
Data protection & privacy laws in Cyprus (2026)

Comprehensive law

GDPR (Regulation 2016/679) directly applicable; national supplementing legislation: Law 125(I)/2018 (Protection of Physical Persons Against the Processing of Personal Data and Free Movement of Such Data); Law 44(I)/2019 for law-enforcement processing (Directive 2016/680). Supervisory authority: Office of the Commissioner for Personal Data Protection (Nicosia).

Country index 96 · A+


As an EU member state, Cyprus applies the GDPR directly and has enacted Law 125(I)/2018 to exercise permitted national derogations and specify the powers of its independent supervisory authority, the Commissioner for Personal Data Protection. The Commissioner enforces GDPR rights and obligations — including transparency, data-subject rights, DPO appointment, DPIA requirements, and 72-hour breach notification — and has issued over €1 million in cumulative fines since 2018. A new Commissioner, Maria Christofidou, was appointed by the Council of Ministers in September 2025.

Key points

Primary legal framework

GDPR (Regulation 2016/679) is directly applicable. Law 125(I)/2018, in force since 31 July 2018, supplements the GDPR by exercising national margins of appreciation and establishing the supervisory authority. It repealed the previous Law 138(I)/2001.

Supervisory authority

The Commissioner for Personal Data Protection is the independent national DPA. Maria Christofidou was appointed Commissioner by the Council of Ministers in September 2025, succeeding Irene Loizidou Nicolaidou (who served simultaneously as EDPB Vice-President). The Commissioner has powers to investigate, issue corrective measures, and impose administrative fines.

National derogations under Law 125(I)/2018

Cyprus set the age of digital consent for information-society services at 14 years (below which parental consent is required). Law 125(I)/2018 also prohibits the processing of genetic and biometric data for life and health insurance purposes, a stricter position than the GDPR baseline.

Key controller/processor obligations

Controllers must observe GDPR principles (lawfulness, purpose limitation, data minimisation), conduct DPIAs for high-risk processing, appoint a DPO where mandated, and notify the Commissioner of personal data breaches within 72 hours. DPO contact details must be registered via the Commissioner's online portal.

Data subject rights

Individuals hold the full suite of GDPR rights: access, rectification, erasure ('right to be forgotten'), restriction of processing, data portability, and the right to object. These may be restricted by national law only where necessary to safeguard specified public-interest objectives.

Enforcement record

The Cyprus DPC has issued over €1 million in cumulative administrative fines since GDPR took effect. A notable 2025 action saw two fines totalling €58,400 imposed on Aylo Freesites Ltd (formerly Mindgeek) for GDPR breaches (decision dated 28 March 2025). Enforcement has focused on tourism, financial services, telecoms, marketing, and employment contexts.


Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.