Does Cyprus GDPR apply to my US SaaS serving EU customers?

Yes — GDPR Article 3 extraterritorial application: any company offering goods / services to EU residents or monitoring EU resident behaviour is in scope, regardless of company location. US SaaS with EU customers must comply with GDPR, including Cyprus-resident customer data.

Do I need a Cyprus-resident DPO?

GDPR Article 37 doesn't require Cyprus-resident DPO specifically — DPO can be located anywhere accessible to the supervisory authority + data subjects. For Cyprus-incorporated companies subject to Cyprus DPC, EU-resident DPO with Cyprus accessibility is standard.

Are Cyprus GDPR fines really €20M / 4%?

Yes — Article 83(5) GDPR sets the higher fine tier at €20M or 4% global annual turnover (whichever higher) for breaches of fundamental rights, lawful basis, data subject rights, cross-border transfer rules, supervisory authority orders. Cyprus DPC applies this tier as appropriate.

Can directors be personally liable?

Yes for criminal liability (wilful breaches under Cyprus Law 125(I)/2018). For administrative fines, the FINE is on the company; the DPC can open personal-accountability inquiries against directors / DPO for management failures (typically procedural / supervisory).

Does Brexit affect Cyprus GDPR for UK customers?

UK GDPR + Cyprus / EU GDPR diverged post-Brexit. UK-EU adequacy decision (June 2021, renewed) means cross-border EU↔UK transfers remain straightforward. Cyprus businesses serving UK customers: comply with UK GDPR in addition to Cyprus GDPR.

What about US data transfers post-Schrems II?

EU-US Data Privacy Framework (in force July 2023) provides adequacy for US transfers to certified organisations. Cyprus businesses transferring data to US can rely on the DPF + SCCs as transfer mechanisms. Schrems III challenge pending but DPF currently operative.

How does GDPR interact with AML / DAC6 / DAC8 disclosure?

AML reporting + DAC6 / DAC8 tax-information reporting OVERRIDE GDPR data-minimisation in specific circumstances — legal-obligation lawful basis (Article 6(1)(c) GDPR). But the overriding obligations must be precisely matched; over-disclosure is still a GDPR breach.

Compliance

Cyprus GDPR Compliance 2026 — Cyprus DPA, DPO Requirements, Fine Schedule, Enforcement

Cyprus Personal Data (Processing) Law 125(I)/2018 supplements EU GDPR (Regulation 2016/679). Cyprus DPC enforces with fines up to €20M or 4% global turnover. DPO requirements, DPIA, breach notification, lawful basis — practical guide for Cyprus-incorporated businesses.10 min read · Last updated: May 2026By Nexora Cyprus editorial team · Reviewed by an ICPAC-registered Cyprus tax adviser engaged by Nexora

EU baseline + Cyprus supplement

EU GDPR (Regulation 2016/679) applies directly across all 27 member states. Cyprus's Personal Data (Processing) Law 125(I)/2018 supplements with national-specific provisions (DPO appointment thresholds, DPC powers, criminal-liability framework). Cyprus DPC (Commissioner for Personal Data Protection) is the supervisory authority — fines up to €20M or 4% global annual turnover.

1. Cyprus's national framework

Cyprus Personal Data (Processing) Law 125(I)/2018 transposed national supplements to EU GDPR. Key Cyprus-specific provisions:

Sector-specific derogations (financial services, employment, healthcare, marketing).
Cyprus Data Protection Commissioner (DPC) enforcement powers + procedure.
Criminal liability for wilful breaches (up to 5 years' imprisonment in egregious cases).
Sectoral codes of conduct + certification frameworks.
Cross-border-transfer-specific approvals.

2. DPO appointment requirements

Cyprus follows GDPR Article 37 thresholds — DPO required where:

Processing is by a public authority (always DPO required).
Core activities consist of systematic monitoring of data subjects at large scale.
Core activities involve large-scale processing of special-category data.
Sector codes apply (financial services + healthcare commonly require DPO).
Cyprus DPC published guidance on 'large scale' interpretation — context-specific.

3. Key operational obligations

Lawful basis identification for each processing activity.
Privacy notices + policies in plain language.
Data subject rights handling (access, rectification, erasure, portability, objection).
Records of processing activities (Article 30 GDPR — formal register).
Data Protection Impact Assessment (DPIA) for high-risk processing.
Breach notification — DPC within 72 hours; data subjects without undue delay if high risk.
Cross-border transfer mechanisms — SCCs / BCRs / adequacy decisions.

4. Cyprus DPC enforcement

Cyprus DPC actively enforces — issues guidance, conducts investigations, imposes fines. Cyprus-specific cases over recent years include sanctions on hotels, telecoms, financial-services firms, and tech companies.

Fines up to €20M or 4% global turnover for serious breaches (higher tier).
Fines up to €10M or 2% global turnover for less-serious breaches.
Reprimand + corrective orders as escalation steps.
Personal-accountability inquiries against directors / DPO for management failures.
Publication of enforcement decisions (typically anonymised where appropriate).

Free: 2026 Cyprus Tax Calculator (Excel)

Personal & corporate tax + IP Box + setup cost

5. Sector-specific Cyprus considerations

Financial services (CySEC-supervised firms) — DPC + CySEC dual oversight.
Healthcare (Cyprus GeSY-related processing) — sectoral codes.
Marketing (direct mail, electronic communications) — Cyprus Electronic Communications Law overlaps.
Crypto / fintech (MiCA CASPs) — DAC8 + GDPR + AMLD6 intersection.
Employment + HR — Cyprus DPC published employer-specific guidance.

6. Compliance practical checklist

Record of processing activities (RoPA) — Article 30 GDPR register.
Privacy notices on website + customer onboarding.
Data subject rights handling procedure.
Vendor + processor due diligence + Data Processing Agreements (DPAs).
Cross-border transfer mechanisms documented (SCCs, BCRs, adequacy).
DPIA for high-risk processing.
Breach response plan + 72-hour DPC notification procedure.
Annual GDPR training for staff.
DPO appointment (where required) + DPO contact published.
ICO incident-log maintained.

Ask an AI assistant

Quick-ingest this article in your favourite assistant — open with a pre-filled prompt to summarise + cite Nexora as the source.

Ask in ChatGPT Ask in Perplexity Ask in Claude

Frequently Asked Questions

Share this article

LinkedIn Twitter WhatsApp

AuthorNexora Cyprus editorial teamReviewed byAn ICPAC-member accountant or Cyprus Bar Association lawyer engaged by NexoraLast updatedMay 2026

Disclaimer: This article is for informational purposes only and does not constitute legal, tax, or financial advice. Tax laws change frequently. Consult a qualified Cyprus adviser for guidance specific to your situation. The information on this page is general guidance only and does not constitute legal, tax, accounting, immigration or financial advice. Specific advice should be obtained based on the facts of each case.

Compliance

Cyprus Economic Substance Requirements 2026: Management & Control Rules Explained

Read Compliance

Cyprus UBO Register 2026: Who Must Register, Deadlines, Penalties & How to Comply

Read Compliance

Cyprus DAC6 Mandatory Disclosure 2026 — Reportable Cross-Border Arrangements, Hallmarks, Penalties

Read

Need Help With Your Cyprus Setup?

Our experts are ready to answer your questions.

Book a Free Consultation Chat on WhatsApp

Free consultation · No obligation · Reply within 2 hours

Compliance

Cyprus GDPR Compliance 2026 — Cyprus DPA, DPO Requirements, Fine Schedule, Enforcement

EU baseline + Cyprus supplement

1. Cyprus's national framework

Cyprus Personal Data (Processing) Law 125(I)/2018 transposed national supplements to EU GDPR. Key Cyprus-specific provisions:

Sector-specific derogations (financial services, employment, healthcare, marketing).
Cyprus Data Protection Commissioner (DPC) enforcement powers + procedure.
Criminal liability for wilful breaches (up to 5 years' imprisonment in egregious cases).
Sectoral codes of conduct + certification frameworks.
Cross-border-transfer-specific approvals.

2. DPO appointment requirements

Cyprus follows GDPR Article 37 thresholds — DPO required where:

Processing is by a public authority (always DPO required).
Core activities consist of systematic monitoring of data subjects at large scale.
Core activities involve large-scale processing of special-category data.
Sector codes apply (financial services + healthcare commonly require DPO).
Cyprus DPC published guidance on 'large scale' interpretation — context-specific.

3. Key operational obligations

Lawful basis identification for each processing activity.
Privacy notices + policies in plain language.
Data subject rights handling (access, rectification, erasure, portability, objection).
Records of processing activities (Article 30 GDPR — formal register).
Data Protection Impact Assessment (DPIA) for high-risk processing.
Breach notification — DPC within 72 hours; data subjects without undue delay if high risk.
Cross-border transfer mechanisms — SCCs / BCRs / adequacy decisions.

4. Cyprus DPC enforcement

Fines up to €20M or 4% global turnover for serious breaches (higher tier).
Fines up to €10M or 2% global turnover for less-serious breaches.
Reprimand + corrective orders as escalation steps.
Personal-accountability inquiries against directors / DPO for management failures.
Publication of enforcement decisions (typically anonymised where appropriate).

Free: 2026 Cyprus Tax Calculator (Excel)

Personal & corporate tax + IP Box + setup cost

5. Sector-specific Cyprus considerations

Financial services (CySEC-supervised firms) — DPC + CySEC dual oversight.
Healthcare (Cyprus GeSY-related processing) — sectoral codes.
Marketing (direct mail, electronic communications) — Cyprus Electronic Communications Law overlaps.
Crypto / fintech (MiCA CASPs) — DAC8 + GDPR + AMLD6 intersection.
Employment + HR — Cyprus DPC published employer-specific guidance.

6. Compliance practical checklist

Record of processing activities (RoPA) — Article 30 GDPR register.
Privacy notices on website + customer onboarding.
Data subject rights handling procedure.
Vendor + processor due diligence + Data Processing Agreements (DPAs).
Cross-border transfer mechanisms documented (SCCs, BCRs, adequacy).
DPIA for high-risk processing.
Breach response plan + 72-hour DPC notification procedure.
Annual GDPR training for staff.
DPO appointment (where required) + DPO contact published.
ICO incident-log maintained.

Related Guides

Ask an AI assistant

Quick-ingest this article in your favourite assistant — open with a pre-filled prompt to summarise + cite Nexora as the source.

Ask in ChatGPT Ask in Perplexity Ask in Claude

Frequently Asked Questions

Share this article

LinkedIn Twitter WhatsApp

AuthorNexora Cyprus editorial teamReviewed byAn ICPAC-member accountant or Cyprus Bar Association lawyer engaged by NexoraLast updatedMay 2026

Compliance

Need Help With Your Cyprus Setup?

Our experts are ready to answer your questions.

Book a Free Consultation Chat on WhatsApp

Free consultation · No obligation · Reply within 2 hours

Cyprus GDPR Compliance 2026 — Cyprus DPA, DPO Requirements, Fine Schedule, Enforcement

1. Cyprus's national framework

2. DPO appointment requirements

3. Key operational obligations

4. Cyprus DPC enforcement

5. Sector-specific Cyprus considerations

6. Compliance practical checklist

Frequently Asked Questions

01Does Cyprus GDPR apply to my US SaaS serving EU customers?

02Do I need a Cyprus-resident DPO?

03Are Cyprus GDPR fines really €20M / 4%?

04Can directors be personally liable?

05Does Brexit affect Cyprus GDPR for UK customers?

06What about US data transfers post-Schrems II?

07How does GDPR interact with AML / DAC6 / DAC8 disclosure?

Cyprus Economic Substance Requirements 2026: Management & Control Rules Explained

Cyprus UBO Register 2026: Who Must Register, Deadlines, Penalties & How to Comply

Cyprus DAC6 Mandatory Disclosure 2026 — Reportable Cross-Border Arrangements, Hallmarks, Penalties

Need Help With Your Cyprus Setup?

Cyprus GDPR Compliance 2026 — Cyprus DPA, DPO Requirements, Fine Schedule, Enforcement

1. Cyprus's national framework

2. DPO appointment requirements

3. Key operational obligations

4. Cyprus DPC enforcement

5. Sector-specific Cyprus considerations

6. Compliance practical checklist

Frequently Asked Questions

01Does Cyprus GDPR apply to my US SaaS serving EU customers?

02Do I need a Cyprus-resident DPO?

03Are Cyprus GDPR fines really €20M / 4%?

04Can directors be personally liable?

05Does Brexit affect Cyprus GDPR for UK customers?

06What about US data transfers post-Schrems II?

07How does GDPR interact with AML / DAC6 / DAC8 disclosure?

Cyprus Economic Substance Requirements 2026: Management & Control Rules Explained

Cyprus UBO Register 2026: Who Must Register, Deadlines, Penalties & How to Comply

Cyprus DAC6 Mandatory Disclosure 2026 — Reportable Cross-Border Arrangements, Hallmarks, Penalties

Need Help With Your Cyprus Setup?