07 Nov 2019
The Cyprus Commissioner for personal data protection assessed the level of compliance of the public sector with the General Data Protection Regulation (EU) 2016/679 (GDPR) and national legislation (Cyprus Law 125 (I)/2018).
Article 58 of the GDPR provides that the supervisory authorities have the power to carry out investigations in the form of data protection audits. In this context, the Commissioner sent questionnaires to all Public Authorities and Ministries in July 2019, and the deadline for submitting the answers was set for the 13th of September. Although the submission of answers was obligatory, given that the Commissioner’s power derives from the Regulation, only 89 answers were received. Many Ministries and Departments processing personal data on a large scale did not respond to these questionnaires.
According to the statistical data, a great part of the public authorities have fulfilled their legal obligation to appoint a Data Protection Officer (DPO). However, it was observed that the appointed DPOs have not been provided with the necessary resources and time to fulfil their role, and in some cases the personnel were not informed of the DPO’s appointment and the DPO was not educated or trained on data protection.
It is notable that 80% of the public authorities which replied to the questionnaires maintain records of processing activities, complying with their obligation under the GDPR, while about half of them have already created a privacy policy and procedures to reply to data subjects’ requests. Finally, 63% have been trained on data protection issues.
The Commissioner’s general note is that, although some measures have already been taken by the public sector to comply with its GDPR obligations, persistent and intense effort is required in order to safeguard the quality of the management and procedural systems on data protection and respect for data subjects’ rights.
The Commissioner intends to proceed with on-the-spot audits to verify the public sector’s compliance with the GDPR. Based on the audits’ results, it may be decided that corrective measures must be taken and, possibly, fines may be imposed on the authorities which did not adequately comply with their obligations.