Cyprus Regulation of Electronic Commercial Communications

Electronic commerce relates to Information Technology area and the laws applicable to IT issues also cover e-commerce. Cyprus has passed new laws concerning IT issues to be in conformity with European standards. Before 2004, this law area was weakly regulated here and implementation of EU Directives brought the Republic to the European level and expanded the applicable legal framework.

These days, businesses consider the Web to be one of the most effective tools for promotional purposes of their goods and services. Difficult to imagine a well-organized and professionally managed company without having a firm web page where potential customers and clients can inspect company’s profile, range of goods and services provided, and to conclude a contract for delivery or supply of these goods or services on-line. It is an internationally adopted practice that on-line agreements are regulated by general contract law principles with several exceptions like contracts for property purchase which need to be done in writing and, therefore, can not be concluded on-line.

For commercial and marketing purposes large companies use “commercial communications” to attract the clients, which is “any form of communication designed to promote, directly or indirectly, the goods, services or image of a company, organisation or person pursuing a commercial, industrial or craft activity or exercising a regulated profession…..the following do not in themselves constitute commercial communications: information allowing direct access to the activity of the company, organisation or person, in particular a domain name or an electronic-mail address; communications relating to the goods, services or image of the company, organisation or person compiled in an independent manner, particularly when this is without financial consideration.”

According to Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market ('Directive on electronic commerce') and Electronic Commerce and Associated Matters Law 156(I)/2004, the above definition relates to services provided at a distance and by electronic means. In simpler words, companies use on-line promotions which can be activated only by individuals who wish to participate. This kind of promotion is proved to be cost effective, innovative, technologically oriented, and regulated by law.
Companies incorporated under the laws of one of the EU member states can be sure that IT legislation of another member state is not much different from the one their country has because all member states have to comply with EU law. On the other hand, EU law gives discretion to member states to impose their own specific legal requirements in relation to IT matters, which should not violate EU law though. So, when a company is planning to perform a promo-action of its goods and services through the Internet worldwide it should be aware of this “legal gap” and should also consult local lawyers on domestic position regarding IT law in order not to become liable for breach of domestic law.

In relation to electronic commerce area, Cyprus law has come in conformity with EU standards by passing the following legislation:

Electronic Commerce and Associated Matters Law 156(I)/2004, amended by Law No. 97(I)/2007;
Law on Processing of Personal Data (Protection of Person) 138(I)/2001, amended by Law No. 37(I)/2003;
Law on conclusion of Distance Contracts 14(I)/2000, amended by Laws No. 237(I)/2004, No. 93(I)/2007, No. 16(I)/2008;
Legal Framework for Electronic Signatures and Associated Matters Law 188(I)/2004;
Regulation of Electronic Communications and Postal Services Law 112(I)/2004, last amended by Law No. 46(I)/2008.

From the provisions of Law 156(I)/2004 it is clear that commercial communications must comply with the following conditions:
(a) the commercial communication shall be clearly identifiable as such;
(b) the natural or legal person on whose behalf the commercial communication is made shall be clearly identifiable;
(c) promotional offers, such as discounts, premiums and gifts, where permitted in the Member State where the service provider is established, shall be clearly identifiable as such, and the conditions which are to be met to qualify for them shall be easily accessible and be presented clearly and unambiguously;
(d) promotional competitions or games, where permitted in the Member State where the service provider is established, shall be clearly identifiable as such, and the conditions for participation shall be easily accessible and be presented clearly and unambiguously

Also, promoters should bear in mind that performance of their on-line promotions can entail other legal issues apart from the above requirements. For instance, usually to identify the participants promoters require personal information to be provided. If so happens, promoters become “controllers” of the personal data received, according to the meaning of Law 138(I)/2001 “‘controller’ shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data” and laws protecting personal data will apply then.

EU Directives on protection of personal data were based on principles of transparency, legitimate purpose and proportionality and the same principles were preserved by Cyprus legislation. So, if the promoter for the purposes of activation of its commercial communication gathers personal data of participants, like name, birth date, marital status, ID numbers, place of origin, he must fulfill the following requirements as to the treatment of this information. According to the amendment Law No. 37(I)/2003, personal data can be processed for the purposes of direct marketing only with the consent of participant and controller must notify participant of his right to object to the processing of his data for such purposes.

Furthermore, personal data received from the participants by electronic means should be processed fairly and lawfully, collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes, must be adequate, relevant and not excessive in relation to the purposes for which it’s collected and/or further processed, it must be accurate and, where necessary, kept up to date, and it must be kept in a form which permits identification of data subjects (participants) for no longer than is necessary for the purposes for which the data were collected or processed.

The controller must provide the participant at least with the following information: the identity of the controller/his representative, the purposes of processing for which the data are intended, any relevant information like the recipients or categories of recipients of the data, whether replies to the questions are obligatory or voluntary, the existence of the right of access to and the right to rectify the data concerning him.

There are special categories of personal data which can not be processed by the promoter unless the participant gave his explicit consent to the processing of such data which includes information revealing racial or ethnic origin, political opinions, religious beliefs, trade-union membership, health, and sex life; in other words the promoter can not enquire this information during his promo-action from the participants unless they give their explicit consent.

In case, the controller conducts an unlawful processing of personal data or commits any breach of the above mentioned laws he will be liable for damages suffered by participants whose data was processed.
According to the law, the promoter, as a data controller in this case, must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and against all other unlawful forms of processing.

However, if a data controller does not have ability or due to any other reason can not process data collected for his specific purposes, he should cooperate a “data processor” which will provide sufficient guarantees in respect of the technical security and organizational measures governing the processing to be carried out on his behalf. There must be a legally binding contract for supply of services concluded between the controller and processor (so the processor can not be one of the controller’s employees) according to which the processor will act only upon the controller’s instructions and should have the minimum security measures required by the controller due to the above mentioned legal obligations.

The controller is obliged, prior to carrying out any automatic processing operation, to notify (not to ask for approval from) the Commissioner unless exemptions apply which, in respect of processing, are necessary for the fulfilment of an obligation imposed by law or by contract under an employment or contractual relationship and the data subject (participant) has been notified in advance; relate to customers or suppliers (except in the case of insurance and pharmaceutical companies, companies that sell information, banks and other financial institutions), provided that the data are not disclosed or transmitted to a third party; confidentially carried out by lawyers, doctors or health service providers, provided data are not transmitted to third parties (except where necessary in accordance with the client’s instructions in the case of lawyers); or carried out by any organisation (charity, society, company or political party) in relation to its members, provided that the members have consented to the processing and the data are not transmitted to a third party. As well as there is an obligation of the controller to obtain permission or approval of the Commissioner and consent of the participant if it needs the data to be transferred to a country outside the EU, or two or more filing systems records which contain sensitive data or from which data may be retrieved using common criteria are to be interconnected.

Lastly, Law 112(I)/2004 and Law 156(I)/2004 distinguish commercial communications and unsolicited commercial communications (usually it is also called “Spam” but not all unsolicited commercial communications are spam).

The former is placed on the Web and can be activated only by the person wishing to take participation if he can fulfil and agree with terms and conditions stated in the commercial offer or promotion and the latter involves communications being sent to persons by electronic mail with or without their prior express consent. Unsolicited commercial communications involve two different policies called “opt-in” and “opt-out” which apply to different cases. If none of these policies’ requirements fulfilled the communication will be considered as spam and will be illegal. More precisely, an opt-in policy, also called permission marketing, means that the recipient should himself subscribe for the delivery of particular information which he wants to receive from the sender by ticking the box saying, for example, “Yes, I want to receive this information by e-mail”. According to Law 112(I)/2004, an opt-in policy applies when communication for direct marketing purposes is sent to the potential clients or to those who gave their prior consent.

While an opt-out policy means that the communication is sent to the recipient without his prior consent but it should provide him with an option to object further delivery of such e-mails. This policy should be preserved in cases with already existing clients, in other words with someone who previously dealt with the sender and had provided his e-mail address but the communication was sent without his express consent. In this case, the sender can deliver his commercial communications by e-mail only in relation to promotion of products or services similar to those which the client had been supplied with previously provided that at the moment of collection of client’s electronic contact details the latter was clearly and distinctly given an opportunity to object, free of charge and in an easy manner, to such use of his e-mail. Besides, the sender must also provide the client with an opportunity to object to such use of his e-mail with every e-mail he sends to the client, in other words every new electronic communication must contain sort of a tick box asking whether the recipient wants to be receiving this kind of information in future. In cases other than these two situations EU Directive 2002/58/EC gave discretion for the member states to choose when an unsolicited communication for direct marketing purposes should be considered illegal and Cyprus law says that unsolicited communications, other than with prior consent of a potential client or opportunity of existing clients to object, will be considered illegal when there was no prior consent, so Cyprus adopted an opt-in approach.

Also, according to Law 156(I)/2004, as amended, and Law 112(I)/2004, as amended, these communications must be identifiable clearly and unambiguously as such as soon as they are received by the recipients and, in case with communications for direct marketing purposes, they must show identity of the sender and his valid address to which the recipient may send request that such communication cease.

To outline, for legalization of spam, service providers which undertake unsolicited commercial communications should provide all recipients with opt-out register, so if they do not want to receive communication from some service providers they can register themselves for this.

It is up to the promoter to choose the way he wants to deliver his commercial offer to people, either by way of commercial communication or unsolicited commercial communication but he must not forget that both ways entail legal requirements for him to follow otherwise he can be charged for sending Spam.

ABOUT THE AUTHOR: By Oxana Meshkova
Born in Omsk, Russia, in 1983. Education: Cardiff University (LL.B. Hons.) 2004, need 2 more years to complete her Russian law course in the Institute of International Law and Economics in Moscow, named after Griboedov.

Languages: native Russian, English.

Copyright Georgiades & Associates LLC
More information about

Disclaimer: While every effort has been made to ensure the accuracy of this publication, it is not intended to provide legal advice as individual situations will differ and should be discussed with an expert and/or lawyer. For specific technical or legal advice on the information provided and related topics, please contact the author.

Find a Lawyer

Find a Local Lawyer