The days after the GDPR – The Cyprus Law on the Protection of Natural Persons against the Processing of Personal Data and the Free Movement of this Data
This year, on the 25th of May 2018, the highly anticipated and monumental EU General Data Protection Regulation (henceforth “the GDPR”) was fully enforced and applied in all Member States of the EU, replacing the previous Data Protection Directive 95/46/EC.
Even though, undoubtedly, one of the main objectives of the GDPR is harmonising data protection rules throughout the EU, it also provides for certain areas where Member States could determine and further set exceptions within the articles of the GDPR. Because of this, Cyprus, like many other Member States, has put in place a GDPR implementation law.
Cyprus’ Protection of Natural Persons Against the Processing of Personal Data and the Free Movement of this Data Law 125(I) of 2018 (henceforth “the Law”) in some respects implements elements of the GDPR, and in others could be viewed as ancillary and supplementary to it. Here we outline and highlight 6 key aspects of the Law which portray the direction of Cyprus’ exercise of legislative discretion in relation to the parameters presented in the GDPR.
Children and the Age of Consent – Article 8 of the Law
Consent, in its various facets, has always been a widely and heatedly discussed matter around the globe. The infringement of various human rights of many women, men and children boils down to a lack of their consent. The age of consent in both the GDPR and the Law becomes relevant in relation to the offer of information society services directly to a child.
Article 8 of the GDPR sets the age of consent at 16 years, with discretion granted to Member States to set a lower age within the range of 13-16 years. The matter of consent has undeniably been a key discussion point for all Member States when implementing their respective national GDPR implementing laws, paralleling the wider conversation on consent occurring worldwide. Some Member States have decided not to lower the age of consent from 16 years in an effort to protect underage children from providing consent without making an informed decision.
Pursuant to the Law, the processing of the child’s personal data will be lawful when the child is at least 14 years old. Under this Law, a lower age for which the child may lawfully consent to processing has been set. Where the child is younger than 14 years, processing of their personal data shall be lawful only if, and to the extent, consent or authorisation has been given by the child’s holder of parental responsibility.
Genetic, Biometric and Health Related Data – Article 9 of the Law
As Article 9 of the GDPR provides, Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.
Under the Law, the processing of genetic and biometric data for the purposes of life and health insurance is prohibited. When the processing of genetic and biometric data is based on the data subject’s consent, any further processing of this data requires the separate consent of the data subject.
Restriction of rights – Article 11 of the Law
Regarding the restriction of rights under the Law, two aspects which have proven to be of great interest are the role of the Commissioner for Data Protection (henceforth “the Commissioner”) and the limitations chosen by the Parliament in transposing the restriction of rights into national law.
Article 11 of the Law holds that, subject to Article 23(1) of the GDPR, the data controller may implement measures restricting the rights described under Articles 12 and 18-20 of the GDPR, wholly or partly, provided that where such measures are implemented, in the context of processing by a data processor, they are implemented subject to the provisions of Article 28 of the GDPR. Additionally, Article 11(4) of the Law provides that subject to the provisions of Article 14(5) of the GDPR, the data controller must notify the data subjects concerned of the implementation of any restrictive measures relating to Articles 12 and 18-20 of the GDPR.
What could undoubtedly be a cause for concern is that Article 11 of the Law chooses to apply the restriction of rights to only 4 Articles of the GDPR, as opposed to the total of 11 provided under Article 23 of the GDPR. Therefore, the scope of restricting rights has been limited in its potential range of application. What is especially interesting is that, rather than restricting rights by way of a legislative measure which would define the scope of obligations and rights, the legislative decision was to grant to data controllers, not to data processors, the ability to implement the measures restricting rights, expanding in some regard the powers of the data controllers while at the same time leaving the data processors with more responsibilities as a result.
On the other hand, it must be noted that under Article 11(2) of the Law an impact assessment and consultation with the Commissioner is required prior to the implementation of any measures restricting the rights derived from Articles 12 and 18-20 of the GDPR, which undoubtedly restricts the actions of the data controllers when implementing measures restricting rights.
The aforementioned impact assessment must include the information provided under Articles 23(2) and 35(7) of the GDPR and, as could be required, a description of the appropriate technical and organisational measures described under Articles 24, 25, 28 and 32 of the GDPR.
Within the powers of the Commissioner is the ability to impose terms and conditions for the implementation of such restrictive measures and the notification of the data subject concerned.
Discharge of the Responsibility to Communicate a Personal Data Breach – Article 12 of the Law
The controller may be partly or wholly discharged of the responsibility to communicate a personal data breach to the data subject on any of the grounds set out under Article 23(1) of the GDPR.
For the controller to be discharged from the responsibility to communicate a breach to the data subject, an impact assessment and prior consultation with the Commissioner are required. The Commissioner may impose terms and conditions on the discharge of responsibility for the implementation of such restrictive measures and the communication to the data subject concerned.
With Article 12 of the Law, the Parliament seems to have exercised its GDPR-granted discretion in choosing the scope of application of Article 23 of the GDPR.
Data Protection Officers (DPOs) – Article 14 of the Law
The fact that a DPO is not required in all circumstances, as evident from the GDPR, provides the Commissioner with a discretion as to the extension of the potential DPO appointments in various situations. Under Article 14(2) of the Law, the Commissioner may publish a list of processing operations in which a DPO must be appointed, in addition to the processing operations set out under Article 37 of the GDPR.
DPOs, appointed in harmony with Article 37 of the GDPR, shall be bound by secrecy or confidentiality concerning the performance of their tasks, subject to any laws regulating such matters. A list of data controllers and processors who have appointed DPOs may be published on the website of the Commissioner, subject to their consent.
Penalties and Criminal Offences – Articles 32 and 33 of the Law
The Commissioner may impose administrative fines in accordance with and subject to the conditions of Article 83 of the GDPR. Under the Law various criminal offences are provided for both data processors and controllers who may be found guilty of the offences and face penalties in a number of circumstances.
Furthermore, the Law also provides for criminal offences in 12 particular circumstances, punishable by imprisonment of up to 3 years and/or a fine of €30,000. In 4 of those circumstances, if the offence hinders the interests of the Republic, raises risks for the seamless operation of Government or threatens national security, it could be punishable by imprisonment of up to 5 years and/or a fine of €50,000. Additionally, in 2 other particular circumstances the criminal offences are punishable by imprisonment of up to 1 year and/or a fine of €10,000.
Where the data controller or processor is an undertaking or a group of undertakings, criminal liability rests with the chief executive body of the undertaking or group of undertakings concerned.
Conclusion
The Law provides some derogations from the GDPR, including the limited scope of application of the restriction of rights and the lowering of the protections relating to the age of consent, in comparison to the GDPR. Greater enforcing powers have been granted to the national GDPR supervisory authorities and the potential for significant fines for regulatory infringement affects both data controllers and processors in the event of a breach of their respective obligations.
Article provided by: Alexia Kountouri & Constantinos Andronicou (Tassos Papadopoulos & Associates)
Discover more about the Cloud Privacy Check (CPC) / Data Privacy Compliance (DPC) project
Director CPC project: Dr. Tobias Höllwarth, tobias.hoellwarth@eurocloud.org