Cyprus's data protection authority has shifted from a guidance-focused posture to an active enforcement mode. The Επίτροπος Προστασίας Δεδομένων Προσωπικού Χαρακτήρα (Commissioner for Personal Data Protection. The Cypriot DPA) issued a series of formal decisions in late 2024 and early 2025 imposing administrative fines on both local operators and international companies processing Cypriot residents' data. Businesses that have treated Cyprus as a lower-risk EU jurisdiction should reassess that assumption immediately.
The Cypriot DPA has intensified its enforcement of GDPR compliance obligations, targeting failures in consent mechanism design, unlawful data transfer to third countries, and deficient data processor contracts. Affected organisations – including financial services firms, e-commerce operators, and technology platforms – face administrative fines under data protection legislation, with the most serious infringements attracting penalties in the higher tier. Companies with any processing activity touching Cypriot residents should complete a gap assessment before the end of Q2 2026.
This alert explains what changed, which business categories are directly in scope, and the five immediate actions international companies should take now.
What the DPA has changed and why it matters now
The Cypriot DPA's recent enforcement cycle marks a clear departure from prior practice. Earlier rounds of regulatory activity focused on issuing warnings and requiring corrective action. The current cycle has moved to direct financial penalties and public disclosure of decisions.
Three specific enforcement themes have emerged from the published decisions. First, the DPA found that a significant share of organisations examined lacked a valid legal basis for processing. Reliance on broadly worded consent mechanism language – common in cookie banners and marketing opt-ins – was found insufficient under the requirements of data protection legislation. Consent that is bundled with terms of service, or pre-ticked by default, does not meet the standard demanded.
Second, the DPA scrutinised cross-border data transfer arrangements. Several decisions cited the absence of adequate transfer mechanisms for personal data sent to processors and sub-processors outside the European Economic Area. Standard contractual clauses were in place in a number of cases, but the required transfer impact assessment had not been completed. The DPA treated this gap as a standalone infringement, not merely a procedural oversight.
Third, the regulator examined the contractual relationship between data controller and data processor. Agreements that failed to specify the subject matter, duration, nature, and purpose of processing – as required under data protection legislation – were cited in multiple decisions. Controllers were held responsible for deficiencies in processor contracts even where the processor was based in another EU member state.
The decisions became effective upon notification to the respective organisations. Ongoing non-compliance from the date of notification has, in several cases, been treated as a continuing infringement, attracting additional liability.
Companies with an established presence in Cyprus, as well as those relying on the EU one-stop-shop mechanism with Cyprus as their lead supervisory authority, are directly within scope. For cross-border matters touching multiple EU jurisdictions, see also our analysis of data protection enforcement developments in Portugal, which shares several enforcement patterns with the Cypriot experience.
Which businesses are affected and what thresholds apply
The DPA's current enforcement priorities are not limited to large corporations. The decisions examined to date cover organisations of varying sizes, across multiple sectors. The following categories face the most immediate exposure.
Financial services and fintech operators processing Cypriot customer data – whether for KYC, transaction monitoring, or marketing purposes – are a primary target. The DPA has indicated that financial sector processors are subject to heightened scrutiny given the sensitivity of the data involved.
E-commerce and digital marketing companies that collect behavioural data from Cypriot users face direct exposure under the consent mechanism findings. Any organisation relying on cookie-based tracking without a compliant consent architecture is at risk.
Technology platforms and SaaS providers that process data on behalf of Cypriot business clients sit in scope both as data processors and, where they determine processing purposes, as data controllers. The DPA's examination of processor contracts is particularly relevant for this category.
Employers with Cyprus-based staff are also affected. Processing of employee data – including HR records, monitoring systems, and payroll data shared with third-party providers – falls squarely within the enforcement scope identified in recent decisions.
There is no minimum transaction volume or headcount threshold that removes an organisation from scope. GDPR compliance obligations apply to any data controller or data processor that processes personal data of individuals in Cyprus, regardless of the organisation's size or primary place of establishment.
For companies already advising on or building AI-driven data processing systems, the intersection with Cyprus's emerging AI regulation adds a further layer of compliance complexity. Organisations in that position should also consult our guidance on AI law in Cyprus.
To receive an expert assessment of your organisation's data protection exposure in Cyprus, contact us at info@ferrazwhitmore.com.
Immediate actions required before the compliance deadline
The DPA has not announced a blanket grace period. Organisations identified through complaints or proactive audits will be assessed on the state of their compliance at the time of investigation. The practical compliance deadline for organisations seeking to reduce enforcement risk is the end of Q2 2026. The following five actions should be treated as urgent.
Audit all consent mechanisms. Review every consent collection point – including website cookie banners, marketing opt-in forms, and app permissions – against the requirements of data protection legislation. Consent must be freely given, specific, informed, and unambiguous. Any pre-ticked boxes or bundled consent language must be removed and replaced with granular, affirmative consent flows.
Map and document all data transfers. Identify every transfer of personal data to recipients outside the EEA. Confirm that a valid transfer mechanism is in place for each route – whether standard contractual clauses, adequacy decisions, or binding corporate rules. For each transfer relying on standard contractual clauses, complete a transfer impact assessment and retain it on file.
Review all data processor agreements. As a data controller, you are responsible for ensuring that every processor agreement meets the minimum content requirements under data protection legislation. Agreements that pre-date 2021, or that were signed without legal review, are likely to require amendment. Pay particular attention to sub-processor authorisation clauses and the obligation to assist the controller in responding to data subject rights requests.
Update your records of processing activities. The DPA has used gaps in records of processing activities as evidence of systemic non-compliance. Ensure that your record covers all processing operations, reflects current data flows, and has been reviewed within the past twelve months.
Appoint or confirm your Data Protection Officer status. If your organisation is required to designate a Data Protection Officer under data protection legislation. because it carries out large-scale processing of special categories of data. Alternatively. Engages in systematic monitoring. confirm that the appointment is formally documented, the DPO has been notified to the Cypriot DPA. Additionally, the DPO has access to the resources needed to perform the role.
For a tailored strategy on GDPR compliance and DPA enforcement readiness in Cyprus, reach out to us at info@ferrazwhitmore.com.
About Ferraz & Whitmore
Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients across 46 jurisdictions. Our Data Protection practice supports international companies, technology businesses, and financial institutions in managing GDPR compliance, responding to DPA investigations, and building defensible data governance systems across EU and non-EU markets. Engaging a lawyer in Cyprus with cross-border data protection experience matters when enforcement activity is escalating and timelines are short. As an international law firm in Cyprus and across Europe, we combine Portuguese civil law expertise with English common law tradition to deliver practical, jurisdiction-specific advice. Our team includes practitioners with experience before data protection authorities across multiple EU member states, and we support clients in structuring consent mechanisms, data transfer programmes, and processor contract frameworks that withstand regulatory scrutiny. To discuss your organisation's data protection position in Cyprus, contact us at info@ferrazwhitmore.com.
For a comprehensive overview of our data protection advisory services in Cyprus, visit our Data Protection in Cyprus service page.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.