Table of contents
- Why GDPR matters for a Cyprus company
- The legal framework: GDPR + N.125(I)/2018
- Controller vs processor: which are you?
- The six core obligations
- When do you need a DPO?
- ROPA, DPIA and the Article 30 register
- The 72-hour breach notification rule
- International transfers after Schrems II
- Cookies, marketing and the ePrivacy overlay
- NIS2 and the cybersecurity overlay
- Cyprus Commissioner enforcement record
- Founder checklist: from zero to compliant
GDPR is not a paperwork exercise that you stamp once and forget. For a Cyprus-incorporated company — even one whose customers all sit outside the EU — it is a live, day-one obligation policed by the Office of the Commissioner for Personal Data Protection, with fines that reach 4% of global turnover and a 72-hour clock that starts the moment someone in your team realises a laptop has gone missing. This 2026 guide walks through the law as it actually applies on the ground in Cyprus: who needs a DPO, what a credible ROPA looks like, how to handle breaches and transfers, where the new NIS2 cybersecurity layer fits, and what the Cyprus Commissioner has actually been fining people for.
The article is written for founders, operations leads and in-house counsel of Cyprus SaaS, fintech, e-commerce and professional-services companies. It is not a substitute for a Cyprus Bar-licensed advocate or an ICPAC-licensed accountant — Zeno coordinates those independent specialists where named legal advice is required.
Why GDPR matters for a Cyprus company
The General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") has applied directly in Cyprus since 25 May 2018. Cyprus did not need to transpose the substance of GDPR — as an EU Regulation it has direct effect — but it did pass an implementing statute, Law N.125(I)/2018, to deal with the national derogations and to designate the supervisory authority. The supervisory authority is the Office of the Commissioner for Personal Data Protection (the "Commissioner"), an independent constitutional body headquartered in Nicosia.
Three things make GDPR particularly load-bearing for Cyprus companies in 2026:
- Cyprus is an EU jurisdiction. The reason a Cyprus company is attractive — EU passporting, EU bank access, EU client contracts — is the same reason that EU data-protection law sits on top of every operation.
- Cross-border B2B contracts demand it. Almost every enterprise procurement form now asks for a controller/processor declaration, a DPO contact, a sub-processor list, an SCC schedule, and a security-questionnaire response. You cannot win EU enterprise contracts without these artefacts.
- The Cyprus Commissioner is active. Cyprus has issued enforcement decisions every year since 2018, including the headline €925,000 fine against an airline carrier in 2022, and routine decisions on cookies, employee surveillance and breach notification.
The legal framework: GDPR + N.125(I)/2018
Three layers operate in parallel:
- GDPR (Regulation (EU) 2016/679). The core. Directly applicable. Contains all the substantive rights and obligations.
- Cyprus Law N.125(I)/2018. The Law providing for the Protection of Natural Persons with regard to the Processing of Personal Data and for the Free Movement of Such Data. Sets the age of digital consent at 14, governs employee processing (Article 27), processing for journalistic and academic purposes (Article 29), and the powers and procedure of the Commissioner. Adds Cyprus-specific administrative fines and criminal offences alongside GDPR fines.
- The ePrivacy Directive (2002/58/EC) as transposed in Cyprus through the Regulation of Electronic Communications and Postal Services Law. Governs cookies, electronic marketing and traffic data.
Sector-specific overlays may also apply: PSD2 for payments, MiFID II / EMIR for investment firms, the EU AI Act (in phased application through 2026), the Digital Services Act for online platforms, and NIS2 for cybersecurity. Crypto businesses should also see our Cyprus CASP / MiCA licence guide — MiCA brings its own customer-data obligations on top of GDPR.
Controller vs processor: which are you?
Almost every GDPR question begins with this classification, because the obligations differ.
| Role | Definition (Art. 4) | Typical Cyprus examples | Key obligations |
|---|---|---|---|
| Controller | Determines the purposes and means of processing. | SaaS company processing its own customer accounts; e-commerce shop holding customer orders; employer holding HR records. | Lawful basis, transparency, DPIA, breach notification, DPO assessment, ROPA, transfer mechanism. |
| Processor | Processes on behalf of a controller, on documented instructions. | Cyprus hosting provider, white-label SaaS, outsourced bookkeeping, payroll bureau. | Article 28 DPA with controller, security, sub-processor controls, ROPA (own), assist controller with rights requests and breaches. |
| Joint controllers | Two or more controllers jointly determine purposes and means. | Co-branded marketing campaigns; analytics partnerships; some platform/seller arrangements. | Article 26 joint-controller arrangement with essence published to data subjects. |
A Cyprus SaaS company is almost always a controller for its own employee and prospect data, and a processor for the customer data its users push into the platform. Both hats need to be documented.
The six core obligations
Strip the regulation down and a controller has six operational obligations to discharge every quarter:
- Lawful basis & transparency. For each processing activity, identify a lawful basis under Article 6 (consent, contract, legal obligation, vital interests, public task, legitimate interests). Document it. Publish a privacy notice that meets Articles 13/14.
- Data minimisation & retention. Collect only what you need. Define and enforce retention periods. Delete on schedule.
- Security. Article 32 — appropriate technical and organisational measures: encryption, access control, MFA, logging, tested backups, incident-response playbooks.
- Vendor due diligence. Article 28 DPA in place with every processor; sub-processor list; periodic security questionnaires.
- Data-subject rights. Process for handling access, rectification, erasure, restriction, portability and objection requests, with a one-month response window (extendable by two months for complex requests).
- Accountability. ROPA, DPIA where required, training records, internal policies, breach log. You must be able to demonstrate compliance, not merely claim it (Article 5(2)).
When do you need a DPO?
Article 37 GDPR makes a Data Protection Officer mandatory in three cases:
- You are a public authority or body (other than courts acting in their judicial capacity).
- Your core activities consist of regular and systematic monitoring of data subjects on a large scale.
- Your core activities consist of large-scale processing of special-category data (Article 9) or criminal-conviction data (Article 10).
"Core activities" excludes ancillary HR or finance processing. "Large scale" is qualitative (volume, geographic reach, duration, number of data subjects) — the WP29 / EDPB guidance gives factors rather than thresholds.
Even where not mandatory, appointing a Privacy Lead (sometimes labelled "DPO" voluntarily, sometimes "Privacy Officer" to avoid the Article 38–39 statutory regime) is normal market practice for any Cyprus company doing enterprise B2B.
ROPA, DPIA and the Article 30 register
ROPA (Article 30)
The Record of Processing Activities is the single most important document the Commissioner will ask for on an inspection. It must list, per processing activity:
- Name and contact details of the controller (and DPO, where applicable).
- Purposes of the processing.
- Categories of data subjects and personal data.
- Categories of recipients (including sub-processors and third-country recipients).
- International transfers and the safeguards used.
- Retention periods.
- General description of security measures (Article 32).
The Article 30(5) carve-out for entities with fewer than 250 employees is narrow: it does not apply where processing is not occasional, includes special-category data, or risks data-subject rights. Almost no real operating company satisfies all three exemption conditions, so in practice the ROPA is universal.
DPIA (Article 35)
A Data Protection Impact Assessment is required where processing is "likely to result in a high risk" to data subjects. Article 35(3) lists three automatic triggers (systematic and extensive automated decision-making with legal effect; large-scale special-category data; systematic monitoring of publicly accessible areas). The Cyprus Commissioner has also published a national list of processing operations that always require a DPIA — including large-scale biometric identification, employee monitoring beyond ordinary access logs, and wide-scale AI profiling.
The 72-hour breach notification rule
Article 33 obliges the controller to notify the Cyprus Commissioner of any personal-data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If notification is delayed beyond 72 hours, the notification must explain the delay.
Where the breach is likely to result in a high risk to data subjects, Article 34 also requires the controller to inform the affected individuals without undue delay, in clear and plain language. Processors notify their controllers without undue delay — typically with a contractual SLA of 24–48 hours in the DPA.
Maintain a written breach register (Article 33(5)) of every personal data breach, including those you assessed as not notifiable. The Commissioner asks to see this on inspection and the absence of one is itself a compliance finding.
International transfers after Schrems II
Chapter V (Articles 44–50) governs transfers of personal data outside the EEA. After the CJEU's Schrems II judgment (C-311/18, July 2020), SCCs alone are no longer enough where the destination country's law gives public authorities disproportionate surveillance powers — a Transfer Impact Assessment (TIA) and, where necessary, supplementary measures (encryption, pseudonymisation, contractual restrictions, no plaintext access) are required.
The 2026 toolkit:
- Adequacy decisions. Transfers to countries with an adequacy decision (UK, Switzerland, Israel, Japan, South Korea, New Zealand, Canada commercial, Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Jersey, Uruguay) require no further mechanism.
- EU-US Data Privacy Framework (DPF). Adopted 10 July 2023. Allows transfers to DPF-certified US importers as if to an adequate jurisdiction. Verify the importer's certification on the dataprivacyframework.gov list before relying on it.
- Standard Contractual Clauses (2021 SCCs). The Commission's modular SCCs, signed by both parties, with the appropriate Module (1 C2C, 2 C2P, 3 P2P, 4 P2C) and Annexes I-III filled in. Add a TIA covering the importer's domestic law (FISA 702, EO 12333 for the US; similar surveillance frameworks for other destinations).
- Binding Corporate Rules (BCRs). Intragroup mechanism — heavyweight, approved by a lead supervisory authority, worth it for global groups with frequent intragroup transfers.
- Article 49 derogations. Explicit consent, contract necessity, important reasons of public interest. Narrow, last-resort.
Document the chosen mechanism per transfer in the ROPA, attach the SCCs and TIA to the vendor file, and refresh the TIA at least annually or on material change.
Cookies, marketing and the ePrivacy overlay
The ePrivacy Directive (2002/58/EC), as transposed in Cyprus through the Regulation of Electronic Communications and Postal Services Law, governs cookies, similar tracking technologies, and electronic direct marketing. The rules sit on top of GDPR, not instead of it.
- Non-essential cookies need prior consent. Analytics, marketing, social-media pixels, ad-tech, fingerprinting. Strictly necessary cookies (session, security, load-balancing) do not.
- Reject-all must be as prominent as accept-all. The EDPB cookie-banner taskforce report (January 2023) and Cyprus Commissioner guidance both confirm this.
- No pre-ticked boxes, no bundled consent, no scroll-to-consent.
- Granular control. Consent should be category-by-category; a single "OK" for all non-essential categories is challenged.
- Cookie audit. The Cyprus Commissioner has conducted sweep audits of Cypriot websites and issued fines for non-compliant banners — typical penalties €5,000–€15,000.
For email and SMS marketing, the soft-opt-in for existing customers (similar to the UK PECR regime) is recognised, but B2C cold marketing requires prior opt-in consent. B2B marketing to corporate email addresses can rest on legitimate interests with a clear opt-out, subject to local nuances.
NIS2 and the cybersecurity overlay
Directive (EU) 2022/2555 ("NIS2") replaces the original NIS Directive and dramatically expands the universe of EU companies subject to a formal cybersecurity-and-incident-reporting regime. Cyprus transposed NIS2 through Law 89(I)/2024 with implementing rules adopted in 2025. The Cyprus competent authority is the Digital Security Authority (DSA), operating within the Office of the Commissioner of Communications.
NIS2 applies to medium and large entities in:
- Essential entities — energy, transport, banking, financial-market infrastructure, healthcare, drinking water, digital infrastructure (TLD registries, DNS, cloud providers, data centres, CDNs, trust services), ICT service management, public administration, space.
- Important entities — postal, waste, chemicals, food, manufacturing (medical devices, computers, electronics, machinery, motor vehicles), digital providers (online marketplaces, search engines, social networks), research.
Many Cyprus SaaS companies fall into the "important entity" bucket (online marketplace, cloud computing, managed services). NIS2 obligations include:
- Risk-management measures (Article 21) covering policies, incident handling, business continuity, supply chain, vulnerability handling, encryption, MFA.
- Early-warning incident notification within 24 hours, full notification within 72 hours, final report within 1 month.
- Management-body accountability — directors can be personally liable for non-compliance.
- Registration with the competent authority.
The GDPR/NIS2 overlap is intentional but partial: a security incident affecting personal data triggers both clocks (Article 33 GDPR and the NIS2 24/72-hour regime). Build a single incident-response runbook that feeds both notifications.
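To make the two clocks concrete, here is an added example (not code from the article or from Zeno) of the bookkeeping a single incident-response runbook needs: one record per incident, every notification deadline derived from the same "moment of awareness", and a breach-register line written even when the risk assessment concludes nothing is notifiable (Article 33(5)). The `Incident`, `Deadline` and `register_entry` names, the `nis2_significant` flag and the sample incidents are all constructed for illustration; "within 1 month" for the NIS2 final report is assumed to mean one calendar month, and the Article 34 "without undue delay" duty, which has no hour count, is tracked as due immediately.

```python
# Added example (not from the article): a minimal incident record that computes the
# GDPR Article 33/34 and NIS2 notification clocks from a single "moment of awareness",
# and writes every event, notifiable or not, to the breach register.
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Risk(Enum):
    # Outcome of the controller's risk assessment (GDPR Art. 33(1) / Art. 34(1)).
    UNLIKELY = "unlikely to result in a risk"   # no Art. 33 notification required
    RISK = "risk"                               # Art. 33 notification to the Commissioner
    HIGH = "high risk"                          # Art. 33 plus Art. 34 notice to individuals


@dataclass(frozen=True)
class Incident:
    ref: str                     # internal ticket id (constructed)
    aware_at: datetime           # when the company became aware; starts every clock
    summary: str
    personal_data_affected: bool
    risk: Risk
    nis2_in_scope: bool          # company is an essential/important entity under NIS2
    nis2_significant: bool       # incident meets the NIS2 "significant incident" threshold (assumed flag)


@dataclass(frozen=True)
class Deadline:
    regime: str
    step: str
    due: datetime


def add_one_month(moment: datetime) -> datetime:
    # "Final report within 1 month": assumed to mean one calendar month, clamped to month end.
    carry, month0 = divmod(moment.month, 12)
    year, month = moment.year + carry, month0 + 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


def notification_deadlines(inc: Incident) -> list[Deadline]:
    """Return every notification deadline the incident triggers, earliest first."""
    t0 = inc.aware_at
    out: list[Deadline] = []
    if inc.personal_data_affected and inc.risk is not Risk.UNLIKELY:
        out.append(Deadline("GDPR Art. 33", "notify the Cyprus Commissioner", t0 + timedelta(hours=72)))
        if inc.risk is Risk.HIGH:
            # Art. 34 has no hour count ("without undue delay"); tracked as due immediately.
            out.append(Deadline("GDPR Art. 34", "inform affected data subjects", t0))
    if inc.nis2_in_scope and inc.nis2_significant:
        out.append(Deadline("NIS2", "early warning to the DSA", t0 + timedelta(hours=24)))
        out.append(Deadline("NIS2", "incident notification to the DSA", t0 + timedelta(hours=72)))
        out.append(Deadline("NIS2", "final report to the DSA", add_one_month(t0)))
    return sorted(out, key=lambda d: d.due)  # stable sort keeps GDPR before NIS2 on ties


def register_entry(inc: Incident, now: datetime) -> dict:
    """Breach-register line (GDPR Art. 33(5)): recorded even when nothing is notifiable."""
    deadlines = notification_deadlines(inc)
    overdue = [d for d in deadlines if d.due < now]
    return {
        "ref": inc.ref,
        "aware_at": inc.aware_at.isoformat(),
        "summary": inc.summary,
        "risk_assessment": inc.risk.value,
        "gdpr_notifiable": any(d.regime == "GDPR Art. 33" for d in deadlines),
        "nis2_notifiable": any(d.regime == "NIS2" for d in deadlines),
        "next_due": deadlines[0].due.isoformat() if deadlines else None,
        # Art. 33(1): a notification made after 72 hours must give reasons for the delay.
        "delay_explanation_required": any(d.regime == "GDPR Art. 33" for d in overdue),
        "overdue_steps": [f"{d.regime}: {d.step}" for d in overdue],
    }


# Constructed sample incidents (not real cases).
T0 = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)

STOLEN_LAPTOP_ENCRYPTED = Incident(
    ref="INC-0001", aware_at=T0,
    summary="Laptop stolen; full-disk encryption on, key not compromised",
    personal_data_affected=True, risk=Risk.UNLIKELY,
    nis2_in_scope=True, nis2_significant=False,
)

CUSTOMER_DB_EXPOSED = Incident(
    ref="INC-0002", aware_at=T0,
    summary="Customer database reachable from the internet for 3 days",
    personal_data_affected=True, risk=Risk.HIGH,
    nis2_in_scope=True, nis2_significant=True,
)

if __name__ == "__main__":
    for inc in (STOLEN_LAPTOP_ENCRYPTED, CUSTOMER_DB_EXPOSED):
        print(register_entry(inc, now=T0 + timedelta(hours=80)))
```

The point of the single `aware_at` field is that both regimes start from the same event, so the runbook's first action on any incident is to fix that timestamp in writing; everything downstream, including whether a late Article 33 filing needs an explanation, is derived from it rather than re-estimated under pressure.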
Cyprus Commissioner enforcement record
The Office of the Commissioner publishes annual reports and individual decisions. Recurring themes since 2018:
- Largest publicised fine: approximately €925,000 against an airline carrier following a 2018 breach affecting customer data — one of the largest GDPR fines issued by the Cyprus Commissioner to date.
- Cookie-banner sweeps: recurring decisions in the €5,000–€20,000 range against websites with deceptive cookie banners (no reject-all, pre-ticked boxes, vague purposes).
- Employee monitoring: CCTV without proportionate justification, audio recording of employee calls without lawful basis, excessive geolocation tracking of company vehicles — fines and enforcement orders.
- Subject-access failures: failure to respond within the one-month window, or providing redacted/incomplete responses.
- Breach-notification failures: notifying outside the 72-hour window without justification; failing to notify affected individuals where the threshold for Article 34 was met.
Founder checklist: from zero to compliant
Practical sequencing for a newly-incorporated Cyprus company doing real operations. Pair this with the broader incorporation flow in our Cyprus company registration guide and the people-side issues in hiring your first employee in Cyprus.
- Map your data. Customer, employee, prospect, supplier, website-visitor. List systems (CRM, billing, HRIS, helpdesk, analytics) and where each system stores data geographically.
- Classify roles per system. Controller, processor or joint. This drives downstream paperwork.
- Identify lawful basis per processing activity. Do not default to consent — it is the weakest basis and the easiest to challenge. Contract or legitimate interests usually fits B2B better.
- Build the ROPA. A spreadsheet is fine to start. Keep it living.
- Publish a privacy notice that covers Articles 13/14. Plain language, layered if needed.
- Sign Article 28 DPAs with every processor. Insist on standard EU DPA terms; refuse vendor-specific drafts that water down sub-processor controls.
- Decide on a DPO (or document why none is required). Either way, write down the assessment.
- Stand up an incident-response runbook. Single on-call rota covering GDPR Article 33 and NIS2 24/72-hour windows.
- Configure transfers. SCCs + TIA on file for every non-adequate destination; DPF certification verified for US counterparties.
- Cookie consent. Reject-all parity, granular categories, consent logged with timestamp and version.
- Train. One short, annual, recorded session for all staff with role-specific add-ons for engineering, sales and HR.
- Re-test annually. Tabletop the breach runbook, refresh the TIA, re-walk the ROPA. If your sectors are NIS2-in-scope, layer the NIS2 measures over the top.
Frequently asked questions
Does GDPR apply to a Cyprus company that only has customers outside the EU?
When is a Data Protection Officer (DPO) mandatory under Article 37?
What is the 72-hour breach notification rule?
Is N.125(I)/2018 separate from GDPR, and what does it add?
Can I still send personal data to a US-based vendor in 2026?
Do I need a separate cookie banner law in Cyprus?
What about NIS2? Is that separate from GDPR?
What are the maximum GDPR fines and has the Cyprus Commissioner issued any?
Who actually needs a Record of Processing Activities (ROPA)?
About the authors
Written by the Zeno team
Zeno is a Cyprus-based digital business services brand. Zeno is not itself a Cyprus Bar-registered law firm: legal work is delivered by independent Cyprus Bar-licensed advocates, and audit by independent ICPAC-licensed auditors. Articles are written and reviewed jointly by Zeno’s in-house team and the independent advocates and tax advisors we coordinate with before publication. We work in English, Greek, German, Spanish, Russian, Polish, Dutch and Arabic.
Disclaimer: This article provides general information on Cyprus law and tax practice as of the update date shown above. It is not legal or tax advice and should not be relied upon for specific transactions. Cyprus tax rules change from time to time; we review and update every article at least every six months. For advice on your situation, please book a free 30-minute call with independent Cyprus Bar-licensed advocates via Zeno.