Cyprus: Data Protection in the Financial Sector
1. Governing Texts
Since the 2008 Financial Crisis and the adoption of numerous legislative instruments aiming to restore confidence in the financial sector, the activities and business of financial services providers, markets, market participants, and investors have been closely scrutinised and supervised. The new and stricter rules that have been put in place relating to matters such as client categorisation, regulatory reporting, data management, record keeping, and transaction monitoring involve, to a great extent, the processing of personal data. This note provides an overview of financial services regulation in the Republic of Cyprus from a data privacy perspective and draws out the interrelation between the two.
The following EU legislation, among others, is applicable:
- the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') is applicable to financial services with regard to their personal data processing activities;
- the Payment Services Directive (Directive (EU) 2015/2366) ('PSD2');
- the Fourth Anti-money Laundering Directive (Directive (EU) 2015/849) ('the Fourth AML Directive');
- the Fifth Anti-Money Laundering Directive (Directive (EU) 2018/843) ('the Fifth AML Directive');
- the Sixth Anti-Money Laundering Directive (Directive (EU) 2018/1673) ('the Sixth AML Directive');
- the Capital Requirements Regulation (EU) 575/2013 of 26 June 2013 on Prudential Requirements for Credit Institutions and Investment Firms ('the Capital Requirements Regulation');
- the Capital Requirements Directive 2013/36/EU of 26 June 2013 on Access to the Activity of Credit Institutions and the Prudential Supervision of Credit Institutions and Investment Firms ('the Capital Requirements Directive');
- the Commission Delegated Regulation (EU) 2017/565 on Organisational Requirements and Operating Conditions for Investment Firms ('MiFID Regulation');
- the Directive 2014/65/EU of 15 May 2014 on Markets in Financial Instruments ('MiFID2');
- the Directive 2009/138/EC on the Taking-up and Pursuit of the Business of Insurance and Reinsurance (Solvency II) ('the Solvency II Directive');
- the Commission Delegated Regulation (EU) 2015/35 of 10 October 2014 on the Taking-up and Pursuit of the Business of Insurance and Reinsurance (Solvency II) ('the Solvency Regulation');
- the Directive on Privacy and Electronic Communications (2002/58/EC) ('the ePrivacy Directive'); and
- the Directive on Security of Network and Information Systems (Directive (EU) 2016/1148) ('the NIS Directive').
The European Data Protection Board ('EDPB') has issued the following relevant opinions and guidance:
- Opinion 4/2019 on the draft Administrative Arrangement for the Transfer of Personal Data between the European Economic Area ('EEA') Financial Supervisory Authorities and non-EEA Financial Supervisory Authorities;
- Guidelines 06/2020 on the Interplay of the Second Payment Services Directive and the GDPR;
- Guidelines 2/2019 on the Processing of Personal Data under Article 6(1)(b) of the GDPR in the context of the Provision of Online Services to Data Subjects ('Guidelines 2/2019'); and
- Letter regarding the PSD2 Directive.
The Article 29 Working Party ('WP29') has issued the following relevant guidance:
- Opinion 14/2011 on Data Protection Issues related to the Prevention of Money Laundering and Terrorist Financing;
- Opinion 1/2006 on the Application of EU Data Protection Rules to Internal Whistleblowing Schemes in the Fields of Accounting, Internal Accounting Controls, Auditing Matters, Fight against Bribery, Banking and Financial Crime ('WP29 Opinion on Whistleblowing');
- Letter of the Chair of the Article 29 Working Party to FATCA;
- Guidelines on Transparency under Regulation 2016/679 ('the Guidelines on Transparency');
- Guidelines on Consent under the GDPR ('WP29 Guidelines on Consent'); and
- Guidelines on Personal Data Breach Notification under the GDPR ('WP29 Guidelines on Breach Notification').
The European Banking Authority ('EBA') has issued, among others, the following relevant guidance:
- Recommendations on Outsourcing to Cloud Service Providers (20 December 2017);
- Guidelines on Major Incident Reporting under Directive (EU) 2015/2366 (PSD2) (27 July 2017) ('EBA Guidelines on Major Incident Reporting');
- Guidelines on Reporting Requirements for Fraud Data under Article 96(6) PSD2 ('EBA Guidelines on Fraud Reporting');
- Guidelines on ML/TF Risk Factors under Articles 17 and 18(4) of Directive (EU) 2015/849;
- Final Report on EBA Guidelines on Outsourcing Arrangements ('the EBA Guidelines on Outsourcing'); and
- Guidelines on ICT and Security Risk Management.
The applicable domestic legislation includes the following:
- Law 125(I) of 2018 Providing for the Protection of Natural Persons with regard to the Processing of Personal Data and for the Free Movement of Such Data ('the Law'), which implements certain provisions of the GDPR into domestic law and applies alongside the GDPR with regard to:
  - transfers of special categories of personal data to a third country outside the EU or to an international organisation; and
  - notification of data breaches to the Office of the Commissioner for Personal Data Protection ('the Commissioner'); and
- Law 112(I)/2004 on the Regulation of Electronic Communications and Postal Services, as amended, which transposes the ePrivacy Directive into domestic law, and applies to:
  - most electronic marketing activities (whether via voice call, email, or text message); and
Financial services legislation includes, but is not limited to:
- the Investment Services and Activities and Regulated Markets Law of 2017, as amended, transposing MiFID2 into domestic law ('the Investment Services Law');
- the Business of Credit Institutions Law of 1997, as amended, transposing the Capital Requirements Directive into domestic law ('the Business of Credit Institutions Law');
- the Provision and use of Payment Services and Access to Payment Systems Law of 2018, as amended, transposing PSD2 into domestic law ('the Payment Services Law');
- the Insurance and Reinsurance Services and Related Matters Law 38(I)/2016, as amended (only available in Greek) ('the Insurance Law'), transposing the Solvency II Directive into domestic law;
- the Security of Network and Information Systems Law of 2017 (only available in Greek) and Regulations 218/2019 (only available in Greek) enacted pursuant thereto, transposing the NIS Directive into domestic law ('the NIS Law'); and
- the Prevention and Suppression of Money Laundering and Terrorist Financing Law 188(I)/2007, as amended, transposing into domestic law the Fourth AML Directive and subsequent AML directives of the EU ('the AML Law').
Directives and decisions issued pursuant to these laws, which apply to, among other matters, data retention, management, confidentiality and protection, and other data privacy-related matters, are discussed below.
1.2. Supervisory authorities
The GDPR requires every Member State to establish a supervisory authority (Article 54 of the GDPR). In addition, the GDPR provides for a system of cooperation and transparency among all Member States' supervisory authorities in order to ensure consistent application of the GDPR throughout the EU.
The Commissioner is the supervisory authority in the Republic of Cyprus responsible for monitoring the implementation of the GDPR and its enforcement, along with other applicable data protection laws and regulations.
The Cyprus Securities and Exchange Commission ('CYSEC') is the regulator of, among other things, investment firms, funds, fund managers, issuers, and crypto-asset service providers. The CYSEC is entrusted with the power to monitor compliance of such firms and providers with applicable financial services laws and regulations. CYSEC's mission is to exercise effective supervision to ensure investor protection and the healthy development of the securities market in the Republic of Cyprus with the aim of establishing the Republic of Cyprus as a reliable, safe, and attractive destination for investments.
The Central Bank of Cyprus ('CBC') is the regulator of, among other things, credit institutions, payment services providers, and e-money institutions. The CBC is responsible for implementing monetary policies, maintaining financial stability, and ensuring growth of the financial sector in the Republic of Cyprus.
The Insurance Companies Control Service ('ICCS') is the regulator of, among other things, insurance and reinsurance undertakings. The ICCS exercises the powers granted to it under the Insurance Law for the purpose of protecting the interests and rights of insurance policyholders and beneficiaries alike.
Investor and consumer protection are of primary importance to all four regulators and, as evidenced by practice so far, such regulators take a strict approach on firms and providers that fail to adopt and implement measures ensuring the protection of investors and consumers alike. It is in this context that personal data becomes relevant from a financial services perspective.
2. Personal and Financial Data Management
2.1. Legal basis for processing
According to the GDPR, personal data must be processed in accordance with the principles of fairness, lawfulness and transparency (Article 5(1)(a) of the GDPR). In addition, processing shall only be lawful if (Article 6(1) of the GDPR):
- the data subject has given consent to the processing for one or more specific purposes;
- the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of a data subject prior to entering a contract;
- the processing is necessary for the compliance with a legal obligation to which the controller is subject;
- the processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
Moreover, under Article 9 of the GDPR, processing of special categories of personal data is prohibited unless one of the conditions in Article 9(2) applies.
A discussion of the above-mentioned bases for processing that are most relevant to financial services is set out below.
Article 6(1)(a) of the GDPR – consent
Consent is defined under Article 4(11) of the GDPR as 'any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.'
Recital 42 of the GDPR, which deals with the burden of proof and requirements for consent, states, among other things, that 'consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.' Recital 43 of the GDPR provides the following with regard to freely given consent: 'consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller […].' On a similar note, the EDPB has endorsed the WP29 Guidelines on Consent, which provide a detailed analysis of the type of consent that will, for the purposes of the GDPR, be considered valid, and which identify, among other things, that where there exists an imbalance of the kind referred to in Recital 43 of the GDPR (such as in an employer–employee relationship, or between a public authority and an individual), consent will not be an appropriate legal basis for processing. The Commissioner has fully adopted the WP29 Guidelines on Consent.
Given the above and the various elements of consent that will have to be satisfied in order for it to be valid under the GDPR, financial services firms will only rely on consent to justify processing of personal data where no other legal basis would be relevant. Commonly, this would be the case when financial services firms carry out marketing activities.
Article 6(1)(b) of the GDPR – necessary for the performance of a contract
From a data privacy perspective, this legal basis of processing facilitates the establishment of contractual relationships between financial services providers and individuals (whether for business or employment purposes), and constitutes, arguably, one of the most relied upon legal bases for processing of personal data by financial services firms.
Although not financial services specific, in its Guidelines 2/2019 the EDPB points out that the scope of Article 6(1)(b) of the GDPR is relatively narrow, and consideration should be given to each of the core elements of this legal basis before opting to rely upon it, i.e. the processing in question must be objectively necessary for the performance of a contract with a data subject, or the processing must be objectively necessary in order to take pre-contractual steps at the request of a data subject. In both instances, the element of 'necessity' is central.
Therefore, even though, generally speaking, this legal basis could, on the face of it, be the most relevant from a financial services perspective, financial services firms should nonetheless consider whether another legal basis (e.g., consent) might, under the circumstances of each case, be of more relevance and applicability. This is because consent and the performance of a contract or steps to enter into one are two distinct concepts that have different implications for data subjects' rights and expectations.
Article 6(1)(c) of the GDPR – necessary for compliance with a legal obligation
This legal basis applies where processing is required in order for a controller to comply with its obligations deriving under EU or Member State law. In particular, Recital 41 of the GDPR states, '[W]here this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned. However, such a legal basis or legislative measure should be clear and precise, and its application should be foreseeable to persons subject to it, in accordance with the case law of the Court of Justice of the European Union and the European Court of Human Rights.'
From a financial services perspective, this legal basis would be relevant, among others, in the context of the Investment Services Law, Business of Credit Institutions Law, PSD2 and the AML Law, e.g., where a financial services firm needs to make certain regulatory disclosures, for Know Your Customer ('KYC') purposes, and otherwise to assess the suitability and/or qualifications of a potential client or employee.
Article 6(1)(f) of the GDPR – legitimate interests
This legal basis applies where the controller processes personal data on the basis of its own or a third party's legitimate interests, provided that such interests are not overridden by the interests and fundamental rights and freedoms of the data subject (see Article 6(1)(f) of the GDPR as set out above).
Recital 47 of the GDPR provides that 'such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.' However, Recital 47 emphasises that the existence of a legitimate interest needs careful assessment, highlighting that the interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data is processed in circumstances where data subjects do not reasonably expect further processing. Of particular relevance to financial services, Recital 47 specifically highlights the processing of personal data strictly necessary for the purposes of preventing fraud as an example of processing constituting a legitimate interest of the data controller concerned.
It is also helpful to look at Recital 48 of the GDPR which states that 'controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients' or employees' personal data. The general principles for the transfer of personal data, within a group of undertakings, to an undertaking located in a third country remain unaffected.'
For a financial services firm, processing pursuant to this legal basis will be relevant when there exists a client or employer-employee relationship and such processing is necessary for, among others, internal administration purposes (e.g. where data is transmitted to the headquarters of the financial services group for HR purposes), improving customer support services and interaction of the client or employee with the firm, detection and prevention of fraud, and to ensure network and information security of IT systems and property.
Processing special category data and criminal conviction and offence data
According to Article 9 of the GDPR, processing of special categories of personal data is prohibited unless one of the conditions in Article 9(2) applies. Generally, from a financial services perspective, such processing would be permitted where:
- the data subject has given consent to the processing for one or more specific purposes;
- processing is necessary for the purposes of carrying out the obligations and exercising specific rights in the field of employment and social security and social protection law;
- processing is necessary for the establishment, exercise, or defence of legal claims or whenever courts are acting in their judicial capacity; and/or
- processing is necessary for reasons of substantial public interest, on the basis of EU or Member State law.
Article 10 of the GDPR limits processing of data relating to criminal convictions and offences to cases where such processing is carried out 'under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.'
It is worth noting that, according to the Law, genetic and biometric data cannot be processed for the purposes of obtaining life insurance even if the data subject has consented.
In terms of relevance and applicability to financial services, firms may find themselves required to process special categories of personal data, primarily, for ensuring compliance with AML requirements, preventing fraud, running pre-employment checks for a position that justifies processing of previous criminal convictions and/or data relating to health, employment related purposes, insurance related purposes and for establishing, exercising, or defending legal actions.
Commonly, financial services firms (and controllers in general) ensure compliance with the above requirements by incorporating their privacy notices and policies into their contractual relationships with clients and employees alike. By way of example, such privacy notices will explain in plain language (whether in English and/or Greek) that the investment firm, bank, or insurance undertaking will, for the purposes of deciding whether to accept a prospective client's application to receive a particular service, have to transmit that client's personal data to a credit reference agency (such as the Artemis Bank Information Systems Ltd credit bureau or the Central Information Register maintained by the CBC) in order to assess the data subject's creditworthiness.
Taking into account the costs of implementation, nature, scope, context and purposes of processing, as well as the level of risk to the rights and freedoms of natural persons, data controllers and processors in the financial sector must implement technical and organisational measures to ensure a level of security appropriate to the risk (Article 32 of the GDPR).
Where a data controller appoints a data processor to carry out processing activities on its behalf, (e.g. where an investment firm appoints a payments provider to process payments for the clients of the former), such appointment and processing should be performed in accordance with the GDPR.
The security obligations under the GDPR, including those referred to under Article 32 thereof, are not industry-specific. Nonetheless, financial services firms must not overlook the importance and influence of the myriad requirements found in other laws and regulations that regulate and/or are otherwise concerned with data security and risk management (and, by consequence, personal data). For example, the Capital Requirements Regulation, the Business of Credit Institutions Law, the Investment Services Law, and the Payment Services Law highlight the key role that data management and security play in compliance and, to that end, require firms to implement and maintain:
- policies and controls on effective risk and data management;
- sound security mechanisms to guarantee the security and authentication of the means of transfer of information, minimise the risk of data corruption and unauthorised access, and prevent information leakage/unauthorised access maintaining confidentiality at all times;
- security control and mitigation measures taken to adequately protect payment service users against the risks identified, including fraud and illegal use of sensitive and personal data;
- a framework with appropriate mitigation measures and control mechanisms to manage the operational and security risks, relating to the payment services they provide; and
- effective internal control systems ensuring compliance with regulatory requirements including, among others, the integrity and confidentiality of communications and data.
Whilst the GDPR is a heavyweight in the personal data category, data privacy and protection have long played and continue to play an important role in financial services legislation constituting, whether directly or indirectly, an important element for regulatory compliance.
Personal data must not be retained in a form which permits the identification of the data subject for longer than what is necessary (Article 5(1)(e) of the GDPR). The period for which the personal data is stored should be limited to a minimum and time limits should be established by the controller for erasure or a periodic review (Recital 39 of the GDPR).
The GDPR provides little insight as to the relevant retention period beyond the above-stated provision and the storage limitation principle referred to under Article 5(1)(e) of the GDPR. Financial services providers will have to determine the relevant retention period for the different types of personal data they are handling (e.g. employee and client data), having regard to the principle of data minimisation under the GDPR as well as any retention period prescribed under applicable law (e.g. five years under the Payment Services Law, six years under the Companies Law, up to seven years under the Investment Services Law, up to ten years under the AML Law, and up to 15 years and over for health data within the insurance industry). If no such period is prescribed under the law, or where retention exceeds the period prescribed under the law, financial services providers will have to determine, and be able to justify, the retention of data for any such period. This could be the case where, for example, there is a threatened or ongoing legal action by or against the data subject(s).
For the purposes of AML and countering the financing of terrorism ('CFT') financial services providers are required to maintain copies of the documents and information obtained for KYC purposes, supporting evidence and records of transactions, and relevant communications documents with clients and other persons with whom a business relationship is maintained for a period of five years after the end of the business relationship with their customer or after the date of an occasional transaction. The period of five years may be extended to an additional five-year period where further retention is reasonably justified for AML/CFT purposes.
Banking secrecy and confidentiality constitute an essential component of an effective and efficient relationship between banks and clients and have for decades enjoyed a sacred, untouchable status. However, the 2008 Financial Crisis and those that followed within the EU instigated a constant drive for greater transparency in the banking sector. As a result, whilst banking secrecy and confidentiality continue to be recognised and enforced, they have been qualified and limited by the introduction of a number of pieces of legislation within the EU (e.g., AML, banking, and tax-related).
In the Republic of Cyprus, banking secrecy and confidentiality is codified in Section 29(1) of the Business of Credit Institutions Law which states that 'no member of the management body, chief executive, manager, officer, employee or agent of an authorised credit institution ('ACI') and no person who has by any means access to the records of an ACI, shall provide, divulge, communicate, reveal or for his own benefit use any information whatsoever regarding the account of any individual customer of the ACI, either while being under the employment or in a professional relationship with the ACI, as the case may be, or after the termination of such employment or professional relationship.'
Section 29(2) of the Business of Credit Institutions Law sets out the instances where the duty to maintain banking secrecy and confidentiality will not apply. In particular, banks are relieved from their duty to maintain banking secrecy and confidentiality where:
- the client provided written consent for disclosure;
- the client has been declared bankrupt or if a corporate entity, it is being wound up;
- court proceedings have been commenced between the bank and the client or the latter's guarantor;
- disclosure is made to the police or to a public officer (where it is so permitted by the provisions of any law) or to the courts pursuant to the investigation or prosecution of a criminal offence under any such law;
- a garnishee order is served on the bank;
- the information is required by a bank employee or a holding or subsidiary company of the bank or an approved auditor or legal counsel of the bank in the course of their duties;
- the information is required to assess the creditworthiness of a customer in relation to a bona fide commercial transaction, provided such information is of a general nature;
- the information is provided to the CBC, in its capacity as the local regulator, or in relation to the Central Information Register on bankrupt or liquidated persons and persons issuing bounced cheques;
- the information is provided to limited recipients on covered bonds matters;
- the information is disclosed for AML compliance or tax evasion purposes;
- the provision of the information is imposed by reasons of public interest or for the protection of the interests of the bank;
- the disclosure of information is necessary for the appropriate assessment of the bank's or any part of its assets in relation to a bona fide trade act or future trade act;
- the bank assigns its operations, services and/or activities to an associate and/or purchases and/or acquires products and/or services provided by an associate; and/or
- disclosure is required in order to conclude and/or implement any of the acts referred to in the immediately preceding two bullet points provided that such disclosure is made solely to specific categories of persons and entities referred to in Section 29 (2)(i)(c) of the Business of Credit Institutions Law.
Banking secrecy and confidentiality is also recognised under common law, most notably in the English law decision of Tournier v. National Provincial and Union Bank of England Ltd (1923) All E.R. 550, which has been referenced and used by the courts in Cyprus in a number of cases concerned with breaches of banking secrecy.
There are no specific provisions included in the Insurance Law or other guidance by the ICCS with regard to data collection and processing in the insurance industry. Having said that, insurance and reinsurance undertakings are required to have in place effective internal control systems, which at least include administrative and accounting procedures, an internal control framework, appropriate reporting arrangements at all levels, and a compliance function. Such control systems should be able to address relevant data privacy challenges and ensure compliance with various aspects of the GDPR.
Furthermore, the importance of personal data within the insurance industry has been highlighted by the Commissioner throughout the years. In particular, through a directive addressed to, among others, insurance undertakings, highlighting the GDPR from a health data perspective, as well as announcements, recommendations, an audit, and a speech made at the annual insurance conference in 2019, the Commissioner has called on the insurance industry to improve its policies and procedures (including, among other things, the appointment of processors, disclosures to data subjects, incident reporting, and data subjects' rights), as it was lagging behind expectations relating to the implementation of and compliance with the GDPR. In this regard, it is helpful to note that the Commissioner has imposed fines on insurance undertakings in relation to marketing practices carried out without the consent of data subjects and without a prior business relationship with them.
Providers of payment services are regulated under the Payment Services Law, which contains a number of specific provisions that are not entirely aligned with the GDPR.
According to the Payment Services Law, 'payment service providers shall only access, process and retain personal data necessary for the provision of their payment services, with the explicit consent of the payment service user' (Section 94(3) of the Payment Services Law). Therefore, whilst on the one hand data controllers must, under the GDPR, rely on one of the numerous legal bases provided under Article 6, under the Payment Services Law reliance is, strictly speaking, only possible on the basis of consent (that satisfies both the GDPR consent requirements but also the 'necessity' element attached to it under the Payment Services Law). This raises a higher standard than that under the GDPR and renders, from a payment services perspective, processing of personal data on a legal basis other than consent (e.g., on a contractual or legitimate interest basis), as unlawful. Arguably, no consent should be required by a user/client of a payment service when such a user wishes to carry out a particular transaction since the driving force behind any processing of data would, predominantly, be that of necessity to comply with contractual obligations rather than consent.
Furthermore, interesting questions arise when a user/client withdraws consent and whilst the rights to withdraw consent and erasure of data are not absolute, they nonetheless pose challenges for the payment services industry. There are additional instances where the Payment Services Law is not entirely aligned with the GDPR such as incident reporting, access to customer account data, and relationship status between banks and third-party providers.
There is currently no guidance or other clarification by the local regulators on this issue. Financial services providers should ensure compliance with both pieces of legislation and potentially treat the Payment Services Law as a matter of lex specialis.
In this regard, it is helpful to note the clarifications provided by the EDPB in its Guidelines 06/2020. In brief, the EDPB made, among others, the following clarifications:
- Given that payment services are always provided on a contractual basis, the main legal basis that would apply to payment services providers is that under Article 6(1)(b) of the GDPR.
- PSD2 considerably restricts the possibilities for processing for a purpose other than one related to payment services, unless the data subject has given consent pursuant to Article 6(1)(a) of the GDPR or the processing is laid down by EU or Member State law (e.g., for AML purposes) to which the controller is subject pursuant to Article 6(4) of the GDPR.
- Explicit consent under the PSD2 is different to that under the GDPR, i.e., such notion under the PSD2 constitutes an additional requirement of a contractual nature.
- Silent party data can be processed by the payment services provider on the basis of legitimate interest grounds and further processed where the said provider is subject to a legal obligation.
- Third-party providers accessing payment data should process only such personal data as is strictly required for the provision of payment services. Such access should also be strictly limited to the specific account information necessary and should not include other accounts unrelated to the particular payment service.
- Service providers have to implement limited retention periods. In this regard, personal data should not be stored by the service provider for a period longer than is necessary in relation to the purposes requested by the payment service user.
- 'Sensitive payment data' under PSD2 is different to that under the GDPR. Sensitive personal data under PSD2 includes 'data, including personalised security credentials which can be used to carry out fraud'.
See Chapter V of the GDPR for the general requirements regarding transfers of personal data to third countries or international organisations.
By way of derogation to the GDPR, according to the Law, prior to special categories of personal data being transferred to a third country or an international organisation on the basis of either Article 46 or 47 of the GDPR, the data controller or the processor needs to inform the Commissioner of its intention to transfer such data. The Commissioner may impose express restrictions for such transfer. Similarly, when special categories of personal data are to be transferred to a third country or an international organisation on the basis of a derogation for specific situations provided for under Article 49 of the GDPR, the Commissioner may impose express restrictions for such transfer.
In addition, there are specific requirements in place with regard to the transfers of data from a financial services perspective, particularly when outsourcing arrangements are concerned. Such requirements for outsourcing arrangements will ultimately depend on the type of financial services entity concerned. Indicatively:
Insurance and reinsurance undertakings
Insurance and reinsurance undertakings should have written policies in relation to outsourcing arrangements and are required to notify, in a timely manner, the ICCS 'prior to the outsourcing of critical or important functions or activities as well as of any subsequent material developments with respect to those functions or activities' (Section 50(3) of the Insurance Law).
Furthermore, the Solvency Regulation includes additional requirements on outsourcing that will have to be taken into account by insurance and reinsurance undertakings including, among others, pre-contractual obligations as well as specific provisions that are to be included in the outsourcing agreement.
Payment services providers
The Payment Services Law provides that when a payment services provider intends to outsource operational functions of payment services it should inform the CBC (Section 19 of the Payment Services Law). A number of conditions will have to be satisfied for the purposes of outsourcing, including, among others, that the outsourcing does not result in a delegation by senior management of its responsibilities, that the internal controls of the payment services provider are not impaired, and that the obligations towards clients are not undermined. Similar obligations apply to e-money institutions under the Electronic Money Law of 2012, as amended.
Banks and investment firms
The Investment Services Law and the MiFID Regulation requirements on outsourcing are similar to those that apply to insurance and reinsurance undertakings, and payment services providers. Banks and investment firms must, among other things:
- have in place sound security mechanisms to guarantee the security and authentication of the means of transfer of information, minimise the risk of data corruption and unauthorised access, and prevent information leakage, maintaining the confidentiality of the data at all times;
- exercise due skill, care and diligence when entering into, managing or terminating any arrangement for the outsourcing to a service provider of critical or important operational functions; and
- ensure that the conditions outlined in Article 31(2) of the MiFID Regulation are satisfied.
Where the service provider to whom outsourcing is to be made is located in a third country, in addition to the foregoing, the conditions set out in Article 32 of the MiFID Regulation should be satisfied, i.e. that such service provider is authorised or registered in its home country to provide that service and is effectively supervised by a competent authority in that third country, and that there is a cooperation agreement between CYSEC or CBC, as the case may be, and the supervisory authority of the service provider.
Other financial services providers (e.g. fund managers, consumer credit firms, and insurance brokers)
In general, all such other financial services providers are subject to similar outsourcing requirements as those set out above. The relevant framework should each time be consulted depending on the type of the service provider.
Further to the above, financial services providers should also take into account the EBA Guidelines on Outsourcing Arrangements, which aim to, among others, assist in the proper identification, assessment, management, and mitigation of risk associated with outsourcing of critical or important functions, ensure effective and efficient internal control and allow competent authorities to properly supervise institutions, and protect customer data across the whole institution, including outsourced functions.
An outsourcing arrangement will not affect a financial services provider's obligations under the GDPR and the Law and as such, financial services providers should be careful to consider the implications of any purported outsourcing arrangement – particularly when the service provider to whom outsourcing will be made is in a third country.
As a general rule, it is mandatory for a data controller to notify the competent supervisory authority of any suffered personal data breach (Article 33(1) of the GDPR). For further information on general data breach requirements, see EU – GDPR – Data Breach.
In addition to notifications under the GDPR, a financial services provider that is an operator of essential services, i.e., one of the entities referred to in Annex II of the NIS Directive, such as a bank or an operator of a trading venue (a regulated market, a multilateral trading facility, or an organised trading facility under MiFID2), should be aware of its incident reporting obligations under the NIS Directive. In particular, operators of essential services are required to notify the Digital Security Authority, the local authority under the NIS Law, of any security incidents (which, as recognised by Recital 63 of the NIS Directive, may involve personal data) having a significant or substantial impact on a service that they offer. Such notification should include, among other things, information on the number of users affected by the disruption of the service, its duration, and the geographical spread with regard to the area affected by the incident (if any).
Furthermore, providers of payment services and e-money institutions will have to consider the incident reporting requirements under the Payment Services Law. In particular, pursuant to the Payment Services Law and the EBA Guidelines on Major Incident Reporting, payment services providers should make an initial notification to their home competent authority within four hours from the moment a major operational or security incident is first detected. Where such an incident has or may have an impact on the financial interests of its clients, the service provider should inform the clients about the incident and of all the measures that they can take to mitigate its adverse effects. According to the EBA Guidelines on Major Incident Reporting, 'operational or security incident' means a 'singular event or a series of linked events unplanned by the payment service provider which has or will probably have an adverse impact on the integrity, availability, confidentiality, authenticity and/or continuity of payment related services,' and such an incident will be considered 'major' where it meets one or more criteria at the 'higher impact level' or three or more criteria at the 'lower impact level' threshold. The relevant thresholds to be considered in order to determine whether the high- or low-level criteria have been engaged are set out in the EBA Guidelines on Major Incident Reporting.
At the EU level, there is currently no harmonised framework for FinTech regulation. In March 2018 the European Commission adopted an action plan on FinTech, in addition to publishing discussion papers on the same. Further to this, in September 2020 the European Commission followed up with a 2020 action plan on fintech, including a strategy on an integrated EU payments market. The plan and strategy were included in the European Commission's digital finance package. Moreover, many EU financial regulators have signalled support for the development of a more comprehensive regulatory FinTech framework.
Fintech has seen a considerable rise in Cyprus over the past years, both in terms of the operational substance of the numerous locally established fintech firms and in terms of support from the business community, CYSEC, and other private and public initiatives and programmes, including:
- a number of fintech expos and summits held and intended to continue to be held locally with renowned industry speakers and attendees;
- CYSEC's fintech and regtech focused Innovation Hub, aiming to address and better understand the benefits and risks of the fintech and regtech industry and associated technologies;
- the Innovate Cyprus program of the Government, whereby increased expenditure on developing technology and research on a national level has been proposed; and
- the National Strategy on Decentralised Ledger Technologies (Blockchain) aiming to promote the development of blockchain technology in Cyprus.
Having said that, Cyprus lacks a fintech regulatory framework, partly because this specific industry is relatively new and its advantages and disadvantages have yet to be fully explored and understood.
Similarly, at the EU level, there have been certain initiatives, action plans, consultations and communications, the most recent being the Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on a Digital Finance Strategy for the EU ('the Digital Finance Strategy Communication'), laying down general lines on how the EU can support the digital transformation of finance over a four-year period while regulating its risks. In the Digital Finance Strategy Communication, the European Commission noted, among other things, that the EU's economic recovery and growth (to the benefit of people and businesses) can be achieved through the digitalisation of finance.
A fintech regulatory framework across the EU seems unavoidable, as the idea of and need for one has gained and continues to gain traction among all involved players, including the EU institutions and Member States. The impact of such a framework on data privacy and its correlation with the GDPR remain to be seen.
The GDPR provides for administrative fines of up to (Article 83 of the GDPR):
- €10 million, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for infringing provisions on the obligations of a controller, processor, certification body or monitoring body; and
- €20 million, or in the case of an undertaking, up to 4% of the total worldwide annual turnover for the preceding financial year, whichever is higher, for infringing provisions on the basic principles for processing, data subjects’ rights, transfer of personal data to a recipient in a third country or international organisation, or non-compliance with an order or a limitation on processing by the supervisory authority.
In addition to civil liability under the GDPR, with regard to breaches of, among other things, Articles 30, 31, 33, 34, 35, and 42, and of Chapter V, of the GDPR, the Law provides that any such breach constitutes a criminal offence which may result in imprisonment of up to three years and/or a monetary fine of up to €30,000 where the breach was due to negligence, or imprisonment of up to five years and/or a monetary fine of up to €50,000 where the breach was intentional.
The Commissioner follows a strict enforcement policy and, to date, has issued several fines (albeit not as high as those imposed by other EU data protection authorities), warnings, and other announcements relating to GDPR enforcement.
Financial services regulators
The regulators have been strict and active in monitoring the compliance of financial services providers established and operating in the Republic of Cyprus, such as banks, investment firms, payment services providers, and insurance and reinsurance undertakings. The nature and extent of the sanctions will depend, among other things, on the type of financial services provider and/or the regulated services/products concerned, and on the seriousness and continuity of the breach.
From an AML perspective, the sanctions that can be imposed for breaches of the AML requirements referred to in this guidance note can lead to, among other things, criminal liability, fines, amendment, suspension or revocation of licences, cessation, or removal of directors, managers, or officials from their positions, and other corrective measures.
A breach of the banking secrecy requirement can lead to, among other things, administrative and criminal liability for institutions and/or any other person liable for the breach.
Furthermore, with regard to entities providing financial services on a cross-border basis, it is likely that, in addition to any local enforcement action, the financial services provider may face enforcement and other corrective measures (which can potentially lead to reputational damage) in its home State on account of co-operation between regulators within the EU.
11. Additional Areas of Interest
Grigoris Sarlidis Partner
A.G. Erotocritou LLC, Limassol