Data & Privacy ยท Cyprus
Data protection & GDPR compliance in Cyprus (2026)
Cyprus shaded by its data & privacy status
Data protection in Cyprus: comprehensive law, under GDPR (Regulation 2016/679) directly applicable; national supplementing legislation: Law 125(I)/2018 (Protection of Physical Persons Against the Processing of Personal Data and Free Movement of Such Data); Law 44(I)/2019 for law-enforcement processing (Directive 2016/680). Supervisory authority: Office of the Commissioner for Personal Data Protection (Nicosia)..
As an EU member state, Cyprus applies the GDPR directly and has enacted Law 125(I)/2018 to exercise permitted national derogations and specify the powers of its independent supervisory authority, the Commissioner for Personal Data Protection. The Commissioner enforces GDPR rights and obligations, including transparency, data-subject rights, DPO appointment, DPIA requirements, and 72-hour breach notification, and has issued over โฌ1 million in cumulative fines since 2018. A new Commissioner, Maria Christofidou, was appointed by the Council of Ministers in September 2025.
GDPR & data protection in Cyprus
In Cyprus, data protection is governed by the EU General Data Protection Regulation (GDPR), which applies directly and is enforced by the Office of the Commissioner for Personal Data Protection.
- Framework
- the GDPR (Regulation (EU) 2016/679) plus the national data-protection act
- Supervisory authority
- the Office of the Commissioner for Personal Data Protection
- Applies to
- any organisation processing the personal data of people in Cyprus, wherever the organisation is based
- Maximum fine
- โฌ20 million or 4% of global annual turnover, whichever is higher
- Breach notification
- within 72 hours of becoming aware, to the supervisory authority
- DPO
- required for large-scale monitoring or large-scale special-category processing
The GDPR is bloc-wide; Cyprus supplements it with a national data-protection act and its own supervisory authority.
GDPR in Cyprus: FAQ
Yes. As an EU/EEA member, Cyprus applies the GDPR (Regulation (EU) 2016/679) directly, enforced by the Office of the Commissioner for Personal Data Protection.
The Office of the Commissioner for Personal Data Protection.
Up to โฌ20 million or 4% of global annual turnover, whichever is higher.
A DPO is required where you carry out large-scale monitoring or process special-category data at scale.
Personal-data breaches must be notified to the supervisory authority within 72 hours of becoming aware.
Key points
GDPR (Regulation 2016/679) is directly applicable. Law 125(I)/2018, in force since 31 July 2018, supplements the GDPR by exercising national margins of appreciation and establishing the supervisory authority. It repealed the previous Law 138(I)/2001.
The Commissioner for Personal Data Protection is the independent national DPA. Maria Christofidou was appointed Commissioner by the Council of Ministers in September 2025, succeeding Irene Loizidou Nicolaidou (who served simultaneously as EDPB Vice-President). The Commissioner has powers to investigate, issue corrective measures, and impose administrative fines.
Cyprus set the age of digital consent for information-society services at 14 years (below which parental consent is required). Law 125(I)/2018 also prohibits the processing of genetic and biometric data for life and health insurance purposes, a stricter position than the GDPR baseline.
Controllers must observe GDPR principles (lawfulness, purpose limitation, data minimisation), conduct DPIAs for high-risk processing, appoint a DPO where mandated, and notify the Commissioner of personal data breaches within 72 hours. DPO contact details must be registered via the Commissioner's online portal.
Individuals hold the full suite of GDPR rights: access, rectification, erasure ('right to be forgotten'), restriction of processing, data portability, and the right to object. These may be restricted by national law only where necessary to safeguard specified public-interest objectives.
The Cyprus DPC has issued over โฌ1 million in cumulative administrative fines since GDPR took effect. A notable 2025 action saw two fines totalling โฌ58,400 imposed on Aylo Freesites Ltd (formerly Mindgeek) for GDPR breaches (decision dated 28 March 2025). Enforcement has focused on tourism, financial services, telecoms, marketing, and employment contexts.
Cyprus - other topics
Data & Privacy in other countries
Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ