The days after the GDPR – The Cyprus Law on the Protection of Natural Persons against the Processing of Personal Data and the Free Movement of this Data
Even though, undoubtedly, one of the main objectives of the GDPR is harmonising data protection rules throughout the EU, it also provides for certain areas where Member States could determine and further set exceptions within the articles of the GDPR. Because of this, Cyprus, like many other Member States, has put in place a GDPR implementation law.
Cyprus’ Protection of Natural Persons Against the Processing of Personal Data and the Free Movement of this Data Law 125(I) of 2018 (henceforth “the Law"), in some manner implements elements of the GDPR, and in another, it could be viewed as ancillary and supplementary to the GDPR. Here we outline and highlight 6 key aspects of the Law which portray the direction of Cyprus’ exercise of legislative discretion in relation to the parameters presented in the GDPR.
Children and the Age of Consent – Article 8 of the Law
Consent, in its various facets, has always been a widely and heatedly discussed matter around the globe. The source of infringement of various human rights of many women, men and children, boils down to lack of their consent. The age of consent in both the GDPR and the Law, becomes relevant in relation to the offer of information society services directly to a child.
Article 8 of the GDPR sets the age of consent at 16 years with discretion granted to Member States to set a lower age, within the range of 13-16 years. The matter of consent has undeniably been a key discussion point for all Member States when implementing their respective national GDPR implementing laws, paralleling the wider conversation on consent occurring worldwide. Some Member States have decided not to lower the age of consent from 16 years in an effort to preserve and protect underage children from not making an informed decision when providing consent.
Pursuant to the Law, the processing of the child’s personal data will be lawful when the child is at least 14 years old. Under this Law, a lower age for which the child may lawfully consent to processing has been set. Where the child is younger than 14 years, processing of their personal data shall be lawful only if, and to the extent, consent or authorisation has been given by the child’s holder of parental responsibility.
Genetic, Biometric and Health Related Data – Article 9 of the Law
As Article 9 of the GDPR provides, Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.
Under the Law it is provided that the processing of genetic and biometric data for the purposes of life and health insurance is prohibited. When the processing of genetic and biometric is based on the data subject’s consent, any further processing of this data requires the separate consent of the data subject.
Restriction of rights – Article 11 of the Law
Regarding the restriction of rights under the Law, two aspects which have proven to be of great interest is the role of the Commissioner for Data Protection (henceforth “the Commissioner”) and the limitations chosen by the Parliament in transposing the restriction of rights into national law.
Article 11 of the Law holds that, subject to Article 23(1) of the GDPR, the data controller may implement measures restricting the rights described under Articles 12 and 18-20 of the GDPR, wholly or partly, provided that where such measures are implemented, in the context of processing by a data processor, they are implemented subject to the provisions of Article 28 of the GDPR. Additionally, Article 11(4) of the Law provides that subject to the provisions of Article 14(5) of the GDPR, the data controller must notify the data subjects concerned of the implementation of any restrictive measures relating to Articles 12 and 18-20 of the GDPR.
What could undoubtedly be a cause for concern, is that Article 11 of the Law chooses to apply the restriction of rights on only 4 Articles of the GDPR as opposed to the total of 11 as provided under Article 23 of the GDPR. Therefore the scope of restricting rights has been limited in its potential range of application. What is especially interesting is the fact that rather than restricting rights by way of a legislative measure which would define the scope of obligations and rights, the legislative decision was to grant to data controllers, not to data processors, the ability of implementing the measures of restricting rights, expanding in some regard the powers of the data controllers while at the same time leaving the data processors with more responsibilities as a result.
On the other hand, it must be noted that under Article 11(2) of the Law an impact assessment and consultation with the Commissioner is required prior to the implementation of any measures restricting the rights derived from Articles 12 and 18-20 of the GDPR, which undoubtedly restricts the actions of the data controllers when implementing measures restricting rights.
The aforementioned impact assessment must include the information provided under Articles 23(2) and 35(7) of the GDPR and, as could be required, a description of the appropriate technical and organisational measures described under Articles 24, 25, 28 and 32 of the GDPR.
Within the powers of the Commissioner is the ability to impose terms and conditions for the implementation of such restrictive measures and the notification of the data subject concerned.
Discharge of the Responsibility to Communicate a Personal Data Breach – Article 12 of the Law
The controller may be partly or wholly discharged of the responsibility to communicate a personal data breach to the data subject on any of the grounds set out under Article 23(1) of the GDPR.
For the controller to be discharged from the responsibility to communicate a breach to the data subject an impact assessment and prior consultation of the Commissioner is required. The Commissioner may impose terms and conditions on the discharge of responsibility for the implementation of such restrictive measures and the communication of the data subject concerned.
With Article 12 of the Law the Parliament, seem to have exercised their GDPR-appointed power to exercise their discretion when choosing to exercise their scope of application of Article 23 of the GDPR.
Data Protection Officers (DPOs) – Article 14 of the Law
The fact that a DPO is not required in all circumstances, as evident from the GDPR, provides the Commissioner with a discretion as to the extension of the potential DPO appointments in various situations. Under Article 14(2) of the Law, the Commissioner may publish a list of processing operations in which a DPO must be appointed, in addition to the processing operations set out under Article 37 of the GDPR.
DPOs, appointed in harmony with Article 37 of the GDPR, shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, subject to any laws regulating such matters. A list of data controllers and processors who have appointed DPOs may be published on the website of the Commissioner subject to their consent.
Penalties and Criminal Offences – Articles 32 and 33 of the Law
The Commissioner may impose administrative fines in accordance with and subject to the conditions of Article 83 of the GDPR. Under the Law various criminal offences are provided for both data processors and controllers who may be found guilty of the offences and face penalties in a number of circumstances.
Furthermore the Law also provides for criminal offences in 12 particular circumstances, punishable by imprisonment of up to 3 years and/or a fine of €30,000 and with 4 out of those circumstances, if such offence hinders the interests of the Republic or raises risks for the seamless operation of Government or threatens national security, could be punishable by imprisonment of up to 5 years and/or a fine of €50,000. Additionally, in 2 other particular circumstances the criminal offences are punishable by imprisonment of up to 1 year and/or a fine of €10,000.
Where the data controller or processor is an undertaking or a group of undertakings, criminal liability rests with the chief executive body of the undertaking or group of undertakings concerned.
Τhe Law provides some derogations from the GDPR, including the limited scope of application of the restriction of rights and the lowering of the protections relating to the age of consent, in comparison to the GDPR. Greater enforcing powers have been granted to the national GDPR supervisory authorities and the potential for significant fines for regulatory infringement affects both data controllers and processors in the event of a breach of their respective obligations.
Article provided by: Alexia Kountouri & Constantinos Andronicou (Tassos Papadopoulos & Associates)