Cyprus Data Protection Commissioner Issues Guidance on Use of Personal Mobile Phones at Work

20.01.2026

Few months ago, the Cyprus Data Protection Commissioner has issued Guidance on the use of personal mobile phones for work-related purposes, addressing the increasingly common practice known as Bring Your Own Device (BYOD).

Few months ago, the Cyprus Data Protection Commissioner has issued Guidance on the use of personal mobile phones for work-related purposes, addressing the increasingly common practice known as Bring Your Own Device (BYOD).

The Guidance applies to both the public and private sectors and provides important clarifications on employers’ obligations under the General Data Protection Regulation (GDPR)

 

Key Takeaways

No obligation to use personal devices

Employees cannot be required to use their personal mobile phones for work purposes. Any such use must be voluntary and must not result in adverse consequences if an employee refuses.

Permitted use only under strict conditions

Use of a personal device may be acceptable where:

  1. the employee freely chooses to use it,
  2. it facilitates the performance of their duties, and
  3. it does not involve processing of the employee’s personal data by or on behalf of the employer.


Employer duty to provide alternatives

Where an employee declines to use their personal device, employers must offer suitable alternatives, which may include:

  1. a work-issued device,
  2. reimbursement of relevant costs, or
  3. financial support for the purchase of a device.

 

Personal Data Processing and GDPR Compliance

Where the use of a personal mobile phone does involve processing personal data (e.g. time-tracking or leave-management applications), employers must ensure full compliance with the GDPR, including that:

  1. processing complies with the principles of lawfulness, necessity, and proportionality,
  2. a valid legal basis under Article 6 GDPR is relied upon (employee consent is not appropriate due to the imbalance of power),
  3. employees are informed in advance in a transparent manner,
  4. less intrusive alternatives are offered where feasible, and
  5. employees choosing alternatives are not subject to discrimination.


Where applicable, employers must also conduct a Data Protection Impact Assessment (DPIA) and engage in prior consultation with the Commissioner.

 

Requirement for a BYOD Policy

Where the use of personal devices is systematic, employers are required to adopt and communicate a formal BYOD policy. This policy should address practical scenarios, including what happens when the employee leaves the device at home, device malfunction, and situations where an employee no longer wishes to use their personal device for work.

 

Practical Impact

The Guidance reinforces that BYOD practices must support, not burden, employees, and that respect for privacy and freedom of choice is essential. Employers should review existing workplace practices, policies, and technical solutions to ensure alignment with the Guidance and the GDPR.

 

Article provided by INPLP member: Yiannis Karamanolis (Karamanolis & Karamanolis LLC, Cyprus)

 

 

Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.