The General Data Protection Regulation (Regulation (EU) 2016/679) also known as the "GDPR" is widely known to be one of the strictest data protection and security laws in the world. It is an EU Regulation therefore, all EU member states are bound by it directly. It came into effect in May 2018, with the aim of ensuring the protection and security of personal data within the EU. The need for a new law governing personal data was due to the shortcomings of the previous laws. The previous laws were created before smartphones and other modern technologies began collecting large amounts of information for data-focused companies such as Google, hence the need for reform.

The GDPR has had a wider impact than its predecessor (EU Privacy Directive) as it applies to all businesses which engage in processing personal information of EU citizens or residents (data subjects) while conducting commercial or business activities. This means that even a foreign company that is not located within the EU, must ensure that it is abiding by the Regulation as long as it collects/processes personal data from any person who is a citizen or resident of the EU.

The general public benefits from this Regulation for many reasons. Organisations are restricted on what they can do with people’s personal data for instance. Businesses must also provide clarity to data subjects as to what data is collected and how it is used. In addition, to make this process more understandable, all of the data must be written in a clear and simple way. For example, in 2020 the Spanish Supreme Court even held that a company had to inform its employees of the existence of GPS geolocators in company vehicles in order to be in compliance with the GDPR.

When the Regulation came into force, it required all member states to designate a new or existing body known as the supervisory authority, to regulate and enforce the GDPR within the country. In Cyprus, this task is performed by the Office of the Commissioner for Personal Data Protection. If a company is found to be in breach of the Regulation, severe penalties could be applicable. This is up to 4% of its gross global revenue or 20 million euros, whichever is greater. For example, WhatsApp was fined €225 million by Ireland due to what was referred to as a failure of explaining their data processing practices in the App privacy notice. It was explained that the fine could have been avoided if the format had been more accessible and easier to understand. Therefore, due to such hefty fines and the widespread application of the law, organisations are encouraged to abide by the GDPR with extreme caution.

Note that the GDPR applies to a large variety of instances and its scope covers a lot more than merely large organisations. Examples of cases where the GDPR applies:

• A social media platform based in the US: the data of its users are the personal data here and if the company processes any personal data from EU residents, it must ensure compliance with the GDPR.

• A bank: while deciding on whether or not to permit a loan to an individual, the bank may require background checks on its subjects which is technically personal data again. In addition, if you have a bank account, the bank most definitely has your personal data and is required to comply with the GDPR.

• A private or public hospital: since medical records are considered personal data, the hospital must abide by the GDPR guidelines and not, for example, reveal any patient’s medical records without the GDPR requirements being met. Hospitals are also subject to stricter laws as the data they collect, i.e. health data, is considered as a special category of personal data under the GDPR.

• A local clothing store with a loyalty card scheme: the name, address, and whatever data that can identify you, collected throughout the registration for the scheme are considered personal data for the purposes of the GDPR.

Do you require advice in relation to Data Protection Laws in Cyprus? If so, find a Cyprus lawyer through Efkolaw by clicking here.

Please note that Efkolaw is not a law firm and it does not offer any legal advice. Any content hosted on our site is meant to be informative and does not constitute or substitute advice from a qualified legal professional.