article 21 GDPR)
Individuals may object to processing based on public interest or legitimate interest grounds. Controllers must cease processing unless they demonstrate compelling legitimate grounds that override the individual's interests. The right to object to direct marketing is absolute: controllers must stop all such processing immediately and without qualification when an objection is raised.
Rights Related to Automated Decision-Making (Article 22 GDPR)
Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects them, unless the decision is necessary for a contract, authorized by EU or national law with appropriate safeguards, or based on explicit consent. This right is increasingly significant in Cyprus's financial sector and in employment contexts involving algorithmic screening.
Consent: Requirements and Practical Application
GDPR Article 7 Consent Standard
Consent in Cyprus must meet all four GDPR Article 7 requirements: it must be freely given, specific, informed, and unambiguous. Consent must be given by a clear affirmative act, such as ticking a box or clicking a button. Pre-ticked boxes, silence, and inactivity do not constitute consent. Where consent is bundled with other terms and conditions, the GDPR's requirement that consent be freely given will generally not be satisfied if the data subject cannot refuse consent without detriment.
Consent may be withdrawn at any time, and withdrawal must be as easy as giving consent. Controllers must be able to demonstrate that consent was obtained in a valid form.
Cookie Consent in Cyprus
The OCPDP has published specific guidance on cookie consent and has initiated enforcement actions against organizations whose websites failed to obtain valid consent before placing non-essential cookies. The Cyprus News Agency received a reprimand in February 2024 for unlawfully transferring personal data to the United States through use of Google Analytics without any valid legal basis. The Aylo Freesites decision of March 2025 included a EUR 10,400 fine specifically for unlawful use of cookies.
Data Breach Notification
72-Hour Notification to the OCPDP (Article 33 GDPR)
Controllers must notify the OCPDP of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. The notification must describe the nature of the breach, the categories and approximate number of individuals and records affected, the likely consequences, and the measures taken or proposed.
If a controller cannot provide all required information within 72 hours, it may provide the information in phases, with the initial notification sent within the deadline and further details provided without undue delay. A note must explain the reasons for the delay.
Notification to Affected Individuals (Article 34 GDPR)
Where a breach is likely to result in a high risk to individuals' rights and freedoms, controllers must notify affected individuals without undue delay. The notification must describe the nature of the breach, contact details for the data protection officer or other contact point, likely consequences, and recommended measures to mitigate potential harm.
Notification to individuals is not required if the controller has applied appropriate technical measures that render the data unintelligible to unauthorized persons, such as encryption, or if the controller has taken subsequent measures that ensure the high risk is no longer likely to materialize, or if individual notification would involve disproportionate effort, in which case a public communication or similar measure may be used instead.
The OCPDP's enforcement record shows that breach-related violations attract significant fines. In the Open University of Cyprus case, the OCPDP imposed a EUR 45,000 fine following a ransomware attack in March 2023 in which attackers published stolen data including student, graduate, and affiliate records after a failed ransom demand. The Commissioner's investigation found inadequate security measures and a breach of GDPR accountability obligations.
Data Protection Officers
When a DPO Is Mandatory
GDPR Article 37 requires designation of a Data Protection Officer in three circumstances: where processing is carried out by a public authority or body (with the exception of courts acting in a judicial capacity); where the core activities of the controller or processor consist of processing operations that, by their nature, scope, or purposes, require large-scale, regular, and systematic monitoring of individuals; or where the core activities consist of large-scale processing of special categories of data under Article 9 or personal data relating to criminal convictions and offenses under Article 10.
Law 125(I)/2018, Article 14(2) gives the OCPDP the additional power to publish a list of processing operations in which a DPO must be appointed beyond those categories in the GDPR. As of 2026, the OCPDP has not published such a list.
DPO Obligations and Confidentiality
DPOs in Cyprus are bound by the obligation of professional secrecy or confidentiality in the course of performing their duties under Law 125(I)/2018. They must be provided with resources necessary to carry out their tasks and to maintain their expert knowledge. The DPO must be involved in all matters relating to personal data protection from the earliest stage and must report directly to the highest level of management.
External DPO arrangements under a service contract are explicitly permitted by GDPR Article 37(6) and are widely used by small and medium enterprises in Cyprus.
Cross-Border Data Transfers
The GDPR Transfer Framework
Personal data may be transferred from Cyprus to a country outside the European Economic Area (EEA) only where the European Commission has adopted an adequacy decision for that country or territory, or where appropriate safeguards are in place, or where a specific derogation under GDPR Article 49 applies.
Adequacy decisions currently in force cover countries including the United Kingdom, Switzerland, Japan, South Korea, New Zealand, Canada (commercial organizations), and the United States under the EU-US Data Privacy Framework adopted in July 2023. Singapore received adequacy status in late 2024.
Appropriate safeguards include standard contractual clauses (SCCs) in the form adopted by the European Commission on 4 June 2021, binding corporate rules (BCRs) approved by a lead supervisory authority, codes of conduct with binding and enforceable commitments, approved certification mechanisms, and ad hoc contractual clauses or administrative arrangements authorized by the relevant supervisory authority.
Where no adequacy decision exists and no SCCs or BCRs are in place, controllers must carry out a Transfer Impact Assessment (TIA) to determine whether the level of protection in the third country is essentially equivalent to that within the EEA, taking into account the laws and practices of the third country.
Cyprus-Specific Pre-Transfer Notification for Special-Category Data
Section 17(1) of Law 125(I)/2018 establishes a requirement not present in the GDPR itself. Where a controller or processor intends to transfer special categories of personal data (health, genetic, biometric, racial or ethnic origin, political opinion, religious belief, trade union membership, sex life, or sexual orientation data) to a third country or international organization on the basis of GDPR Article 46 safeguards or Article 47 BCRs, they must notify the OCPDP before the transfer takes place.
This obligation applies in addition to the standard GDPR transfer requirements. Its purpose is to give the OCPDP advance visibility into high-risk transfers of sensitive data. Organizations that operate in healthcare, biometrics, HR, or financial services and that use SCCs or BCRs for cross-border transfers of special-category data must build this notification step into their transfer governance procedures. Failure to notify is a distinct GDPR violation in the Cypriot legal order, separate from any deficiency in the underlying transfer mechanism.
The OCPDP has enforced the Google Analytics issue in this cross-border context: the Cyprus News Agency received a reprimand in February 2024 after the Commissioner found that its website transmitted personal data to Google servers in the United States without any valid legal basis, following the style of enforcement actions taken across multiple EU Member States in the wake of the European Court of Justice ruling in Schrems II and subsequent EDPB guidance.
Penalties and Sanctions
GDPR Administrative Fines
The GDPR's two-tier fine structure applies directly in Cyprus without modification.
Lower-tier violations (such as failure to maintain records of processing activities, failure to cooperate with the supervisory authority, failure to notify a breach, or failure to appoint a DPO where required) can attract fines of up to EUR 10 million or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Upper-tier violations (such as processing without a legal basis, violating the conditions for valid consent, failing to respect data subjects' rights, and unlawful international transfers) can attract fines of up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher.
In addition, Law 125(I)/2018 allows the OCPDP to impose fines of up to EUR 200,000 for violations committed in connection with non-profit activities or other areas specified in national law where the GDPR's turnover-based calculation is not meaningful.
Criminal Penalties
Violations of the criminal provisions in Section 84 of Law 125(I)/2018 can attract fines and imprisonment. Criminal enforcement requires a police investigation and prosecution through the courts rather than an administrative proceeding before the OCPDP.
OCPDP Enforcement: Key Decisions and Trends
Enforcement Record 2018-2025
Since the GDPR became applicable in May 2018, the OCPDP has handled over 2,500 complaints and imposed cumulative administrative fines exceeding EUR 1.5 million. The following decisions illustrate the range and focus of enforcement.
Open University of Cyprus (November 2023) -- EUR 45,000. A ransomware attack in March 2023 compromised data of students, graduates, and affiliates. Attackers demanded ransom; when the deadline passed, the stolen data were published on the dark web. The OCPDP found that the university had inadequate security measures and violated the GDPR accountability principle, imposing a EUR 45,000 fine. The OCPDP separately fined the Ministry of Education EUR 8,000 for related violations.
Cyprus News Agency (February 2024) -- Reprimand. The OCPDP issued a reprimand to Cyprus's national news agency for unlawfully transferring personal data to the United States through the use of Google Analytics without a valid legal basis. The decision followed the pattern of similar decisions by data protection authorities across the EU.
Brivio Limited (July 2024) -- EUR 2,000. The online gambling platform failed to respond to a data subject access request within the one-month deadline under GDPR Article 12(3). The fine reflected the relatively limited scale of the violation and the company's subsequent compliance.
Housing Finance Corporation (2024-2025) -- EUR 10,000. The OCPDP fined the state-affiliated bank for retaining inaccurate personal data of a data subject beyond the statutory retention period and for failing to implement meaningful and effective measures to ensure GDPR compliance. The decision applied both the data accuracy principle (Article 5(1)(d)) and the accountability obligation (Article 5(2)).
Senira Limited / nicelocal.com (September 2024) -- EUR 3,000. The controller failed to comply with multiple erasure requests from data subjects and failed to respond to an OCPDP information request within the required timeframe, violating Article 17 and Article 31 GDPR. The decision highlighted the OCPDP's expectation that controllers engage promptly with both data subjects and the supervisory authority.
Aylo Freesites Ltd (March 2025) -- EUR 58,400. This is the most significant fine in the OCPDP's published enforcement record. The OCPDP conducted an ex officio on-site inspection at the company's premises. The investigation identified failures across accountability, transparency, lawfulness, data minimisation, storage limitation, and the requirement to have a legal basis. These failures had persisted for years after the GDPR became applicable. The OCPDP imposed a EUR 48,000 fine for the substantive data protection violations and an additional EUR 10,400 for the unlawful use of cookies. Aylo had implemented corrective measures following a compliance order, but the prior violations warranted the fine.
EDPB Coordinated Enforcement Participation
The OCPDP participates in the EDPB's Coordinated Enforcement Framework (CEF). In 2025, 32 DPAs across Europe took part in a coordinated enforcement action focused on the right to erasure under GDPR Article 17. Nine DPAs opened new formal investigations and 23 conducted fact-finding exercises. The EDPB's February 2026 report on the CEF 2025 action identified challenges including technical barriers to erasure, inconsistent data inventory practices, and delays in controllers' responses to erasure requests.
For 2026, the EDPB has launched a coordinated enforcement action focused on transparency and information obligations under the GDPR, in which DPAs across Europe including Cyprus are expected to participate.
The EU AI Act and Cyprus Data Protection
Overview of Regulation (EU) 2024/1689
The EU AI Act (Regulation (EU) 2024/1689) was published in the Official Journal of the European Union on 12 July 2024 and entered into force on 1 August 2024. It is the world's first comprehensive regulatory framework for artificial intelligence. The Act applies in Cyprus directly as EU law, without the need for national transposition of its substantive rules.
The Act's timeline applies as follows:
- Prohibitions on unacceptable-risk AI practices became applicable on 2 February 2025.
- General-purpose AI model obligations became applicable on 2 August 2025.
- Limited-risk AI transparency obligations apply from 2 August 2025.
- High-risk AI system obligations apply from 2 August 2026.
GDPR and AI Act Interaction
The EU AI Act and the GDPR interact in significant ways. AI systems that process personal data are subject to both frameworks simultaneously. Key areas of overlap include:
Data governance obligations for high-risk AI systems (Article 10 AI Act) require that training, validation, and testing datasets be relevant, sufficiently representative, and free of errors where practicable. These obligations complement the GDPR's accuracy and data minimisation principles.
Data protection impact assessments required under GDPR Article 35 will often be required alongside the conformity assessments mandated for high-risk AI systems under the AI Act. In practice, organizations should integrate these assessments into a single compliance workflow where possible.
Automated decision-making rights under GDPR Article 22 provide an individual-level safeguard against solely automated decisions with legal or similarly significant effects. Where a high-risk AI system makes or informs such decisions, both the AI Act governance requirements and the GDPR Article 22 rights apply.
The OCPDP is one of the three national public authorities designated by Cyprus to supervise compliance with fundamental rights obligations under the AI Act, following the Council of Ministers' designation decision of 22 January 2025. The Deputy Ministry of Research, Innovation and Digital Policy serves as the overall national coordinating body and as Cyprus's representative on the European Artificial Intelligence Board. The Commissioner of Electronic Communications has been designated as the Market Surveillance Authority for high-risk AI systems.
High-risk AI system obligations become applicable on 2 August 2026. Organizations in Cyprus deploying AI systems in healthcare, employment, education, critical infrastructure, law enforcement, or administration of justice should treat the period to August 2026 as a compliance preparation window.
NIS2 and Cybersecurity Obligations in Cyprus
On 25 April 2025, the Republic of Cyprus enacted the Network and Information Systems Security (Amendment) Law of 2025, transposing the EU's NIS2 Directive (Directive 2022/2555) into national law. The NIS2 framework operates alongside the GDPR and creates distinct but complementary obligations for cybersecurity risk management and incident notification.
The NIS2 Law covers organizations classified as "essential" or "important" based on a size threshold and sector. In Cyprus, the NIS2 Law brought approximately ten times more organizations into scope compared to the predecessor NIS1 regime, which covered only 70 entities.
Under NIS2, essential entities must report significant cybersecurity incidents within six hours of becoming aware (initial notification) and provide a full notification within 72 hours. Administrative fines for essential entities can reach EUR 10 million or 2% of global annual turnover, and for important entities EUR 7 million or 1.4% of global annual turnover.
Where a cybersecurity incident under NIS2 also constitutes a personal data breach, organizations face dual notification obligations: to the Digital Security Authority under the NIS2 Law and to the OCPDP under GDPR Article 33. Organizations in critical sectors should coordinate their incident response procedures to address both obligations simultaneously.
The Pegasus/Intellexa Backdrop: Privacy Governance and Surveillance
Cyprus as a Spyware Hub
The Intellexa consortium, which developed and marketed the Predator spyware, used Cyprus as a primary operational and export hub. Predator is a commercial surveillance tool capable of accessing personal data stored on or transmitted through a target device. The consortium's founder, Tal Dilian, established the business in Cyprus in part to bypass Israeli export controls while recruiting technical expertise from Israel's national security sector.
The International Consortium of Investigative Journalists (ICIJ) published extensive reporting on the Cyprus Confidential investigation, documenting how Intellexa's structure exploited Cyprus's corporate registry and licensing environment. In March and September 2024, the United States Treasury Department sanctioned Intellexa, Dilian, and associate Sara Hamou for enabling the proliferation of surveillance technologies to authoritarian regimes and for targeting US officials, journalists, and policy experts. The Greek courts convicted Dilian and three associates in a wiretapping scandal connected to Intellexa's operations.
Implications for Cyprus Data Privacy Governance
The Intellexa episode illuminated gaps between Cyprus's formal data protection legal framework and its practical privacy governance, particularly in export controls and corporate oversight. The European Parliament's PEGA Committee, which investigated the use of Pegasus and equivalent spyware across the EU, recommended that Cyprus repeal export licenses not aligned with EU legislation and strengthen oversight of surveillance technology companies operating under Cyprus registration.
The episode is relevant to any assessment of Cyprus data privacy law for three reasons. First, it demonstrates that formal compliance with the GDPR and Law 125(I)/2018 does not by itself ensure a high-trust privacy environment if corporate governance and export licensing regimes create opportunities for surveillance at scale. Second, it has sharpened political and regulatory attention to the intersection of data protection law, cybersecurity, and surveillance in Cyprus. Third, it provides context for understanding why the OCPDP and the EU institutions have applied increasing scrutiny to Cyprus-based technology businesses.
Special Processing Situations
Employment Data
Law 125(I)/2018 includes provisions on processing personal data in the employment context. Employers must identify an appropriate legal basis for each category of employee data processed. The legal obligation and contract bases are typically available for payroll, tax reporting, and social insurance purposes. Consent is rarely a reliable basis in the employment relationship, because the imbalance of power between employer and employee makes it difficult to show that consent was freely given (GDPR Recital 43). Legitimate interests may support certain workplace monitoring activities, but must be balanced against employees' reasonable expectations of privacy.
The OCPDP has issued specific guidance on CCTV monitoring in workplaces, emphasizing that employers must inform employees of any monitoring, limit the scope of surveillance to what is necessary, and implement adequate security measures for footage storage. Processing of employee health data requires one of the Article 9 conditions, typically explicit consent or necessity for occupational health purposes.
Journalism, Research, and Freedom of Expression
Law 125(I)/2018 provides exemptions for processing carried out for journalistic, academic, artistic, or literary purposes, consistent with GDPR Article 85. These exemptions reflect the constitutional protection of freedom of expression in Cyprus and allow data controllers in the media sector to operate without the full weight of data subject rights in circumstances where those rights would undermine public-interest reporting. The scope of the exemptions is calibrated by Cypriot law to the specific protections afforded by the Constitution.
Health and Research Data
Processing of health data for medical treatment, public health, scientific research, and statistical purposes benefits from the Article 9(2) conditions and, in some cases, from specific provisions in Law 125(I)/2018. Research processing may be subject to derogations from certain data subject rights where appropriate safeguards are in place, including pseudonymisation, technical and organizational measures to minimize re-identification risk, and restrictions on access. The OCPDP must be satisfied that the research purpose could not reasonably be fulfilled by processing data that does not identify individuals.
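As an added illustration of the pseudonymisation safeguard named above (example code, not from the OCPDP, the statute, or any Cyprus research body): a small research extract is pseudonymised with a keyed HMAC rather than a plain hash. The patient identifiers, diagnosis codes and the `CY-NNNNNN` identifier format are constructed for the example, and the candidate space is cut to a thousand values so the enumeration runs quickly. It shows why "hashing the ID" does not minimize re-identification risk: an unkeyed hash of a direct identifier is reversible by enumerating the identifier space, while the HMAC pseudonym only becomes reversible when the attacker also holds the key, which is therefore the "additional information" that must be kept separately from the dataset.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample research extract; identifiers and codes are made up.
RECORDS = [
    {"patient_id": "CY-000123", "year_of_birth": 1981, "diagnosis_code": "E11"},
    {"patient_id": "CY-000456", "year_of_birth": 1975, "diagnosis_code": "I10"},
]


def candidate_ids() -> Iterable[str]:
    """Enumerate the (assumed) identifier format CY-NNNNNN. Limited to 1,000
    values here for speed; a real national ID space is also small enough to
    enumerate on commodity hardware."""
    return (f"CY-{i:06d}" for i in range(1000))


def new_key() -> bytes:
    """Fresh 256-bit pseudonymisation key. Store it outside the research
    dataset, under separate access control."""
    return secrets.token_bytes(32)


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256. Looks pseudonymous, but anyone who can enumerate
    candidate identifiers can recompute it and match."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Deterministic, so the same patient maps
    to the same pseudonym throughout the dataset, but not recomputable
    without the key."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records: list, key: bytes) -> list:
    """Replace the direct identifier with a keyed pseudonym. The returned
    records no longer carry patient_id."""
    out = []
    for rec in records:
        rec = dict(rec)
        rec["pseudonym"] = keyed_pseudonym(rec.pop("patient_id"), key)
        out.append(rec)
    return out


def dictionary_attack(target: str, candidates: Iterable[str],
                      fn: Callable[[str], str]) -> Optional[str]:
    """Re-identification by enumeration: apply the attacker's best guess at
    the pseudonym function to each candidate and compare with the target."""
    for cand in candidates:
        if hmac.compare_digest(fn(cand), target):
            return cand
    return None


if __name__ == "__main__":
    key = new_key()
    released = pseudonymise(RECORDS, key)
    target = released[0]["pseudonym"]
    # Plain hash: recovered from the released data alone.
    print(dictionary_attack(naive_pseudonym("CY-000123"), candidate_ids(), naive_pseudonym))
    # Keyed pseudonym, attacker without the key: not recovered.
    print(dictionary_attack(target, candidate_ids(), naive_pseudonym))
    # Keyed pseudonym, attacker holding the key: recovered again.
    print(dictionary_attack(target, candidate_ids(), lambda c: keyed_pseudonym(c, key)))
```

The third call is the design point: the keyed scheme is only a safeguard while the key is held apart from the data, so the key's storage and access control are part of the "appropriate safeguards" a research controller has to be able to describe to the OCPDP, not an implementation detail.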
Compliance Guidance for Organizations in Cyprus
Core Compliance Obligations
Organizations processing personal data in Cyprus under the GDPR and Law 125(I)/2018 should address the following core obligations:
Lawfulness mapping. Identify and document the legal basis for every processing activity. For consent-based processing, ensure consent meets the GDPR Article 7 requirements: the controller can demonstrate that consent was given, the request was presented clearly and separately from other matters, consent can be withdrawn as easily as it was given, and it was freely given rather than made a condition of a contract that does not need the data. For legitimate interests, complete and retain a legitimate interests assessment documenting the three-part test: the purpose pursued, the necessity of the processing for it, and the balancing against the data subject's interests and rights.
Records of processing activities. Maintain records under GDPR Article 30 covering all processing activities for which the organization is controller or processor. Records must be available to the OCPDP on request.
Privacy notices. Provide clear, transparent information to data subjects as required by GDPR Articles 13 and 14: at the point of collection where the data are obtained from the data subject, and otherwise within a reasonable period and at the latest within one month, or at the first communication with the data subject or first disclosure to another recipient if that comes earlier.
Data subject rights procedures. Establish procedures for responding to access, rectification, erasure, portability, restriction, and objection requests within the GDPR deadlines.
Breach response. Maintain an incident response procedure that can assess a suspected breach and, unless it is unlikely to result in a risk to individuals, notify the OCPDP within 72 hours of the organization becoming aware of it (GDPR Article 33). The clock runs from awareness, not from completion of the investigation, so a late notification must state the reasons for the delay. Every breach, notified or not, must be documented internally under Article 33(5), and a breach likely to result in a high risk must also be communicated to the affected individuals under Article 34.
Data protection by design and by default. Integrate privacy-protective measures into systems and processes from the outset rather than as an afterthought.
Cross-border transfer governance. For transfers of any personal data outside the EEA, verify the available transfer mechanism. For transfers of special-category data relying on GDPR Article 46 or Article 47 safeguards, complete the mandatory pre-transfer notification to the OCPDP under Section 17(1) of Law 125(I)/2018.
DPO designation. Appoint a DPO where the GDPR's mandatory criteria are met. Document the decision-making process whether or not a DPO is appointed.
Sector-Specific Priorities
Cyprus's economy includes significant tourism, shipping, financial services, technology, and professional services sectors. Each sector presents distinct data protection considerations.
Financial services firms holding large volumes of customer financial and identity data face elevated risk profiles and OCPDP scrutiny, as illustrated by the Housing Finance Corporation decision. Shipping companies that process seafarer personal data across jurisdictions must address both GDPR requirements and the pre-transfer notification obligation. Technology companies operating cookie-based advertising must obtain valid consent from users in Cyprus, as the Aylo Freesites and Cyprus News Agency decisions confirm.
This article presents general legal information about Cyprus data protection law as of 2026-05-19. It does not constitute legal advice. The GDPR and Law 125(I)/2018 are subject to amendment, and OCPDP enforcement practice continues to evolve. Organizations should consult a lawyer licensed in Cyprus for advice specific to their situation.
Frequently Asked Questions
What is the main data protection law in Cyprus?
Cyprus data protection law consists of two instruments. The EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, applies directly as law throughout Cyprus as an EU Member State. Law 125(I)/2018 is the national supplementing statute that adds Cyprus-specific provisions on the supervisory authority (the OCPDP), children's consent age (14), criminal offenses, and the pre-transfer notification requirement for special-category data. Together, these two instruments form the complete framework.
Who enforces data protection law in Cyprus?
The Office of the Commissioner for Personal Data Protection (OCPDP), based in Nicosia, is the independent supervisory authority. It handles complaints from individuals, conducts investigations and audits, issues guidance, and imposes administrative fines of up to EUR 20 million or 4% of worldwide turnover for the most serious GDPR violations. The OCPDP is a full member of the European Data Protection Board. Maria Manolis Christofidou has served as Commissioner since 28 September 2025.
What is the age of consent for data processing in Cyprus?
Cyprus set the threshold for children's consent to information society services at 14 years, using the derogation permitted by GDPR Article 8(1). Children aged 14 and above can provide valid consent for online services such as social media and apps. For children below 14, consent must be given or authorized by a holder of parental responsibility. Controllers must make reasonable efforts to verify age and consent, taking account of available technology.
Does Cyprus require pre-notification to the OCPDP before transferring data abroad?
Yes, but only for transfers of special categories of personal data (health, biometric, genetic, racial or ethnic origin, political opinion, religious belief, trade union, sex life, or sexual orientation data) to third countries where the transfer relies on GDPR Article 46 safeguards such as standard contractual clauses, or on Article 47 binding corporate rules. Section 17(1) of Law 125(I)/2018 requires advance notification to the OCPDP before such transfers take place. This is a Cyprus-specific requirement not found in the GDPR itself.
What are the maximum GDPR fines in Cyprus?
Upper-tier GDPR violations (unlawful processing, invalid consent, violations of data subjects' rights, unlawful international transfers) carry fines of up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher. Lower-tier violations (failures in record-keeping, breach notification, or DPO designation) carry fines of up to EUR 10 million or 2% of turnover. Law 125(I)/2018 also allows additional fines of up to EUR 200,000 for violations in connection with non-profit activities where the turnover-based calculation is not effective.
When must a Data Protection Officer be appointed in Cyprus?
A DPO is mandatory under GDPR Article 37 for: public authorities and bodies; controllers or processors whose core activities consist of large-scale, regular, and systematic monitoring of individuals; and controllers or processors whose core activities consist of large-scale processing of special categories of data or data relating to criminal convictions. Section 14(2) of Law 125(I)/2018 empowers the OCPDP to require DPOs in additional contexts, but no such list has been published as of May 2026. External DPO arrangements are permitted under GDPR Article 37(6).
What does the EU AI Act mean for organizations in Cyprus?
The EU AI Act (Regulation (EU) 2024/1689) applies directly in Cyprus. Prohibitions on unacceptable-risk AI practices have been in force since 2 February 2025. High-risk AI system obligations become applicable on 2 August 2026. Cyprus designated its national competent authorities on 22 January 2025: the Deputy Ministry of Research, Innovation and Digital Policy coordinates implementation, and the Commissioner of Electronic Communications serves as the Market Surveillance Authority. The OCPDP is one of three designated fundamental rights oversight authorities under the Act.
What is the Cyprus constitutional basis for data protection?
The Cyprus Constitution does not contain an express fundamental right to the protection of personal data. Data privacy rights are anchored in Article 15 (right to respect for private and family life) and Article 17 (secrecy of correspondence). These provisions provide the domestic constitutional foundation for the GDPR and Law 125(I)/2018, alongside the EU Charter of Fundamental Rights Articles 7 and 8, which take precedence as EU law.
How does NIS2 relate to GDPR obligations in Cyprus?
The Network and Information Systems Security (Amendment) Law of 2025, which transposed the EU's NIS2 Directive, creates cybersecurity obligations that sit alongside the GDPR. Where a cybersecurity incident also constitutes a personal data breach, organizations face dual notification obligations: an initial report to the Digital Security Authority within six hours and a full incident report within 72 hours under NIS2, plus a breach notification to the OCPDP within 72 hours under GDPR Article 33. Organizations in critical sectors should integrate these reporting obligations into a single incident response procedure.
What is the significance of the Intellexa/Pegasus spyware case for Cyprus data privacy?
The Intellexa consortium, which developed the Predator surveillance tool, operated Cyprus as a primary hub and benefited from gaps in export licensing and corporate governance oversight. US Treasury sanctions were imposed on Intellexa and its founder in 2024. The European Parliament's PEGA Committee recommended Cyprus repeal export licenses not aligned with EU law. The episode highlighted the distinction between formal GDPR compliance and broader privacy governance, and has sharpened regulatory focus on technology businesses operating under Cyprus registration.
Sources and References
- Law 125(I)/2018 - Cyprus OCPDP (dataprotection.gov.cy)
- Regulation (EU) 2016/679 (GDPR) - EUR-Lex (eur-lex.europa.eu)
- Commissioner (Cyprus) - GDPRhub (gdprhub.eu)
- Data Protection in Cyprus - GDPRhub (gdprhub.eu)
- Commissioner (Cyprus) - Aylo Freesites Ltd - GDPRhub (gdprhub.eu)
- Commissioner (Cyprus) - Housing Finance Corporation - GDPRhub (gdprhub.eu)
- Commissioner fines Open University of Cyprus EUR 45,000 - DataGuidance (dataguidance.com)
- Cyprus: Commissioner fines Aylo Freesites EUR 58,400 - DataGuidance (dataguidance.com)
- ICLG Data Protection Laws Cyprus 2024-2025 (iclg.com)
- GDPR Derogations: Cyprus - Chrysostomides (chrysostomides.com)
- CEF 2025 Right to Erasure - EDPB (edpb.europa.eu)
- EU AI Act Regulation (EU) 2024/1689 - EUR-Lex (eur-lex.europa.eu)
- Cyprus AI Act national authority designation - gov.cy (gov.cy)
- Cyprus NIS2 adoption 2025 - Harneys (harneys.com)
- NIS2 Directive implementation Cyprus - European Commission (digital-strategy.ec.europa.eu)
- Intellexa US sanctions - ICIJ Cyprus Confidential (icij.org)
- Christofidou new OCPDP Commissioner - Cyprus Mail (cyprus-mail.com)
- Law 125(I)/2018 PDF - dataprotection.gov.cy (dataprotection.gov.cy)
- Commissioner (Cyprus) - 11.17.001.010.239 (Senira) - GDPRhub (gdprhub.eu)
- Cyprus - Data Protection Overview - DataGuidance (dataguidance.com)
- Data Protection in Cyprus - DLA Piper Data Protection Laws of the World (dlapiperdataprotection.com)
- CEF 2026: EDPB launches coordinated enforcement action on transparency - EDPB (edpb.europa.eu)
- Greek court convicts Intellexa founder Tal Dilian - ICIJ (icij.org)