Which topic would you like to know more about?
What is the legal age of adulthood/ majority in your jurisdiction? Are all persons below this age considered a child/ minor?
The Children’s Law provides that a child shall mean a person under the age of 18.
Has the UNCRC been directly incorporated into national law in your jurisdiction?
Yes.
The UNCRC has been adopted in Cyprus with the European Convention on the Exercise of Children’s Rights (Ratifying) Law of 2005.
Is there an ombudsperson/ commissioner for children in your jurisdiction?
Yes.
The Commissioner for Children’s Rights.
If there is an ombudsperson/ commissioner for children in your jurisdiction, do they have any responsibility for upholding children’s rights in the digital world or does the relevant regulator have sole competence?
No.
The mission of the Commissioner for Children’s Rights is to protect and promote the rights of the child. Her role is to represent children and their interest at all levels, to promote public awareness and sensitivity so that children’s rights in the family, at school and in the community are safeguarded, to identify and promote the views of children where they themselves cannot be heard, to monitor legislation relating to children and to submit proposals aimed at harmonisation with the Convention on the Rights of the Child, to carry out public awareness campaigns, to appoint a representative of the child in judicial proceedings affecting him/her, and to represent children in procedures affecting them.
Is there any standalone requirement to collect the consent of one or both parents when processing a child’s personal data (irrespective of any other obligations, e.g. the requirement to have a legal basis for processing)?
Yes.
When the parental care of a minor child under the age of 14 is exercised by both parents jointly, both parents must consent to the processing of the minor's personal data. The parent who opposes, for example, posting photos of the child on the internet and relevant social media can either go to the Family Court by filing a relevant request for the issuance of a decree, which will prohibit the other parent from posting photos of their minor children on social media, or file a complaint to the Commissioner for Personal Data Protection.
When parental care of a minor child under the age of 14 is exercised exclusively by one parent, then that parent must provide consent to any processing of the minor's personal data in order for it to be lawful. If the other parent does not take into account the lack of consent of the parent, who is in charge of parental care of the minor, then the latter may submit a complaint to the Commissioner for Personal Data Protection.
At what age can children legally consent to the processing of their own personal data, such that parental permission/ consent is not required?
Article 8 of the Cyprus Law on GDPR provides that the age of digital consent is 14 years of age.
Are there specific requirements in relation to collection and/or verification of parental consent/ permission concerning the processing of a child’s personal data?
Yes.
There are no national-specific laws in this regard; see more information on the GDPR-level requirements here. While Article 8(2) of the GDPR does not set out an approved method for the collection of parental consent, it does require organisations to “make reasonable efforts” to verify such consent by a holder of parental responsibility over a child taking into account available technology. No such methods are expressly approved by the Cyprus Law for the Protection of Personal Data.
Are there any particular information or transparency requirements concerning the processing of children’s personal data?
Yes.
There are no national-specific laws in this regard; see more information on the GDPR-level requirements here. Article 12(1) of the GDPR applies, which emphasises the particular importance of the requirement for clear and plain language when providing information to children.
Can children directly exercise their rights in relation to their personal data without the involvement of their parents?
Yes.
There are no national-specific laws in this regard; see more information on the GDPR-level requirements here.
Can children make complaints on their own behalf directly to your national data protection/ privacy regulator(s)?
Yes.
Each data subject has the right to lodge a complaint with the Commissioner for Personal Data Protection if he/she considers that the processing of personal data concerning him/her infringes the GDPR.
Are there any particular requirements/ prohibitions related to:
a. processing specific types of children’s personal data;
b. carrying out specific processing activities involving children’s personal data; and/ or
c. using children’s personal data for specific purposes.
Yes.
While there are no national law requirements in this regard, such requirements arise from the Commissioner of the Personal Data Protection and its relevant publications and decisions, which in general follows the relevant EU decisions and guidelines:
a. processing specific types of children’s personal data; Public-by-default processing by a service of personal data enabling children to be contacted/ contactable by third parties should generally not be undertaken. b. carrying out specific processing activities involving children’s personal data; and/ or Both the GDPR and Cyprus Law place particular importance on the protection of children's personal data. Among other things, it is mandatory that, for the use of information society services, including social networking pages by children under the age of 14, the consent of parents or legal guardians is obtained. In this regard, the Commissioner for Personal Data Protection (Commissioner) has previously decided that the use of a child’s photo on a social media platform was impermissible, specifically as the postings were made without the consent of the parent, who also had sole parental responsibility for her minor child. Furthermore, the Commissioner considered that providing information about her area of residence and information about her marital status was fraught with risks and was not in the child's best interests, so such postings were considered to be unfair and excessive processing of personal data. c. using children’s personal data for specific purposes. Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. Additionally, see more information on the EU-level requirements here.
Has there been any enforcement action by your national data protection/ privacy regulator(s) concerning the processing of children’s personal data? In your answer, please include information on the volume, nature and severity of sanctions.
Yes.
There has been a decision by the Commissioner for Personal Data Protection (Commissioner) concerning a mother's complaint about posting of minor's personal data of her child on social media (€1000 fine): The Commissioner decided that the use of a child’s photo on a social media platform was impermissible, specifically as the postings were made without the consent of the parent, who also had sole parental responsibility for her minor child. Furthermore, the Commissioner considered that providing information about her area of residence and information about her marital status was fraught with risks and was not in the child's best interests, so such postings were considered to be unfair and excessive processing of personal data.
Are there specific rules concerning electronic direct marketing to children?
No.
However, while these requirements are not specifically directed at communications made to children, electronic direct marketing communication is only permitted where the recipient has previously consented to it (i.e. has ‘opted in’). Consent should be affirmative, informed, freely given and unambiguous. Additionally, it should be communicated by the recipient of advertising himself and not by a third party. The recipient retains the right to withdraw his consent at any point.
Accordingly, the Commissioner for the Protection of Personal Data has pointed out that the implication of this requirement is that a direct marketing communication by means of SMS or email, where the SMS or email itself requests the recipient’s consent, is unlawful.
Are there specific rules concerning the use of adtech tracking technologies, profiling and/or online targeted advertising to children?
Yes.
Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child.
A data protection impact assessment (DPIA) must be carried out when the data processing concerns vulnerable data subjects. This is due to the increasingly unequal power relationship between data subjects and the controller, in the sense that natural persons may not be able to easily consent or object to the processing of their data or to exercise their rights. Vulnerable data subjects may include children (who may be considered incapable of objecting or knowingly consenting to the processing of their data), and in any case ascertained unequal relationships between the position of the data subject and the controller.
Please see further information here.
Are there specific rules concerning online contextual advertising to children?
Yes.
Cyprus Advertising Control Agency (FED) has published a specific Code of Communication Ethics in which it states that:
The way children perceive and react to advertisements is influenced by their age and experience, as well as the context in which the message appears. Ads that are acceptable to young teenagers will not necessarily be acceptable to younger children. Products unsuitable for children should not be advertised in media aimed at them, and advertisements aimed at children should not appear in media where the general subject matter is inappropriate for them. Material unsuitable for children must be clearly identified as such. Advertisements should not take advantage of children's lack of experience or natural gullibility. Advertisements must not contain expressions, elements or visual representations, which could harm children intellectually, morally or physically. When children's personal data is collected, especially through electronic means, children should be encouraged to obtain parental or other competent adult permission before providing information, and reasonable steps should be taken to verify that this permission has been given. Only the personal data necessary for the child's participation in the displayed activity should be requested. Personal data provided by children must not be used to design advertising communications aimed at parents or other relatives without prior parental permission.
Additionally, see information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning advertising to children? In your answer, please include information on the volume, nature and severity of sanctions.
No.
N/A
At what age does a person acquire contractual capacity to enter into an agreement to use digital services?
The Cyprus Contract Law provides that 18 is the age that a person is capable of entering into a contract.
Do consumer protection rules apply to children?
Yes.
The Cyprus Law on Consumer Protection provides that a consumer means any natural person who, in relation to contracts covered by this Law, is acting for purposes which are outside that person's trade, business, craft, or profession. It further provides that consumer protection is applied to the ‘average consumer’ which means the consumer who has the usual information and is reasonably cautious and informed, taking into account social, cultural and linguistic factors, as well as consumer characteristics, which make them particularly vulnerable to unfair commercial practices.
Additionally, see information on the EU-level requirements here.
Are there any consumer protection rules which are specific to children only?
No.
There are no national-specific laws in this regard. The Cyprus Law on Consumer Protection provides protection for consumers in general but does not contain any provisions which are specific to children. However, it provides that consumer protection is applied to the ‘average consumer’ which means the consumer who has the usual information and is reasonably cautious and informed, taking into account social, cultural and linguistic factors, as well as consumer characteristics, which make them particularly vulnerable to unfair commercial practices.
Additionally, see information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning consumer protection requirements and children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
No.
N/A
Are there any age-related restrictions on when children can legally access online/ digital services?
Yes.
Online digital services are directed to consumers who have the capacity to enter into contracts, therefore that will be the age of 18 years old.
Requirements also arise from general restrictions on accessing certain goods and services:
- gambling
- alcohol, cigarettes, vaping; and
- pornography.
To the extent that such goods and services are accessed online by children, these restrictions will generally also apply.
Are there specific age verification/ age assurance requirements concerning access to online/ digital services?
Yes.
The Radios and Television Organisations Law provides that audiovisual media service providers have an obligation to take appropriate measures to ensure that their audiovisual media services which may harm the physical, mental or moral development of minors are made available only in such a way as to ensure that, under normal circumstances, minors neither hear nor see them.
The measures provided for in the relevant subsection may include the selection of the broadcast time, age verification means or other technical measures. These measures should be proportionate to the potential harm that the programme may cause. The most harmful content, such as gratuitous violence and pornography, is subject to the strictest measures.
The personal data of minors collected or otherwise produced by audiovisual media service providers shall not be processed for commercial purposes, such as direct marketing, “profile” analysis and behaviorally targeted advertising.
Audiovisual media service providers have an obligation to ensure that they provide viewers with adequate information about content that may harm the physical, mental or moral development of minors and, for this purpose, audiovisual media service providers must use a system that describes the potentially harmful nature of the content of the audiovisual media service. For the implementation of this subsection, the Radio- Television Authority encourages the use of the codes of conduct of the European Union.
For programmes which are transmitted in unencoded form, audiovisual media service providers have the obligation to ensure that they are preceded by an audible warning or are identified by the presence of a visual symbol throughout their duration.
In order to comply with this obligation, providers of on-demand audiovisual media services must provide (and inform the Radio-Television Authority to this end), in addition to signage and additional technical means, an easy-to-use content and code filtering system, which will be provided to parents and/or guardians of minors when they subscribe to a provider, so that they can ensure that minors are prevented from accessing services that could harm their physical, mental or moral development.
Additionally, see more information on the EU-level requirements here.
Are there requirements to implement parental controls and/or facilitate parental involvement in children’s use of digital services?
Yes.
Further to the Radios and Television Organisations Law, audiovisual media service providers must take appropriate measures to protect minors from programmes, user-generated videos and audiovisual commercial communications which may impair their physical, mental or moral development. Please see further information here.
Additionally, see more information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning online/ digital safety? In your answer, please include information on the volume, nature and severity of sanctions.
No.
N/A
Are there any existing requirements relating to children and AI in your jurisdiction?
Yes.
There are no national-specific laws in this regard; the AI Act (Regulation 2024/1689) applies in this context. See EU-level response here.
Are there any upcoming requirements relating to children and AI in your jurisdiction?
Yes.
There are no national-specific requirements in this regard; see EU-level response here. Any such EU-level updates will also be applicable in Cyprus.
Are there any other existing or upcoming requirements relevant to children’s use of digital services?
Yes
There are no national-specific requirements in this regard; however, see information on the upcoming EU-level requirements here.
Has there been any other regulatory enforcement activity to date relevant to children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
No.
N/A
Contributors
Chloe Xenopoulou
