Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Cyprus - Data Protection Overview
Back

Cyprus - Data Protection Overview

June 2023

1. Governing Texts

Data protection in Cyprus is primarily governed by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') which has been implemented into Cypriot law by virtue of Law 125(I) of 2018 Providing For The Protection of Natural Persons with regard to the Processing of Personal Data and for the Free Movement of Such Data ('the Law').

1.1. Key acts, regulations, directives, bills

The Law which entered into force, on July 31, 2018, implemented certain provisions of the GDPR and repealed the Processing of Personal Data (Protection of Individuals) Law 138 (I) 2001, which had implemented Data Protection Directive (Directive 95/46/EC).

1.2. Guidelines

To ensure the proper application of the GDPR, the Office of the Commissioner for Personal Data Protection ('the Commissioner') has adopted certain guidelines issued by the Article 29 Working Party ('WP29') which has been replaced by the European Data Protection Board ('EDPB') and has also issued its own guidelines and opinions.

The Guidelines from the Commissioner cover in particular:

  • data protection officers ('DPO Guidance');
  • Data Protection Impact Assessments ('DPIA Guidance');
  • personal data breach notifications;
  • codes of conduct (only available in Greek here) and certification mechanisms (only available in Greek here);
  • security of processing (only available in Greek here) and the guidelines on the security of processing (available only in Greek here);
  • data transfers (only available in Greek here);
  • Guide to records of processing activities and Guide to complete the record of processing activities;
  • video-surveillance (only available in Greek here);
  • employment relations (only available in Greek here);
  • use of the internet and mobile phones (only available in Greek here);
  • direct marketing of goods and services (only available in Greek here);
  • directions to banking institutions about retention periods for personal data (only available in Greek here);
  • directions for political communications through phone calls (only available in Greek here);
  • transmission of messages and placing of calls with political content/promotion of candidates (only available in Greek here);
  • directions for the exercise of the right to access by public employees (only available in Greek here);
  • directions about retention periods for medical data (only available in Greek here);
  • Opinion 1/2018 addressed to Trade Unions in relation to the notification by the employers of lists with names of employees, their salaries and contributions (only available in Greek here);
  • Opinion 2/2018 on video surveillance at work and the use of biometric systems (only available in Greek here);
  • Opinion 1/2019 on the access to email accounts of employee and former employee (only available in Greek here);
  • interpretation of Article 10 GDPR (only available in Greek here);
  • Opinion 1/2020 on the supervision of long distance/ online exams by higher education institutions (only available in Greek here); and
  • Directive 4/2017 for right of access of employees or candidates in the Public Section (only available in Greek here).

In addition to the above Guidelines, the Commissioner has also issued guidance in the form of public announcements, inter alia, as follows:

  • consent in the context of direct marketing (SMS and emails) (only available in Greek here);
  • announcement in relation to existing transmission licenses;
  • sample of record of processing activities and directions for its completion (only available in Greek here);
  • renaming of Facebook groups/pages (only available in Greek here); and
  • announcement in relation to task automation and alternatives (only available in Greek here).

1.3. Case law

Since the entry into force of the GDPR in Cyprus, a number of cases have been investigated by the Commissioner against private organizations and public authorities, for which public announcements have been issued.

Summaries of the Commissioner's decisions are available in reports published throughout the year.

Notable decisions of the Commissioner under the GDPR to date include:

  • A reprimand, issued on May 22, 2018, against a credit institution for failing to provide adequate information, non-personalization of requests, lack of legal justification, non-observance of the principles of proportionality and minimization, as well as the inclusion of disproportionate measures, by requiring customers to update their personal data under the threat of having their accounts suspended or blocked in the event that they failed to submit such data (you can read the decision, only available in Greek here).
  • A €5,000 fine, issued on November 7, 2018, against a public hospital for misplacement of a patient's file and refusal of a subject access request (you can read the decision, only available in Greek, here).
  • A €5,000 fine, issued on April 12, 2019, against a media organisation for the processing of personal information without the data subject's consent. The case concerned the public broadcasting of the data subject's face in a video, regardless of the fact that anonymity was expressly requested (you can read the decision, only available in Greek, here).
  • A €4,000 fine, issued on March 13, 2019, against an insurance company for sending unsolicited SMS marketing to non-customers, whose phone numbers were chosen randomly. You can read a summary of the decision in the February-April 2019 Report (only available in Greek, here).
  • A number of fines ranging from €2,000 to €3,000, issued against political parties and persons for unsolicited political messages for the European Parliament Elections. You can read a summary of the decision in the July-September 2019 Report (only available in Greek here).
  • A reprimand, issued, against the Cyprus Police for failing to implement appropriate technical and organisational measures in order to ensure and be able to prove that the processing is carried out in accordance with the law by allowing information about a complainant's report to be leaked to newspapers and tv channels. You can read a summary of the decision in the July-September 2019 Report (only available in Greek here).
  • A reprimand, issued on June 12, 2019, against a district committee of the Ministry of Education, Culture, Sports and Youth for failing to implement appropriate technical and organisational measures in order to ensure and be able to prove that processing is carried out in accordance with the law by exposing files with personal information to third parties in open boxes and unlocked drawers. You can read the decision, only available in Greek, here.
  • Fines ranging from €2,000 to €70,000 and an order to cease processing activities, issued on October 25, 2019, against a group of companies for processing special category data without a legal basis, by implementing a system to manage and monitor sick leave absences from work using the 'Bradford Factor' (you can read the decision, only available in Greek here).
  • A number of instructions were issued by the Commissioner in 2020 to the Ministry of Education, Culture, Sports and Youth following an investigation by the Commissioner in secondary education schools, after concerns were expressed by parents, students, teachers, and organised representative groups regarding the operation of modern education and especially the visual recording of teaching by schools and its direct transmission to students at their house. In the Commissioner's opinion, while sound recording from teaching rooms were deemed to be justified on the basis of conventional education in the context of the employment relationship, there was no legal basis which would make the visual recording of teachers and students lawful. For the visual recording of students with physical presence in the classroom or absent students, the Commissioner considered that it is outside the legal framework and contrary to the fundamental principles of legal processing of personal data (you can read a summary of the decision, only available in Greek here).
  • A decision issued on January 12, 2021, cornered a complaint which was lodged in Germany against the company Sea Chefs Cruises Ltd, which was subsequently transmitted to the Commissioner for Personal Data Protection (Cyprus SA), under the cooperation mechanism. The complaint was about a general 'authorization' which the company requested its employees to sign, in order to access their medical records, so that in the event of a medical incident on board, to be able to offer medical care to employees, to arrange any associated travel and to handle any medical claim. Cyprus SA assessed all the information available in relation to this case and decided that the consent provided by employees to Sea Chefs Cruises Ltd is not in accordance with the rule of Article 4(11) and Article 7 of the GDPR. Cyprus SA considers that in the employment sector, consent should not be used as the lawful basis for the processing due to the imbalance of the relationship between employer and employee. In accordance with the minimisation/proportionality principle (Article 5(1)(c) of the GDPR), Cyprus SA considers that the controller should collect and generally process only data that are absolutely necessary to be able to assist the employees with medical care, to arrange any associated travel and to handle any medical claim, in line with relevant laws and the Collective Bargaining Agreement. The Cyprus SA instructed the Sea Chefs Cruises Ltd to discontinue the processing of employees medical records, which is based on consent, and to restore processing operations in accordance with the provisions of GDPR (you can read the decision, available in English here).
  • A decision issued on March 31, 2022, concerned a complaint against a doctor for operating CCTVs in a common area of two clinics, in which case the Commissioner placed an administrative fine of €1,500, for the breach of the obligation deriving from Article 31 of the GDPR (you can read the decision, only available in Greek here).
  • A reprimand, issued on September 7, 2022, against a Broadcasting Corporation for failing to promptly attend and comply with the Commissioner's Order dated February 21, 2022, within the set deadline. You can read the decision, only available in Greek here.

The Commissioner also publishes annual reports with all matters and cases examined in the relevant year. The latest annual report available is for 2021, which was handed over by the Commissioner on November 18, 2022 (only available in Greek here).

2. Scope of Application

2.1. Personal scope

No national variations from the GDPR.

2.2. Territorial scope

No national variations from the GDPR.

2.3. Material scope

No national variations from the GDPR.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The regulatory authority for data protection in Cyprus is the Commissioner, established in 2002. Apart from the Commissioner herself, the office is currently staffed by nine officers and five administrative members of staff.

3.2. Main powers, duties and responsibilities

The Commissioner carries out the duties and powers assigned to them under the provisions of the GDPR, the Law, and any other relevant regulation.

Subject to the provisions of Article 57 of the GDPR, and in addition to the duties provided for in that Article, the Commissioner carries out the following tasks (Article 24 of the Law):

  • may publish on the Office's website the means of lodging complaints and requests;
  • shall examine complaints and, where possible, depending on the complaint's nature and type, shall inform the complainant in writing for the progress and outcome of the complaint within 30 days of the submission of the complaint. If the complaint is deemed unfounded or does not fall within the competence of the Commissioner, the Commissioner shall inform the complainant in writing within 30 days of the submission of the complaint;
  • shall inform, where appropriate, the data subject, the controller, and processor of the time limits provided in Articles 60 to 66 of the GDPR;
  • may not investigate a complaint or discontinue its investigation for reasons of public interest and shall notify the data subject, within a reasonable period, the reasons for not investigating or for terminating the investigation of the complaint;
  • may establish  and make public the list of processing operations and cases requiring the appointment of a DPO, in accordance with the provisions of Article 14 of the Law; and
  • may publish on its website, the list of controllers and processors available, who have appointed a DPO as provided for in Article 14 of the Law.

Furthermore, subject to the provisions of Article 58 of the GDPR, and in addition to powers provided for in that article, the Commissioner exercises the following powers (Article 25 of the Law):

  • subject to the provisions of Article 58(1)(a) and 58(1)(e) of the GDPR, the Commissioner shall have access to all personal data and to all the information required for the performance of their duties and the exercise of their powers, including confidential information, except for information covered by legal professional privilege;
  • subject to the provisions of Article 58(1)(f) of the GDPR, the Commissioner shall have the power to enter, without necessarily informing the controller, the processor, or their representative in advance, in any office, professional premises, or means of transport, with the exception of residences;
  • for the exercise of the provisions of Article 58(a) of the GDPR and those of Article 25 of the Law, the Commissioner may be assisted by an expert and/or the police;
  • during the exercise of their investigative powers, the Commissioner may seize documents or electronic equipment by virtue of a search warrant, according to the provisions of the Criminal Procedure Law 1949 (only available in Greek here);
  • in addition to the corrective powers provided for in Article 58(2) of the GDPR, the Commissioner shall require the Cyprus Organization for the Promotion of Quality ('the Quality Promotion Organization') to revoke the accreditation of a certification body, when the Commissioner ascertains that the requirements for the certification are not or are no longer met or where actions taken by the certification body violate the provisions of the GDPR or of the Law;
  • the Commissioner shall denounce the Quality Promotion Organization to the European Commission, in the case where the Quality Promotion Organization does not revoke an accreditation of a certification body in accordance with subsections (3) and (4) of Article 16 of the Law; and
  • in addition to the authorization and advisory powers provided for in Article 58(3) of the GDPR, the Commissioner shall have the power to:
    • authorize the combination of filing systems provided for in Article 10 of the Law and impose terms and conditions for the materialization of the combination;
    • impose terms and conditions in relation to the application of the measures for the restriction of the rights referred to in Article 11 of the Law;
    • impose terms and conditions for the exemption to the obligation to communicate the data breach referred to in Article 12 of the Law; and
    • impose explicit limits for the transfer of special categories of personal data referred to in Articles 17 and 18 of the Law.

4. Key Definitions

Data controller: No national variations from the GDPR.

Data processor: No national variations from the GDPR.

Personal data: No national variations from the GDPR.

Sensitive data: No national variations from the GDPR.

Health data: No national variations from the GDPR.

Biometric data: No national variations from the GDPR.

Pseudonymisation: No national variations from the GDPR.

5. Legal Bases

5.1. Consent

National variations from the GDPR, according to the provisions of the Law:

The processing of genetic and biometric data for purposes of health and life insurance is prohibited.

Without prejudice to Article 5(1)(b) of the GDPR, where the processing of genetic and biometric data is based on a data subject's consent, the further processing of such data requires the separate consent of the data subject.

5.2. Contract with the data subject

No national variations from the GDPR.

5.3. Legal obligations

No national variations from the GDPR.

5.4. Interests of the data subject

No national variations from the GDPR.

5.5. Public interest

National provisions under the Law:

The processing of personal data which is vested by virtue of a Decision of the Council of Ministers to a public authority or body for the performance of a task carried out in the public interest or in the exercise of official authority shall be performed lawfully and fairly, in a clear, precise and transparent manner in relation to the data subject, in accordance with the provisions of Article 5(1)(a) and Article 6(1)(e) of the GDPR.

The combination of large-scale filing systems of two or more public authorities or bodies, is permitted only for reasons of public interest and provided that the provisions of Article 6(1)(c) or (e), or Article 9(2)(g),(h), or (i) of the GDPR are fulfilled.

Personal data in official documents held by a public authority or body for the performance of a task carried out in the public interest shall be disclosed in accordance with the provisions of the right of access to documents of the public sector law.

The processing which is carried out by a controller or a processor for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be used for taking a decision which produces legal effects concerning the data subject or similarly significantly affects them.

5.6. Legitimate interests of the data controller

No national variations from the GDPR.

5.7. Legal bases in other instances

Direct marketing

In Cyprus, the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the e-Privacy Directive') is implemented by the Electronic Communications and Postal Services Law 112 (I) of 2004 (only available in Greek here) ('the Electronic Communications Law'). Under the Electronic Communications Law, the use of electronic mail for the purposes of direct marketing is permissible only in the case of addressees who have given their prior consent.

The only exception in Cyprus where the principle of 'opt-out' applies is where a sender has been provided by a customer with an email address in the course of a sale of goods or services. Individuals or legal entities that obtain their customers' personal data (e.g. email addresses) in the course of the sale of a product or service, may use these data for direct promotion of their own similar products or services so long as customers are aware of this practice and given the opportunity to decline receipt of communications in the future.

Archiving in the public interest, scientific, historical research, or statistical purposes

Processing carried out by a controller or processor for archiving purposes in the public interest, for scientific purposes, historical research, or for statistical purposes excludes the use of personal data with the purpose of taking a decision, which produces legal effects vis-à-vis the data subject or significantly affects it in a similar way (Article 31 of the Law).

Processing genetic and biometric data for life insurance purposes

The processing of genetic and biometric data for life insurance purposes is forbidden under the Law. Notwithstanding the provisions of Article 5(1)(b) of the GDPR, when the processing of genetic and biometric data is based on the consent of the data subjects, separate consent of the data subject is required for the further processing of such data (Article 9 of the Law).

Journalistic, academic, artistic, or literary expression

The processing of personal data, special categories of personal data, or personal data relating to criminal convictions and offences carried out for journalistic or academic purposes or for purposes of artistic or literary expression, is lawful, provided that those purposes are analogous to the intended objective and respect the essence of the rights as defined in the Charter of Fundamental Rights of the EU, in the European Convention of Human Rights and Fundamental Freedoms, which has been ratified by the European Convention for the Protection of Human Rights (Ratification) Law, and in Part II of the Constitution of Cyprus 1960 (only available in Greek here) (Article 29(1) of the Law).

6. Principles

No national variations from the GDPR.

7. Controller and Processor Obligations

7.1. Data processing notification

The transfer to a third country of any special category personal data requires prior notification to the Commissioner (Article 17 of the Law).

The transfer of any special category personal data to a third country or to an international organisation, by a controller or processor on the basis of the derogations provided for in Article 49 of the GDPR for specific situations requires a DPIA as well as prior consultation with the Commissioner (Article 18 of the Law).

Other than the above, consultation with the Commissioner is also required when the rights of data subjects are restricted by the controller as well as in the event of a decision to not notify a data subject about a data breach (Articles 11(2) and 12(2) of the Law).

No official fees currently apply in relation to the above notification requirements.

7.2. Data transfers

Third countries and international organizations

In the absence of an appropriate legal measure by the European Commission, binding on Member States, the Commissioner may propose to the Minister of Justice and Public Order the conclusion of agreements with third countries or international organizations for the fulfillment of the purposes referred to in Article 50 of the GDPR (Article 35 of the Law).

Special categories of personal data

When the controller or the processor intends to transfer special categories of personal data to a recipient in a third country or to an international organisation and the intended transfer is based on appropriate safeguards provided for in Article 46 of the GDPR or on binding corporate rules ('BCRs') provided for in Article 47 of the GDPR, the controller or processor must inform the Commissioner of the intended transfer before the data are transferred (Article 17(1) of the Law).

Notwithstanding the provisions of Articles 46 and 47 of the GDPR, the Commissioner may, for important reasons of public interest, impose explicit limits to the controller or the processor for the transfer of the special categories of personal data referred to above (Article 17(2) of the Law).

In the case where the appropriate safeguards or the BCRs were adopted by the Commissioner or in accordance with the consistency mechanism provided for in Article 63 of the GDPR, before imposing the limits referred to above, the Commissioner shall consult, where appropriate, with the Commission, the lead authority and the other concerned authorities (Article 17(3) of the Law).

Furthermore, notwithstanding the provisions of Article 49 of the GDPR on carrying out an impact assessment and prior consultation with the Commissioner, the Commissioner may, for important reasons of public interest, impose explicit limits to the controller or the processor for the transfer of special categories of personal data (Article 18(3) of the Law).

Please see section on DPIAs below for further information on DPIAs when transferring special categories of personal data.

7.3. Data processing records

An offense shall be committed by a controller or a processor who:

  • does not maintain the record of processing activities provided for in Article 30 of the GDPR;
  • does not update this record;
  • does not make the record available to the Commissioner on request; or
  • provides false, inaccurate, incomplete, or misleading information to the Commissioner in relation to this record (Article 33(1)(a) of the Law).

7.4. Data protection impact assessment

A DPIA must be conducted when the processing is likely to create a high risk to the rights and freedoms of the persons concerned.

Under the Law, the following activities require a DPIA and prior consultation with the Commissioner:

  • measures to limit, in whole or in part, the rights referred to in Articles 12, 18, 19, and 20 of the GDPR (Article 11 of the Law);
  • exemption from the responsibility for data breach notification (Article 12 of the Law);
  • transfers of personal data to third countries or international organizations (Article 17 and 18 of the Law);
  • the combination of filing systems which concern special categories of personal data or data concerning criminal convictions or to be used with an identification card number or any other general application identity information (Article 10 of the Law); and
  • the enactment of laws or regulations pursuant to a law, which provide for a particular act or series of personal data processing acts (Article 13 of the Law).

In addition, a DPIA and prior consultation of the Commissioner is required for the implementation of limiting measures. The DPIA shall include the information provided in Article 23(2) and Article 35(7) of the GDPR and, where appropriate, a description of the information provided for in Articles 24, 25, 28, and 32 of the GDPR on technical and organizational security measures (Article 11(2) and (3) of the Law).

Subject to the provisions of Article 14(5) of the GDPR, the controller must inform the data subject about the application of such limiting measures. The Commissioner may impose conditions on the controller for the implementation of the limiting measures and for the data subject's information (Article 11(4) and (5) of the Law).

International transfers

A transfer carried out by a controller or processor, of special categories of personal data to a third country or an international organisation, which is based on derogations for specific situations provided for in Article 49 of the GDPR requires carrying out a DPIA and prior consultation with the Commissioner (Article 18(1) of the Law).

The DPIA referred to above shall contain the information provided for in Article 35(7) of the GDPR and, where applicable, a description of the technical and organizational security measures provided for in Articles 24, 25, 28, and 32 of the GDPR (Article 18(2) of the Law).

All activities other than the ones stated in this section above do not require prior consultation with the Commissioner.

7.5. Data protection officer appointment

A DPO shall be appointed, subject to the provisions of Article 37 of the GDPR (Article 14(1) of the Law).

The Commissioner may draw up and make public a list of processing activities and cases requiring the appointment of a DPO, additional to the activities referred to in Article 37(1) of the GDPR (Article 14(2) of the Law).

The Commissioner may make publicly available on its website a list of controllers and processors who have designated a DPO and their contact details, provided that the controller and the processor wish to be included in this list (Article 14(3) of the Law).

Subject to the provisions of any law governing professional matters of confidentiality or secrecy, in the performance of their duties, the DPO is bound by the obligation of confidentiality or secrecy (Article 15(1) of the Law).

Observance of confidentiality or secrecy by the DPO shall not affect the investigation powers of the Commissioner provided for in Article 58(1) of the GDPR and the powers of the Commissioner set out in Article 25(a)(b) of the Law (Article 15(2) of the Law).

7.6. Data breach notification

The controller may be exempted, in whole or in part, of the obligation to communicate a personal data breach to the data subject, for one or more purposes referred to in Article 23(1) of the GDPR. The exemption from the obligation for data breach notification requires a DPIA and prior consultation with the Commissioner. The DPIA shall include the information set out in Articles 23(2) and 35(7) of the GDPR. The Commissioner may impose terms and conditions on the controller for the exemption (Article 12 of the Law).

Data controllers in certain sectors may be required to inform sectoral regulators of any breach.

7.7. Data retention

No national variations from the GDPR.

7.8. Children's data

When providing information society services directly to a child based on the child's consent, the processing of personal data is lawful if the child is at least 14 years old (Article 8(1) of the Law).

For a child under the age of 14, the processing of personal data is lawful following consent provided or approved by the person having parental responsibility for the child (Article 8(2) of the Law).

7.9. Special categories of personal data

The processing of special categories of data laid down in Article 9 of the GDPR is permitted and is lawful when it is carried out for the purpose of publishing or issuing a decision of any court or when it is necessary for the purpose of delivering justice (Article 6 of the Law).

The combination of large-scale filing systems of two or more public authorities or bodies, is permitted only for reasons of public interest and provided that the provisions of Article 6(1)(c) or (e), or Article 9(2)(g),(h), or (i) of the GDPR are fulfilled (Article 10(1) of the Law).

In the case where the combination relates to special categories of personal data, to personal data relating to criminal convictions and offences, or is to be carried out with the use of the identity card number or any other identifier of general application, it is required to carry out a DPIA and a prior consultation with the Commissioner (Article 10(2) of the Law).

The DPIA shall be carried out jointly by the public authorities or bodies that intend to combine their filing systems and shall contain the information provided for in Article 35(7) of the GDPR and, where applicable, a description of the technical and organizational security measures provided for in Articles 24, 25, 28, and 32 of the GDPR (Article 10(3) of the Law).

Please see section on data transfers above for international transfers of special categories of personal data.

7.10. Controller and processor contracts

No national variations from the GDPR.

8. Data Subject Rights

Subject to the provisions of Article 23(1) of the GDPR, the controller may apply measures to limit, in whole or in part, the rights referred to in Articles 12, 18, 19, and 20 of the GDPR; provided that if the limitation of rights concerns a processing act entrusted to a processor, the measures shall apply subject to Article 28 of the GDPR (Article 11(1) of the Law).

8.1. Right to be informed

The provisions of Article 14 of the GDPR shall apply to the extent that they do not affect the right to freedom of expression and information and the press confidentiality (Article 29(2) of the Law).

8.2. Right to access

The provisions of Article 15 of the GDPR shall apply to the extent that they do not affect the right to freedom of expression and information and the press confidentiality (Article 29(2) of the Law).

8.3. Right to rectification

No national variations from the GDPR.

8.4. Right to erasure

No national variations from the GDPR.

8.5. Right to object/opt-out

No national variations from the GDPR.

8.6. Right to data portability

No national variations from the GDPR.

8.7. Right not to be subject to automated decision-making

No national variations from the GDPR.

8.8. Other rights

Authority powers

Subject to the provisions of Article 57 of the GDPR and in addition to the duties provided for in that article, the Commissioner may not investigate a complaint or discontinue its investigation for reasons of public interest and shall notify to the data subject, within a reasonable period, regarding the reasons for not investigating or for terminating the investigation of the complaint.

9. Penalties

Subject to the provisions of Article 83 of the GDPR, the Commissioner shall impose administrative fines. In case of failure to pay the administrative fine, this is collected as a civil debt due to the Republic. An administrative fine imposed on a public authority or public body in respect of non-profitable activities, shall not exceed €200,000 (Article 32 of the Law).

In addition to administrative fines, the Law creates a number of criminal offences for the violation of certain articles of the Law and of the GDPR (i.e. Articles 30, 31, 33(1) and (2), 34, 35(1), 42, Chapter V, etc.), punishable upon first conviction with imprisonment of one to five years and/or a fine ranging between €10,000 to €50,000, depending on the offence (Article 33 of the Law). For example, the offences listed below may give rise to imprisonment for a maximum of three years and/or to a fine which shall not exceed €30,000 (Article 33(2) of the Law) :

  • an offence is committed by a controller who does not carry out a DPIA, in breach of the provisions of Article 35(1) of the GDPR or of Section 13 of the Law (Section 33(1)(f) of the Law); and
  • an offence is committed by a controller or a processor who prevents a DPO from performing their tasks, in particular those relating to the cooperation with the Commissioner (Section 33(1)(g) of the Law).

For the purposes of determining liability, if the controller or processor is a business undertaking or group of business undertakings, legal responsibility lies with the person designated as the highest executive instrument or body of the undertaking or group of undertakings. If the controller or processor is a public authority or public body, the head or the person who exercises effective management of the public authority or public body is legally responsible (Article 33(5) of the Law).

9.1 Enforcement decisions

Please see section on case law above.

Feedback