Sunday, February 15, 2026

PERSONAL DATA IS THE MODERN 'CURRENCY' FOR HACKERS - WHAT THE COMMISSIONER SAYS ABOUT SOCIAL MEDIA, THE COMPLAINT ABOUT PHIDIAS, CYBERATTACKS

Filenews 15 February 2026 - by Despina Psyllou



"Personal data is the modern 'currency' of the digital age," Maria Christofidou points out to "F" in her first interview from the position of Commissioner for Personal Data Protection, unfolding the hackers' motives behind the cyberattacks.

Technological developments, as she clarifies, create new challenges, with her Office receiving complaints from citizens about data leaks on social media and about receiving advertisements or even election materials.

One of these complaints is the one against Phidias Panagiotou on behalf of a para-athlete. "A relevant complaint has been submitted, which is at the stage of evaluation and investigation," the Commissioner points out about the complaint submitted for the use of a photo in a video of Phidias Panagiotou, during his apology for his erroneous references to para-athletes with intellectual disabilities. "The basic principle is clear: When we use a person's image or data, we must respect their dignity and rights," she underlines and clarifies that each case is judged on the basis of its facts.

Ms. Christofidou also explains how citizens can be protected, underlining that protection starts with the daily attitude of each of us, and gives relevant advice.

"Personal data is the modern 'currency' of the digital age, and is used as a means of exchange for the use of free services," says the Commissioner in response to the recent attack by hackers on the Oncology Department of the Bank of Cyprus.

"Cyberattacks are malicious, unauthorized attempts to exploit vulnerabilities in information systems and networks or other infrastructure. They are not limited to the health sector. They are mainly aimed at damaging the reputation of organisations and obtaining financial gain. They are a broader challenge of the digital age," underlines the Commissioner.

Especially for patient data, she said, increased protection is provided as they are included in the special data categories of the relevant Regulation. "As a general rule, the collection and processing of such data is prohibited, but there are specific exceptions that allow such processing. The value of health data is indisputable as these data are timeless, stable and permanent, e.g. medical history", she points out.

"Behind every complaint there is a person who felt that a boundary was violated," underlines Ms. Christofidou.

In Cyprus, she notes, "we often receive complaints about unsolicited promotional messages without consent, a phenomenon that is particularly intensified in pre-election periods. Also, several cases are related to publications of personal data on social media without a legal basis."

Most complaints concern the violation of basic citizens' rights by controllers, such as the right to access or delete their data.

However, Ms. Christofidou states, based on the data resulting from the complaints received by the Authority, most issues related to the use of social media concern adults rather than minors.

"The debate on the age limit is important and reasonable. However, experience shows that essential protection does not depend solely on one number. It is linked to the strengthening of digital education, to the cultivation of critical thinking and to the cooperation of everyone — family, school and State. Online protection is not a matter of rigour, but a matter of information, dialogue and shared responsibility."

Regarding election periods, she said that the processing of personal data for political communication purposes is increasing. "The main challenge is to balance freedom of political expression with citizens' right to privacy and the protection of their personal data."

The Commissioner's Office reminds parties and candidates in a timely manner of their obligations under the General Data Protection Regulation and has already forwarded them a relevant Directive.

"The most common mistakes observed are the sending of mass unsolicited promotional messages (sms, email, etc.) without prior consent, the use of old or dubious contact lists and the publication of photos or data of third parties without a legal basis for processing. Democracy requires dialogue. But dialogue must respect the boundaries of privacy," she says.

What citizens should watch out for

The protection of personal data starts from the daily attitude of each of us, says Ms. Christofidou. "Careful use of security settings in apps and social media, controlling who has access to our information, and a basic understanding of the terms of use are important steps," she says.

A simple example, the Commissioner continued, is the regular review of privacy settings, which can significantly reduce the risks of personal data leakage. "The selection of organizations that operate transparently and have a clear data protection policy creates a framework of trust. Information gives strength, and a conscious attitude is the best form of protection," she emphasizes.

Para-athlete's complaint against Phidias is being evaluated

"A relevant complaint has been submitted, which is at the stage of evaluation and investigation," said the Commissioner in relation to the complaint filed by an athlete for the use of his photo by MEP Phidias Panagiotou in a video he posted as an apology for incorrect reports about para-athletes.

"The investigation of each complaint is done on a case by case basis, where all the factual and legal facts of each case are evaluated," says the Commissioner and underlines that: "The basic principle, however, is clear: When we use a person's image or data, we must respect their dignity and rights."

Complaints to the Police

Offenders and those who violate personal data can find themselves in trouble.

If a complaint is made and a violation of the relevant Regulation is found, then the Commissioner has the power "to impose administrative sanctions, including administrative fines, as provided by the legislative framework", said Ms. Christofidou.

In cases where the case may constitute a criminal offense, then the Authority has the discretion to forward it to the Police for investigation or to proceed itself to a full administrative investigation and the possible imposition of an administrative sanction. "Administrative and criminal proceedings are independent and can evolve in parallel," notes the Commissioner. At the same time, "the citizen himself has the right to address the Police directly. The important thing is that the institutional framework provides protection and accountability mechanisms, so that every case is examined with seriousness and institutional adequacy," she underlined.

Intense challenges in Cyprus.  Social media data leaks and cyberattacks

After almost 4.5 months in the role of Commissioner, Ms. Christofidou emphasizes with certainty that the protection of personal data is not a static concept. On the contrary, it is constantly evolving along with technology, society and the needs of citizens.

The most common challenges in our country concern:

  • The frequent and uncontrolled sharing of personal data on social media.
  • The increase in cyberattacks and data leakage incidents.
  • The growing trend of instrumentalization of personal data legislation, which some are turning into a tool of confrontation. "Repeated or abusive complaints are a problematic area and certainly affect the proper functioning of the Authority," says the Commissioner, clarifying that some people use this legislation to resolve their personal disputes.
  • The increase of the age limit from 14 to 16 years old, so that children themselves can consent in relation to the processing of personal data. For minors under this age limit, consent will be provided by the parents/guardians.

This is a proposal for a law that amends Article 8 of the Protection of Natural Persons with regard to the Processing of Personal Data and the Free Movement of Data Law, which is being examined in Parliament.

However, the Commissioner's Office expressed some concerns in principle and expressed reservations as to the feasibility of the proposed amendment, underlining that the current age limit of 14 years is balanced, aligned with the penal and educational framework of the Republic of Cyprus and compatible with the European average.

The Authority's position is that the current limit of 14 years is appropriate and sufficient within the framework provided by the General Data Protection Regulation (GDPR) and that the protection of children online is not achieved through horizontal prohibitions, but through education, responsible guidance, technological means of age verification and strengthening digital literacy.

Challenges in Europe:

At the European level, one of the most important challenges, says the Commissioner, is the Commission's Digital OMNIBUS Package of Proposals, a reform that aims to reduce red tape and compliance costs for businesses while maintaining a high level of protection for citizens and consumers.

These amendments are expected to save resources and enhance innovation in Artificial Intelligence and cybersecurity data areas by reducing the administrative burden by at least €5 billion by 2029.

There is GDPR compliance.  Other data protection laws are coming

The Commissioner expresses satisfaction with the fact that "we are on the right track and that there is a good level of awareness and compliance of the majority of organizations and businesses in Cyprus regarding the General Data Protection Regulation (GDPR)".

This is especially so, she said, with regard to the main sectors of economic activity, such as insurance, banking, the health sector, the education sector, the pharmaceutical sector, the hotel sector, the transport sector and even the general trade sector.

"Efforts are being made by the Authority for continuous training and education of organizations as well as businesses and continuous monitoring of their compliance through sectoral administrative controls," she states and adds: "Compliance is not a destination we reach, but a continuous obligation that requires internal policies, staff training, regular evaluation of data processing practices and constant vigilance."

In the meantime, says the Commissioner, there is legislation in the works in relation to personal data.

Among the ideas that have been put forward in the context of the discussions on the so-called Digital Omnibus is the possible clarification of the definition of personal data. In particular, the approach is being considered whereby data that cannot lead to identification by the controller himself, because he does not have 'reasonable means' to identify the individual, may not be considered personal. This is, however, a direction that is still under discussion and requires careful consideration so that innovation can coexist with the protection of citizens' rights.

At the national level, she said, legislation in the field of data protection is constantly evolving "and this is positive. It shows that society is trying to keep up with the speed of the digital age, without sacrificing fundamental rights."