Applicable Law

The law governing intellectual property rights in relation to works and acts eligible to copyright protection in the Republic of Cyprus is the Copyright and Related Rights Acts Law of 1976 (59/1976) (the “Copyright Law” or the “Law”). According to article 3(1)(a)(ii) of the Copyright Law, literary works are eligible to copyright protection afforded by the Law. The term “literary work” as defined in article 2 of the Law and in accordance with Berne Convention for the Protection of Literary and Artistic Works of 1971 (as has been revised in 1979) (the “Berne Convention”) and the Directive 2009/24/EC on the legal protection of computer programs (the “Software Directive”), includes computer programs.

Eligibility for protection

Pursuant to article 3(2) of the Law, for a work to be eligible for protection, it must be in substantive form and consist of original work. More specifically, in relation to the protection of computer programs, the relevant protection extents to the preparatory design material leading to the development of a computer program, comprising any flow charts, graphs and functional or technical specifications which, for reasons of clarity, does not include the description of the functionality of the computer program or any other information that can be deduced from observing the user interface of the program and its look (the “Preparatory Work”) while, according to article 7B(2) of the Law the ideas and principles that have been used as the basis for the creation of the computer program, are not eligible for copyright protection. The protection afforded by the Law is limited to the manner in which an idea is expressed, provided that the idea can be expressed in more than one ways and that the expression of the idea is “original in the sense that it is the author’s own intellectual creation”. The literary work is found to be original, if the author shows sufficient labour, skill, judgement and his/her own creative choices.

Considering the above, a computer program may be eligible for protection under the Copyright Law as the expression of an idea that is produced in writing (including the storage in a computer), provided that the computer program is not a product emanating from a copyright law infringement and more specifically provided that there is no other computer program expressing in the same way the same idea; the expression of the idea is original in the sense that it is the product of the author’s own skill and labour; the new computer program is not a product of copying of an existing computer program, either wholly or partially or of translation into a different programming language, adaptation, alteration or rearrangement.

Computer Program and User Interface

When examining the copyrightability of a computer program, it is important to analyze the elements that compose it in conjunction with the idea-expression dichotomy. The term “computer program” is not specifically defined in the Directive, however, in the Proposal for a Council Directive on the legal protection of computer programs COM(88) 816, “computer program” was described as the “set of instructions the purpose of which cause an information processing device, a computer, to perform its functions”. The code of the computer program is a protectable element of that program, since it consists of the instructions for the performance of the program’s functions and it constitutes the expression of an idea. Based on the above definition, the protectable elements of a computer program should not extend to the functionality of such program and its “look and feel”, which constitute elements that can be recreated in another program, even if the programmer did not copy another program’s code line by line or even had access to it, such as the computer program’s structure, graphic user interface (“GUI”) -which is the computer environment that allows a user to interact with the computer through visual elements-, sequence and organisation.

The above has been established through UK case law, in Nova Productions Ltd v Mazooma Games Ltd & Ors [2007] EWCA Civ 219, a Court of Appeal decision and in Navitaire Inc v Easyjet Airline Co Bulletproof Technologies Inc. [2004] EWHC 1725, a High Court decision, where it has been found that if a computer program emulates the functionality of an existing program, without copying its code, then this does not amount to copying protectable expression of computer program. In addition, based on the opinion of the Advocate General of the Court of Justice of the European Union (“CJEU”) delivered on 14 October 2010 for the case Bezpečnostní softwarová asociace Svaz softwarové ochrany v Ministerstvo kultury Case C-393/09, the protection afforded by the Software Directive covers the literary elements of a computer program, the source code and the object code, which form the basis of such program; however, the interface that enables communication between the program and the user could not be regarded as “an expression in any form of computer program” within the meaning of article 1(2) of the Directive and therefore cannot benefit from the copyright law protection on computer programs. More specifically the Advocate General found that the expression of a computer program, in whatever form, must be protected “from the moment when its reproduction would engender the reproduction of the computer program itself, thus enabling the computer to perform its tasks”, concluding that the GUI alone cannot give that result. The CJEU agreed with this reasoning in its ruling for the same case, where it was found that a GUI “merely constitutes one element of that program by means of which users make use of the features of that program”. These findings were subsequently invoked in the CJEU preliminary ruling for the case SAS Institute Inc. v World Programming Ltd Case C-406/10.

Considering the above, the courts are not inclined to extend the copyright protection for computer programs to the functional effects of a program and more specifically to the business logic or the look and feel of the program. It could be therefore concluded that another computer program can be developed independently based on similar principles to an existing program and be afforded copyright protection, on the condition that the authors of such computer program express these ideas and principles in their own way by using their own skill, judgement, choices and decisions

Nowadays, more frequently than ever, the concept of “involuntary medical intervention” is discussed in both the medical and the political world globally. The Covid-19 pandemic, as characterized as such from the World Health Organization, raises issues, fears and questions to the general public that they will be subjected to medical interventions, such as vaccinations, without their will and consent.


Since every government follows a different policy, through this Article we will focus on the relevant legislative framework in Cyprus. The “Law for the Establishment and Protection of Patient’s Rights (1(I)/2005)” (hereinafter “the Law”) was enacted in 2005 and has not been amended since. In the Preamble of the Law, it is stated that it is extensively based on International Conventions in which Cyprus is a party, on the Declaration on the Promotion of Patient’s Rights in Europe (March 1994), on the European Charter of Patients’ Rights (November 2002) and the Charter of Fundamental Rights of the European Union (December 2000). Article 3 of the Law, explains as well that the provisions of the Law are supplementary to the provisions of the previously stated legal instruments.

Article 2 of the Law, defines “patient” as a natural person who suffers from any illness or condition or any natural person who asks for or receives health care. In the same Article, “medical emergency” is deemed to be an incident which directly threatens the life or may result in severe incapacity in case health care is not provided immediately.

In the Declaration on the Promotion of Patient’s Rights in Europe, the definition of “medical intervention” is any examination, treatment or other act having preventive, diagnostic, therapeutic or rehabilitative aims and which is carried out by a physician or other health care provider.


Article 11 of the Law, states that the patient’s consent is a prerequisite for medical intervention and care. The patients must be well informed in a timely manner for the relevant health care that they will receive, along with any associated risks, discomforts, side-effects and alternatives, in order to decide freely and without any external influences whether they will be subjected to a medical intervention or treatment, or not.

In the same Article, it is also mentioned that in case of “innovative therapies”, patients shall be fully informed and provide their written consent.

In Article 4 of the European Charter of Patients’ Rights, which refers to the Right to Consent, it is provided (among others) that health care professionals must give the patient all information relative to a treatment or an operation to be undergone, including the associated risks, discomforts, side-effects and possible alternatives. This information must be given with enough advance time to enable the patient to actively participate in the therapeutic choices regarding his or her state of health.

In the Declaration on the Promotion of Patient’s Rights in Europe, it is established (in addition to the above) that the patient has the right to refuse or to halt a medical intervention. Of course, the implications of refusing or halting such an intervention must be carefully explained to the patient.


Article 13 of the Law enumerates the instances where medical intervention and treatment can be provided without obtaining the patients consent:

(a)    When the patients are in no condition, physical or mental, to express their will BUT it is urgent to proceed with medical treatment, their consent is taken for granted, UNLESS it is apparent from previously expressed preferences that they would refuse to receive such treatment.

(b)   When the health care provider decides on his own judgement in medical emergencies that medical treatment is for the benefit of the patient.

(c)    When it is impossible to receive the patients’ consent, but their previously stated preferences constitute implied consent to the upcoming treatment.

When the patient is a minor, consent is given by its parents. In case where the parents refuse to give their consent and the health provider believes that the medical intervention or treatment will benefit the minor, the matter is referred to the Court or any other instrument with decisive power, provided that there is enough time for this procedure.


In the light of the previous analysis, we are now called to answer the main question: Is mandatory vaccination legitimate and allowed in Cyprus?

Firstly, it should be noted that vaccination falls within the scope of medical intervention, as a medical act with a preventive aim. Therefore, as such, consent is essential for proceeding with the vaccination of a physical person, followed by adequate information on any associated risks, discomforts, side-effects and alternatives.

The intermediate question arising at this point is, does vaccination falls within the instances where medical intervention is allowed without the obtainment of the patient’s consent?

Since vaccination is a preventive measure, it is almost impossible to be connected with a “medical emergency”. Urgent medical occurrences constitute the cornerstone for proceeding with health care without receiving the necessary consent, and the lack of such emergency in the concept of “vaccination” leaves no room for a different interpretation.

The only “blind spot” lies on the potential mandatory vaccination of minors. Article 13(4) of the Law permits physicians or other professionals who are convinced that a medical action will benefit the minor, to refer the matter to Court or other instrument, in cases where parents do not grant their consent. This specific section does not include “medical emergencies”. Obviously, the level of protection is higher for minors, possibly in order to establish that they are well protected by the law and not fully relied on their parents decisions. On the other hand, it is easily noticeable that the final decision for minors depends on a Judge, namely a person who is not a physician, a fact that raises concerns about the effectiveness of the provision and the sufficiency in the protection of the minors.

To summarise this section, mandatory vaccination is not allowed in Cyprus and is not even permitted from the previously mentioned international and European instruments, as far as adults are concerned. For minors, the letter of the law may allow for mandatory vaccination providing that a Court decides affirmatively on the matter.


It is hardly acceptable that in 2020 the legal framework on patients’ rights and protection is the same as it was in 2005. Even the European and international legal instruments on the matter, have not been updated for decades. Manifestly, the lack of amendments or modernization of the Law, reflects the fact that medical care and its relevant aspects do not constitute a priority for the Government. One can say that is it also an indication of the general unpreparedness for the unexpected corona virus.

It is true that the unprecedented challenges we are facing, require unprecedented measures. Nevertheless, it should be borne in mind that if the government opts for mandatory vaccination, there is no solid legal background to support such choice.


On July 16, 2020, the Court of Justice of the European Union (CJEU) issued a preliminary ruling in Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems effectively invalidating the European Commission’s Decision (EU) 2016/1250 relating to the EU – U.S. Privacy Shield. At the other end of the spectrum, the CJEU affirmed the validity of Standard Contractual Clauses (SCCs) as a means of ensuring an adequate level of protection to personal data being transferred to third countries, subject always to the strict adherence to the requirements provided under EU data protection legislation and the EU Charter.

The Schrems judgment is especially important in relation to entities engaged in the transfer of personal data to processors established in third countries and, in particular, the United States.  

What is the EU – U.S. Privacy Shield?

The EU-U.S. Privacy Shield is a self-certification mechanism designed by the U.S. Department of Commerce and the European Commission to ensure compliance with data protection requirements in the course of transferring personal data from the European Union to the United States for the purpose of facilitating transatlantic commerce. The EU – U.S. Privacy Shield had been recognised as providing an adequate level of protection taking into consideration the applicable framework relating to personal data protection applicable in the EU, following the European Commission’s Implementing Decision (EU) 2016/1250 of 12 July, 2016 (the Privacy Shield Decision). The Privacy Shield Decision was formally incorporated into the European Economic Area Agreement by Decision No. 144/2017 of the European Economic Area Joint Committee of 7 July 2017. In essence, the EU – U.S. Privacy Shield allows for the transfer of personal data from entities based in the European Economic Area (EEA) that have been self-certified as providing appropriate legal guarantees in respect of such transfers of data and undertake to uphold and observe a series of data protection principles enshrined in the EU – U.S. Privacy Shield, to entities based in the United States.  

Factual Background and Ruling of the CJEU in Schrems

Schrems concerned an application for a preliminary ruling submitted to the CJEU by the High Court of Ireland in the context of judicial proceedings with regards to a complaint lodged by MS in respect of the transfer of his personal data from Facebook Ireland to Facebook Inc., an entity established in the United States. In effect MS sought to preclude the transfer of his personal data to the United States by Facebook Ireland, claiming that the legislation and practices appliable in the United States with regards to personal data protection did not ensure adequate protection of the personal data held in its territory against the surveillance activities in which the public authorities were engaged. In particular, MS argued, among other things, that United States law requires Facebook Inc. to make the personal data transferred to it available to certain United States authorities such as the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) in the context of various monitoring programmes incompatible in a manner inconsistent with applicable EU law.

In addressing the issues raised in Schrem, the CJEU was asked to examine, among other things, whether the Privacy Shield Decision complied with the requirements stemming from Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR) read in light of the EU Charter.

In holding that the Privacy Shield Decision was invalid, the Court found that the application of U.S. law is incompatible with the principles of necessity and proportionality enshrined in the GDPR. Going further, the CJEU found that EU citizens – data subjects whose personal data are subject to unlawful processing in the United States are not afforded with an effective administrative and judicial redress mechanism. The Court therefore reasoned that in light of the fact that U.S. law does not provide for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data, it falls afoul of the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the EU Charter and is incompatible with Article 45 of the GDPR.

In Schrems, the CJEU also proceeded to examine the interpretation and validity of Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46 (OJ 2010 L 39, p. 5), as amended by Commission Implementing Decision (EU) 2016/2297 of 16 December 2016 (OJ 2016 L 344, p. 100) (the SCC Decision). In particular, it was held that the ‘SCC Decision provides for effective mechanisms which, in practice, ensure that the transfer to a third country of personal data pursuant to the standard data protection clauses […] is suspended or prohibited where the recipient of the transfer does not comply with those clauses or is unable to comply with them.’

Commentary on the Importance of the Schrems Judgment in the context of EU Data Protection Legislation

As a general remark, it can be said that, in many ways the Schrems ruling, recognizes the merit in the concerns that have long been expressed at EU level (most notably by the European Data Protection Board) with regards to the adequacy of protection granted to personal data under the Privacy Shield, particularly with regards to the transfer of personal data to processors established outside the EEA. More explicitly, in the context of its annual joint reviews of the Privacy Shield, the European Data Protection Board called into question the compliance with the data protection principles of necessity and proportionality in the application of U.S. law.

In light of the lacuna that has arisen in the wake of the Schrems Judgment (due to the Privacy Shield being ruled as invalid), it is almost certain that the EU-US data protection framework will have to be revisited in a manner that ensures compliance with applicable EU data protection legislation.

At the same time, the CJEU has affirmed the validity of SCCs in the context of the transfer of personal data to processors established outside the European Union to the extent, and in so far as the SCCs maintain a level of protection that is essentially equivalent to the one guaranteed by the GDPR in light of the Charter of Fundamental Rights of the European Union.

In this respect, when considering whether to enter into SCCs, the importer and the exporter are tasked with the responsibility of carrying out an assessment of whether the legislative framework relating to personal data protection in the country to which personal data will be transferred offers an adequate level of protection.

In the course of any such prior assessment, the exporter is expected to take into consideration all material factors including the circumstances of the transfer, the content of the SCC and the legal and regulatory framework with regards to personal data protection applicable in the importer’s country. Where, following such an assessment it appears that an essentially equivalent level of protection is not or cannot be guaranteed in the country of the importer, the exporter may have to adopt additional measures to those included in the SCCs in order to ensure compliance with his obligations under the GDPR. Importantly, in the event that the stipulations included in the SCCs cannot be complied with for whatever reason, the exporter is under an obligation to suspend the transfer or terminate the SCCs or notify its competent supervisory authority if it intends to continue transferring data.

The EU is the only area in the world where citizens are protected by a full set of passengers’ rights – whereby they travel by air, rail, bus or coach. The focus of this article is to provide a brief overview of the “Air rights” that passengers have and to briefly clarify certain guidelines that the EU has established due to the outbreak of Covid-19.

o   “Air Rights” – have been established within the European Union, after the Regulation (EC) No 261/2004 (herein the “Regulation”) has been enforced on February 2004, setting common rules on compensation and assistance to passengers in the event of denied boarding and of cancellation or long delay flights.

o   “Operating air carrier” = refers to the air company that decided to perform the flight, and not the company which leased out the aircraft and its crew. Flight is an air transport, performed by the air carrier which fixes itinerary and a journey involving an outward and a return flight cannot be regarded as a single flight as such[1].

The scope of application of the Regulation extents to passengers departing from any airport located in the territory of an EU Member State as well as any passengers departing from an airport located in a third country towards an airport situated at any EU Member State, unless any benefits or compensation or assistance have been provided in that third country, as such.

Events giving rights under the Regulation are:

  1. When passengers are denied boarding against their will[2]
  2. When flights are cancelled[3]
  3. When flights are delayed[4]

However, to be able to claim air rights, passengers:

a)      must have confirmed a reservation on the flight, and

b)      must have been present at the check-in counter, at the stipulated time which was indicated in advance and in writing. If no time had been specified by the air carrier, not later that 45 minutes before the published departure time.

General Rights:

In general, passengers have a right to receive information[5] with regards to flight, which is specified to them in a notice that is clear and visible (electronically or physically). In case of a delay, cancellation and denied boarding, there is an obligation to provide each passenger with a written notice setting out the rules for compensation and assistance. However, by taking into account the significance of delay as it can materialize at final destination, it is of vital importance to let passengers know of any delay at least three(3) hours before final destination[6]. Failure to do so, could enable passengers to claim compensation.

The right to reimbursement, re-routing or rebooking in the event of denied boarding or cancellation:

Upon denied boarding or cancellation of the flight or even delay (when it is at least 5 hours), the Regulation has established that the air carrier is obliged to offer the passengers the choice among[7]:

i)                    reimbursement (refund)

ii)                  re-routine at the earliest opportunity

iii)                re-routing at a later date at the passenger’s convenience, subject to availability of seats

When passengers book the outbound flight and the return flight separately and the outbound flight is cancelled, the passenger is only entitled to reimbursement of the cancelled flight. However, if the flight and the return flight are part of the same booking, even if operated by different air carriers, passengers should be offered two options if the outbound flight is cancelled. (i) The first option is to reimburse for the whole ticket (booking) or (ii) to be re-routed on another flight for the outbound flight

Right of care?

The right to care appears to be offered by an operating air carrier, in the event when passengers are affected by flight cancellation, delay and denied boarding. The Regulation essentially secures that passengers shall be offered free of charge meals and refreshments, hotel accommodation, in cases where it becomes necessary and any transportation costs[8]. The intention of the Regulation is to guarantee that the passengers, while waiting for their return flight or re-routing at a later convenient date, will have enough and adequate supplies and/or amenities. The extent of adequate care is assessed on a case-by-case basis by considering the needs of passengers and the principle of proportionality[9].

The right to care subsists only as long as passengers have to wait for a rerouting at the earliest convenience of the passenger. Therefore, when the passenger chooses re-routing at a later date at the passenger’s convenience, the right to care ends. It is worth mentioning that the same occurs when the passenger chooses reimbursement of the full cost of the ticket. In fact, there is an obligation for the air carriage to care even when the cancellation of a flight is caused by “extraordinary circumstances” which could not have been avoided even if all reasonable measures had been taken[10].

The European Court of Justice considered extraordinary circumstances to be “even a technical problem which has occurred unexpectedly, not attributable to poor maintenance and not detected during routine maintenance checks, which does not fall within the definition of ‘extraordinary circumstances’ when it is inherent in the normal exercise of the activity of the air carrier”[11].

Compensation may be due in the event of cancelation or denied boarding, under these conditions and unless the cancellation is caused by extraordinary circumstances which could not have been avoided even if all reasonable measures had been taken. It must further be noted that the method of calculation varies according to the number of kilometres that each flight consists and may even be reduced by 50%[12]. It must be clearly understood that the Regulation makes no distinction as to whether the passengers concerned reach their destination by means of direct flight or an air journey with connecting flights. In both cases, the passengers are treated equally when calculating the amount of compensation and in case of connecting flights, the amount of compensation is determined on the radial distance that a direct flight would cover between the departure airport and the arrival airport[13].

The Covid-19 outbreak: “extraordinary circumstance”

With outbreaks of the global pandemic, Covid-19 has affected many sectors which are vital to the economy one of them being also the transportation sector. The European Union has issued a Commission Notice with regards to the EU passengers’ rights regulation in the context of the developing situation of Covid-19[14]. Within those guidelines it was not assessed that the situation on passengers’ rights may be varied by the national rules of each Member State, as there may be national rules creating an obligation to treat passengers differently (for example, some national rules refund passengers or issue vouchers). However, what has become obvious is that although the Regulation contains information on the rights available to passengers, yet it lacks clear provisions on travel disruptions. Nonetheless, rights to compensation in case of cancellation are linked to the carrier failing to give notice sufficiently in advance, therefore providing some for of guidance in view of the pandemic.

Right to reimbursement or re-routing?

With regards to the choice of re-routing, the air carriers may find it impossible to re-route passengers to their intended destination within a short amount of time. The earliest opportunity to re-routing may, under the circumstances of the Covid-19 outbreak, imply considerable delay. The same may apply to the availability of concrete information of such “opportunity”, given the high level of uncertainty surrounding air traveling. Reimbursement of ticket price or re-routing at a later date may therefore be more preferable for passengers. Whether or not reimbursement will be offered depends on the type of ticket booked, subject to the carrier’s terms and conditions.

By considering the provision of the Regulation in light of Covid-19, it is expected that passengers should be informed about delays and/or uncertainties linked to their choice of re-routing instead of reimbursement. If, a passenger chooses re-routing at the earliest opportunity, the air carrier should be considered to have fulfilled its information obligation towards the passenger if it communicated on its own initiative, as soon as possible and in good time, the flight available for rerouting.

In addition, the Commission has adopted the position that, where the public authorities take measures to contain and/or prevent the spread of the pandemic Covid-19, such measures are by their very nature not within the ambit of control of the activity by air carriers. Therefore, since this situation is caused by “extraordinary circumstances”, which could not have been avoided by taking all reasonable measures, then the right for compensation is waived by virtue of the Regulation.

“An operating air carrier shall not be obliged to pay compensation, if it can prove that the cancellation is caused by extraordinary circumstances which could not have been avoided even if all reasonable measures had been taken”[15].

Thus, the condition seems to be satisfied, where public authorities either prohibit certain flights or ban the movement of people in a way that completely precludes operation of flights, and thus excluding compensation liability of any air carrier. Another possibility to waive the right to compensate, includes the flight is cancelled due to prohibition of movement, either in part or not.

Of course, a cancelation may be justified on grounds of “extraordinary circumstances”. Yet, in a situation when there is the possibility that no person is willing to risk and take the flight, therefore giving the potential right of cancelation to the carrier. It would be reasonable to expect some notice, not until the very last minute, so that appropriate measures to be taken by the carrier.

What remains clear is that the right to compensation under Regulation 261/2004 does not apply to cancellation made more than 14 days in advance or when the cancellation is caused by extraordinary circumstances, which could not have been avoided even if all reasonable measures had been taken.

[1] Case C-173/07, Emirates Airlines , Case C-532/17 Wirth

[2] Regulation (EC) No 261/2004, Article 4

[3] Regulation (EC) No 261/2004, Article 5

[4] Regulation (EC) No 261/2004, Article 6

[5] Regulation (EC) No 261/2004, Article 14

[6] C-402/07 and C-432/07 – Sturgeon e.a. ECLI:EU:C:2009 – Passengers who were delayed of at least three hours must be treated in the same way as passengers whose flights are cancelled

[7] Regulation (EC) No 261/2004, Article 8

[8] Regulation (EC) No 261/2004, Article 9

[9] Interpretative Guidelines On Regulation (EC) No261/2004 of the European Parliament and the Council

[10] Regulation (EC) No 261/2004, Article 5(1) and Article 7

[11] Case C-549/07 Wallentin-Hermann
“The collision of mobile boarding stairs with the aircraft was not considered to fall within the scope of extraordinary circumstances”, Case C-394/14 Siewert:

[12] Regulation (EC) No 261/2004, Article 7

[13] C-559/16 Bossen

[14] Commission Notice with regards to the EU passenger rights regulation in the context of the developing situation of Covid-19

[15] Regulation (EC) No 261/2004, Article 5(3)

European Directive 2015/2366 on payment services in the internal market (the “PSD2”)

PSD2 is the revised version of the EU Directive on Payment Services and its goal is to modernise the payment services for the benefit of consumers and businesses through innovative rules. One of the main objectives of the modernisation is the stronger security of electronic payments without negatively impacting the customer experience.

PSD2 has been transposed into Cyprus law through the Payment Services and Access to Payment Systems Law of 2018 (31(I)/2018).

Main components of PSD2:

–          Strong security requirements for electronic payments

–          Increases competition by allowing non-bank companies to offer innovative services

–          Increase of consumer rights in case of unauthorised payments

–          Broader geographical reach by including transactions where only one payment service provider is located in the EU, that also includes transactions in non-EU currency

–          Prohibition of charging fees that exceed the direct cost which has been borne by the payment service provider for the specific payment instrument

–          Improvement of complaints procedure

Strong Customer Authentication (the “SCA”)

The SCA is introduced by PSD2 and it establishes an authentication process that applies when a payer accesses its payment accounts online; initiates an electronic payment transaction; or carries out any action through a remote channel which may imply a risk of payment fraud or other abuses. The SCA serves as a validation of the identity of the user and its purpose is to fight online fraud and protect the confidentiality of financial data. EU Commission Delegated Regulation 2018/389, supplementing the PSD2, sets out the regulatory technical standards (the “RTS”) for the SCA that should be implemented by the payment service providers.

Two of the following authentication elements of the SCA should apply for each transaction, which are mutually independent in that the breach of one does not compromise the reliability of the other:

–          Knowledge: something only the user knows, such as a password, knowledge-based challenge question, passphrase or memorised swiping path, but does not include -among others- email address,                  card details and one-time password (“OTP”) received on a device.

–          Possession: something only the user possesses, such as the OTP received by a device, card evidenced by a dynamic card security code, app with possession evidenced by device binding, but does not include -among others- card evidenced by card details or installed app without registration.

–          Inherence: something the user is, such as a fingerprint or other biometric.

The payment service providers may apply the following exceptions to the SCA:

–          When payments are made below Euro 30, on the condition that the total amount of previous payments since the last application of the SCA does not exceed Euro 100; or the number of previous transactions since the last application of the SCA does not exceed five consecutive transactions.

–          The payer may create a list of “trusted beneficiaries”. The SCA will be applied upon the creation or amendment of this list and all future transactions with the “trusted beneficiaries” will be exempt, on the condition that the transactions do not infringe the general authentication requirements (fraud related).

–          When the payer orders a series of recurring transactions with the same amount and the same payee. SCA will only apply when the recurring transactions are created, amended or initiated.

–          When legal persons initiate a payment through a payment process or protocol that is only available to payers who are not consumers, on the condition that the said protocols provide equivalent levels of security to the PSD2.

–          If the transaction poses a low level of risk based on the fraud rate for that type of transaction, the exemption threshold value and a real-time risk analysis, as included in the RTS.

If payment service providers apply the above mentioned exceptions, they are obliged to implement a mechanism to record and monitor the data for each type of transaction and share those data -upon request- with the European Banking Authority (the “EBA”) and the Central Bank of Cyprus (the “CBC”), as the competent authorities for the implementation of the SCA in Europe and Cyprus respectively.

The SCA does not apply in the following circumstances:

–          When payments are initiated through phone or email.

–          When payments are initiated by the payee and not the payer (“Merchant Initiated Transactions”). These transactions are based on (a) a mandate by the payer authorising the payee to initiate the payments and (b) a pre-existing agreement for the provision of products or services (e.g. utility bills, digital services subscriptions, insurance premium payments)

Implementation of the SCA

The effective date for the implementation of the SCA was set for 14 September 2019, but the EBA has set a new deadline for the migration to the SCA in connection with remote card-based payments on 31 December 2020. The extension is a result of EBA’s acknowledgement of the challenges experienced by the industry in implementing the new standards, following responses from various stakeholders. The purpose of the new deadline is to give competent authorities time to coordinate with the relevant payment service providers and monitor the migration plans. Even though the 14 September 2019 remains the legal deadline for the SCA application, -as specified in EBA’s opinion of 16 October 2019 and as also included in CBC’s release of 24 December 2019- action for non-compliance will not be pursued, on the condition that the payment service providers comply with the milestones and requirements set out by the competent authorities, based on the EBA’s opinion. In its release, the CBC specified that they do not intend to take supervisory enforcement actions against licensed institutions, on the condition that they have submitted a migration plan to the CBC.

The implementation of the SCA may prove challenging for credit institutions and other payment service providers, especially considering the expected increase in IT costs and the need to find a balance between, on the one hand, the implementation of the strict rules on identity authentication and payment security and on the other hand, the provision of a seamless user experience to their clients.

A non-profitable company / organization may be incorporated in the form of either a private company limited by guarantee or in the form of a foundation. In whichever case, provided that the said company or foundation (as the case may be) is granted approval by the Council of Ministers for its treatment as a ‘charitable foundation’, the income of such a charitable organization of public interest is exempted from taxation.

Such a non-profitable company / organization in the form of a private company limited by guarantee (registered as a non-profitable organization) is treated as every company in the sense that it falls under the provisions of the Companies Act (Cap. 113). The difference distinguishing the usual type of a private company, namely the private company limited by shares, from a private company limited by guarantee lies in the liability of the shareholders (members in the case of a private company limited by guarantee) of each type of company. In particular, the liability of the shareholders of a private company limited by shares is limited by the company’s Memorandum to the amount, if any, unpaid on the shares respectively held by each of the shareholders. On the other side, companies limited by guarantee ‘provide’ limited liability to their members; in particular, the liability of the members of such a company is limited to the undertaking of contributing (an amount respective to the amount each of the members guaranteed) to the company’s assets in case the company is wound up. It is worth to note that, as regards companies limited by guarantee, there is no minimum quota that a member is obliged to guarantee. However, it should be noted that (a) previous member(s) of the company may also be liable to contribute to the company’s assets upon the winding up of the latter but such an obligation of an old member extents only to the amount of it guaranteed and for debts incurred while it was a member in the company.  

On that basis, a private company limited by guarantee may serve the purposes of a non-profit company / organization that may be, among others, a charity, club, society, professional body or trade association / union. To this end, the key elements of a non-profit company / organization (that must be included in the Memorandum of Association of the company) are the following:-

(a)    The company is incorporated with regards to the promotion of trade, art, science, religion, beneficence or for any other charitable purpose or for any collateral or supportive purpose.

(b)   All the profits (if any) and/or any other income must be given for the promotion of the objects of the company.

(c)    The payment and/or distribution of any dividend to the member(s) of the company is strictly prohibited.

On the other hand, a non-profitable company / organization in the form of a foundation, in the scope of the Law on Societies and Foundations (Law 57/1972), is defined as the allocation of assets for a specific purpose. Such a foundation has to register (in the respective Register) its Act of Incorporation containing its name, purpose, seat and allocated property as well as the names and addressed of the members of its management. The founder(s) is(are) liable to transfer the allocated property from the outset of the incorporation of the foundation.

According to the provisions of the Law on Income Tax (Law 118(I)/2002), donations to such approved charitable organizations (incorporated in either form) may be qualified for deduction for tax purposes. However, whether the donors may be able to deduct the amount of donation(s) made in the form of charities to the approved charitable organizations, it is a matter falling under the tax laws of the jurisdictions from which donation(s) is(are) coming from.

On May 25th 2018, the General Data Protection Regulation (“GDPR”) entered into force, representing the most significant initiative on data protection in 20 years. Arguably, the most notable alteration in the everyday life of citizens is the “cookie pop-up” on -almost- all websites. Nowadays, when entering a website, the first thing the user sees is a message equivalent to the following:

“We use cookies to improve your experience on our website. By browsing this website, you agree to our use of cookies.”

The official definition provided by the European Commission for “cookies” provides that a cookie is “a small piece of data sent from a website and stored on the user’s computer by the user’s web browser while the user is browsing.” Their purpose is to allow the website to “remember” the user’s actions or preferences over time.

Surprisingly, cookies are only mentioned once in the GDPR and not even in the main body of the Regulation. The sole reference is found in the recital No.30 of the Regulation:

“(30) Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

These few lines have a massive impact on the compliance of cookies, basically stating that when cookies can identify an individual directly or indirectly, it is considered personal data. The GDPR considers a name, a photo, an email address, bank details, posts on social networking websites, medical information, a computer IP address as personal data. Examples of cookies that could identify users are cookies for analytics, advertising and functional services, such as survey and chat tools.

The usual problem with cookies lies on the notion of “consent”. In order to secure the compliance with the data protection requirements, website administrators use the “cookie pop-ups” in order to receive the consent of the website user to acquire, store and track his or her identifiable data.

The lack of consent represents a major breach from a legal point of view, and due to the indifference of website owners and administrators, the user’s privacy is increasingly compromised. The user is not in a position to be aware neither of which personal data is tracked and saved, nor of who is tracking users, for what purpose and for how long. Undoubtedly, the aforementioned are vigorously opposed to both the spirit and the letter of data protection regulations and therefore many website administrators and owners may be in breach. The consequences of non-compliance may be economic (e.g. fines), reputational (e.g. negative publicity and lack of trust) or commercial (e.g. obstacles in concluding agreements with other companies).

The question arising at this point is, how does a website administrator ensure that a website and its cookies are compliant with the GDPR? The answer is mainly found in the ePrivacy Directive (Directive 95/46/EC) which provides for the protection of privacy and all personal data collected in relation to EU citizens for reasons of processing, use and data exchange.

Combining the provisions of the GDPR and the ePrivacy Directive, the following guidelines for website administrators emerge:

  • Users whose data is being collected should be given notice of such collection. The user must know that his or her data are collected during the website surfing.
  • Users whose personal data is being collected should be informed as to the party or parties collecting such data. They shall also be aware of the reasons of the collection, processing and use (e.g. advertisement and promotion of products).
  • Once collected, personal data should be kept safe and secure from potential abuse, theft, or loss. Therefore, the obligation to the website administrator to establish a secure system and impenetrable databases for the personal data of the users is a prerequisite for the compliance with the GDPR.
  • Data collected should be used only for the purposes stated in the “cookie pop-up” and for no other purposes.
  • Personal data should not be disclosed or shared with third parties without consent from its subjects.
  • Consent must be obtained explicitly and prior to the initial processing of the personal data. This can be done through either the use of an opt-in box which the user can ‘tick’ to demonstrate their acceptance of website cookies or through editing their setting preferences. In general, consent must be given by means of an affirmative, positive action that cannot be misinterpreted.
  • Data subjects shall have the right to withdraw their consent at any time in an easy manner, according to Article 7(3) of the GDPR. Controllers must inform data subjects of the right to withdraw before consent is given. Once consent is withdrawn, data subjects have the right to have their personal data erased and no longer used for processing due to “the right to be forgotten”.
  • Every 12 months, the consent should be renewed upon the user’s first visit to the site.
  • Subjects should be able to hold personal data collectors accountable for adhering to the above principles.

Based on the abovementioned, a GDPR compliant cookie message would be the following:

We use cookies to personalize content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you’ve provided them or that they’ve collected from your use of their services. Please press the “OK” button if you consent to the above in order to continue to use this website.”

To conclude, the safeguarding of a subject’s personal data constitutes a significant aspect of the right to privacy. Website owners and administrators are obliged to operate in a manner which guarantees the protection and respect to a person’s personal information. The need for data protection in the internet environment nowadays is greater than ever before, and non-compliance with the previously mentioned principles will not be tolerated.