The General Data Protection Regulation (GDPR), applies to the whole or partial processing of personal data by automated means as well as non-automated processing if it is part of a structured filing system (structured hard copy records). The data subject is the people whose data is being processed. They are the ‘users’.

But what exactly constitutes data processing?

The term “processing” covers a wide range of operations performed on personal data including the:

  • Collection
  • registration
  • organization
  • structure
  • analyzing
  • storage
  • adaptation or alteration
  • retrieval
  • information retrieval
  • use
  • disclosure by transmission
  • dissemination or any other form of disposal
  • association or combination
  • limitation
  • deletion or destruction of personal data

Some examples of Processing are:

  • personnel management and payroll
  • access/search for information in a contact database that includes personal data
  • send promotional emails
  • shredding documents containing personal data
  • publish/upload a person’s photo on a website
  • storing IP addresses or MAC addresses
  • filming by closed circuit television

As of May 2018, it is mandated that all relevant organizations be compliant with the General data protection regulation (GDPR) which was passed through the European parliament in April 2016. GDPR secures that all personal data is collected in a fair and legal process, along with the acquiescence of the users. 

At the core of GDPR, lies personal data. Personal data, is defined as any information that can be beneficial to directly or indirectly identify and / or recognize a human being. Personal data usually name, gender, email address, location information, IP addresses, web cookie information, and biometric data.

The GDPR enforces restrictions on collecting and processing certain kinds of personal data. Sensitive data such as Race, Ethnic origin, Political opinions, religious beliefs, Philosophical beliefs, Trade union membership, Genetic data, Biometric data, Health, and/ or Sexual orientations, should generally not be collected or processed. The only exceptions or special circumstances where collection or processing personal data becomes permissible, are collecting it with explicit consent and a specific purpose, or in order to comply with certain laws or court cases.

It is remarkable that, the number of applications recording a user’s personally identifiable information (PII) has increased. According to IBM Security’s 2021 global study, PII data, have undergone in as much as 44% of data breaches.  Furthermore, a consumer privacy survey which has been conducted by CISCO in 2021, revealed that many users have stopped using an application or a service due to personal data disclosures.

How can a business comply with GDPR:

Applying strong data protection measures and safeguards not only protects individuals’ or customers’ personal data, but also your organization’s data.

To begin with, the strategy of collection of personal data by a business, must cross the threshold that there is a legal reason to do so. For instance, a sales contract, or the request by a customer for provision of information on products or services.

In all cases, the businesses should clarify in which way the personal data will be used for and only be used for this specific purpose.

In addition, user contracts and terms and conditions, should be straightforward, clear and easy to understand and not consist complicated legal terminologies.

It is important that the customers can use their right to ask the company to delete all stored personal data about them, unless the company needs to keep that information for legal reasons, such as tax and the company shall secure their right by doing so.

Individuals can request a digital copy of their personal data to use however they like, including transitioning to a new service provider.

Last but not least, a business is obliged to report certain types of data breach to the relevant supervisory authority.

GDPR also governs where companies store personal data, and what safeguards you must have in place in order to store and process that personal data outside of the EU.

For how long can data be kept?

Data must be stored for the shortest time possible. Every company and/ or organization should frame time limits to erase or review the data stored.

Failure to comply with general data protection regulations can result in a fine which falls under two tiers (whichever is greater).


AML regulations establishes the obligation of saving and keeping data and transactions in the projection of suspicious activity, for five years. Non-compliance will lead to fines.

At the same time, one of the main pillars of GDPR is the right of EU citizens to have their data erased from the data processor’s systems forever.

In the face of a clash between the two regulations, GDPR protects both data controllers and data processors, during the execution of supporting “legitimate interests”, namely, to detect suspicious activity and this is in order to enable them to comply with AML regulations.

More specifically, legal requirements take precedence over the right to erasure. As such, if a regulation requires you to save the data, as AML regulations do, the right to erasure does not take effect until after that legal period ends in accordance with the AML regulation time-period.

National Derogations:

GDPR does not apply to areas of law that are outside the scope of Union law, such as national security, and does not apply to purely personal or household activity.

In Cyprus, it is legal to process for journalistic or academic purposes or for the purposes of artistic or literary expression provided that, such processing is proportional in relation to the intended purposes and respecting the data subjects’ fundamental rights and freedoms. Indubitably, the right to freedom of expression and the confidentiality of journalistic sources shall not be violated by the rights of the users to be provided with information on their personal data.

Finally, yet importantly, processing for achieving purposes in the public interest, scientific or historical research purposes or statistical purposes precludes the use of personal data for the purpose of decision making which produces legal effects concerning the users or which similarly significantly affects them.

To Top