How Cyprus companies stay GDPR-compliant in 2026 — when a DPO is mandatory, what goes in the Article 30 ROPA, when a DPIA is required, the 72-hour breach-notification clock, international data transfers under SCCs 2021, and what the Cyprus Data Protection Commissioner is enforcing.
Written by the Nexora Cyprus editorial team · reviewed by an ICPAC-registered tax adviser engaged by Nexora.
TL;DR
Cyprus companies are subject to the EU GDPR (Regulation 2016/679) plus the Cyprus implementing statute, Law 125(I)/2018. The Cyprus Office of the Commissioner for Personal Data Protection enforces both. Mandatory DPO triggers, Article 30 ROPA documentation, breach reporting within 72 hours, and the 2021 SCCs for international transfers are the four operational pillars of compliance. Penalties: up to €20m or 4% of worldwide annual turnover, whichever is higher.
GDPR (Regulation EU 2016/679) applies directly in Cyprus as EU law. The Cyprus implementation legislation, Law 125(I)/2018 (the Personal Data Protection Law), supplements GDPR with Cyprus-specific provisions on derogations (employment data processing, health-data processing, scientific research) and the establishment of the Office of the Commissioner for Personal Data Protection.
The Commissioner is the Cyprus supervisory authority for GDPR and ePrivacy enforcement. Recent regulatory priorities: cookie compliance, employee monitoring, international data transfers post-Schrems II, and AI / automated decision-making.
Article 6 GDPR enumerates six lawful bases for processing personal data (Article 6(1)(a) to (f)):
- consent of the data subject for one or more specific purposes;
- necessity for the performance of a contract with the data subject, or for pre-contractual steps taken at the data subject's request;
- compliance with a legal obligation to which the controller is subject;
- protection of the vital interests of the data subject or another natural person;
- performance of a task carried out in the public interest or in the exercise of official authority; and
- legitimate interests pursued by the controller or a third party, unless overridden by the interests or fundamental rights of the data subject (not available to public authorities in the performance of their tasks).
Every processing activity must be matched to one of these before it starts, and the basis chosen should be recorded against that activity in the ROPA; switching bases after the fact is a recurring finding in enforcement.
Special category data (Article 9 GDPR: health, genetic and biometric data, racial or ethnic origin, religious or philosophical beliefs, political opinions, trade-union membership, sex life or sexual orientation) may not be processed unless one of the Article 9(2) conditions applies in addition to an Article 6 basis. In practice that is explicit consent, employment / social-security / social-protection law, or substantial public interest. Cyprus Law 125(I)/2018 supplements this with the Cyprus-specific provisions for the employment, health and research contexts.
Article 37 GDPR mandates appointment of a Data Protection Officer (DPO) where:
- the processing is carried out by a public authority or body (except courts acting in their judicial capacity);
- the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or
- the core activities consist of large-scale processing of special category data (Article 9) or of data relating to criminal convictions and offences (Article 10).
'Large scale' is not numerically defined; the EDPB-endorsed guidance on DPOs says to weigh the number of data subjects, the volume and range of data items, the duration of the processing, and its geographic reach. The Cyprus Commissioner has not published a numeric threshold, so case-by-case assessment is the norm. Voluntary DPO appointment is permitted and attracts the same statutory regime (independence, no conflict of interest, direct reporting to top management) as a mandatory DPO. The DPO must be reachable: the controller must publish the DPO's contact details and communicate them to the Commissioner (Article 37(7)).
The Record of Processing Activities (ROPA) is the foundational documentation requirement. Article 30 GDPR requires every controller and processor (with a narrow exemption in Article 30(5) for organisations with fewer than 250 employees whose processing is occasional, not likely to result in a risk to data subjects, and does not include special category or criminal-offence data) to maintain a written record covering, for each processing activity:
- the name and contact details of the controller and, where applicable, any joint controller, representative and DPO;
- the purposes of the processing;
- the categories of data subjects and of personal data;
- the categories of recipients, including recipients in third countries;
- any transfers to third countries, identifying the country and, for transfers relying on Article 49(1) second subparagraph, the documented safeguards;
- where possible, the envisaged retention periods for each category of data; and
- where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
The record must be in writing (electronic form is fine) and produced to the Commissioner on request. Processors keep a parallel record under Article 30(2) of the processing carried out on behalf of each controller.
Many Cyprus SMEs incorrectly conclude they fall within the small-company exemption. The exemption is narrow — any processing of employee data, customer data, or marketing data is generally regular and outside the exemption. The pragmatic answer for almost all Cyprus operating companies: maintain a ROPA.
A Data Protection Impact Assessment (DPIA) is required under Article 35 GDPR when processing is 'likely to result in a high risk' to data subjects. The Cyprus Commissioner has published, under Article 35(4) and (5), a list of operations that always require a DPIA (the 'blacklist') and a list of operations that do not in normal cases (the 'whitelist'). Where the DPIA shows that residual risk remains high after mitigation, the controller must consult the Commissioner before starting the processing (Article 36).
Common triggers requiring a DPIA (Article 35(3) plus the EDPB criteria):
- systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions with legal or similarly significant effects are based;
- large-scale processing of special category data or criminal-offence data;
- systematic monitoring of a publicly accessible area on a large scale (for example CCTV);
- as a rule of thumb, any processing that meets two or more of the nine EDPB criteria: evaluation or scoring, automated decision-making with significant effect, systematic monitoring (employee monitoring included), sensitive or highly personal data, large scale, matching or combining datasets, vulnerable data subjects, innovative use of new technology (AI included), and processing that prevents data subjects from exercising a right or using a service.
Article 33 GDPR requires notification of personal-data breaches to the supervisory authority (the Cyprus Commissioner) within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to data subjects. Where notification is later than 72 hours, the reasons for the delay must be provided. Information that is not yet available may be supplied in phases without undue further delay (Article 33(4)), so an incomplete first notification within the window is preferable to a complete one outside it. Processors must notify their controllers without undue delay (Article 33(2)), and every breach, notified or not, must be documented with its facts, effects and remedial action (Article 33(5)).
Article 34 requires notification to data subjects without undue delay where the breach is likely to result in a high risk to them. Exemptions (Article 34(3)): the affected data was protected by measures such as encryption that render it unintelligible to anyone not authorised to access it; subsequent measures have ensured the high risk is no longer likely to materialise; or direct notification would involve disproportionate effort, in which case an equally effective public communication suffices. The Commissioner can still order notification if it disagrees with the controller's assessment (Article 34(4)).
Practical clock
The 72-hour clock starts when the controller becomes aware of the breach, not when the breach occurs. 'Awareness' has a technical meaning: a reasonable degree of certainty that a security incident has compromised personal data. Initial detection followed by a short investigation to establish whether personal data was actually affected does not necessarily start the clock; a confirmed breach does. Keep a documented timeline from the first alert through triage to confirmation, because that timeline is what justifies the start point to the Commissioner, and an investigation that drags on will not be accepted as delaying awareness.
Personal data transfers from Cyprus / the EU to third countries (outside the EEA) require a transfer mechanism under Chapter V GDPR:
- an adequacy decision of the European Commission for the destination country (Article 45);
- appropriate safeguards (Article 46): the 2021 Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Binding Corporate Rules, or an approved code of conduct or certification backed by binding commitments; or
- one of the Article 49 derogations (explicit consent, contract necessity, important public interest, legal claims, vital interests), which are for occasional transfers and are not a basis for routine data flows.
Contracts that still relied on the pre-2021 SCCs had to be migrated to the 2021 set by 27 December 2022; any agreement still citing the old clauses has no valid transfer mechanism.
Post-Schrems II (CJEU, Case C-311/18, July 2020), SCCs alone are insufficient for transfers to countries whose surveillance laws are not essentially equivalent to EU law (notably the US). A Transfer Impact Assessment (TIA) documenting the destination country's legal regime is required, and supplementary measures (encryption with keys held only in the EU, pseudonymisation before export, additional contractual commitments) may be necessary. The EU-US Data Privacy Framework (DPF, adequacy decision of July 2023) restored a streamlined transfer mechanism for US recipients certified under the framework, but only for those certified recipients, and the framework remains under legal challenge.
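As an added illustration of the 'pseudonymisation before export' supplementary measure mentioned above (example code written for this page, not the Commissioner's or EDPB's own material), the block below pseudonymises a customer export before it goes to a non-EEA processor. Direct identifiers are replaced by keyed HMAC-SHA256 tokens under a key that stays on EU-side systems, the re-identification table stays in the EU, and the last function shows why an unkeyed hash of an e-mail address is not adequate pseudonymisation. The sample records are constructed and refer to no real person; field names and the key-handling arrangement are assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample customer records (not real people): the kind of data a
# Cyprus controller might hand to a US analytics processor.
SAMPLE_RECORDS = [
    {"email": "a.georgiou@example.cy", "name": "Andreas Georgiou", "plan": "pro", "events": 42},
    {"email": "m.ioannou@example.cy", "name": "Maria Ioannou", "plan": "free", "events": 7},
]

# Fields that directly identify a person and must never leave the EU in clear.
DIRECT_IDENTIFIERS = ("email", "name")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token. Without the key the token cannot be recomputed,
    so the recipient cannot rebuild it from a list of candidate e-mails."""
    normalised = value.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise_for_export(records, key):
    """Return (export_rows, lookup). export_rows carry no direct identifiers;
    lookup maps token -> original identifiers and stays on EU-side systems."""
    export, lookup = [], {}
    for rec in records:
        token = pseudonym(rec["email"], key)
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["subject_id"] = token
        export.append(row)
    return export, lookup


def contains_direct_identifiers(rows, records) -> bool:
    """Pre-transfer check: True if any original identifier value still appears
    anywhere in the export, e.g. copied into a free-text field."""
    blob = json.dumps(rows).lower()
    return any(str(rec[k]).lower() in blob for rec in records for k in DIRECT_IDENTIFIERS)


def reidentify(row, lookup):
    """EU-side only: rejoin a returned row with its identifiers."""
    attrs = {k: v for k, v in row.items() if k != "subject_id"}
    return {**lookup[row["subject_id"]], **attrs}


def unkeyed_hash_is_reversible(records, candidate_emails) -> bool:
    """Caveat: plain SHA-256 of an e-mail is not pseudonymisation. Anyone holding
    a candidate list recomputes the hashes and matches them."""
    exported = {hashlib.sha256(r["email"].encode()).hexdigest() for r in records}
    return any(hashlib.sha256(e.encode()).hexdigest() in exported for e in candidate_emails)


def demo():
    # The key is generated and stored only on EU-side systems (assumption: an
    # EU-resident KMS or HSM in a real deployment; a fresh random key here).
    eu_key = secrets.token_bytes(32)
    export, lookup = pseudonymise_for_export(SAMPLE_RECORDS, eu_key)
    assert not contains_direct_identifiers(export, SAMPLE_RECORDS)
    return export, lookup


if __name__ == "__main__":
    rows, table = demo()
    print(json.dumps(rows, indent=2))
    print("re-identified:", reidentify(rows[0], table))
```

The design point is the key: the processor receives stable tokens it can use for analytics and join on, but re-identification needs both the key and the lookup table, neither of which leaves the EU. Rotating the key also rotates every token, which is the lever to use if the processor relationship ends.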
The Cyprus Commissioner has issued multiple fines since 2018 for GDPR breaches, primarily for cookie consent failures, marketing without a lawful basis, and employee-monitoring overreach. Penalty tiers (Article 83 GDPR): up to €10m or 2% of worldwide annual turnover, whichever is higher, for breaches of controller and processor obligations such as security, breach notification and DPIA duties (Article 83(4)); up to €20m or 4% for breaches of the processing principles, lawful basis, data-subject rights and transfer rules (Article 83(5)).
Recent enforcement themes:
- cookie consent (pre-ticked boxes, no real opt-in for non-essential cookies, hard-to-find withdrawal);
- direct marketing without a lawful basis or without honouring opt-outs;
- employee monitoring that exceeds what is necessary and proportionate;
- international transfers after Schrems II; and
- AI and automated decision-making without proper assessment.
FAQ
Does a Cyprus SaaS company need a DPO?
It depends on scale and processing activities. A SaaS company with significant employee monitoring, behavioural analytics of users, or large-scale special-category-data processing typically needs a DPO. A pure B2B SaaS holding minimal personal data may not. Voluntary appointment is common for credibility, but once appointed the DPO is subject to the full Articles 37 to 39 regime.
Is a small company exempt from keeping a ROPA?
Article 30(5) exempts organisations with fewer than 250 employees, but only if the processing is occasional, is not likely to result in a risk to data subjects, and does not include special category or criminal-offence data. In practice the exemption is narrow, because regular payroll, customer and marketing processing already takes a company outside it, and most operating companies maintain a ROPA regardless.
Can we rely on the EU-US Data Privacy Framework?
The DPF is operative and recognised. It restored streamlined transfers to US recipients that are certified under the framework, but it faces live legal challenge (often referred to as Schrems III). Check the recipient's certification status before relying on it, keep the 2021 SCCs and a TIA in place as a fallback, and monitor for CJEU action.
Can we rely on employee consent to process employee data?
Generally no. Consent in an employment context is rarely 'freely given' because of the power imbalance, and an employee must be able to refuse or withdraw without detriment. Employee data processing typically relies on contract necessity, legal obligation, or legitimate interests backed by a documented legitimate interests assessment (LIA). Cyprus Law 125(I)/2018 sets out the Cyprus-specific provisions for the employment context.
What is the fine for late breach notification?
Up to €10m or 2% of worldwide annual turnover, whichever is higher, under Article 83(4), since Article 33 is a controller obligation. The Cyprus Commissioner has applied fines well below the cap, weighing cooperation, mitigation and severity (the Article 83(2) factors). Late notification also counts against the controller when the underlying breach is assessed under the higher Article 83(5) tier, because the manner in which the infringement became known to the authority is one of those factors.
Do we need a separate cookie banner for Cyprus?
Cookie compliance follows the EU ePrivacy framework as transposed in Cyprus, with GDPR supplying the consent standard. A single compliant banner covering all EU/EEA visitors typically suffices. The Cyprus Commissioner follows the EDPB position: explicit opt-in for non-essential cookies before they are set, rejection as easy as acceptance, easy withdrawal, and no pre-ticked boxes or consent inferred from scrolling.
Disclaimer: This article is general information only and does not constitute legal, tax, accounting, immigration or financial advice. Laws and regulatory guidance change frequently. Specific advice should be obtained from a qualified Cyprus adviser based on the facts of each case.