III. Privacy topics
Internet and consumer privacy
In April 2004 Cyprus transposed the European Directive on Privacy and Electronic Communications.
In order to regulate the field of electronic commerce, Cyprus adopted in 2004 the Law on Certain Aspects of Information Society, and specifically Electronic Commerce, and Relevant Matters (the Electronic Commerce Law),1 as well as the Law on the Conclusion of Distance Contracts of 2000.2 The Electronic Commerce Law implements the "Directive on Electronic Commerce" (2000/31/EC).3 This Law is aimed at ensuring the free movement of information society services between the Republic of Cyprus and the Member States of the European Union. It deals in particular with the establishment of service providers, commercial communications, the conclusion of electronic contracts, the liability of intermediaries, codes of conduct, out-of-court dispute settlements, means of legal protection, and cooperation between Member States.
In 2004, Cyprus also adopted a Law on a Legal Framework for Electronic Signatures and Relevant Matters.4 It establishes the legal framework governing electronic signatures and certain certification services for the purpose of facilitating the use of electronic signatures and their legal recognition. It does not, however, cover aspects related to the conclusion and validity of contracts or other legal obligations that are governed by requirements as regards their form. Moreover, it does not affect rules and limitations in relation to the use of documents provided by other applicable legislation in force. The Law grants power to the Minister of Commerce, Industry, and Tourism (the Competent Authority) to exercise control over and ensure the effective application of this Law.5
The COPPD is the appropriate authority for enforcing anti-spam provisions.6 The COPPD's Commissioner is discussing with Internet service providers ways to cooperate in the fight against spam. Cyprus has recently agreed to participate in the cooperation procedure concerning the transmission of complaint and intelligence information relevant for the enforcement of Article 13 of the Privacy and Electronic Communication Directive, or any other applicable national law pertaining to the use of unsolicited electronic communications (also called "spam"). (See more details under the "National and international data disclosure agreements" section.)
In 2007, after receiving several complaints, the COPPD investigated a spam case involving the sending of unsolicited communications to mobile phones relating to horse racing results. The COPPD imposed a fine of £2,000.
In September 2006, the Cyprus Neuroscience and Technology Institute launched an Internet safety awareness campaign called the CyberEthics project. The CyberEthics project includes a consortium comprised of the University of Cyprus Department of Social and Political Sciences, the Cyprus Broadcasting Corporation, the Family Planning Association, the Cyprus Youth Council, and the Olive Tree Branch. The project is focused on Cyprus' northern, rural, and minority populations, but is intended to serve the entire population of the island. The project addresses issues relating to pornography, racism, gender discrimination, the inappropriate use of people's images, and peer-to-peer file transfer. The CyberEthics project will also endeavour to inform users of European filtering software and services that enhance online privacy and filter unethical or illegal content.7
Nothing to report under this section.
Online behavioural marketing and search engine privacy
Nothing to report under this section.
Online social networks and virtual communities
Nothing to report under this section.
Online youth safety
In 2009 Cyprus launched SafeWeb, a new Web site designed to provide concerned users with the online means to anonymously report various illegal matters.8 As part of the Safer Internet-Plus Programme, SafeWeb is funded by the EU to combat the illegal use of the Internet. The Web site hopes to help fight the problems of Internet piracy and child pornography in Cyprus.9
There is an exception to the general regime of the Law where the processing of sensitive data is necessary for the data controller to fulfil his obligations or to carry out his duties under employment law and the Commissioner's Office for the Protection of Personal Data (COPPD) has granted a derogation for this purpose. Under Section 11 of the COPPD's Employment Order, the employer may maintain data concerning an employee's previous convictions, such as traffic accidents caused by a professional driver. The collection and processing of such data must be absolutely necessary for purposes connected to the employment relationship or where it is imposed by law. Where the collection is deemed necessary, employers must nevertheless inform employees of its purpose in advance.10
According to the COPPD's Employment Order, every employee has the right to access his personal file and the right to know whether, and which of, his personal data are or have been the subject of processing by his employer.11 This right involves information on all personal data relating to him, as well as their source. The employee is entitled to know not only the content but also the source of the information. For example, in the case of an employee's negligence committed within the scope of his work contract, the source of his employer's information, e.g. video recording or email monitoring, would have to be disclosed.
The employee's right of access also obliges the employer to reply in writing within four weeks of the employee's request, informing him of the following:
(a) all of the personal data the employer keeps on the employee;
(b) the sources of the personal data, if it has not been collected directly from the employee himself;
(c) the employer's purpose in processing the data;
(d) the recipients to whom the employee's personal data may be communicated;
(e) how the processing of the employee's personal data has progressed since the last time the employee was informed of all of the above by his employer; and
(f) the logic by which the employer made any decision concerning the employee and that was based on any automated processing of personal data concerning that particular employee.
If the employer does not reply within four weeks from the time that the employee submits the request to exercise the right of access or where the employee considers that the response given to him by his employer is unsatisfactory, the employee has the right to appeal to the COPPD. If the COPPD considers the employee's request justifiable under the Law, it may compel the employer to allow the employee to have access to the information requested.
The data subject has the right, for imperative and lawful reasons relating to his specific circumstances, to object to the processing of data that relates to him.
The right to object, as implemented in the field of employment and as clarified in the COPPD's Employment Order, consists of the employee's right to ask his employer to take a specific action relating to the processing of his personal data at any given time.
It is self-evident that within a labour relationship, personal data pursuant to law or the contractual arrangement are duly collected and the employee is generally not in a position to raise an objection, given that it would be unlawful and would contravene his employment contract. In consequence, the right to object, in order to have a legal basis, must concern any processing taking place beyond lawful and contractual purposes.
Upon his employer's failure to reply satisfactorily within 15 days, the employee has the right to apply to the COPPD to request that his objections be examined. The COPPD may then order the immediate suspension of the employer's data processing pending a final decision.
If a public authority or any other person carries out processing that concerns the evaluation of the data subject's personality, his productivity in his employment, his financial solvency, his reliability, or his behaviour in general, the data subject can apply to a court for it to issue a preliminary injunction against the processing.
The COPPD's Employment Order regulates the assignment by employers of the hiring or candidate selection procedure to job-finding agencies that carry out this task on their behalf. Job-finding agencies usually operate in one of two ways. They either act on the employer's orders by publicising posts for which candidates apply, or they act on behalf of interested employees by applying to potential employers engaged in the sectors in which the employees are interested. Both ways presuppose the transfer of data concerning candidates, making the Employment Order directly applicable to job-finding agencies.
Despite the fact that job-finding agencies collect personal data that are processed exclusively for purposes connected to the employment relationship, when these data are communicated to third parties (potential employers), job-finding agencies are under an obligation, as data processors,12 to notify the COPPD of said processing.
According to the COPPD's Employment Order, monitoring at work is a very important issue in the context of employment relationships, and must be given the appropriate attention by employers. When monitoring includes the collection, examination and storage of personal data of employees, the Law and Employment Order apply.
Complaints received by the COPPD usually concern the automated monitoring methods employers use in the workplace. Such methods include email, fax or Internet browsing monitoring, the tracking of phone calls or their recording, CCTV surveillance and GPS tracking.
Such monitoring is allowed under the Law provided that the employer is in a position to justify its legitimacy and need and that there is no other, less intrusive way of achieving its intended purposes. Such purposes, to be justified, must be such as to take priority over the employees' rights, interests and fundamental freedoms. An employer who would use a CCTV system to monitor the workplace for security reasons may not use that system for the purpose of monitoring employees during their breaks. The employer must choose the lowest level of monitoring which is sufficient to satisfy his purposes, with the aim of the minimum possible intrusion into the personal life of employees.
The voice, picture, email address, and phone number of employees are considered personal data, and if collected through monitoring systems installed by an employer in the workplace, must be used only for the specific purposes for which they were gathered, and destroyed or deleted after these purposes have been accomplished.
The employer must on all occasions notify his employees in advance about the purpose, manner, and duration of the control that he intends to apply. It is considered good practice to adopt a written policy that determines the parameters for the use of telephones, computers, and other means of communication and equipment by employees, and the ways in which the employer will control or monitor their use. Secret monitoring or monitoring without previous notice is prohibited under any circumstances. Employers wishing to install monitoring systems at the workplace are recommended to consult employees or their trade union or other representatives to discuss the intended methods and consequences of monitoring. However, an employer is not allowed to access the personal emails of employees in any event but has the right to inform them that the use of workplace equipment for purposes unrelated to their work is not allowed and to penalise them for such use.
Under the Law, personal data may be processed without the data subject's consent where processing is necessary for the performance of a contract to which the data subject is a party. The COPPD has recognised that due to the nature of an employment relationship, an employee's personal data may on certain occasions be lawfully processed without his consent. Under the Employment Order, no consent is required for the processing of personal data by the employer in relation to the performance of a legal obligation or in the context of the performance of an employment contract.
In particular, the Employment Order suggests that individual consent by employees may not be required in order to transfer employees' personal data internationally in the case of payment of taxes or social insurance contributions (legal obligation), or when carrying out a performance evaluation or reporting an accident in the workplace (contract performance). However, such transfers should always take into account the general principles for processing personal data of the Law.
In 2007, a case was investigated by the COPPD regarding the introduction of a biometric system by a data controller who was using employees' fingerprints for time registration purposes. The employer had used other systems before but found them to be open to fraud and misuse. It was decided by the Commissioner that the collection and use of fingerprints for this purpose was not in accordance with the Law as this method should only be used in exceptional circumstances, e.g., where additional security measures to control access to premises are deemed necessary. The controller was asked to discontinue this kind of processing and destroy the fingerprints already collected.
An audit the COPPD conducted in 2008 at the Land Registry Department found, among other things, that the Department collected information from third parties and did not inform them accordingly, and that certain documents it used included excessive and irrelevant information.13 In response, the COPPD issued guidance relating to the collection of fingerprints to check arrival and departure times of employees, stating that the use was prima facie contrary to the law and should only be used in exceptional cases.14
In July 2007, Cypriot police investigated a breach-of-privacy claim against the government's Commission for the Protection of Competition (CPC). The probe came after complaints and strikes from the CPC's staff, who accused the Competition Commissioner of pervasive workplace surveillance. According to employees, the monitoring system included CCTV cameras and microphones throughout the offices, including restrooms, which could be remotely accessed through the Commissioner's personal computer. The employees further claimed that their emails and telephone conversations had been monitored. Trade unions became actively involved and the case became the main topic in the local media for many weeks, leading to the resignation of the CPC President, which finally put an end to the strike. The Commissioner denied some of these claims, countering that the system was not secret and was necessary to keep his employees on task.15 In their ongoing investigation, the police accessed the Commissioner's computer and discovered about 600 pictures, freeze-frames from video recordings, including some 400 of a particular female employee.16 Cyprus' Data Protection Commissioner stated that the CPC should have notified her office of the monitoring system, but failed to do so; the Data Protection Commissioner also noted that since the CPC surveillance scandal broke, her office had received numerous similar complaints from across the island.17
Health and genetic privacy
The COPPD, as well as its counterparts in other EU member-states, undertook an investigation regarding private health insurance carriers' processing of personal data. The objective was to determine whether this processing complies with EU data protection regulations.18 The results of the investigation were published in a "Working Document on the Processing of Personal Data Relating to Health in Electronic Health Records" in February 2007.19
Nothing to report under this section.
- 1. Law No. 156(I)/2004.
- 2. Law No. 14(I)/2000.
- 3. Directive of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market ("Directive on Electronic Commerce"), available at http://europa.eu/legislation_summaries/consumers/protection_of_consumers....
- 4. Law No. 188(I)/2004.
- 5. See http://www.ldlaw.com.cy/services/it_ecommerce.htm.
- 6. Email from Michalis Kitromilides, supra.
- 7. See CyberEthics, available at http://www.cyberethics.info/. See also European Commission Information Society, Awareness node for Cyprus, available at http://ec.europa.eu/information_society/activities/sip/projects/complete....
- 8. SafeWeb, available at http://www.safeweb.org.cy.
- 9. John Leonidou, "Fighting the Illegal Use of the Internet," EDRI-gram, 13 February 2008, available at http://www.cyprus-mail.com/news/main.php?id=22120&cat_id=9.
- 10. In any event, its collection must be in accordance with Section 10 of the Police Law (Law 73(I)/2004) that provides that the Head of Police shall issue a certificate concerning the employee's clean record to include any sentencing, but only upon an application made by the employee or his employer.
- 11. Section 17.3, op. cit.
- 12. A "data processor" is any person who processes personal data on behalf of a controller.
- 13. Article 29 Data Protection Working Party, Eleventh Annual Report (2008), supra at 28.
- 14. Article 29 Data Protection Working Party, Eleventh Annual Report (2008), supra at 28.
- 15. Elias Hazou, "Police Probe 'Big Brother' Claims at CPC Offices," Cyprus Mail, 7 July 2007, available at http://www.cyprus-mail.com/news/main.php?id=33448&catid=1.
- 16. Elias Hazou, "Staff Walkout Leaves CPC Boss on His Own," Cyprus Mail, 18 July 2007, available at http://www.cyprus-mail.com/news/main.php?id=33652&cat_id=1.
- 17. Elias Hazou, "Either Big Brother Boss Goes or We Do," Cyprus Mail, 11 July 2007, http://www.cyprus-mail.com/news/main.php?id=33525&archive=1.
- 18. Commissioner's Office for the Protection of Personal Data, Year Review 2005, supra at 5.
- 19. Article 29 Data Protection Working Party, Working Document on the Processing of Personal Data Relating to Health in Electronic Health Records (February 2007), available at http://www.dataprotection.gov.sk/buxus/docs/wp131_en.pdf?buxus=c33673afa....