Data protection law - An Introduction
Objects of and constitutional grounds for data protection legislation
THE PROCESSING OF PERSONAL DATA
1. This Law may be cited as the Processing of Personal Data (Protection of Individuals) Law 2001.
2. In this Law unless the context otherwise requires:
"Commissioner for the Protection of Data" or "Commissioner" means the Commissioner appointed by virtue of Section 18;
"combination" means a form of processing which involves the possibility of connection of the data of one filing system with the data of a filing system or systems kept by another controller or other controllers or kept by the same controller for another purpose;
"consent" means consent of the data subject, any freely given, express and specific indication of his wishes, clearly expressed and informed, by which the data subject, having been previously informed, consents to the processing of personal data concerning him;
"controller" means any person who determines the purpose and means of the processing of personal data;
"data subject" means the natural person to whom the data relate and whose identity is known or may be ascertained, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, political or social identity;
"Minister" means the Minister of Interior;
"person" means any natural person or any public or private corporate body whether or not it has legal personality and includes the Government of the Republic;
"personal data" or "data" means any information relating to a living data subject; consolidated data of a statistical nature, from which the data subject cannot be identified, are not deemed to be personal data;
"personal data filing system" or "filing system" means any structured set of personal data which constitute or may constitute the subject of processing and which are accessible according to specific criteria;
"processing" or "processing of personal data" means any operation or set of operations which is performed by any person upon personal data, whether or not by automatic means, and includes the collection, recording, organization, preservation, storage, alteration, extraction, use, transmission, dissemination or any other form of disposal, connection or combination, blocking, erasure or destruction;
"processor" means any person who processes personal data on behalf of the controller;
"recipient" means the person to whom data are communicated or transmitted, whether a third party or not; authorities which may receive data in the framework of a particular research shall not be regarded as recipients;
"Republic" means the Republic of Cyprus;
"sensitive data" means data concerning racial or ethnic origin, political convictions, religious or philosophical beliefs, participation in a body, association and trade union, health, sex life and erotic orientation as well as data relevant to criminal prosecutions or convictions;
"third party" means any person, other than the data subject, the controller the processor and the persons who, under the direct supervision or on behalf of the controller, are authorised to process the personal data;
3.(1) The provisions of this Law shall apply to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.
(a) by a controller established in the Republic or in a place where Cyprus law applies by virtue of public international law;
(b) by a controller not established in the Republic who, for the purposes of the processing of personal data, makes use of means, automated or otherwise, situated in the Republic, unless such means are used only for purposes of transmission of data through the Republic. In such a case, the controller must designate, by a written statement submitted to the Commissioner, a representative established in the Republic, who is vested with the rights and undertakes the obligations of the controller, the latter not being discharged of any special liability.
4.(1) The controller shall ensure that the personal data are:
(a) processed fairly and lawfully;
(b) collected for specified, explicit and legitimate purposes and are not further processed in a way incompatible with those purposes;
(c) relevant, appropriate and not excessive in relation to the purposes of processing;
(d) accurate and, where necessary, kept up to date;
(e) kept in a form which permits identification of data subjects for no longer than is necessary, in the Commissioner's discretion, for the fulfillment of the purposes for which they were collected and processed. After the expiry of this period, the Commissioner may, by a reasoned decision, allow the preservation of personal data for historical, scientific or statistical purposes if he considers that the rights of the data subjects or third parties are not affected.
(2) The controller shall be responsible for the destruction of personal data which have been collected or which are further processed in contravention of the provisions of subsection (1). If the Commissioner ascertains, either on his own initiative or following a complaint, that a contravention of the provisions of subsection (1) has occurred, he shall order the interruption of the collection or processing and the destruction of the personal data already collected or processed.
5.(1) Personal data may be processed only if the data subject has unambiguously given his consent.
(a) processing is necessary for compliance with a legal obligation to which the controller is subject;
(b) processing is necessary for the performance of a contract to which the data subject is party, or in order to take measures at the data subject's request prior to entering into a contract;
(c) processing is necessary in order to protect the vital interests of the data subject,
(d) processing is necessary for the performance of a task carried out in the public interest or in the exercise of public authority vested in the controller or a third party to whom the data are communicated;
(e) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party to whom the personal data are communicated, on condition that such interests override the rights, interests and fundamental freedoms of the data subjects.
(3) The Council of Ministers may, on the Commissioner's recommendation, make special rules for the processing of the most common categories of processing and filing systems.
6.(1) The collection and processing of sensitive data is prohibited.
(a) the data subject has given his explicit consent, unless such consent has been obtained illegally or is contrary to accepted moral values or a specific law provides that consent does not lift the prohibition;
(b) processing is necessary so that the controller may fulfill his obligations or carry out his duties in the field of employment law;
(c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent;
(d) processing is carried out by a foundation, association or other non-profit-making organisation which has political, philosophical, religious or trade-union aims, and relates solely to its members and such other persons with whom the said association, foundation or organisation retains relations by reason of its purposes. Such data may be communicated to third parties only if the data subject gives his consent;
(e) the processing relates solely to data which are made public by the data subject or are necessary for the establishment, exercise or defence of legal claims before the Court,
(f) the processing relates to medical data and is performed by a person providing health services by profession and has a duty of confidentiality or is subject to relevant codes of conduct, on condition that the processing is necessary for the purposes of preventive medicine, medical diagnosis, the provision of care or the management of health-care services;
(g) processing is necessary for the purposes of national needs or national security, as well as criminal and reform policy, and is performed by a service of the Republic or an Organisation or Foundation authorized for this purpose by a service of the Republic and relates to the detection of crimes, criminal convictions, security measures and investigation of mass destructions;
(h) processing is performed solely for statistical, research, scientific and historical purposes, on condition that all the necessary measures are taken for the protection of the data subjects;
(i) processing is performed solely for journalistic purposes or in the framework of artistic expression and as long as the right to privacy and family life is not violated;
(3) The Council of Ministers may on the Commissioner's recommendation, make regulations for the processing of sensitive data, in cases other than those referred to in subsection (2) when serious matters of public interest concur.
7.(1) The controller must notify the Commissioner in writing about the establishment and operation of a filing system or the commencement of processing.
(a) his full name, business name or title and his address. If the controller is not established in the Republic, he must state, in addition, the full name, business name or title and address of his representative in the Republic;
(b) the address where the filing system is established or the main equipment necessary for the processing is installed;
(c) a description of the purpose of the processing of the data which are or are intended to be processed or which are included or intended to be included in the filing system;
(d) a description of the category or categories of data subjects;
(e) the categories of data which are or are intended to be processed or which are included or intended to be included in the filing system;
(f) the period of time for which he intends to carry out the processing or to keep the filing system;
(g) the recipients or categories of recipients to whom he communicates or may communicate the data;
(h) the proposed transmissions of data to third countries and the purpose thereof;
(i) the basic characteristics of the system and the measures for the security of the filing system or of the processing.
(3) Where the processing or the filing system falls within one of the categories for which the Council of Ministers has issued special rules for processing, the controller shall submit to the Commissioner a statement confirming that processing will be performed or the filing system will be kept in accordance with the special rules issued by the Council of Ministers, which will also specify particularly the form and content of the statement.
(a) processing is performed solely for purposes directly connected with the work to be done and is necessary for the fulfillment of a legal obligation or for the performance of a contract provided that the data subject has been previously informed,
(b) the processing concerns customers or suppliers of the data subject provided that the data are neither transferred nor communicated to third parties. For the purposes of application of this provision, the Courts and the public authorities are not regarded as third parties, provided that the transmission or communication is provided by law or Court decision. The insurance companies for all types of insurance, the pharmaceutical companies, the data provision companies and the financial institutions such as banks and the companies that issue credit cards are not excluded from the obligation to notify,
(c) processing is performed by a society, association, company or political parties and concerns data related to their members, provided that these members have given their consent and the data are neither transferred nor communicated to third parties. Members are not regarded as third parties when the notification is made to them for the aims of the abovementioned societies, associations, companies or political parties, neither are the Courts and public authorities, when the communication is provided by law or a Court decision.
(d) processing is performed by doctors or other persons who provide health services and concerns medical data, provided that the controller is bound by medical confidentiality or other kind of confidentiality required by law or code of conduct and the data are neither transferred nor communicated to third parties. Persons who provide health services such as clinics, hospitals, health centers, recovery and detoxication centers, insurance funds and insurance companies as well as the controllers of personal data when the processing is performed in the framework of programs relating to telemedicine operations or provision of medical services through a network, are not excluded from this provision,
(e) processing is performed by advocates and concerns the provision of legal services to their clients, provided that the controller is bound by confidentiality required by law and the data are neither transmitted nor communicated to third parties, except in cases where it is necessary and is directly connected with a request from their clients.
Combination of filing systems.
8.(1) The combination of filing systems is permitted only in accordance with the conditions referred to in section 5 and in this section.
(i) the purpose for which the combination is considered necessary;
(ii) the category of personal data to which the combination relates;
(iii) the period of time for which the combination is permitted; and
(iv) any terms and conditions which may be imposed in order to protect the rights and liberties, especially the right to privacy of the data subjects or third parties.
(c) The license for combination may be renewed following an application by the controllers.
9.(1) Subject to the provisions of this Law, transmission of data which have undergone processing or are intended for processing after their transmission to any country shall be permitted after a license of the Commissioner. The Commissioner shall issue the license only if he considers that the said country ensures an adequate level of protection. For this purpose, he shall take into consideration the nature of the data, the purposes and duration of the processing, the relevant general and special rules of law, the codes of conduct and the security measures for the protection of data, as well as the level of protection in the countries of origin, transmission and final destination of the data. (2) The transmission of personal data to a country which does not ensure an adequate level of protection is permitted exceptionally after a license of the Commissioner, where one or more of the following conditions are fulfilled:
(a) the data subject has given his consent to the transmission, unless his consent has been obtained in a way that contravenes the law or accepted moral values;
(b) the transmission is necessary:
(i) in order to protect the vital interests of the data subject, or
(ii) for the conclusion and performance of a contract concluded in the interest of the data subject between the data subject and the controller or between the controller and a third party, or
(iii) for the implementation of pre-contractual measures which have been taken in response to the data subject's request;
(c) the transmission is necessary in order to deal with an exceptional necessity for the safeguard of a superior public interest, especially for the performance of conventions of co-operation with the public Authorities of the other country,
(d) the transmission is necessary for the establishment, exercise or defense of legal claims before a Court;
(e) the transmission is made from a public register which, according to the law, provides information to the public and is open to the public or to any person who can show legitimate interest, to the extent that the legal requirements for access to the register are satisfied in the particular case.
(3) Notwithstanding the provisions of subsection (2), the Commissioner may also allow the transmission of data to a country which does not ensure an adequate level of protection, provided that the controller provides sufficient guarantees, for the protection of privacy and fundamental liberties and the exercise of relevant rights and such guarantees may result from appropriate contractual clauses. (4) Notwithstanding the provisions of subsection (1), the transmission of data to Member-States of the European Union is free. (5) In the cases referred to in subsections (2) and (3), the Commissioner shall inform the European Commission and the respective Authorities of the other Member States, where he considers that a country does not ensure an adequate level of protection. (6) A license under this section shall be in the prescribed form and shall be issued upon payment of the prescribed fees.
10.(1) The processing of data is confidential. It shall be carried out only by persons acting under the authority of the controller or the processor and only upon instructions from the controller.
11.(1) The controller shall, at the time of collection of the personal data from the data subject, provide the latter, in an appropriate and explicit way, with at least the following information:
(a) his identity and the identity of his representative, if any;
(b) the purpose of the processing;
(2) The controller shall also inform the data subject about the following:-
(a) the recipients or the categories of recipients and of the data; and
(b) the existence of the right of access to and rectification of the data;
(c) whether the data subject is obliged to provide assistance, by virtue of which provisions, and the consequences of his refusal, if any; provided that this notification is necessary for securing in each case, the legitimate processing.
(3)(a) The provisions of subsection (1) shall also apply where the data are collected from third parties or where it is anticipated that they will be communicated to third parties, and the data subject shall be informed during their recording or at their first communication, as the case may be.
12.(1) Every person has the right to know whether the personal data relating to him are or were processed. To this end, the controller must reply to him in writing.
(a) Information about:
(i) all the personal data relating to him which have undergone processing, as well as any available information as to their source;
(ii) the purposes of the processing, the recipients or the categories of recipients, as well as the categories of data which are or are to be processed;
(iii) the progress of the processing since his previous briefing;
(iv) the logic which every automated process of data in relation to the data subject, is based, in cases of decisions taken by virtue of section 16(1).
(b) The rectification, erasure or blocking of the data, the processing of which has not been performed in accordance with the provisions of this Law, especially due to inaccuracies or shortages.
(c) The notification to third parties, to whom the data have been communicated, of every rectification, erasure or blocking which is done by virtue of paragraph (b), unless this is impossible or it requires disproportionate efforts.
13.(1) The data subject has the right to object, at any time, on compelling legitimate grounds relating to his particular situation, to the processing of data relating to him. The objection shall be in writing and addressed to the controller, and must contain a request for specific action to be taken, such as rectification, temporary abstention from use, blocking, abstention from transmission or erasure. The controller must reply in writing on these objections within fifteen days from the submission of the request. In his reply, he must inform the data subject about the actions he has taken or the reasons for not satisfying the request, as the case may be. In case of rejection of the objections, the reply must also be communicated to the Commissioner.
Exercise of rights of access and objection.
14. The rights of access and objection shall be exercised by the submission of an application to the controller and the payment, at the same time of a sum, the amount and manner of payment of which, as well as any other relevant matter shall be prescribed by Regulations issued under this Law. This sum shall be returned to the applicant if his request for rectification or erasure of data is considered by the controller or the Commissioner, in case of recourse to him, as well-founded. The controller must, in such a case, grant to the applicant, without delay and without the payment of any fee, in intelligible language, a copy of the rectified part of the processing which concerns him.
Processing for direct marketing.
15.(1) Personal data can not be processed by anyone for purposes of direct marketing or provision of services, unless the data subject notifies his written consent to the controller.
(2) If a controller wishes to carry out processing of personal data for the purposes referred to in subsection (1), he may, for the purpose of obtaining his consent, use the name and address of the data subject provided that the data has been obtained from sources accessible to public.
16.(1) Every person has the right to apply to the competent court for the immediate suspension or non-performance of an act or decision affecting him, which has been done or made by an administrative authority or a public or private corporate body, a union of persons or a natural person by processing of data, where such processing aims to evaluate certain personal aspects relating to him and, in particular, his efficiency at work, his financial solvency, his credibility and his behaviour in general. (2) The right to temporary judicial protection may be satisfied in accordance with the Courts of Justice Law, the Civil Procedure Law or any other law which provides for the issue of provisional orders.
17. The controller shall compensate a data subject who has suffered damage by reason of violation of any provision of this Law, unless he proves that he is not responsible for the event that caused the damage.
Appointment of the Commissioner.
18.(1) There shall be appointed a Commissioner for the Protection of Personal Data (hereinafter referred to as "the Commissioner") who shall be responsible for monitoring the application of this Law and other provisions relating to the protection of individuals with regard to the processing of personal data and who shall exercise the functions assigned to him from time to time by this or any other law.
19.(1) A person who exercises managerial duties in a business which promotes, transforms, provides or trades in materials used in information technology, telecommunications or who provides services related to information technology, telecommunications or the processing of personal data, or a person related to such business by a contractual connection may not be appointed as the Commissioner.
(a) acquires any of the capacities which constitute a disqualification for appointment under subsection (1);
(b) does any act or undertakes any work or acquires any other capacity which is incompatible with his duties as the Commissioner;
(c) is convicted for an offence in violation of subsection (3) of section 21,
shall cease to be a Commissioner;
Term of office.
20. The term of office of the Commissioner shall be for a period of four years and may be renewed for one more term.
Obligations and rights of the Commissioner.
21.(1) In the exercise of his duties, the Commissioner shall act according to his conscience and in accordance with the law. He shall be subject to a duty of confidentiality, which shall continue to exist even after he ceases to be the Commissioner. As a witness or expert witness he may only give on matters which relate to the compliance by the controllers with the provisions of this Law.
Office of the Commissioner.
22.(1) The Commissioner, in the performance of his functions shall have an Office, the personnel of which shall consist of officers possessing such qualifications and serving under such terms, as may be prescribed.
Functions, operation and decisions of the Commissioner.
23. The Commissioner shall have the following functions:
(a) To issue directions for the uniform application of provisions concerning the protection of individuals with regard to the processing of personal data.
(b) To call and assist professional associations and other unions of natural or legal persons which keep filing systems of personal data, in drawing up codes of conduct so as to better protect private life and the rights and fundamental liberties of natural persons in their field of activity.
(c) To submit recommendations and suggestions to controllers or their representatives, if any, and to give, in his discretion, publicity thereto.
(d) To grant the licenses provided by this Law.
(e) To report any contraventions of the provisions of this Law to the competent authorities.
(f) To impose the administrative sanctions provided by section 25.
(g) To assign to a member of his Office the conduct of administrative inquiries.
(h) To conduct, on his own initiative or following a complaint, an administrative inquiry on any filing system. For this purpose, he shall have a right of access to personal data and of collection of any information, including confidential information, except information covered by the confidentiality between advocate and client. Exceptionally, the Commissioner shall have no access to the particulars of identity of collaborators whose names are contained in filing systems kept for reasons of national security or for the detection of particularly serious crimes. The inquiry shall be conducted by the Commissioner or by a member of his Office authorised for this purpose by the Commissioner. The Commissioner shall be present in person during an inquiry relating to filing systems kept for reasons of national security.
(i) To reach a decision on any regulation relating to the processing and protection of personal data.
(j) To issue rules, directions and instruments for the regulation of specific, technical and detailed matters to which this Law refers.
(k) To draw up an annual report on his activities during the preceding calendar year. The report shall also indicate the necessary legislative amendments, that may be required, in the field of protection of individuals with regard to the processing of personal data. The report shall be submitted by the Commissioner to the Minister, who shall give it the publicity he considers necessary.
(l) To examine complaints relating to the application of this Law and the protection of the rights of the applicants, when these are affected by the processing of data concerning them, and applications requesting the control and ascertainment of the legality of such processing and to inform the applicants of his action thereon.
(m) To keep the Registers provided by this Law.
(n) To co-operate with the corresponding Authorities of other Member States of the European Union and the Council of Europe in relation to the exercise of his functions.
24.(1) The Commissioner shall keep the following Registers:
(a) A Register of Filing Systems and Processing, which shall include the filing systems and processing notified to the Commissioner.
(b) A Register of Combination, which shall include the statements and licenses issued by the Commissioner for the combination of filing systems.
(d) A Register of Transmission Licenses, in which the licenses for the transmission of personal data shall be filed.
(e) A Register of Confidential Filing Systems, in which there shall be recorded, after an application of the controller and a decision of the Commissioner, the filing systems kept by the Ministers of Justice and Public Order and Defense and the Public Information Office, for purposes of national security or the detection of particularly serious crimes. Combinations with at least one such fling system shall also be filed in the Register of Confidential Filing Systems.
(2) Every person shall have access to the Registers referred to in paragraphs (a), (b), (c) and (d) of subsection (1). On the application of the interested party, and after a decision of the Commissioner, access to the Register of Confidential Filing Systems may be permitted wholly or partly. On the application of the controller or his representative and after a decision of the Commissioner, access to the Register of Transmission Licenses, may be prohibited, wholly or partly, where such access might involve a risk to the privacy of a third party, national security, the detection of particularly serious crimes and the fulfillment of the obligations of the state which arise from International Conventions.
25.(1) The Commissioner may impose on the controllers or their representatives, if any, the following administrative sanctions in case of contravention of their obligations which arise from this Law and from every other regulation concerning the protection of individuals with regard to the processing of personal data:
(a) a warning with a specific time-limit for termination of the contravention;
(b) a fine of up to L5000;
(c) temporary revocation of a license;
(d) permanent revocation of a license;
(e) the destruction of a filing system or the cessation of processing and the destruction of the relevant data.
(2) The administrative sanctions provided in (b), (c), (d) and (e) of subsection (1), shall be imposed following a hearing of the controller or his representative. They shall be proportionate to the seriousness of the relevant contravention. The administrative sanctions under paragraphs (c), (d) and (e) shall be imposed in cases of a particularly serious or a continuous contravention. A fine may be imposed cumulatively and in conjunction with the sanctions provided in (c), (d) and (e) above. If the sanction of destruction of a filing system is imposed, the controller shall be responsible for the destruction, and a fine may be imposed on him for failure to comply.
Offences and penalties.
26.(1) An offence is committed by any person who:
(a) omits to notify to the Commissioner, in contravention of section 7, the establishment and operation of a filing system, the carrying out of the processing or any change in the terms and conditions for the grant of the license provided by subsection (5) of section 7;
(b) in contravention of section 7, keeps a filing system without a license or in contravention of the terms and conditions of the license granted by the Commissioner;
(c) in contravention of section 8, proceeds to a combination of filing systems without notifying the Commissioner;
(d) makes a combination of filing systems without a license issued by the Commissioner, where such a license is required, or in contravention of the terms of the license already granted to him;
(e) without being entitled to do so, intervenes in any way in a filing system of personal data or acquires knowledge thereof, or removes, alters, damages, destroys, processes, transmits, communicates the data, or renders them accessible to persons not entitled to access or permits such persons to acquire knowledge of the said data or makes use of them in any way;
(f) being a controller, does not comply with the provisions of this Law during the processing;
(g) being a controller, does not comply with the decisions of the Commissioner which are issued for the exercise of the right of access pursuant to subsection (3) of section 12, for the exercise of the right of objection pursuant to subsection (2) of section 13, as well as with actions taken for the imposition of the administrative sanctions provided by paragraphs (c), (d) and (e) of subsection (1) of section 25;
(h) being a controller, transmits personal data in contravention of section 9, or being a controller does not comply with a decision of the Court issued by virtue of section 16.
(2) Where the person responsible for the acts referred to in paragraphs (a) to (e) of subsection (1) intended to obtain for himself or anyone else an unlawful financial benefit or cause injury to a third party, he shall be liable to imprisonment for a term not exceeding five years or to a fine not exceeding five thousand pounds or to both such imprisonment and fine.
27.(1) The Council of Ministers shall, on the Commissioner's recommendation, make Regulations for the better implementation of this Law. (2) Without prejudice to the generality of subsection (1), Regulations made under this section may:
(a) provide for the processing of a specific category of data;
(b) prescribe the form of licenses issued by virtue of this Law, as well as the fees for these licenses.
Obligations of controllers.
28.(1) The controllers of filing systems which are in operation on the date of coming into operation of this Law as well as controllers who carry out the processing on the date of coming into operation of this Law shall submit to the Commissioner the notification provided by section 7 within six months from the day of appointment of the Commissioner.
Resumption of functions of the Commissioner.
29.(1) The Commissioner shall be appointed within sixty days from the entry into force of this Law.
Entry into force.
30. This Law shall come into operation on the date of its publication in the Official Gazette of the Republic, with the exception of subsections (4) and (5) of section 9, which shall come into operation by decision of the Council of Ministers to be published in the Official Gazette of the Republic.