Personal data is the modern ‘currency’ for hackers: Commissioner speaks on cyberattacks, social media

“Personal data has become the currency of the digital age,” Maria Christofidou tells Phileleftheros in her first interview since becoming Personal Data Protection Commissioner, explaining what drives hackers to launch cyberattacks.

Technological advances, she explains, create new challenges. Her office receives complaints from citizens about data breaches on social media and unwanted advertisements or electoral campaign material.

One such complaint has been filed against Fidias Panayiotou by a Paralympic athlete. “A complaint has been lodged and is currently under investigation,” the Commissioner says, referring to the case involving the use of a photograph in a video posted by MEP Fidias Panayiotou as an apology for inaccurate statements about Paralympic athletes with intellectual disabilities. “The basic principle is clear: when we use someone’s image or data, we must respect their dignity and rights,” she stresses, adding that each case is assessed on its own merits.

Christofidou also addresses how citizens can protect themselves, emphasising that it comes down to daily habits and offering practical advice.

“Personal data has become the currency of the digital age and is used as payment for free services,” she remarks, commenting on the recent hacker attack on the Bank of Cyprus Oncology Centre.

“Cyberattacks are malicious, unauthorised attempts to exploit vulnerabilities in information systems, networks and other infrastructure. They’re not limited to healthcare. Their primary aims are damaging organisations’ reputations and extracting financial gain. They represent a broader challenge of the digital era,” she explains.

Patient data receives special protection, she says, as it falls within the special categories under the relevant Regulation. “As a rule, collecting and processing such data is prohibited, though specific exceptions allow this processing. The value of health data is indisputable—it’s timeless, stable and permanent, like medical history,” she notes.

A person behind every complaint

“Behind every complaint there’s a person who felt a boundary was violated,” Ms Christofidou emphasises.

In Cyprus, she notes, “we often receive complaints about unwanted promotional messages sent without consent—a phenomenon that intensifies during election periods. Many cases also involve personal data published on social media without lawful basis.”

Most complaints involve organisations violating citizens’ fundamental rights, such as the right to access or delete their data.

However, Ms Christofidou states, complaints received by the Authority show that social media issues more frequently concern adults than minors.

The age limit debate

“The discussion about age limits is important and reasonable. However, experience shows that meaningful protection doesn’t depend on a number alone. It requires strengthening digital literacy, cultivating critical thinking, and cooperation between family, school and the State. Online protection isn’t about strictness—it’s about information, dialogue and shared responsibility.”

Regarding elections, she says, processing of personal data for political communication increases. “The key challenge is balancing freedom of political expression with citizens’ right to privacy and data protection.”

The Commissioner’s Office reminds parties and candidates in advance of their obligations under the General Data Protection Regulation and has already sent them relevant guidance.

“The most common mistakes are sending mass unwanted promotional messages—SMS, email and so on—without prior consent, using outdated or questionable contact lists, and publishing photographs or personal details of third parties without lawful basis. Democracy requires dialogue, but dialogue must respect privacy boundaries,” she states.

How citizens can protect themselves

Protecting personal data begins with daily habits, Ms Christofidou notes. “Careful use of security settings in apps and on social media, controlling who accesses our information, and understanding terms of use are important steps,” she says.

A simple example, she continues, is regularly reviewing privacy settings, which can significantly reduce the risk of data leaks. “Choosing organisations that operate transparently and have clear data protection policies creates trust. Information gives power, and awareness is the best form of protection,” she stresses.

Paralympic athlete’s complaint against Fidias under evaluation

“A complaint has been lodged and is currently under investigation,” the Commissioner said regarding the complaint filed by an athlete over MEP Fidias Panayiotou’s use of his photograph in a video posted as an apology for inaccurate statements about Paralympic athletes.

“Each complaint is investigated based on its particular circumstances—we evaluate all factual and legal aspects of each case,” she explains, stressing: “The basic principle, however, is clear: when we use someone’s image or data, we must respect their dignity and rights.”

Complaints to the Police

Those who breach data protection laws face consequences.

If a complaint is made and a breach of the relevant Regulation is established, the Commissioner has the power “to impose administrative sanctions, including fines, as provided by the legislative framework,” Ms Christofidou said.

When a matter may constitute a criminal offence, the Authority can refer it to the Police for investigation or conduct a full administrative investigation itself and potentially impose sanctions. “Administrative and criminal procedures are independent and can proceed in parallel,” she notes. Citizens also “have the right to approach the Police directly. What’s important is that the institutional framework provides protection and accountability mechanisms, ensuring each case is examined seriously and with institutional competence,” she stressed.

Intense challenges in Cyprus

Data breaches on social media and cyberattacks

After nearly four and a half months as Commissioner, Ms Christofidou emphasises that personal data protection isn’t static. Rather, it evolves continuously alongside technology, society and citizens’ needs.

The most common challenges in Cyprus are:

  • Frequent, uncontrolled sharing of personal data on social media
  • Rising cyberattacks and data breach incidents
  • Growing misuse of personal data legislation, which some turn into a weapon in personal disputes. “Repeated or abusive complaints are problematic and certainly affect the Authority’s smooth operation,” she says, explaining that some people exploit this legislation to settle personal grievances
  • Raising the age at which children can themselves consent to personal data processing from 14 to 16 years. For minors below this age, consent would be provided by parents or guardians

This concerns a draft law amending Article 8 of the Protection of Natural Persons with Regard to the Processing of Personal Data and the Free Movement of Such Data Law, currently under parliamentary examination.

However, the Commissioner’s Office has expressed concerns and reservations about the proposed amendment, noting that the existing 14-year limit is balanced, aligned with Cyprus’s criminal and educational framework, and compatible with the European average.

The Authority believes the current 14-year limit is appropriate and sufficient within the GDPR framework, and that protecting children online isn’t achieved through blanket bans but through education, responsible guidance, technological age verification and strengthening digital literacy.

Challenges in Europe:

At European level, one of the most significant challenges, she states, is the Commission’s Digital Omnibus Package—a reform aimed at reducing bureaucracy and compliance costs for businesses whilst maintaining high protection levels for citizens and consumers.

These amendments are expected to save resources and boost innovation in artificial intelligence and cybersecurity whilst reducing administrative burden by at least €5 billion by 2029.

GDPR compliance exists

Further data protection legislation coming

The Commissioner expresses satisfaction that “we’re on the right track and there’s a good level of awareness and GDPR compliance amongst the majority of organisations and businesses in Cyprus.”

This particularly applies, she says, to key economic sectors: insurance, banking, health, education, pharmaceuticals, hospitality, transport and general commerce.

“The Authority works continuously to train and educate organisations and businesses and monitor their compliance through sectoral administrative audits,” she states, adding: “Compliance isn’t a destination—it’s an ongoing obligation requiring internal policies, staff training, regular evaluation of data processing practices and constant vigilance.”

Meanwhile, new data protection legislation is in development.

Ideas being discussed within the Digital Omnibus framework include possible clarification of the definition of personal data. Specifically, authorities are examining whether data that controllers cannot use to identify individuals—because they lack practical means to do so—should not be considered personal data. This remains under discussion and requires careful consideration to ensure innovation coexists with citizens’ rights protection.

At national level, she says, data protection legislation evolves constantly “and that’s positive. It shows society is trying to keep pace with the digital age without sacrificing fundamental rights.”