What is a Data Protection Officer, commonly known as the DPO?

A DPO is responsible for ensuring that an organization manages personal data in compliance with the GDPR and local data protection laws. 

This includes data related to employees, customers, and other individuals the organization interacts with.

Who Needs to Appoint a DPO?

Organizations must appoint a DPO if:

• They are a public authority or body.
• Their main activities involve monitoring individuals on a large scale, such as tracking behaviour or profiling users.
• They process significant amounts of sensitive data, including health records, financial data, or criminal records.

 

What are the Key Responsibilities of a DPO?

• Ensuring Compliance to the GDPR and Cyprus data protection laws when handling personal data.
• Advising the Organization on data protection obligations and best practices, including training staff and raising awareness about data privacy.
• Conducting Data Protection Impact Assessments (DPIAs) to identify and reduce risks associated with personal data processing, particularly for new projects and technologies.
• Serving as a Point of Contact between the organization and the Office of the Commissioner for Personal Data Protection in Cyprus. Additionally, a DPO handles inquiries from individuals regarding their data rights, such as requests to access or delete their personal information.
• Monitoring and Auditing the organization’s data processing activities and ensures internal policies, including privacy policies and data retention schedules, are up to date.
• Managing Data Breaches via assessing the impact, notifying the relevant authorities within 72 hours, and informing affected individuals if necessary.
• Managing Documentation & Reviewing of Policies by keeping records of processing activities, reviewing and updating related policies and ensuring that such policies comply with legal requirements.
• Maintaining Independence and Confidentiality in all matters related to personal data.

 

What are the necessary skills and expertise of a DPO?

1. Expertise in national and European data protection laws and practices including an in-depth understanding of the GDPR.
2. Understanding of the processing operations carried out by the data controller.
3. Understanding of information technologies and data security.
4. Knowledge of the business sector and the organisation.
5. Ability to promote a data protection culture within the organisation – data controller.

 

Is it possible to appoint an external DPO?

Yes, it is possible to appoint an external DPO on the basis of a service contract concluded with an individual or an organisation. In this case, a team of individuals working for that entity may effectively carry out the DPO’s tasks as a team, under the responsibility of a designated lead contact and ‘person in charge’ of the client. It is however, essential that each member of the external organisation exercising the functions of a DPO fulfils all relevant requirements of the GDPR.

What is the Legal Framework and Liabilities in Cyprus?

The DPO’s role is governed by:

• The GDPR (Regulation (EU) 2016/679); and 
• The Cyprus Data Protection Law of 2018 (Law 125(I)/2018), which supplements the GDPR with specific national provisions.

 

Is the DPO personally responsible for non-compliance with the GDPR?

No, the DPO is not personally responsible for non-compliance with the GDPR. 

The GDPR makes it clear that data protection compliance is the controller or the processor’s responsibility are required to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation’ (Article 24(1)). 

What are the penalties of non-compliance with the GDPR?

Organizations can face significant fines if they fail to comply with data protection regulations. These include:

• Fines of up to €20 million or 4% of the company’s global annual revenue for major violations;
• Administrative penalties for failing to appoint a DPO when required or not providing them with sufficient resources to perform their role effectively.

The DPO must operate independently, and organizations are prohibited from dismissing or penalizing them for carrying out their duties.

 

What is the role of the Office of the Commissioner for Personal Data Protection in Cyprus?

In Cyprus, the Office of the Commissioner for Personal Data Protection serves as the independent public authority responsible for overseeing the application of data protection laws, including the General Data Protection Regulation (GDPR). 

The Commissioner's duties encompass monitoring compliance, investigating complaints, and imposing sanctions for data protection violations. 

The Office actively enforces data protection regulations and highlights the importance for organizations to ensure compliance to avoid substantial penalties. 

The Office has handled over 2,500 complaints (including going after the State Health Services Organization, Social Insurance Services, newspapers, doctors, private companies, etc.) and imposed more than €1.5 million in administrative fines since the GDPR came into effect in 2018. 

Conclusion

A DPO is essential and required for organizations handling personal data in Cyprus, ensuring compliance with the GDPR and national data protection laws. 

Their role includes advising, monitoring, and liaising with authorities, helping businesses avoid regulatory penalties while protecting individuals' privacy. 

Ensuring a capable DPO is in place is essential for upholding trust and adhering to legal requirements in today's data-centric environment.  │Find more information here. 

About us

CYAUSE Audit Services is an Audit & Assurance firm with offices in Nicosia and Limassol in Cyprus regulated by the UK ICAEW, International ACCA and the Cyprus ICPAC. Our firm has extensive knowledge and experience in relocation consultation, international tax planning solutions and licensing of investment firms, funds and insurance agents / brokers. Our routine day to day services include accounting, audit, tax and advisory services to international businesses interested in relocating or establishing presence to Cyprus.

Our Partnership with  BKR International  (No 10 Global Accounting Network with offices everywhere in the world), ACCACE Circle (European Network) and 3E Accounting International, a Hong Kong Network, ensures that we are wired and closely connected in all jurisdictions, getting the latest corporate and tax news ensuring our tax planning is accurate and validated before finalisation. Being part of international networks ensures seamless collaboration with overseas experts and access to fast and accurate information on overseas tax and corporate legislations.

Feel free to contact us at enquiries@cyprusaccountants.com.cy or call us at +357 99 428 543.