The European Union’s General Data Protection Regulation (GDPR) that began May 25 is aimed at offering safeguards for Internet users but on Cyprus at least has resulted in a number of companies uncertain how to ask for consent, and some facing fines.

Inboxes and phones across Europe have been bombarded with all types of creative emails and texts asking them to consent to staying in touch and on Cyprus has seen uneven application and uncertainty, the Cyprus Mail reported.

Cyprus’ Personal Data Protection Commissioner Irini Loizidou Nicolaidou said many companies have asked for consent the wrong way. The regulation stipulates explicit consent must be given by consumers and be specific, informed, freely given and unambiguous.

If the data was gained improperly the first time around – such as by a company selling data – then even asking those people for their permission was also in breach of the regulation, under the new rules, the paper said.

Two kinds of requests of consent have been circulating on the island and one of them was wrong, the report said, as it asked people to reply to the company’s message if they wanted to continue receiving emails and messages. “Let’s stay in touch!” and “keep receiving our offers!” were some of the taglines. If you sent no reply the company was required to delete your data.

The second kind of request sent messages that if there was no response then the company would accept that as consent for information to keep being sent but Nicolaidou told the Sunday Mail that was wrong and subject to a fine up to 4 percent of a company’s annual revenue or as much as 20 million euros ($23.29 million).