National Data Protection Law


    Law 125(I)/2018

    Law 125(I)/2018 was enacted on 31 July 2018 to ensure effective implementation of certain provisions of the GDPR in Cyprus.

    Last Updated: July 30, 2019

  • General

    As with the other EU Member States that have passed their Data Protection Laws, this law:

    1. mirrors the GDPR in general; and
    2. adds provisions regulating specific aspects.

    Derogations and opening clauses

    It is of particular interest that this law:

    • introduces rules for the processing of biometric and genetic data;
    • introduces limitations to the rights of data subjects;
    • introduces exemptions to the controllers’ obligation to notify data breaches;
    • lays down rules for the accreditation of certification bodies;
    • limits the transfer of special categories of data to third countries;
    • sets a limit to the maximum fines to be paid by public authorities processing data for non-profit activities; and
    • defines criminal offences (such as not keeping proper records) that are punishable with up to 3 years' imprisonment.
  • DatabreachPedia


    In Cyprus, there is a general requirement under the General Data Protection Regulation for data controllers to notify personal data breaches to their regulator and, where the breach is likely to result in a high risk to the rights and freedoms of natural persons, also to those persons.

    Is it Mandatory to Notify Individuals?

    Yes, if the personal data breach is likely to result in a high risk to their rights and freedoms.

    Is it Mandatory to Notify Regulator?

    Yes, if the personal data breach is likely to result in a risk to the rights and freedoms of natural persons.

    Notification Deadline

    72 hours

    Responsible Regulator

    Office of the Commissioner for Personal Data Protection
    1 Iasonos Street
    1082 Nicosia

    P.O. Box 23378, CY-1682 Nicosia

    Tel. +357 22 818 456
    Fax +357 22 304 565
    E-mail: [email protected]

    Breach Notification Format

    Minimum requirements: nature of the breach, categories and approximate number of data subjects concerned, name and contact details of the DPO, likely consequences, and measures taken or proposed to be taken. The Cypriot regulator provides an online breach notification form in both Greek and English, to be submitted via email.
