
Data Protection




Introduction

In view of the Republic of Cyprus’ negotiations for accession to the European Union, the enactment of the Processing of Personal Data Law is the outcome of the Republic of Cyprus’ efforts to introduce specific legislation in order to harmonise Cyprus law with the acquis communautaire. As a result, Cyprus law is now essentially in line with the European Union’s Directives on the protection of individuals with regard to the processing of personal data and the free movement of such data.


Applicable Law

Legislation for the Processing of Personal Data

The processing of personal data in Cyprus is governed by the Processing of Personal Data (Protection of the Person) Law of 2001 ("the Law"), which entered into force on November 23, 2001. The Commissioner for the Protection of Personal Data was appointed on March 1, 2002 and she took up office in May 2002.

The Law was amended in 2003 for the purpose of harmonising Cypriot legislation with Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Secondary legislation in the form of Regulations has been enacted, namely, the Processing of Personal Data (Permits and Fees) Regulations of 2002, which were issued on November 8, 2002.

The Law applies to automated and non-automated processing of personal data, which is included or will be included in a record. In order for the Law to apply, the processing of personal data must be carried out by a data controller resident in the Republic or at a place where Cyprus law is applied by virtue of public international law or by a data controller who is not resident in the Republic, who, for the purpose of processing personal data, has recourse to automated or other means existing in the Republic, unless they were used only for the purpose of transmitting the data through the Republic. The Law does not apply to the processing of personal data, which is carried out by a natural person for the exercise of exclusively personal or domestic activities.


Summary of main provisions

The Law sets out the conditions which data controllers have to ensure for the legal processing of personal data and defines what kind of processing of personal data is allowed. As a general rule, the collection and processing of sensitive data is prohibited, subject to various exceptions. With regard to the notification requirements concerning the operation of a record or the start of processing under the Law, it defines precisely what details the data controller must notify to the Commissioner.

The Law also provides for the right of confidentiality and security of processing. Furthermore, it states the rights of data subjects such as the right of information, the right of access to personal data, which concern them personally, the right to temporary judicial protection and the right to damages. Furthermore, the Law provides for the appointment and the rights and obligations of the Commissioner for the Protection of Personal Data. It establishes his Office and sets out the competence, operation and decision-making powers of the Commissioner.


Impact of the Data Protection Law

One of the most important effects of the Data Protection Law is the obligation imposed on persons who hold personal data to notify the Commissioner in writing of the establishment and operation of a record or the start of processing according to certain rules and subject to some exceptions. Such exceptions apply for example where the processing concerns clients or suppliers of the data subject as long as the data are not transmitted or disclosed to third parties, where the processing is carried out by an institution, club, company or political party and concerns their members’ data, as long as these members have given their consent and the data are not transmitted or disclosed to third parties or where the processing is carried out by doctors or other persons offering health services and concerns medical data, as long as the data controller is bound by medical confidentiality or any other confidentiality which any law or code of ethics provides and as long as the data are not transmitted or disclosed to third parties. Such an exception also applies where the processing is carried out by lawyers and concerns the provision of legal services to their clients, as long as the data controller is bound by the obligation of confidentiality and the data are not transmitted or disclosed to third parties, except in cases where this is necessary and it is connected directly with the fulfilment of instructions of the client.

It should be noted that insurance companies, pharmaceutical companies, information trading companies and financial credit institutions such as banks and credit card issuing companies are not discharged from the obligation to notify. Furthermore, persons offering health services such as clinics, hospitals, rehabilitation centres, insurance funds and insurance companies, as well as data controllers of personal data are not discharged from the obligation to notify when the processing is carried out in the framework of telemedicine programs or the provision of medical services through a network.


Data Protection and the Electronic Communications Law

The Law Regulating Electronic Communications and Postal services of 2004 (the Electronic Communications Law) has been enacted for the purpose of harmonisation with certain European Directives, including Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). It particularises and complements the provisions of the Law for the Processing of Personal Data and provides for the protection of the legitimate interests of subscribers of electronic communications networks and services who are legal persons.

The Law applies to the processing of personal data in connection with the provision of publicly available electronic communications services in communications networks in Cyprus. According to section 18 of the Law, the Commissioner of Electronic Communications has an obligation to promote the interests of the citizens of Cyprus and of the European Union by, inter alia, contributing to ensuring a high level of protection of personal data and privacy.

Section 98 of the Law provides for the appropriate technical and organisational measures to be taken by providers of publicly available electronic communications services and networks to safeguard the security of their services and networks. Section 99 provides for the confidentiality of the communications and related traffic data. With regard to traffic data, section 100 provides that such data relating to subscribers and users processed and stored by the provider of a public communications network or publicly available electronic communications service must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication.

Sections 101 to 107 contain provisions on location data other than traffic data, the presentation and restriction of calling and connected line identification, automatic call forwarding, directories of subscribers and unsolicited communications. In particular, sections 102, 103 and 104 apply to subscriber lines connected to digital exchanges and, where technically possible and if it does not require a disproportionate economic effort, to subscriber lines connected to analogue exchanges.


Direct Marketing & Unsolicited Communications

The Data Protection Law provides that personal data cannot be processed by anyone for the purpose of the promotion, sale of goods or the provision of services at a distance, unless the data subject has notified his consent to the person responsible for processing in writing. The person responsible for processing who wishes to carry out the processing of personal data for the above purposes can use his name and surname as well as his address for the purpose of receiving the consent of the data subject, on the condition that such data has been taken from sources which are accessible to the public.

As a result, companies conducting marketing campaigns may not send any form of marketing information, either in electronic or non-automated form such as e-mail, sms, mms, letters, etc, if the person receiving the said information has not explicitly consented prior to this. Furthermore, marketing companies acting on behalf of customers who wish to inform their clients or other persons of their products, must ensure that the said customers have acquired personal data such as mobile or fixed telephone numbers, e-mails and addresses in a manner that does not violate the obligations set out by the Law. This means that they have acquired the said personal data with the consent of their clients, either by signing a specific document or by giving their consent through registering in a website which contains specific data protection provisions.

According to the Electronic Communications Law, the use of automated calling systems without human intervention (automatic calling machines) or facsimile machines (fax) or electronic mail or SMS messages for the purposes of direct marketing may only be allowed in respect of subscribers who have given their prior consent. Automated calls for the purposes of direct marketing by any other means than these, are prohibited without the consent of the subscribers concerned.

The aforementioned rights apply to subscribers who are natural persons. Nevertheless, the Commissioner of Electronic Communications, following consultations with the Commissioner for the Protection of Personal Data, has an obligation to ensure, by means of the issuing of an Order, that the legitimate interests of subscribers other than natural persons with regard to unsolicited communications are sufficiently protected.

Notwithstanding the rights of subscribers as described above, where a natural or legal person obtains from its customers their electronic contact details for electronic mail, sms, fax, etc. in the context of the sale of a product or a service, the same natural or legal person may use these electronic contact details for direct marketing of its own similar products or services on condition that customers clearly and distinctly are given the opportunity to object, free of charge and in an easy manner, to such use of electronic contact details when they are collected and on the occasion of each message in case the customer has not initially refused such use.

In any event, the practice of sending electronic mail or sms messages or fax messages for purposes of direct marketing disguising or concealing the identity of the sender on whose behalf the communication is made, or without a valid address to which the recipient may send a request that such communications cease, is prohibited.


© Lellos P. Demetriades Law Office 2004