All questions

Data protection

General framework

The General Data Protection Regulation (GDPR) came into force on 25 May 2018. Under the GDPR, both employers and their employees have new responsibilities to consider to help ensure compliance with the GDPR principles.

Irrespective of the GDPR's direct effect, EU Member States were given power to legislate domestically in a few areas, one of which is employment. On 31 July 2018, new data protection legislation was enacted replacing the previous data protection legislation. The new law implements a number of provisions of the GDPR but it does not specifically deal with employee data and privacy. Employers must comply with all the principles that apply to the processing of personal data, including the principle of accountability. Accordingly, employees, as data subjects, enjoy enhance data protection rights as set out in the GDPR.

The Data Commissioner Authority stated that any guidance and directives issued by the Cyprus Data Protection Commissioner under the previous legislation remains in force until such is expired or replaced. Therefore, the recommendation issued by the Data Commissioner in 2005 that deals with personal data processing in the field of employment is still relevant for specific data protection issues that arise in the field of employment.