The European Commission has issued multiple warnings to Cyprus regarding the transposition of Directive (EU) 2021/2167, which sets out rules for credit servicers and credit purchasers (commonly associated with non-performing loans). Member States were required to incorporate this directive into national law by December 29, 2023. However, according to Member of the European Parliament (MEP) Giorgos Georgiou from the AKEL party, Cyprus only notified the Commission of its full transposition efforts in November, resulting in delays that prompted both a warning letter in January 2024 and a reasoned opinion in July 2024.

A central concern raised by Mr. Georgiou is that several companies managing non-performing loans in Cyprus have been operating without the necessary licensing in place, as mandated by the directive. This gap has significant implications for borrowers’ privacy rights, particularly since borrowers are not always adequately informed or asked for consent regarding data sharing, an issue that falls under the GDPR framework.

In her response, Commissioner Maria Luis Albuquerque, responsible for Financial Services as well as Savings and Investment within the EU, emphasized that the directive imposes heightened safeguards for borrowers, including the requirement under Article 10(1)(c) for credit managers and purchasers to respect and protect personal data. She also noted that the Commission is currently assessing whether the measures Cyprus reported in November align with all provisions of the directive.

Finally, the Commissioner highlighted that for any credit agreements transferred after the official transposition date to entities lacking proper authorization, the directive obliges national supervisory authorities to intervene. The goal is to ensure that both licensing requirements and data protection standards are upheld, providing robust safeguards for borrowers throughout the EU’s debt management and debt acquisition market.