Privacy Laws

Cyprus' data protection in comparison to the GDPR

The flag of Cyprus with the sea and coastline in the background.
© Fotokon / | #571353630

General overview

In Cyprus, the primary legislative framework for data protection is established by the General Data Protection Regulation (GDPR), implemented through Law 125(I) of 2018. This comprehensive approach ensures the protection of personal data across various sectors.

GDPR opening clauses

The implementation of the GDPR in Cyprus was formalized with the introduction of Law 125(I) of 2018, which came into effect on July 31, 2018. This law not only aligns with the overarching principles of the GDPR but also repeals previous regulations, ensuring a streamlined and consistent approach to data protection.

Key differences and national specifics

  1. Repeal of previous regulations: The introduction of Law 125(I) of 2018 led to the repeal of the Processing of Personal Data (Protection of Individuals) Law 138 (I) 2001, signifying a clear shift towards a more GDPR-centric approach.
  2. Guidelines and opinions by the commissioner: The Office of the Commissioner for Personal Data Protection plays a pivotal role in guiding the application of the GDPR within Cyprus. This includes the adoption of guidelines initially issued by the Article 29 Working Party and the European Data Protection Board, as well as the development of its own guidelines and opinions.
  3. Specific areas covered by guidelines: The Commissioner's guidelines cover a broad spectrum of data protection aspects, including but not limited to, data protection officers, Data Protection Impact Assessments, personal data breach notifications, and codes of conduct. These comprehensive guidelines extend to various sectors and specific issues, such as employment relations, use of the internet and mobile phones, and direct marketing.
  4. Public announcements and additional guidance: Beyond formal guidelines, the Commissioner also issues public announcements and additional guidance on various topics. These communications serve to clarify the Commissioner's stance on specific issues, provide practical advice, and ensure transparency and understanding of data protection practices.


Cyprus demonstrates a strong commitment to data protection through its robust implementation of the GDPR via national law. The active role of the Commissioner's office is evident in the extensive range of guidelines and opinions issued, addressing a multitude of data protection aspects. This proactive approach ensures that individuals' rights are safeguarded, organizations are well-informed, and compliance with data protection obligations is upheld within the country.