Centralized Register of Ultimate Beneficial Owners & the concerns in light of the GDPR


Taking into consideration the aggregate calls for transparency by the constitutions of the European Union (hereinafter referred to as the “E.U.”) which, now more than ever, form an essential element of the corporate sector that must be guaranteed and safeguarded, the Republic of Cyprus (hereinafter referred to as “Cyprus” and / or the “Country”) is in the process of a compelling alignment of its Laws in such a way that the Country ensures and enhances the provision of a trustworthy and transparent legal corporate system and financial sector.

To the end of achieving such aims, the Cyprus Council of Ministers on the 16th of December, 2020,  by the proposal of the Advisory Authority for Combating Money Laundering and Terrorist Financing, resolved the establishment of the “Centralized Register” of the Ultimate Beneficial Owners (hereinafter referred to as the “UBOs”), in accordance with the provisions of the 4th & 5th E.U. AML Directives (as defined below) and the Prevention and Suppression of Money Laundering and Terrorist Financing Law 188(I)/2007, as amended (hereinafter referred to as the “AML Law”).

As a reference point, section 30 (I) of the 04th E.U. AML Directive states clearly that: “Member States shall ensure that corporate and other legal entities incorporated within their territory are required to obtain and hold adequate, accurate and current information on their beneficial ownership, including the details of the beneficial interests held. Member States shall ensure that breaches of this Article are subject to effective, proportionate and dissuasive measures or sanctions. Member States shall ensure that those entities are required to provide, in addition to information about their legal owner, information on the beneficial owner to obliged entities when the obliged entities are taking customer due diligence measures in accordance with Chapter II”.


As per the stipulations of the 5th E.U. AML Directive, the Centralized Register of the UBOs was normally to be implemented by the 10th of January, 2020 by all the E.U. Members. However, due to non-compliance by the majority of them, the E.U. recently delivered warning letters encouraging them to harmonize the said Directive, as a matter of urgency.

Until recently, it seemed that the E.U. Countries maintained a wait-and-see approach to see how harmonization from other Countries would work.

Same as elsewhere, Cyprus had not complied with the relevant Directive due to its complexity, as fundamental rights and, thus, Laws (e.g. concerning the Personal Data) were considered to be violated. The last notification from the Cyprus Bar Association in relation to the subject matter was in fact circulated in March, 2019, without any information and guidance since then.

As already stated though, the Cyprus Council of Ministers on the 16th of December, 2020 issued a subsidiary legislation activating the Centralized Registry of UBOs, which shall set a new norm and a new era from now and onwards concerning the subject matter.


As envisaged in article 3(6) E.U. Directive 2015/849 (hereinafter referred to as the “4th E.U. AML Directive”), as well as in section 2 of the AML Law, “Beneficial Owner” means any Natural Person who ultimately owns or controls the Customer and / or the Natural Person on whose behalf a transaction or activity is being conducted, and includes at least:


The Natural Person who ultimately owns or controls a Corporate Entity (through direct or indirect ownership) in the percentage of 25% plus one share or has corresponding voting rights or ownership interest in that Corporate Entity (including through bearer shareholdings, or through control via other means, other than a Company listed on a regulated market that is subject to disclosure requirements consistent with European Union law or subject to equivalent international standards which ensure adequate transparency of ownership information).


(i) The Settlor;

(ii) The Trustee or Commissioner;

(iii) The Protector (if any);

(iv) The Beneficiary, or where the individual benefiting from the legal arrangement or legal entity have yet to be determined, the class of Persons in whose main interest the legal arrangement or entity is set up or operates; and

(v) Any other Natural Person exercising ultimate control over the trust by means of direct or indirect ownership or by other means; and

(C) IN THE CASE OF LEGAL ENTITIES (such as foundations, and legal arrangements similar to Trusts):

The Natural Person holding equivalent or similar positions to the person referred to in paragraph (B).


According to the E.U. Directive 2018/843 (hereinafter referred to as the “5th E.U. AML Directive”) which aims to strengthen the ways of preventing the use of the E.U. financial system for money laundering and / or terrorism financing, as adopted in accordance with the 4th E.U. Directive, and under section 61 (A) of the AML Law, the Centralized Register may be accessed by:

Α) Obliged Entities, within the framework of their Customer Due Diligence (KYC);

Β) Competent Authorities (i.e. The competent Supervisory Authority, MOKAS, the Customs and Excise Department, the Inland Revenue and the Police without any obligation for prior approval); and

C) Any person who can prove “legitimate interest”. By referring to “legitimate interest”, we mean the interest of a person regarding the suppression of money laundering activities, as well as various offences that have been enacted under the applicable legislation.

Such an access will mean the disclosure of the name, the month and year of birth, the nationality and the country of residence of the UBO, along with the nature and extent of the beneficial interest held, whereas it will be granted only in accordance with the provisions of the Processing of Personal Data (Protection of the Individual) Law.


The Council of Ministers decided that the Centralized Registry shall be maintained under the custody of the Registrar of Companies (hereinafter referred to as the “ROC”). The latter is particularly authorized to collect all the required information – including data of UBOs and of legal Entities throughout the system that has been developed.


According to the announcements of the ROC and the Cyprus Bar Association, the starting day for the collection of the necessary details is the 22nd of February, 2021.

From this day forward, a sixth-month period will be granted so as to report and declare information regarding the UBOs. What is worth mentioning, is that the access to the platform for those six months according beneficial owners, will be granted (upon the request of ROC) only to competent authorities and not individuals.

By the 2nd half of 2021, the final platform of the Centralized Registry shall become fully operational and shall become accessible by the Persons / Organizations mentioned above.


The call for absolute “Transparency” and the need for absolute protection of “Privacy” feels like they are incompatible, and thus preliminarily seems that we shall face big contradictions.

On the one hand, we have to act upon the 5th  E.U. AML Directive, whilst on the seemingly opposite side, we cannot infringe the General Data Protection Regulation (EU) 2016/679 (hereinafter referred to as the “GDPR”), which entered into force in Cyprus on the 25th day of May, 2018, along with the Protection of Personal Data Law 125(I)/2018 (hereinafter referred to as the “Personal Data Law”).

The bet for the E.U. Members, and particularly speaking for Cyprus, is to find the right balance against the need to prevent financial crimes, in order to safeguard the general Public Interest (sections 15, 19 (3) of the Constitution of Cyprus).

It is obvious that the storage and transmission of Personal Data and information, holds an important position in protecting the privacy of the Data Subjects. Nevertheless, total access to information, when such is not filtered, can have the opposite effect and expose the UBOs to unfair and dangerous situations (e.g. kidnapping, violence, blackmail, intimidation). Therefore, the 05th E.U. Directive, provides that the E.U. Member may lay down in their national Laws the cases in which access to the Centralized Registry will be prohibited.

In the implementation of the legal framework and the operation of the Centralized Register, the Legislator should take into consideration, among others, the: (a) Universal Declaration of Human Rights; (b) the Charter of Fundamental Rights; (c) the GDPR; (d) the principle of proportionality; (e) the judgments of the European Courts; (f) the Constitution of the Republic of Cyprus; and (g) the Personal Data Law.


Undeniably, the final platform will succeed bringing to Cyprus the proper legal frame that could fight the money laundering. Attention should be drawn though, to the need for a fair balance between the general Public Interest in preventing money laundering and the fundamental rights of the Data Subjects.

This Article and any content forming part of it is only intended to provide a guide on the subject matter and does not constitute legal or any other advice. If professional advice is required, G.C Charalambous & Co LLC would be glad to assist you in this respect.

Share this post

Right Menu Icon