Skip to content
World Watch/Cyprus/Data & Privacy

Data & Privacy ยท Cyprus

Data protection & GDPR compliance in Cyprus (2026)

Comprehensive lawGDPR (Regulation 2016/679) directly applicable; national supplementing legislation: Law 125(I)/2018 (Protection of Physical Persons Against the Processing of Personal Data and Free Movement of Such Data); Law 44(I)/2019 for law-enforcement processing (Directive 2016/680). Supervisory authority: Office of the Commissioner for Personal Data Protection (Nicosia).Country index 96 ยท A+

Cyprus shaded by its data & privacy status

Data protection in Cyprus: comprehensive law, under GDPR (Regulation 2016/679) directly applicable; national supplementing legislation: Law 125(I)/2018 (Protection of Physical Persons Against the Processing of Personal Data and Free Movement of Such Data); Law 44(I)/2019 for law-enforcement processing (Directive 2016/680). Supervisory authority: Office of the Commissioner for Personal Data Protection (Nicosia)..

As an EU member state, Cyprus applies the GDPR directly and has enacted Law 125(I)/2018 to exercise permitted national derogations and specify the powers of its independent supervisory authority, the Commissioner for Personal Data Protection. The Commissioner enforces GDPR rights and obligations, including transparency, data-subject rights, DPO appointment, DPIA requirements, and 72-hour breach notification, and has issued over โ‚ฌ1 million in cumulative fines since 2018. A new Commissioner, Maria Christofidou, was appointed by the Council of Ministers in September 2025.

GDPR & data protection in Cyprus

In Cyprus, data protection is governed by the EU General Data Protection Regulation (GDPR), which applies directly and is enforced by the Office of the Commissioner for Personal Data Protection.

Framework
the GDPR (Regulation (EU) 2016/679) plus the national data-protection act
Supervisory authority
the Office of the Commissioner for Personal Data Protection
Applies to
any organisation processing the personal data of people in Cyprus, wherever the organisation is based
Maximum fine
โ‚ฌ20 million or 4% of global annual turnover, whichever is higher
Breach notification
within 72 hours of becoming aware, to the supervisory authority
DPO
required for large-scale monitoring or large-scale special-category processing

The GDPR is bloc-wide; Cyprus supplements it with a national data-protection act and its own supervisory authority.

GDPR in Cyprus: FAQ

Does the GDPR apply in Cyprus?

Yes. As an EU/EEA member, Cyprus applies the GDPR (Regulation (EU) 2016/679) directly, enforced by the Office of the Commissioner for Personal Data Protection.

Who enforces data protection law in Cyprus?

The Office of the Commissioner for Personal Data Protection.

What are the GDPR fines in Cyprus?

Up to โ‚ฌ20 million or 4% of global annual turnover, whichever is higher.

Do you need a Data Protection Officer in Cyprus?

A DPO is required where you carry out large-scale monitoring or process special-category data at scale.

How quickly must a data breach be reported in Cyprus?

Personal-data breaches must be notified to the supervisory authority within 72 hours of becoming aware.

Key points

Primary legal framework

GDPR (Regulation 2016/679) is directly applicable. Law 125(I)/2018, in force since 31 July 2018, supplements the GDPR by exercising national margins of appreciation and establishing the supervisory authority. It repealed the previous Law 138(I)/2001.

Supervisory authority

The Commissioner for Personal Data Protection is the independent national DPA. Maria Christofidou was appointed Commissioner by the Council of Ministers in September 2025, succeeding Irene Loizidou Nicolaidou (who served simultaneously as EDPB Vice-President). The Commissioner has powers to investigate, issue corrective measures, and impose administrative fines.

National derogations under Law 125(I)/2018

Cyprus set the age of digital consent for information-society services at 14 years (below which parental consent is required). Law 125(I)/2018 also prohibits the processing of genetic and biometric data for life and health insurance purposes, a stricter position than the GDPR baseline.

Key controller/processor obligations

Controllers must observe GDPR principles (lawfulness, purpose limitation, data minimisation), conduct DPIAs for high-risk processing, appoint a DPO where mandated, and notify the Commissioner of personal data breaches within 72 hours. DPO contact details must be registered via the Commissioner's online portal.

Data subject rights

Individuals hold the full suite of GDPR rights: access, rectification, erasure ('right to be forgotten'), restriction of processing, data portability, and the right to object. These may be restricted by national law only where necessary to safeguard specified public-interest objectives.

Enforcement record

The Cyprus DPC has issued over โ‚ฌ1 million in cumulative administrative fines since GDPR took effect. A notable 2025 action saw two fines totalling โ‚ฌ58,400 imposed on Aylo Freesites Ltd (formerly Mindgeek) for GDPR breaches (decision dated 28 March 2025). Enforcement has focused on tourism, financial services, telecoms, marketing, and employment contexts.

Cyprus - other topics

Data & Privacy in other countries

Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ†’