
In a move to harmonise and clarify current workplace practices, the Office of the Commissioner for Personal Data Protection in Cyprus has published Directive No. 1/2025 concerning the use of personal mobile devices for work-related tasks. This guidance responds to the growing trend of “bring your own device” (BYOD) arrangements and the attendant privacy and security risks for both employees and employers.
The Directive opens by noting the ubiquity of personal smartphone use in professional contexts—ranging from electronic signature capture and one-time password retrieval to accessing corporate email and monitoring staff attendance. While such practices can enhance efficiency, they also carry potential threats to workers’ privacy and to the integrity of employers’ data systems.
A Presumption of Prohibition with Limited Exceptions
At its core, the Directive establishes a clear rule: no employee may be compelled to use their personal mobile phone for work purposes. Three specific exceptions permit voluntary use:
1. The employee expressly wishes to use their own device.
2. Use genuinely facilitates the performance of their duties.
3. No processing of the employee’s personal data by the employer is involved.
Should an employee decline to use their personal device—even where no data processing takes place—the employer must offer an alternative solution and ensure that the employee faces no adverse consequences for doing so.
Employer Obligations and Risk Mitigation
Where personal-device use does give rise to data processing—for example, via an app tracking hours or remaining leave entitlement—employers are reminded to:
• Comply with the fundamental processing principles under Article 5 of the GDPR.
• Rely on a lawful basis under Article 6 (excluding consent, owing to the employer’s position of power).
• Observe transparency obligations and notify employees in advance.
• Offer, where feasible, a less intrusive alternative (such as swipe-card access in lieu of an app).
• Ensure no employee choosing an alternative measure suffers discrimination.
• Fulfil all other GDPR requirements, including conducting Data Protection Impact Assessments (Article 35) and, if necessary, prior consultation with the Commissioner (Article 36).
Furthermore, if an employee’s device cannot support requisite technical safeguards, the employer must provide the necessary infrastructure or alternative technological solutions. In cases of systematic personal-device use—regardless of whether data processing occurs—organisations are urged to adopt and communicate a clear policy addressing scenarios such as device failure, forgetfulness, or employee preference against BYOD.
Looking Ahead
The Directive concludes by signalling that a subsequent guidance document on teleworking will be issued for both the public and private sectors, underscoring the Commissioner’s commitment to evolving workplace realities.


