GDPR Implementation Guidelines: Cyprus Edition

GDPR Implementation Guidelines: Cyprus Edition

In Cyprus, the processing of personal data is primarily governed by the EU General Data Protection Regulation (GDPR) and the national law implementing GDPR, Law 125(I) of 2018. However, the GDPR does not apply to the personal data of deceased persons, as it covers only "natural persons" who are alive.

This means that while the GDPR framework is applied for processing personal data of living individuals, there is no explicit provision in GDPR or Cypriot law directly regulating data processing of deceased persons.

Organisations processing personal data often update their privacy statements to clarify how they handle various categories of data, but these statements typically do not specify rules for deceased data specifically. Instead, handling information of deceased persons is often covered by other legal domains such as inheritance law, probate procedures, and confidentiality obligations under national law, rather than data protection law per se.

For estate and succession matters, Cyprus will apply civil law rules and EU succession regulations. These govern property and inheritance rather than personal data processing directly. Therefore, specific rules for processing the personal data of deceased persons in Cyprus are limited.

In practice, such processing would be guided by general principles of confidentiality, legal obligations linked to estate administration, and potentially relevant professional or sectoral guidelines rather than explicit data protection laws.

It is advisable to consult with a Cypriot legal expert in data protection and inheritance law if precise legal rules for handling data of deceased persons in Cyprus are required. Publicly accessible sources do not provide detailed or standalone data protection provisions relating to deceased persons.

Additionally, in certain circumstances in Cyprus, an Impact Assessment and consultation with the Office of the Commissioner for Personal Data Protection (DPA) must be carried out (as specified in Q11). The DPA, located at Iasonos 1, 1082 Nicosia, Cyprus, has the right to obtain access to any premises of the controller or processor, seize documents or electronic equipment by virtue of a search warrant, and impose terms and conditions in relation to the application of measures for the restriction of the rights of data subjects, among other powers.

References: [1] Law 125(I) of 2018, the Data Protection Law of Cyprus [2] Regulation of Electronic Communications and Postal Services Law (Law 112(I) of 2004, as amended) [3] The Office of the Commissioner for Personal Data Protection, Cyprus's DPA

1. With the GDPR not applying to the personal data of deceased persons, the processing of such data in Cyprus is guided by general principles of confidentiality and legal obligations linked to estate administration.
2. Organisations may update their privacy statements to clarify how they handle various categories of data, but rules for deceased data are often missing from these statements.
3. In estate and succession matters, Cyprus employs civil law rules and EU succession regulations, which govern property and inheritance rather than personal data processing directly.
4. For precise legal rules on handling data of deceased persons in Cyprus, consulting with a Cypriot legal expert in data protection and inheritance law is advisable.
5. Publicly accessible sources do not provide detailed or standalone data protection provisions relating to deceased persons.
6. In certain circumstances, an Impact Assessment and consultation with the Office of the Commissioner for Personal Data Protection (DPA) must be carried out as specified in Q11.
7. The DPA, located at Iasonos 1, 1082 Nicosia, Cyprus, has the right to obtain access to any premises of the controller or processor, seize documents or electronic equipment by virtue of a search warrant, and impose terms and conditions in relation to the application of measures for the restriction of the rights of data subjects.
8. Specific rules for processing the personal data of deceased persons in Cyprus are limited, leaving handling information of deceased persons often covered by other legal domains such as inheritance law, probate procedures, and confidentiality obligations under national law.
9. In terms of intellectual property, the regulatory practice and health-and-wellness sector, data protection laws may still apply to the deceased persons' data, depending on the context and relevance.
10. Associates and teams within Cypriot law firms offering LLP services like legal dispute resolution, regulatory advice, and science-related publications can provide further guidance on data protection matters related to deceased persons.
11. Clients seeking legal advice or attorneys in Cyprus related to medical-conditions, health-and-wellness, or compliance should be aware that certain circumstances may require an Impact Assessment and consultation with the Office of the Commissioner for Personal Data Protection (DPA).

Read also: