

II. Surveillance policies

National security, government surveillance and law enforcement

Wiretapping, access to, and interception of communications

The Protection of Secrecy of Private Communications (Call Interception) Law of 1996 mandates that the Attorney General file for a court order before using wiretaps.1 In 2006 a parliamentary committee amended Chapter 17 of the island's Constitution. Under the amended language, the Attorney General can authorise phone tapping if it is necessary to save time. The amendment also allows the police to monitor Web logs, downloads and emails as admissible evidence for criminal investigations.2

National security legislation

Nothing to report under this section.

Data retention

Nothing to report under this section.

National databases for law enforcement and security purposes

In 2005, the Road Traffic Offences (Use of Automatic Detection Devices and Other Relevant Matters) Law of 2001 was also implemented. The Law authorises certain traffic offences to be recorded automatically under the supervision of the Cyprus Council of Ministers and the Deputy Chief of Police.3

National and international data disclosure agreements

Cyprus has recently agreed to participate in the cooperation procedure concerning the transmission of complaint and intelligence information relevant for the enforcement of Article 13 of the Privacy and Electronic Communication Directive, or any other applicable national law pertaining to the use of unsolicited electronic communications (also called "spam").

A Contact Network of spam authorities has put in place a cooperation procedure by which an authority will forward complaints to the authority of the country from which the emails originate so it can lead the investigations.4 Cyprus has also agreed to take part in the "Operation Spam Zombies" initiative of the United States Federal Trade Commission. The Operation is a new global effort to combat spam email sent through hijacked computers, known as "zombies."5


Nothing to report under this section.

Critical infrastructure

Nothing to report under this section.

Video surveillance

In June 2007, the United Nations Peacekeeping Force in Cyprus (UNFICYP) announced it would "significantly" increase the number of surveillance cameras located on the island's ceasefire buffer zone.6 The cameras will operate 24 hours a day, according to a UNFICYP spokesman, with the aim of positively affecting people's behaviour in a manner similar to the justification that traffic cameras improve driving.7

The COPPD has issued a Directive on Video Surveillance to provide good practice guidance in relation to the application of the Data Protection Law ("the Law") to this kind of personal data processing, since images captured by CCTV systems are in some cases considered personal data.

The Directive covers two categories of premises in which video surveillance can be carried out: private ones, such as banks, shops and football fields, which are privately owned but freely accessible to the public; and public places, such as roads and parks, where the public expects greater privacy. Although not legally obliged to do so, people who are responsible for the operation of CCTV systems should consult with the COPPD before installing them, and follow its instructions. People responsible for the operation of CCTV systems that record individuals must be in a position to justify their action as if they were collecting personal data. The person responsible for the operation of a CCTV system must file a written notification with the COPPD, in accordance with Section 7 of the Law, unless it falls within one of the exemptions to the Law.

As in the case of CCTV operation, individuals whose images have been recorded by CCTV are unlikely to have given their express consent. Legitimate reasons that could be given for using CCTV could be the identification, investigation, and prosecution of crimes, public safety, the protection of premises, national defence or security, road traffic monitoring, and the like. The use of CCTV on private premises can usually be justified by the owners on the grounds of prevention or detection of crime, or ensuring the security of their property.

However, in order to justify CCTV monitoring in public places, a stricter justification is necessary. CCTV system owners must be in a position to demonstrate that monitoring is necessary and that its benefits outweigh any resulting harm to the rights, interests, and basic freedoms of monitored individuals. CCTV systems should only be installed where there is no alternative, less intrusive method of achieving their purpose, provided, however, that such an alternative method will not entail a highly disproportionate cost.

The individuals who will be recorded must be informed about it and given the right to decline to enter the building or public premises in which the recording takes place.

Images should only be retained for as long as necessary to achieve the purposes of the recording.8 It is not possible to determine a fixed period covering all cases but it is important that the persons responsible for the operation of CCTV cameras (the "data controllers") have in place a specific retention policy for the recording of media and be in a position to justify the reasons why this retention period is considered necessary.

All appropriate technical and organisational measures should be taken to ensure the security and confidentiality of any recordings, which should be accessible only to those who can demonstrate a legitimate interest (e.g., the possibility for the general public to assist in identifying a criminal or a victim).

Individuals recorded on CCTV (the "data subjects") have the right to request that the videos concerning them be destroyed, not used or not shown, in part or in whole, where they believe that the recording has not been carried out in accordance with the Law.

In July 2007, Cypriot police investigated a breach-of-privacy claim concerning the government's Commission for the Protection of Competition (CPC). The probe came after complaints and strikes from the CPC's staff, who accused the Competition Commissioner of pervasive workplace surveillance. According to employees, the monitoring system included CCTV cameras and microphones throughout the offices, including restrooms, which could be remotely accessed through the Commissioner's personal computer.9 In their ongoing investigation, the police accessed the Commissioner's computer and discovered about 600 pictures, freeze-frames from video recordings, including some 400 of a particular female employee.10 The COPPD stated that the CPC should have notified them of the monitoring system, but failed to do so. (See more details under the "Workplace Privacy" section.)

In September 2006, a network of traffic cameras was installed on Cyprus. The programme had been delayed nearly a year, in part due to privacy concerns. Originally the photographs were saved in a centralised database indefinitely, for "research and statistical purposes", but the Cyprus House Legal Affairs Committee stated in January 2006 that it would not accept the surveillance programme unless the photographs were destroyed immediately after the fine had been paid.11 The system has since been installed, beginning with 40 cameras, with plans to deploy 450 across Cyprus in the next four years.12 In addition to capturing speeders and drivers running red lights, the cameras can also tell if motorists are breaking other laws, such as failing to wear a seatbelt or talking on a mobile phone.13 At first, offenders caught on camera received a hand-delivered ticket at their homes, but the cameras caught so many offenders that the police did not have the manpower to personally deliver each ticket; the tickets now arrive via post.14 The first 40 cameras caught about 367 offenders every day, one out of six motorists, and the addition of 120 more cameras was planned for October 2007.15 The COPPD expressed concern for personal privacy in October 2006, citing the claim of a private television station that it had received information from a police officer that a traffic camera had caught the chief of police committing a traffic offence. The chief of police responded to the COPPD that no data breach had occurred and that the database storing offenders' information was "totally secure".16

Location privacy (GPS, mobile phones, location based services, etc.)

Nothing to report under this section.

Travel privacy (travel identification documents, biometrics, etc.) and border surveillance

The COPPD has adopted the document on biometrics issued by the Article 29 Working Party on 1st August 2003.17

National ID and smart cards

In March 2009, the Cyprus Government initiated the procedures to introduce "e-ID" ("electronic identity" smart cards) to be used for electronic identification and authentication in public services.18 This project will be undertaken in cooperation with other EU Member States in order to achieve seamless access to public services across national borders. E-ID standardisation or interoperability is essential in order to put in place key pan-European services such as cross-border company registration, electronic public procurement, job search, e-voting and e-health.19 A prepared proposal is awaiting approval by the Ministry of Interior, and the Council of Ministers.20

RFID tags

Nothing to report under this section.

Bodily privacy

Nothing to report under this section.