Personal data is any information relating to a living natural person. Some illuminating examples are the number of our identity card or passport, date of birth, mailing address, email, etc. In many cases, individuals need to provide their personal data to third parties for many reasons, such as to order a product online, to request a service, to answer a survey, to open a bank account, to watch a film online, to buy a flight ticket, etc. However, has anybody asked whether this information is stored and how it is processed?
Obviously, personal data protection influences, to a great extent, many aspects of professional, social and business life. Moreover, privacy has an impact on the private life of citizens. As a result, personal data protection is an important matter that needs to be addressed by public and private organisations while performing their daily operations.
In Cyprus, ‘The Processing of Personal Data (Protection of the Individual) Law of 2001’ (138 (I) 2001) regulates the collection, processing and use of personal data. This law entered into force in 2001 in order to address privacy issues related to the collection, storage, processing, dissemination and use of personal data. Furthermore, the Law was amended in 2003 so as to harmonise Cyprus legislation with EU Directive 95/46 on the protection of individuals regarding the processing of personal data.
The business operations affected by Law 138(I)2001 are any operations that involve the collection, storage, organisation, preservation, extraction, use, dissemination and destruction of data. Hence, the provisions of this Law apply to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data that form part of a filing system or are intended to form part of a filing system.
Which rights do individuals have concerning their personal data kept by third parties?
- The right to information;
- The right to access;
- The right to rectification;
- The right to object;
- The right to compensation.
Conditions for lawful processing of personal data:
According to the provisions of the Law, the processing of personal data is permitted only if the individual gives his/her consent.
However, it is also permitted without the consent of the individual in the following cases:
- in case it is necessary for compliance with a legal obligation;
- for the performance of a contract the individual is a party to;
- to ensure the vital interests of the individual;
- for purposes of public interest;
- for the legitimate interests pursued by the controller or the third party, under the condition that such interests override the rights, interests and fundamental freedoms of the individual.
It should be pointed out that ‘sensitive data’ denotes any information concerning racial or ethnic background, political orientation, religious or philosophical convictions, participation in a body, association and trade union, health, sex life and erotic orientation as well as data concerning criminal prosecutions or convictions.
According to the Law, sensitive data enjoy a greater level of protection since it is easier for people to experience discrimination based on such data. As a result, the Law provides that the processing of sensitive data is prohibited.
Nevertheless, the processing of sensitive data is permitted under the following conditions:
- if the individual has given his/her explicit consent, unless such consent has been obtained illegally;
- in the case that data processing is necessary for the fulfilment of an obligation in the employment sector;
- for the safeguarding of vital interests;
- within the context of the activities of an organisation or union the individual is a member of;
- for national or public security purposes;
- for statistical, research, scientific and journalistic purposes;
- in case data processing is associated with medical data and is performed by an individual who offers health services by profession and has a duty of confidentiality or is subject to relevant codes of conduct, under the condition that the processing is required for preventive medicine, medical diagnosis and the provision of health-care services.