I. Legal framework
Constitutional privacy and data protection framework
The Constitution of the Republic of Cyprus[1] was established in July 1960 and has the following two provisions regarding privacy:
Article 15: (1) Every person has the right to respect for his private and family life; (2) There shall be no interference with the exercise of this right, except such as is in accordance with the law and is necessary in the interests of the security of the Republic, constitutional order, public safety, public order, public health, public morals, or the protection of the rights and liberties guaranteed by this Constitution to any person.
Article 17: Every person has the right to respect for, and to the secrecy of, his correspondence and other communication, if such other communication is made through means not prohibited by law.
Privacy and data protection laws and regulations
While the right to respect for the individual's private and family life has been enshrined in the Constitution since the Republic of Cyprus' independence in 1960, laws relating specifically to data protection are a relatively new development, with the first law specifically relating to the processing of personal data enacted as recently as 2001.
The Processing of Personal Data (Protection of Individuals) Law of 2001[2] (the "Law") came into force on 23 November 2001. The Law was introduced in the context of the harmonisation process with the European Data Protection Directive.[3] The Law was amended again in 2003 in order to better align domestic legislation with Directive 95/46/EC.
The Law applies to living natural persons and covers automated, partially automated, and in some cases, non-automated processing operations, in both public and private sectors. It defines the rights and obligations of controllers and data subjects, and sets the parameters for lawful processing of data. In order for the Law to be applicable, a data controller resident in the Republic must carry out the processing of personal data. The Law also applies at a place where Cyprus law is applied by virtue of public international law or by a data controller who is not resident in the Republic, who, for the purpose of processing personal data, has recourse to automated or other means existing in the Republic, unless they were used only for the purpose of transmitting the data through the Republic. The Law does not apply to the processing of personal data that is carried out by a natural person for the exercise of exclusively personal or domestic activities.[4]
The collection and processing of sensitive data is generally prohibited, although there are a number of exceptions to this general principle. Sensitive personal data may be processed provided that the data subject has explicitly consented to it. Consent from the data subject may not be obtained unlawfully or be contrary to morals, custom, or a specific law.
The Law provides that the Council of Ministers can issue regulations providing for the processing of sensitive personal data in cases other than those mentioned above, when there are important reasons of public interest. No such regulation has been issued so far.
The international transfer of personal data in itself is an activity which falls within the definition of "processing of personal data" as provided under Section 2 of the Law.
By virtue of Section 9 of the Law, the transfer of processed data, or data that will be processed when they are transferred to another country which is not an EU member state, is allowed only when the COPPD has granted a permit for such transfer. The COPPD will only grant the permit if he thinks that the other country ensures a sufficient level of protection.
There is a general obligation under the Law for the data controller to notify the DPA in writing about international transfers. The data controller is discharged from the obligation to submit that notification in cases where a transfer is performed solely for purposes directly connected with the work to be done, and is necessary for the fulfilment of a legal obligation or the performance of a contract, but provided that the data subject has been previously informed.
However, insurance, pharmaceutical, and data provider companies, as well as financial institutions such as banks and credit card issuers, are not excluded from the obligation to notify.
The following factors may be accepted by the COPPD as sufficient guarantees of a satisfactory level of protection for data transferred to the recipient third country, so that a transfer licence may be granted: 1) standard contractual clauses (such clauses must be submitted to the COPPD for approval so that a licence can be issued before any international transfer of personal data takes place); 2) the "Safe Harbour" Agreement (transfer of data to the United States may be allowed if the company to which the data is transferred certifies itself as complying with the Safe Harbour Agreement); 3) binding corporate rules (they can be used after being approved in advance by the COPPD).
The Regulation of Electronic Communications and Postal Services Law of 2004[5] was enacted in April 2004. The Law, which transposes the provisions of the Directive on Privacy and Electronic Communications (2002/58/EC),[6] regulates the secrecy of communications and the use of traffic and location data, telephone directories, and unsolicited communications. It particularises and complements the provisions of the Data Protection Law, and provides for the protection of the legitimate interests of subscribers of electronic communications networks and services who are legal persons.
The Law provides for the appropriate technical and organisational measures to be taken by providers of publicly available electronic communications services and public communications networks to safeguard the security of their services and networks.[7] It also provides for the confidentiality of the communications and related traffic data,[8] and mandates that such traffic data -- which relates to subscribers and users -- be erased or made anonymous when no longer needed for the purpose of the transmission of a communication.[9]
Data protection authority
The Commissioner's Office for the Protection of Personal Data (COPPD) was established in Nicosia on 1st May 2002.[10] The COPPD is an independent administrative authority. The COPPD deals with the protection of personal information relating to an individual, against its unauthorised and illegal collection, recording, and further use. The COPPD also grants the individual certain rights, i.e. the right of information and access.[11] The COPPD is responsible for monitoring the application of the Processing of Personal Data Law.[12]
The COPPD is appointed by the Council of Ministers following the recommendation of the Minister of the Interior and after consultation with the House Committee of European Affairs. The COPPD must be a person who holds or has held in the past the qualifications for appointment as judge of the Supreme Court of Justice. The COPPD cannot be discharged during the term of his service except for reasons of mental or physical disability or incapacity that renders him incapable of fulfilling his duties. As soon as the Council of Ministers ascertains the existence of one of these conditions, it publishes a notification in the Official Gazette of Cyprus that from a specific date he will no longer hold the position. The COPPD holds office for a term of four years, which may be renewed for one additional term.
Section 23 of the Law sets out the functions of the COPPD. These include: assisting in drawing up codes of conduct; reporting any contraventions of the Law to the relevant authorities; and conducting inquiries following complaints or on his own initiative. The COPPD is also competent to keep the registers and grant the licences provided by the Law, issue directions, rules, and recommendations, conduct administrative inquiries, and impose sanctions for breaches of the Law. In 2004, with the enactment of Law 112(I)/2004, the responsibilities of the COPPD were extended to cover the regulation of the use of traffic data, location data, telephone directories, and unsolicited communications.[13] Moreover, the COPPD maintains cooperation with the data protection authorities of European Union and Council of Europe Member States.[14]
The total number of complaints in 2005 reached 153, of which 41 were against public sector controllers, 112 were against private sector controllers, and 93 related to unsolicited communications.[15] In 2005 the Office also received 16 applications to transfer data to third countries. By 2006, the Office had granted two applications and refused three, while the others were still pending.[16]
The COPPD's Office has issued two booklets with guidelines for the public. One educates the public about how to protect their personal data on the Internet and recommends that data controllers create Web sites that comply with data protection rules. The other includes guidelines about the lawful use of video surveillance cameras (see more under the section on "Video Surveillance").[17]
Since its establishment in 2002, the Office has been engaged in numerous public awareness efforts. The Office organised seminars on the rights of data subjects, the lawful use of personal data, and workplace monitoring. Office employees delivered presentations to various government departments including the Police Academy, and also issued informational statements to the media and the University of Cyprus.[18]
In 2005, the European Commission notified the COPPD that certain sections of its Processing of Personal Data Law of 2001 did not fully comply with the European Data Protection Directive (1995/46/EC). The discordant provisions dealt with the right of information, transfer of data to third countries, and some procedural mechanisms. The COPPD is preparing legislation to further harmonise these regulations with the Directive.[19]
In 2005, the COPPD, as well as its counterparts in other EU member states, undertook an investigation regarding private health insurance carriers' processing of personal data. The objective was to determine whether this processing complies with EU data protection regulations.[20] (See more details under the "Health privacy" section.)
An audit the COPPD conducted in 2008 at the Land Registry Department found, among other things, that the Department collected information from third parties and did not inform them accordingly, and that certain documents it used included excessive and irrelevant information.[21] In response, the COPPD issued guidance relating to the collection of fingerprints to check the arrival and departure times of employees, stating that the use was prima facie contrary to the law and should only be used in exceptional cases.[22]
The COPPD reported that it had received very few complaints regarding email spam in 2005, but received many complaints regarding spam sent via mobile phone text messages. The Office conducted an audit of a company that engaged in unsolicited text message advertising. The audit revealed that the company's actions had breached the Regulation of Electronic Communications and Postal Services Law of 2004. The COPPD imposed a CYR1500 (€2,569) fine upon the company. The Office reported that its 2005 spam investigations met with substantially more cooperation from telecommunications companies than in 2004.[23]
In 2007, after receiving several complaints, the COPPD investigated a spam case involving the sending of unsolicited communications to mobile phones relating to horse racing results. The messages had been sent using prepaid telephone cards. The sender of the messages never responded to the COPPD's letters nor answered its questions. After following the prescribed procedure, the COPPD imposed a fine of £2,000.
In 2007, the COPPD investigated a case regarding the introduction of a biometric system by a data controller who was using employees' fingerprints for time registration purposes. The COPPD decided that the collection and use of fingerprints for this purpose was not in accordance with the Law and demanded that the controller discontinue this kind of processing and destroy the fingerprints already collected. (See more details under the "Workplace Privacy" section.)
Major privacy and data protection case law
The most recent reported case on the right to privacy and communications is the 1992 criminal case The Police v Christodoulou Yiallourou,[24] in which the Court affirmed the ruling from The Police v Georgiades (1983),[25] where the Court had held that "...evidence obtained in breach of a person's right to respect of his private life and confidential communications, under Articles 15 and 17 of the Constitution, could not be admissible." According to Judge Pikis: "the discretion given to English Courts of whether to admit or reject such evidence is unthinkable of in Cyprus, where the basic human rights are specifically guaranteed by the Constitution, which is not subject to judicial interference."[26]
In the 1992 case, the defendant, who was the director of the Sewage Board of Nicosia, was monitoring and recording a number of teleconferences between an employee of the Board and a third person. During the trial, the issue of the admissibility of the recordings was raised. The Court held that the content of the tapes was a product of the violation of the rights of those involved and, as those rights are protected by the Constitution, was therefore inadmissible as evidence.
This matter was also considered much later, this time in the civil case of Takis Yiallouros v Engenios Nicolaou in 2001.[27] This case was based on the same facts, and the defendant in the criminal case was also the defendant-appellant in this case. As in the criminal case, the Supreme Court confirmed the violation of the defendant's civil rights, as protected by the Constitution and the European Convention for the Protection of Human Rights and Fundamental Freedoms,[28] and awarded general damages (aggravated and exemplary), taking into account the purpose of the violations, their duration, and the humiliation to which the individual was subjected.
- 1. Constitution of the Republic of Cyprus, of July 1960, non-official English version available at http://kypros.org/Constitution/English/.
- 2. Law No. 138(I)/2001.
- 3. Directive 1995/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281/31, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:E....
- 4. Article 4, Directive 1995/46/EC.
- 5. Law No. 112(I)/2004.
- 6. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (Directive on Privacy and Electronic Communications), available at http://www.dataprotection.ie/documents/legal/directive2002_58.pdf.
- 7. Section 98 of Law No. 112(I)/2004.
- 8. Section 99 of Law No. 112(I)/2004.
- 9. Section 100 of Law No. 112(I)/2004.
- 10. Email from Michalis Kitromilides, Office of the Personal Data Protection Commissioner, Cyprus, to Ula Galster, International Policy Fellow, Electronic Privacy Information Center (EPIC), 23 June 2005 (on file with EPIC). See also Commissioner's Office for the Protection of Personal Data, Year Review 2005, available at http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/697e7...$FILE/Year%20review%202005.pdf at 3.
- 11. Commissioner's homepage http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/index....
- 12. Processing of Personal Data Law, Section 18 (1).
- 13. Id.
- 14. Email from Michalis Kitromilides, supra.
- 15. Commissioner's Office for the Protection of Personal Data, Year Review 2005, supra at 2.
- 16. Article 29 Working Party on Data Protection, Ninth Annual Report (2006), supra at 24.
- 17. See Commissioner's Office for the Protection of Personal Data's homepage, supra.
- 18. Commissioner's Office for the Protection of Personal Data, Year Review 2005, supra at 4.
- 19. Article 29 Working Party on Data Protection, Ninth Annual Report (2006), available at http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2006/9th_annual... at 23.
- 20. Commissioner's Office for the Protection of Personal Data, Year Review 2005, supra at 5.
- 21. Article 29 Data Protection Working Party, Eleventh Annual Report (2008), supra at 28.
- 22. Article 29 Data Protection Working Party, Eleventh Annual Report (2008), supra at 28.
- 23. Commissioner's Office for the Protection of Personal Data, Year Review 2005, supra at 2-3.
- 24. 2 C.L.R., at 147.
- 25. 2 C.L.R. at 33.
- 26. Free translation.
- 27. 8 May 2001, Civil Appeal 9931.
- 28. The European Convention for the Protection of Human Rights and Fundamental Freedoms is also part of Cyprus national law by Law 89/62, Article 13, and its interpretation by the European Court of Justice in Klass v FRG, A 28, para. 64 (1979).