As a full member of the European Union, Cyprus directly applies the General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679 — which took effect across the EU on 25 May 2018. Any business operating from Cyprus that collects, processes, stores, or transfers personal data of individuals in the EU must comply with GDPR's comprehensive requirements. This is not optional, and it applies equally to a one-person consulting business and a multinational corporation. For Non-Dom entrepreneurs establishing businesses in Cyprus, GDPR compliance should be built into your operations from the outset rather than treated as an afterthought.
This guide provides a practical overview of what GDPR requires, how the regulation is enforced in Cyprus, what steps you need to take to comply, and how to avoid the most common mistakes that trigger enforcement action.
GDPR: The Core Principles
GDPR is built on seven core principles that govern all processing of personal data. Understanding these principles is more important than memorising every article of the regulation, because they form the foundation against which compliance is assessed.
- Lawfulness, fairness, and transparency: You must have a valid legal basis for processing personal data, treat data subjects fairly, and be transparent about what you do with their data.
- Purpose limitation: Collect data for specified, explicit, and legitimate purposes, and do not process it for incompatible purposes.
- Data minimisation: Only collect data that is necessary for the stated purpose — no more.
- Accuracy: Keep personal data accurate and up to date.
- Storage limitation: Do not keep personal data longer than necessary.
- Integrity and confidentiality: Protect data against unauthorised access, loss, or destruction.
- Accountability: You must be able to demonstrate compliance with all of the above principles.
Legal Bases for Processing
Every instance of personal data processing must be grounded in one of six legal bases defined by GDPR. The most commonly relevant for Cyprus businesses are consent (the individual has explicitly agreed to the processing), contractual necessity (the processing is necessary to perform a contract with the individual), legitimate interest (the processing is necessary for a legitimate business interest that is not overridden by the individual's rights and freedoms), and legal obligation (the processing is required by law, such as retaining employee records for tax purposes).
Choosing the correct legal basis is important because it determines what rights data subjects have and what obligations you bear. Consent, for example, can be withdrawn at any time, which means relying on consent for data processing that is essential to your business operations creates vulnerability. In many cases, contractual necessity or legitimate interest provides a more robust foundation.
Key GDPR Obligations for Cyprus Businesses
| Obligation | What It Requires | Deadline/Frequency |
|---|---|---|
| Privacy notice | Inform individuals how their data is collected, used, stored, and shared, in clear and plain language | Before or at the time of data collection |
| Data subject rights | Respond to requests for access, rectification, erasure, restriction, portability, and objection | Within 30 days of request |
| Records of processing | Maintain a written record of all processing activities (Article 30) | Ongoing; updated as activities change |
| Data Protection Impact Assessment | Conduct an assessment before any processing likely to result in high risk to individuals | Before the processing begins |
| Data breach notification | Report breaches to the Commissioner within 72 hours; notify affected individuals without undue delay if high risk | 72 hours from awareness of breach |
| Data protection by design | Build data protection into systems and processes from the start, not as a retrofit | Ongoing |
| Data Processing Agreements | Have written contracts with all third parties who process personal data on your behalf | Before sharing data with processors |
The Cyprus Data Protection Commissioner
The Office of the Commissioner for Personal Data Protection is the national supervisory authority for GDPR in Cyprus. The Commissioner has the power to investigate complaints, conduct audits, issue warnings, impose corrective measures, and levy administrative fines. Maximum fines under GDPR are up to EUR 20 million or 4% of global annual turnover, whichever is higher — though in practice, fines imposed in Cyprus have been more moderate, reflecting the proportionality principle.
The Commissioner's office has become increasingly active in recent years, conducting sector-specific audits and responding to a growing number of complaints from individuals exercising their data protection rights. Businesses operating in Cyprus should treat the Commissioner's guidance and decisions as authoritative and stay informed about enforcement trends.
Practical Steps for GDPR Compliance
Step 1 — Data mapping. Identify all personal data your business collects and processes. This includes customer data, employee data, marketing databases, website analytics, email lists, and any other data that relates to identified or identifiable individuals. Document where the data comes from, where it is stored, who has access to it, how long it is retained, and what legal basis supports the processing.
Step 2 — Privacy documentation. Draft a clear, accessible privacy policy for your website and business communications. If you have employees, create an internal privacy notice explaining how employee data is handled. Ensure all privacy notices are written in plain language — not legal jargon — and are easily accessible.
Step 3 — Security measures. Implement appropriate technical and organisational measures to protect personal data. For most small and medium businesses, this means using encryption for sensitive data, implementing access controls (not everyone in the company needs access to all data), maintaining regular backups, keeping software and systems updated, and training employees on data protection awareness.
Step 4 — Data subject request procedures. Establish a clear internal process for handling data subject requests. When an individual exercises their right to access, correct, delete, or port their data, you must respond within 30 days. Having a documented procedure — who receives the request, who verifies identity, who retrieves the data, and who responds — ensures you meet deadlines consistently.
Step 5 — Breach response plan. Create an incident response plan for potential data breaches. This should include how to detect and contain a breach, who to notify internally, how to assess the risk to affected individuals, how to notify the Commissioner within 72 hours, and how to notify affected individuals if the breach is likely to result in high risk to their rights and freedoms.
Step 6 — Third-party contracts. Review all relationships where third parties process personal data on your behalf — cloud service providers, email marketing platforms, payroll processors, CRM systems. Each must be governed by a Data Processing Agreement that meets GDPR requirements under Article 28.
Data Protection Officer: Do You Need One?
Under GDPR, appointing a Data Protection Officer (DPO) is mandatory if your core activities involve regular and systematic monitoring of data subjects on a large scale, or if you process special categories of data (health, biometric, racial/ethnic, political opinions, etc.) on a large scale. For most small and medium Cyprus companies, a DPO is not mandatory but may be advisable if data processing is central to your business model — for example, if you operate a SaaS platform, an e-commerce business with large customer databases, or a healthcare-related service.
If a DPO is not required, a good practice is to designate an internal data protection lead — someone who understands the basics, monitors compliance, and serves as the point of contact for data protection queries.
International Data Transfers
Transferring personal data outside the EU/EEA requires compliance with GDPR's international transfer rules. Common mechanisms include adequacy decisions (transfers to countries the EU has determined provide adequate data protection, such as the UK, Japan, and South Korea), Standard Contractual Clauses (SCCs) for transfers to countries without adequacy decisions, and Binding Corporate Rules for intra-group transfers within multinational organisations.
For most Cyprus businesses, the practical implication is to be aware of where your cloud services, email providers, and other technology platforms store data. If you use a US-based service (such as Google Workspace, Microsoft 365, or AWS), ensure that appropriate transfer mechanisms are in place — most major providers have updated their terms to include SCCs or rely on EU data centres.
Practical Tip
GDPR compliance does not have to be expensive or complicated for small businesses. Start with a clear privacy policy on your website, a simple data map documenting what personal data you hold and why, and basic security measures (encryption, access controls, backups). These foundational steps address 80% of compliance requirements for most small and medium businesses. If your business grows in data processing complexity, engage a data protection specialist to conduct a more detailed assessment.
Frequently Asked Questions
Yes. GDPR applies to all organisations that process personal data of individuals in the EU, regardless of size. There are no small-business exemptions. However, the scope of your obligations scales with the nature and volume of data processing — a small consulting firm has fewer obligations than a data-intensive tech company.
Personal data is any information relating to an identified or identifiable natural person. This includes obvious identifiers like names, email addresses, and phone numbers, but also IP addresses, cookie data, location data, and any other information that can be used — directly or indirectly — to identify an individual.
You must assess the breach's risk to affected individuals. If the breach is likely to result in a risk to individuals' rights, you must notify the Commissioner within 72 hours. If the risk is high, you must also notify the affected individuals directly. Document all breaches — even minor ones — as part of your accountability obligations.
You need a valid legal basis — typically consent or legitimate interest. For electronic marketing (email, SMS), the ePrivacy rules add additional requirements: generally, you need prior consent for marketing emails unless you have an existing customer relationship and the marketing relates to similar products or services. Always include an unsubscribe option and honour opt-out requests immediately.
Scope of GDPR in Cyprus
The General Data Protection Regulation (EU 2016/679) applies directly in Cyprus as an EU member state. It is supplemented by the national Processing of Personal Data (Protection of the Individual) Law of 2018 (Law 125(I)/2018), which addresses areas where the GDPR allows or requires national legislation. The supervisory authority is the Commissioner for Personal Data Protection, based in Nicosia.
GDPR applies to your Cyprus company if it processes personal data of individuals located in the EU, regardless of where the processing takes place. This means a Cyprus company with customers, employees, or contractors anywhere in the EU must comply with GDPR. Personal data includes any information that can directly or indirectly identify a living individual: names, email addresses, phone numbers, IP addresses, cookie identifiers, location data, financial information, and health data.
For most Cyprus companies, the practical impact of GDPR centres on several key areas: employee data processing (payroll, HR records, performance data), customer data management (contact details, transaction records, communication history), marketing activities (email newsletters, targeted advertising, cookie tracking), and data sharing with third parties (accountants, auditors, cloud service providers).
Key Compliance Requirements
Lawful basis for processing: You must have a valid legal basis for every category of personal data you process. The six lawful bases under GDPR are: consent, contract performance, legal obligation, vital interests, public interest, and legitimate interests. Most business data processing relies on contract performance (processing customer data to deliver services) or legitimate interests (processing employee data for business operations). Consent is required primarily for marketing communications and cookies.
Privacy notices: Every company must provide clear, accessible privacy notices that explain what data is collected, why it is processed, how long it is retained, who it is shared with, and what rights individuals have. You need separate privacy notices for your website, your employees, and your customers/suppliers. These notices must be written in plain language — legal jargon is not sufficient.
Data processing agreements: When you share personal data with third parties (your accountant, cloud hosting provider, email marketing platform, payroll processor), you must have a written data processing agreement (DPA) in place. This agreement must specify the scope of processing, security measures, data breach notification obligations, and the processor's duty to assist with data subject requests. CMC has standard DPA templates available for clients.
Records of processing activities: Companies with more than 250 employees must maintain a formal record of processing activities (ROPA). However, smaller companies must also maintain records if their processing involves sensitive data categories, regular monitoring of individuals, or processing on a large scale. In practice, CMC recommends that all clients maintain at least a basic ROPA as evidence of compliance.
Penalties and Enforcement in Cyprus
GDPR penalties can be severe: up to EUR 20 million or 4% of global annual turnover, whichever is higher, for the most serious violations. The Cyprus Commissioner has issued fines ranging from EUR 3,000 for minor administrative failures to EUR 30,000 for more significant violations. While Cyprus enforcement has been proportionate compared to some other EU jurisdictions, the trend is toward increasing scrutiny and higher fines.
Common triggers for enforcement action in Cyprus include failure to respond to data subject access requests within the required 30-day timeframe, sending marketing emails without valid consent, inadequate website cookie consent mechanisms, failure to report data breaches within 72 hours, and lack of a Data Protection Officer where one is required.
Beyond regulatory fines, non-compliance creates significant business risks. Data breaches can damage client trust and business reputation. Failure to have proper data processing agreements can disrupt relationships with EU business partners. Inadequate data protection practices can also lead to civil liability claims from affected individuals.
Practical Compliance Checklist
Start with these essentials: publish a GDPR-compliant privacy policy on your website, implement a cookie consent banner, create employee and customer privacy notices, review all third-party data sharing arrangements and put DPAs in place, establish a data breach response plan with clear internal responsibilities, and train your staff on basic data protection principles. These steps address the most common compliance gaps and reduce your risk exposure significantly.
GDPR and Non-Dom Business Structures
Non-Dom entrepreneurs operating through Cyprus companies face specific GDPR considerations that deserve attention. If your company serves customers across multiple EU countries, you must comply with GDPR in each jurisdiction where your customers are located. However, your Cyprus company's data protection supervisory authority — the first point of contact for any EU-wide processing — is the Cyprus Commissioner, which can be advantageous given the authority's proportionate approach to enforcement.
International data transfers are another key consideration. If your Cyprus company transfers personal data to countries outside the EU/EEA (for example, to service providers in the United States, India, or the UAE), you must implement appropriate safeguards. These include Standard Contractual Clauses (SCCs), binding corporate rules, or reliance on an adequacy decision. The EU-US Data Privacy Framework provides a mechanism for transfers to certified US companies, but transfers to other non-EU countries require individual assessment.
For e-commerce businesses, content creators, and digital service providers — common Non-Dom business types — the practical GDPR requirements include cookie consent management on websites, clear opt-in mechanisms for email marketing, data minimisation in customer databases, and regular review of data retention periods. Implementing these measures from the start is far easier and cheaper than retrofitting compliance into an established operation.
Frequently Asked Questions
Yes. GDPR applies directly in Cyprus as an EU member state. Any company processing personal data of EU residents must comply, regardless of company size or turnover.
A DPO is required only if your core activities involve regular and systematic monitoring of individuals on a large scale, or processing of sensitive data categories on a large scale. Most SMEs do not meet these thresholds but should still maintain documented GDPR policies.
Maximum fines under GDPR are EUR 20 million or 4% of global annual turnover. In practice, the Cyprus Commissioner has issued fines ranging from EUR 3,000 to EUR 30,000 for various violations. Common triggers include failure to respond to data subject requests and inadequate cookie consent.
