
Cyprus Data Protection Commissioner Issues Guidance on Use of Personal Mobile Phones at Work


A few months ago, the Cyprus Data Protection Commissioner issued Guidance on the use of personal mobile phones for work-related purposes, addressing the increasingly common practice known as Bring Your Own Device (BYOD).


The Guidance applies to both the public and private sectors and provides important clarifications on employers’ obligations under the General Data Protection Regulation (GDPR).

 

Key Takeaways

No obligation to use personal devices

Employees cannot be required to use their personal mobile phones for work purposes. Any such use must be voluntary and must not result in adverse consequences if an employee refuses.

Permitted use only under strict conditions

Use of a personal device may be acceptable where:

  1. the employee freely chooses to use it,
  2. it facilitates the performance of their duties, and
  3. it does not involve processing of the employee’s personal data by or on behalf of the employer.


Employer duty to provide alternatives

Where an employee declines to use their personal device, employers must offer suitable alternatives, which may include:

  1. a work-issued device,
  2. reimbursement of relevant costs, or
  3. financial support for the purchase of a device.

 

Personal Data Processing and GDPR Compliance

Where the use of a personal mobile phone does involve processing personal data (e.g. time-tracking or leave-management applications), employers must ensure full compliance with the GDPR, including that:

  1. processing complies with the principles of lawfulness, necessity, and proportionality,
  2. a valid legal basis under Article 6 GDPR is relied upon (employee consent is not appropriate due to the imbalance of power),
  3. employees are informed in advance in a transparent manner,
  4. less intrusive alternatives are offered where feasible, and
  5. employees choosing alternatives are not subject to discrimination.


Where applicable, employers must also conduct a Data Protection Impact Assessment (DPIA) and engage in prior consultation with the Commissioner.

 

Requirement for a BYOD Policy

Where the use of personal devices is systematic, employers are required to adopt and communicate a formal BYOD policy. This policy should address practical scenarios, including cases where the employee leaves the device at home, the device malfunctions, and the employee no longer wishes to use their personal device for work.

 

Practical Impact

The Guidance reinforces that BYOD practices must support, not burden, employees, and that respect for privacy and freedom of choice is essential. Employers should review existing workplace practices, policies, and technical solutions to ensure alignment with the Guidance and the GDPR.

 

Article provided by INPLP member: Yiannis Karamanolis (Karamanolis & Karamanolis LLC, Cyprus)

 

 
