Law: Law 125(I) of 2018 Providing for the Protection of Natural Persons with regard to the Processing of Personal Data and for the Free Movement of Such Data ('the Law') and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')

Regulator: Office of the Commissioner for Personal Data Protection ('the Commissioner')

Summary: The Law is the main piece of privacy regulation in Cyprus and implements the GDPR into national law. The Law establishes the Commissioner as the supervisory authority for the purposes of the GDPR, responsible for monitoring the application of the GDPR and of the Law, and stipulates measures relating to the processing of personal data. In addition, the Law sets out provisions on, among other things, the processing of sensitive data, international transfers of the same, and Data Protection Impact Assessments. The Law specifically forbids the processing of genetic and biometric information for life insurance purposes. Furthermore, the Commissioner has issued several guidelines covering key topics such as the protection of children's data, cookies, breach notifications, data protection officer appointments, and direct marketing. Legislation in Cyprus also provides for criminal penalties, such as five years imprisonment, for certain violations of the Law or the GDPR.