Cyprus: Guidelines standardise data retention period for credit institutions

The Office of the Commissioner for Personal Data Protection (‘the Commissioner’) published, on 8 August 2017, guidelines No. 1/2017 for licensed credit institutions operating in Cyprus on the retention period applicable to personal data of customers, affiliates and guarantors (‘the Guidelines’). The Guidelines, which were issued following consultations with the Association of Cyprus Banks, aim to standardise data retention practices by establishing a maximum period of ten years and introducing particular access controls.

The Guidelines concern the retention of personal data of former customers, including affiliates and guarantors, after the termination of their contractual relationship and/or closure of their account. According to the Guidelines, personal data may be retained as readily accessible for a maximum of eight years on a need-to-know basis and then archived in such a way that it is kept separate from other data. Access to the same after archiving is to be strictly limited. Any specially authorised access and/or other access to the electronic or printed file taking place during the ninth and tenth year should be recorded in a special log maintained by each institution.

Furthermore, the Guidelines outline that a different regime applies to the data of prospective customers. In such cases the retention period is limited to six months and starts from the date when the prospective customer withdraws their application or is notified of the rejection. Finally, according to the Guidelines, the retention period of customer, affiliates and guarantors’ data is not limited to ten years from the date of contractual termination where court proceedings or investigations are pending; instead, the period starts running from the date of their termination.

This article and any associated images were originally published here: https://www.dataguidance.com/cyprus-guidelines-standardise-data-retention-period-credit-institutions/