This Year’s DataGuidance Contribution: Data Breach Notifications in Cyprus
Updated DataGuidance analysis on Cyprus data breach notifications: GDPR-NIS2-DORA convergence, Article 12 of Law 125(I)/2018, and recent Commissioner decisions from 2024-2025.
One year after my research contribution on data breach notifications in Cyprus to OneTrust's compliance platform DataGuidance, I have updated the white paper for this year to reflect several significant developments.
The Convergence of GDPR, NIS2 and DORA
The most significant change concerns the interaction of the GDPR with newer European legislation. In Cyprus, the NIS2 Directive was transposed through Law 89(I)/2020, while the DORA Regulation, being a regulation, applies directly to financial entities; CySEC addressed its application in Circular C700 (April 2025).
This means that when a data breach arises from a cybersecurity incident, organizations must examine not only the GDPR but also whether a more specific framework applies, such as NIS2 (for critical sectors) or DORA (for financial services), since these frameworks may impose additional or stricter notification obligations.
Cyprus-Specific Exception: Article 12
My updated analysis examines in depth Article 12 of Law 125(I)/2018, which maintains the same substantive requirements as Article 34(3) of GDPR for exceptions from the obligation to notify data subjects (such as encryption, subsequent measures, or disproportionate effort).
However, in Cypriot practice, data controllers in the majority of cases consult the Commissioner's Office before deciding not to notify data subjects, and receive guidance on a case-by-case basis.
Additionally, Article 12 gives data controllers the possibility to request a formal exemption from the Commissioner in sensitive cases involving national security, public safety, or judicial independence (based on Article 23 GDPR), through a formal procedure that includes an impact assessment and prior consultation.
This Year’s Commissioner Decisions
The updated article includes five recent decisions that shape practical application:
- Doctor Case (77/21): Unlawful access to medical data through the GESY System with a fine of €1,500.
- Land Registry Case (21/12/2023): Cyberattack in which no personal data breach was established, but security measures were found inadequate; a reprimand was imposed together with an order to strengthen security.
- Google Analytics Cases (28/2/2024): Unlawful international data transfers to the USA without fines but with compliance order within one month.
- Health Insurance Organization Case (18/12/2024): Two fines (€1,500 for an incomplete response to an access request and €3,000 for non-cooperation with the Authority).
- GESY Doctor Case (3/9/2024): Processing beyond purpose with reprimand without fine.
Conclusion
The update reflects a more complex reality: organizations in Cyprus can no longer examine the GDPR in isolation. An integrated approach is required that takes sectoral legislation into account, particularly when a data breach is connected to a cybersecurity incident.
The full updated article is available on the OneTrust DataGuidance platform. If you have any questions regarding data breach notifications or data protection law in Cyprus, please do not hesitate to contact me.
Further Reading
For those interested in exploring data protection and GDPR topics further, I invite you to review my other articles. They cover a broad spectrum, from societal debates to practical applications and critical analyses:
- When the GDPR goes wrong…: A critical look at the weaknesses and potential negative consequences of GDPR, including issues of innovation and competitiveness.
- The Consent Paradox: How EU Regulations Enabled Corporate Data Harvesting: A legal analysis examining how European cookie regulations created a surveillance system controlled by 8-10 companies, with academic studies showing that 85% of consent systems violate basic GDPR requirements, transforming privacy protection into “consent theater.”
- Welcome to Facebook’s Post-Data Era: Why GDPR Is a Dangerous Delusion: A provocative perspective on the evolution of technology and data, questioning the effectiveness of GDPR.
- Open Letter: How the European Parliament Threatens Communications Privacy: An analysis of the risks involved in using algorithms to monitor communications, emphasizing the importance of privacy and proportionality in legislation.