WorldLII [Home] [Databases] [WorldLII] [Search] [Feedback]

EPIC --- Privacy and Human Rights Report

You are here:  WorldLII >> Databases >> EPIC --- Privacy and Human Rights Report >> 2006 >>

[Database Search] [Name Search] [Recent Documents] [Noteup] [Help]

EPIC --- Privacy and Human Rights Report 2006

Title Page Previous Next Contents | Country Reports >Republic of Cyprus

Republic of Cyprus

Constitutional Privacy Framework

The Constitution of the Republic of Cyprus[1909] was established in July 1960 and has the following two provisions regarding privacy:

Article 15: (1) Every person has the right to respect for his private and family life; (2) There shall be no interference with the exercise of this right, except such as is in accordance with the law and is necessary in the interests of the security of the Republic, constitutional order, public safety, public order, public health, public morals or the protection of the rights and liberties guaranteed by this Constitution to any person.

Article 17: Every person has the right to respect for, and to the secrecy of, his correspondence and other communication, if such other communication is made through means not prohibited by law.

Statutory Rules on Privacy

The Processing of Personal Data (Protection of Individuals) Law of 2001[1910] came into force on November 23, 2001. The Law was introduced in the context of the harmonization process with the European Data Protection.[1911]

The Law applies to living natural persons and covers automated, partially automated, and in some cases, non-automated processing operations, both in the public and the private sectors. It defines rights and obligations of controllers and data subjects, and sets the parameters for lawful processing of data. In order for the Law to be applicable, a data controller resident in the Republic must carry out the processing of personal data. The Law also applies at a place where Cyprus law is applied by virtue of public international law or by a data controller who is not resident in the Republic, who, for the purpose of processing personal data, has recourse to automated or other means existing in the Republic, unless they were used only for the purpose of transmitting the data through the Republic. The Law does not apply to the processing of personal data that is carried out by a natural person for the exercise of exclusively personal or domestic activities.

In 2005 the European Commission notified the Office of the Commissioner for Personal Data Protection that certain sections of its Processing of Personal Data Law of 2001 did not fully comply with European Data Protection Directive. The discordant provisions dealt with the right of information, transfer of data to third countries and some procedural mechanisms. The Cyprus Office is preparing legislation to further harmonize these regulations with Directive 95/46/EC.[1912]

In April 2004, the Regulation of Electronic Communications and Postal Services Law of 2004,[1913] was enacted. Part 14 of the Law transposing the provisions of the Directive on Privacy and Electronic Communications (2002/58/EC),[1914] regulates the secrecy of communications and the use of traffic and location data, telephone directories and unsolicited communications. It particularizes and complements the provisions of the Law for the Processing of Personal Data and provides for the protection of the legitimate interests of subscribers of electronic communications networks and services who are legal persons.

Section 98 of the Law provides for the appropriate technical and organizational measures to be taken by providers of publicly available electronic communications services and networks to safeguard the security of their services and networks. Section 99 provides for the confidentiality of the communications and related traffic data. With regards to traffic data, Section 100 provides that such data relating to subscribers and users processed and stored by the provider of a public communications network or publicly available electronic communications service must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication.

However, the necessary secondary legislation for the Law on Electronic Communications has not yet been adopted. In 2004, Cyprus adopted the modification of the 2002 Law on Radio communications in order to transpose the new EU regulatory framework and introduced four pieces of secondary legislation in the field of radio communications.

To regulate the field of electronic commerce, Cyprus adopted in 2004 the Law on Certain Aspects of Information Society, and specifically Electronic Commerce, and Relevant Matters (the Electronic Commerce Law),[1915] as well as the Law on the Conclusion of Distance Contracts of 2000.[1916] The Electronic Commerce Law implements Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on Electronic Commerce). The Law aims at ensuring the free movement of information society services between the Republic and the Member States of the European Union relating to the establishment of service providers, commercial communications, the conclusion of electronic contracts, the liability of intermediaries, codes of conduct, out-of-court dispute settlements, means of legal protection and the cooperation between Member States.

Also in 2004, Cyprus adopted a Law on a Legal Framework for Electronic Signatures and Relevant Matters.[1917] It establishes the legal framework governing electronic signatures and certain certification-services for the purpose of facilitating the use of electronic signatures and their legal recognition. It does not, however, cover aspects related to the conclusion and validity of contracts or other legal obligations that are governed by requirements as regards their form. Moreover, it does not affect rules and limitations in relation to the use of documents provided by other applicable legislation in force. The Law grants power to the Minister of Commerce, Industry and Tourism (the Competent Authority) to exercise control over and ensure the effective application of this Law.[1918]

In 2005, the Road Traffic Offences (Use of Automatic Detection Devices and Other Relevant Matters) Law of 2001 was implemented. The Law authorizes certain traffic offenses to be recorded automatically, under the supervision of the Cyprus Council of Ministers and the Deputy Chief of Police.[1919]

Furthermore, the Cyprus Government intends to introduce "e-ID," or "electronic identity" smart cards to be used for electronic identification and authentication in public services. This project will be done in cooperation with other EU Member States in order to achieve a seamless access to public services across national borders. E-ID standardization or interoperability is essential in order to put in place key pan-European services such as cross-border company registration, electronic public procurement, job search, e-voting and e-health.[1920]

Data Protection Authority

The Commissioner's Office was established in Nicosia on May 1, 2002.[1921] The Commissioner is an Independent Administrative Authority. The Commissioner deals with the protection of personal information relating to an individual, against its unauthorized and illegal collection, recording and further use. The Commissioner also grants the individual certain rights, i.e. the right of information and access.[1922] The Commissioner is responsible for monitoring the application of the Processing of Personal Data Law.[1923]

Section 23 of the Law sets out the functions of the Commissioner. These include: the assistance to the drawing up of codes of conduct; the reporting of any contraventions to the law to the relevant authorities; the conduct of inquiries following complaints or on his own initiative. The Commissioner is also competent to keep the Registers and grant the Licenses provided by the Law, issue directions, rules and recommendations, conduct administrative inquiries and impose sanctions for breaches of the Law. In 2004, with the enactment of Law 112(I)/2004, the responsibilities of the Commissioner were extended to cover the regulation of the use of traffic data, location data, telephone directories and unsolicited communications.[1924] Moreover, the Commissioner maintains cooperation with the data protection authorities of European Union and Council of Europe Member States.[1925]

The total number of complaints in 2005 reached 153, of which 41 were against public sector controllers, 112 were against private sector controllers, and 93 related to unsolicited communications.[1926] In 2005 the Office also received 16 applications to transfer data to third countries. The Office granted two applications, refused three, and the others are still pending.[1927]

The Commissioner's Office has issued two booklets with guidelines for the public. One educates the public about how to protect their personal data on the Internet and recommends data controllers create Web sites that comply with data protection rules. The other includes guidelines about the lawful use of video surveillance cameras.[1928]

In 2005, the Office engaged in numerous public awareness efforts. The Office organized seminars on the rights of data subjects, the lawful use of personal data and workplace monitoring. Office employees delivered presentations to various government departments, including the Police Academy, and also issued informational statements to the media and the University of Cyprus.[1929]

The Cyprus Office for Personal Data Protection, as well as their counterparts in other EU member-states, is set to undertake an investigation regarding private health insurance carriers’ processing of personal data. The objective is to determine whether this processing complies with EU data protection regulations. The results of the investigation will be published in 2007.[1930]

Wiretapping and Surveillance Rules

The Protection of Secrecy of Private Communications (Call Interception) Law of 1996 mandates that the Attorney General file for a court order before using wiretaps.[1931] In 2006 a Cyprus parliament committee amended Chapter 17 of the island’s Constitution. Under the amended language, the Attorney General can authorize phone tapping if it is necessary to save time. The amendment also allows the police to monitor web logs, downloads and emails as admissible evidence for criminal investigations.[1932] In June 2007, the United Nations Peacekeeping Force in Cyprus (UNFICYP) announced it would “significantly” increase the number of surveillance cameras located on the island’s ceasefire buffer zone. UNFICYP was established in 1964 to prevent hostilities between the Greek and Turkish Cypriot communities, and the buffer zone extends over 180 kilometers, approximately three percent of the island. The cameras will operate 24 hours a day, according to UNFICYP spokesman, with the aim of positively affecting peoples’ behavior in a manner similar to the way traffic cameras improve driving.[1933]

In September 2006, a network of traffic cameras was installed on Cyprus. The program had been delayed nearly a year, in part due to privacy concerns; originally the photographs were saved in a centralized database indefinitely, for “research and statistical purposes,” but the Cyprus House Legal Affairs Committee stated in January 2006 that it would not accept the surveillance program unless the photographs were destroyed immediately after the fine had been paid.[1934] The system has since been installed, beginning with 40 cameras, with plans to deploy 450 across Cyprus in the next four years. [1935] In addition to capturing speeders and drivers running red lights, the cameras can also tell if motorists are breaking other laws, such as failing to wear a seatbelt or talking on a mobile phone.[1936] At first, offenders caught on camera received a hand-delivered ticket at their homes, but the cameras caught so many offenders that the police did not have the manpower to personally deliver each ticket; the tickets now arrive via post.[1937] The 40 initial cameras caught about 367 offenders every day, one out of six motorists, and the addition of 120 more cameras is planned for October 2007.[1938] The Office of Personal Data Protection expressed concern for personal privacy in October 2006, citing the claim of a private television station that it had received information from a police officer that a traffic camera had caught the chief of police committing a traffic offense. The chief of police responded to the Office that no data breach had occurred and that the database storing offenders’ information was “totally secure.”[1939]

In July 2007, Cypriot police investigated a breach of privacy claim into the government’s Commission for the Protection of Competition (CPC). The probe came after complaints and strikes from the CPC’s staff, which accused the Competition Commissioner of pervasive workplace surveillance. According to employees, the monitoring system included CCTV cameras and microphones throughout the offices, including restrooms, which could be remote-accessed through the Commissioner’s personal computer. The employees further claimed that their emails and telephone conversations have been monitored. The Commissioner’s denied some of these claims, countering that the system was not secret and was necessary to keep his employees on task.[1940] In their ongoing investigation, the police accessed the Commissioner’s computer and discovered about 600 pictures, freeze-frames from video recordings, including some 400 of a particular female employee.[1941] Cyprus’ Data Protection Commissioner stated that the CPC should have notified them of the monitoring system, but failed to do so; the Data Protection Commissioner also noted that since the CPC surveillance scandal broke, her office had received numerous similar complaints from across the island.[1942]

Unsolicited Commercial E-mails ("Spam")

Cyprus transposed in April 2004 the European Directive on Privacy and Electronic Communications. As a result, the Commissioner's Office is the appropriate authority for enforcing anti-spam provisions.[1943] The Commissioner is discussing with Internet Service Providers about ways to cooperate in the fight against spam.

Cyprus has recently agreed to participate in the cooperation procedure concerning the transmission of complaint and intelligence information relevant for the enforcement of Article 13 of the Privacy and Electronic Communication Directive, or any other applicable national law pertaining to the use of unsolicited electronic communications. A Contact Network of spam authorities has put in place a cooperation procedure by which an authority will forward complaints to the authority of the country from which the e-mails originate for it to lead the investigations.[1944] Cyprus has also agreed to take part in the "Operation Spam Zombies" initiative of the United States Federal Trade Commission. The Operation is a new global effort to combat spam e-mail sent through hijacked computers, known as "zombies."[1945]

The Cyprus Office for Personal Data Protection reported that they had received very few complaints regarding email spam in 2005, but received many complaints regarding spam sent via mobile phone text messages. The Office conducted an audit of a company that engaged in unsolicited text message advertising. The audit revealed that the company’s actions had breached the Regulation of Electronic Communications and Postal Services Law of 2004. The Commissioner imposed a 1500 CYR (2,569 EUR) fine upon the company. The Office reported that its 2005 spam investigations met with substantially more cooperation from telecommunication companies than they had in 2004.[1946]

Recent Developments

In September 2006, the Cyprus Neuroscience and Technology Institute launched an Internet safety awareness campaign called the CyberEthics project. The CyberEthics project includes a consortium comprised of the University of Cyprus Department of Social and Political Sciences, the Cyprus Broadcasting Corporation, the Family Planning Association, the Cyprus Youth Council, and the Olive Tree Branch. The project is focused on Cyprus’ northern, rural and minority populations, but is intended to serve the entire population of the island. The project will address issues relating to pornography, racism, gender discrimination, the inappropriate use of peoples’ images, and peer-to-peer file transfer. The CyberEthics project will also endeavor to inform users of European filtering software and services that enhance online privacy and filter unethical or illegal content. The project is to run until September 2008.[1947]

International Obligations

The Republic of Cyprus is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data No. 108.[1948] Cyprus is a signatory to the European Convention for the Protection of Human Rights and Fundamental Freedoms and its Additional Protocols.[1949] Cyprus has also signed and ratified the Additional Protocol to the Convention, regarding supervisory authorities and transborder data flows[1950] and the Council of Europe's Convention on Cybercrime.[1951] The Law ratifying the Cybercrime Convention provides for the establishment of criminal offences of the acts described in Chapter II of the Convention, such as illegal access, illegal interception, data interference, system interference, etc. and their respective penalties.

[1909] Constitution of the Republic of Cyprus, of July 1960, non-official English version available at <>.

[1910] Law No. 138(I)/2001.
[1911] Directive 1995/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281/31, available at <>.

[1912] Article 29 Working Party on Data Protection, Ninth Annual Report (2006), available at <> at 23.

[1913] Law No. 112(I)/2004.
[1914] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (Directive on Privacy and Electronic Communications), available at <>.

[1915] Law No. 156(I)/2004.
[1916] Law No. 14(Ι)/2000.

[1917] Law No. 188(I)/2004.
[1918] See <>.

[1919] Article 29 Working Party on Data Protection, Ninth Annual Report (2006), supra at 23.

[1920] EGovernment Fact Sheet – Cyprus – National Infrastructure (February 2007), available at <>.

[1921] E-mail from Michalis Kitromilides, Office of the Personal Data Protection Commissioner, Cyprus, to Ula Galster, International Policy Fellow, Electronic Privacy Information Center (EPIC), June 23, 2005 (on file with EPIC). See also Commissioner for Personal Office for Personal Data Protection, Year Review 2005, available at <$FILE/Year%20review%202005.pdf> at 3.
[1922] Commissioner's homepage <>.
[1923] Processing of Personal Data Law, Section 18 (1).

[1924] Id.
[1925] E-mail from Michalis Kitromilides, supra.

[1926] Office for Personal Data Protection, Year Review 2005, supra at 2.
[1927] Article 29 Working Party on Data Protection, Ninth Annual Report (2006), supra at 24.

[1928] See Commissioner’s homepage, supra.

[1929] Office for Personal Data Protection, Year Review 2005, supra at 4.

[1930] Office for Personal Data Protection, Year Review 2005, supra at 5.

[1931] Law No. 92(I)/1996.
[1932] Xinhua News Agency, “Cyprus parliament committee gives green light for police phone tapping,” Xinhua General News Service, Oct. 27, 2006.
[1933] Leo Leonidou, “UNFICYP steps up buffer zone surveillance,” Cyprus Mail, June 6, 2007, available at <>.

[1934] Jacqueline Theodoulou, “Privacy concerns over traffic camera pictures,” Cyprus Mail, January 13, 2006, available at <>.
[1935] Leo Leonidou, “Traffic cameras switched on at last,” Cyprus Mail, September 19, 2006, available at <>.
[1936] Leo Leonidou, “Traffic cameras start for real,” Cyprus Mail, October 10, 2006, available at <>.
[1937] Jacqueline Theodoulou, “Police swamped by traffic camera fines,” Cyprus Mail, December 6, 2006, available at <>.
[1938] Leo Leonidou, “One in six caught on camera,” Cyprus Mail, May 17, 2007, available at <>.
[1939] Leo Leonidou, “325 snapped by the cameras,” Cyprus Mail, October 13, 2006, available at <>.

[1940] Elias Hazou, “Police probe ‘big brother’ claims at CPC offices,” Cyprus Mail, July 7, 2007, available at <>.
[1941] Elias Hazou, “Staff walkout leaves CPC boss on his own,” Cyprus Mail, July 18, 2007, available at <>.
[1942] Elias Hazou, “Either Big Brother boss goes or we do,” Cyprus Mail, July 11, 2007, <>.

[1943] E-mail from Michalis Kitromilides, supra.

[1944] Id.
[1945] See <>.

[1946] Office for Personal Data Protection, Year Review 2005, supra at 2-3.

[1947] See CyberEthics, available at <>. See also European Commission Information Society, Awareness node for Cyprus, available at <>.

[1948] Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data No. 108, signed: July 25, 1986, ratified: February 21, 2002, entered into force on June 1, 2002, available at <>.
[1949] Council of Europe, Cyprus’ Treaties signed and ratified or having been the subject of an accession as of 10/07/07, available at <>.
[1950] Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding supervisory authorities and transborder data flows, signed on October 3, 2002; ratified on March 17, 2004; entered into force July 1, 2004.
[1951] Signed on November 23, 2001; ratified on January 19, 2005; entered into force on May 1, 2005. Ratification Law No. 22(III)/2004.

WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback