Data Protection in Cyprus

Breach notification in Cyprus

EU regulation

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority, and for more serious breaches to also be notified to affected data subjects. A "personal data breach" is a wide concept, defined as any "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed" (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals and records concerned, the name of the organization’s data protection officer or other contact, the likely consequences of the breach and the measures taken to mitigate harm (Article 33(3)).

Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory authority) and permit audits of the record by the supervisory authority.


Cyprus regulation

According to the Law, the data controller may be exempted, in whole or in part, from his obligation to notify data subjects for breaches of personal data for one or more of the purposes listed in Article 23(1) of the GDPR, including inter alia, national security, defense, public security, prevention, investigation, detection or prosecution of criminal offences etc. In order for the foregoing to apply, an impact assessment and a prior consultation with the Commissioner need to be conducted. The Commissioner may also set out specific terms and conditions for such exemption.

Continue reading

  • no results

Previous topic
Back to top