Data Protection: CCTV


The Commissioner for the protection of personal data in Cyprus (“The Commissioner”) has recently published an announcement dated 28/06/2019 (“the Announcement”) regarding the installation of CCTV in shops, malls, shopping centers and other public and private places.

The Commissioner reiterates that CCTV footage and any other recording of similar nature, constitutes processing of personal data and such processing must be in compliance with the provisions of the General Data Protection Regulation (“the GDPR”) and the Cyprus Data Protection Law.


Regarding the installation of CCTV in public places, the following examples are given in the Announcement on whether the installation of CCTV would be permissible or not:

  • Entrance of buildings;
  • Outside elevators focusing on the elevator only;
  • Over a card/cash machine focusing on such machine only;
  • Parking places.

NOT permissible

    • Corridors;
    • Inside elevators;
    • Waiting areas;
    • W.C.;
    • The interior and exterior areas of cafés/restaurants etc.

Individuals should be properly notified of the existence of CCTV by the placement of an adequate number of noticeable signs/warnings. Individuals should be given at least the following information:

  • That video recording takes place;
  • The person who determines the purposes for which personal data is processed; and
  • The purpose of the video recording.


The installation of CCTV in private places (i.e. houses) does not fall within the ambit of the relevant provisions of the GDPR and Domestic Legislation regarding personal data unless it captures images beyond the boundaries of the private property.

Installation of CCTV in Block(s) of apartment buildings by a tenant/owner should not infringe the rights of other tenants/owners in such buildings. If the CCTV is installed by the Administration Committee of each Building, it should only be installed in communal areas after a decision made by the tenants according to the Building’s Regulations.

In case of failure to comply with the GDPR and the Cyprus Data Protection Law, the Commissioner has the power, among others, to:

  • Issue warnings and reprimands;
  • Impose a temporary or definitive limitation including a ban on processing;
  • Order the rectification or erasure of personal data;
  • Restriction of processing; and/or
  • Administrative fines up to 20.000.000 EUR, or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher