On 13 July 2020 the Commissioner for Personal Data Protection of the Republic of Cyprus (the Commissioner) announced that, in accordance with provisions 57(1)(a) and 58(1)(b) of the General Data Protection Regulation (EU) 2016/679 (the Regulation), the Commissioner will soon commence investigations into private companies in order to evaluate whether the Regulation is properly applied and whether there is adequate protection of personal data.
According to provision 57(1)(a) of the Regulation, the Commissioner has the duty to monitor and enforce the application of the Regulation, whilst according to provision 58(1)(b) of the Regulation, the Commissioner has the power to perform investigations related to the protection of personal data. The main objective of the investigations is to assess the level of compliance of private companies with the provisions of the Regulation. Other objectives of the investigations are the assessment of the practices used by private companies as well as the recording of the procedures that are followed for compliance purposes.
The investigations form part of the general compliance control framework for specific sectors of the private sector and relate to small and medium-sized companies, which account for a significant percentage of the employment and economic activity of Cyprus. The investigations take the form of both legal and technical control and are carried out through the completion of an electronic questionnaire.
The Commissioner believes that by the end of the investigations and the analysis of their results, the office of the Commissioner for Personal Data Protection will have a clear picture regarding the level of compliance of small and medium-sized companies with the Regulation, which will be announced to the public.
This information is important to all small and medium-sized companies. According to section 58(2) of the Regulation, in the course of the investigations the Commissioner has extensive powers, such as to issue warnings against the companies, impose administrative fines or, in extreme cases, impose a temporary ban on the processing of data. All small and medium-sized companies should ensure compliance with the Regulation and lawful processing of personal data in accordance with the relevant provisions of the Regulation.