Last updated: 12 June 2019
- Our role under the Regulation
Under the Regulation, The Cyprus Institute is the Data Controller for all the personal data it maintains and processes. As a Data Controller, The Cyprus Institute is allowed to collect, maintain and process the personal data of all customers and collaborators.
- How are Personal Data Collected
- directly from you from our contractual agreement
- through third parties in the standard course of the business we do in order to provide you with the service you requested
- through our website
- Types of Personal Data Collected
We collect and use several types of data for the individuals we co-operate with, including Data by which subjects may be identified (“Personal Data” means any Data relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person), such as your first and last name, identity number, e-mail address, address and province, telephone number, education details and training records, employment Data, financial and / or banking Data, as well as other Data related to demographics, other (online) contact Data and possibly health related Data, etc.
Further to other media of collection, we collect and use on or through our Website including:
- Data that you provide by filling in forms, in particular at the time of first contact with us.
- Data when you enter a fair, contest or an event organised or sponsored by us
- Records and copies of your correspondence (including e-mail addresses)
- Details of transactions you carry out, if any, and of the fulfilment of your orders.
We collect and use your information under the following lawful bases:
- where we have consent by the data subject;
- where necessary to execute a contract with the data subject;
- where it is necessary for compliance with a legal obligation;
- where processing is necessary to protect the vital interests of the data subject or of another person;
- where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- where justified by the legitimate interest of the The Cyprus Institute or of your legitimate interest or other’s
- Disclosure of Your Personal Data
We do not share your Personal Data with third parties except as indicated below:
- Affiliates. We share of Personal Data with our subsidiaries and affiliates to the extent this is necessary for the purposes of provision of services, customer management, customization of content, advertising (if you have consented) security and compliance, or to the extent you have provided your consent.
- Service providers. To our authorized service providers that perform certain services on our behalf, including for purposes of provision of the services you requested from us, customer management and security. These services may include fulfilling orders, processing credit card payments, risk and fraud detection and mitigation, providing customer service and marketing assistance. These service providers may have access to Personal Data needed to perform their functions but are not permitted to share or use such data for any other purposes. We have taken all reasonable steps to ensure that they comply with the current data protection regulations.
We also disclose your Personal Data to other third parties, including official authorities, courts, or other public bodies:
- In response to a subpoena or similar investigative demand, a court order or other judicial or administrative order, or a request for cooperation from a law enforcement or other government agency; to establish or exercise our legal rights; to defend against legal claims; to comply with applicable law or cooperate with law enforcement, government or regulatory agencies; or to enforce our Website terms and conditions or other agreements or policies; or as otherwise required by law (including responding to any government or regulatory request). In such cases, we may raise or waive any legal objection or right available to us, in our sole discretion.
- To the extent a disclosure is necessary in connection with efforts to investigate, prevent, report or take other action regarding illegal activity, suspected fraud or other wrongdoing; to protect and defend the rights, property or safety of our company, our users, our employees, or others; to maintain and protect the security and integrity of our Website or infrastructure.
We may disclose aggregated Data about our users, and Data that does not identify any individual, without restriction. In particular, we may transfer non-Personal Data and process it outside your country of residence. We may combine non-Personal Data we collect with additional non-Personal Data collected from other sources. We also may share aggregated Data with third parties, including advisors, advertisers and investors, for the purpose of conducting general business analysis.
- How We Store Your Personal Data
The Data that we collect about you, including Personal Data, is safely stored and processed in Cyprus and/or in remote cases in the Countries within the European Union.
- Retention of Personal Data
The period for which we keep your Personal Data that is necessary for compliance and legal enforcement purposes varies and depend on the nature of our legal obligations and claims in the individual case.
To the extent we have collected your Personal Data for purposes of provision of services, customer management, and customization of content (for descriptions of these purposes see above), we keep your Personal Data for as long as you have an account with us, as needed to provide you with our respective services and in compliance with relevant laws of Cyprus.
- Legal Bases for Collection, Use and Disclosure of Your Personal Data
There are different legal bases that we rely on to collect, use and disclose your Personal Data, namely:
- Consent: We will rely on your consent to use (i) your Personal Data for marketing and advertising purposes; (ii) your Personal Data for other purposes when we ask for your consent and for which the purpose of the process does not relate to the services, we offer to you.
- Performance of contract:The use of your Personal Data for purposes of providing the services, customer management and functionality and security as described above is necessary to perform the services provided to you under our term and conditions and any other contract that you have with us.
- Compliance with legal obligation: We are permitted to use your Personal Data in to the extent this is required to comply with a legal obligation to which we are subject.
- Protection of your vital interests: The processing of your Personal Data is necessary to protect your vital interests, if you are physically or legally incapable of giving consent.
- Protection of our legitimate interests: The processing of your Personal Data is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data, in particular where the data subject is a child.
- How We Protect the Security of Your Personal Data
We take appropriate security technical and organisational measures (including physical, electronic and procedural measures) to safeguard your Personal Data from unauthorized access, unlawful use, intervention, modification or disclosure under the requirements of the Regulation. For example, only authorized employees are permitted to access Personal Data, and they may do so only for permitted business functions. In addition, we have trained our employees on how to handle, manage and process personal data, applied upgraded technical measures and transformed our policies and procedures in a way that will comply with the General Data Protection Regulation.
- Automated Decision-Making, Including Profiling
We reserve the right to use automated decision-making in the following cases: When deemed necessary to provide services to you, with your written, express consent, and if the appropriate measures have been taken to safeguard your rights.
- Choices About How We Collect, Use and Disclose Your Personal Data
We strive to provide you with choices regarding the Personal Data you provide to us.
You can choose not to provide us with certain Personal Data, but that may result in you being unable to use certain services.
When you register with us, you may be given a choice as to whether you want to receive email messages, newsletters or advertising material about product updates, improvements, special offers, or containing special distributions of content by us. If consented yet later on you decide you no longer want to receive commercial or promotional emails or newsletters from us, you will need to avail yourself of the unsubscribe mechanism set out in the applicable communication. It may take up to thirty days for us to process an opt-out request. We may send you other types of transactional and relationship e-mail communications, such as service announcements, administrative notices, and surveys, without offering you the opportunity to opt out of receiving them as these will related directly to your relationship with us.
If you provided Personal Data, you may terminate your relationship with us at any time as per the provision of the between us agreement or engagement. If you choose to do so, your Personal Data will be deleted in accordance with our retention policy.
Subject to the provisions of the General Data Protection Regulation, you have the following rights in regard to your Personal Data: (Please note, these rights are not absolute and in some cases, they are subjected to conditions as defined by law)
- Right of Access – You have the right to access your own Personal Data through the platform, as well as the right to request a copy of your personal data that is maintained and processed by our company.
- Right of Rectification – You have the right to request the correction of any incomplete and / or inaccurate Personal Data we hold for you.
- Right to Erasure – You have the right to request the deletion of Personal Data only if one of the following reasons is true:
- Personal Data are no longer necessary in relation to the purposes for which they were collected or processed.
- If the processing is based on your consent and you have withdrawn this consent (on which processing is based) in accordance with Articles 6.1.a and 9.2.a of the Regulation and if no other legal basis, for processing, applies.
- If you object to processing in accordance with Article 21.1 of the Regulation and there are no compelling and legitimate reasons for processing.
- If Personal Data have been processed illegally.
- If Personal Data should be deleted in compliance with a legal obligation under Union law to which our company is subject to.
- If the personal data have been collected in relation to the provision of referred to in Article 8.1 of the Regulation.
- Right to Object – You have the right to oppose the processing of your Personal Data at any time and for reasons related to a specific situation, unless there are compelling legitimate reasons for processing that override your interests, rights and freedoms.
- Right to Restriction of Processing – You reserve the right to request the restriction of processing on your Personal Data so that we may no longer process the specific Data until the restriction is lifted (for example, the data have been corrected).
- Right to Data Portability – You have the right to request the transfer of your personal data, which you have provided to our company. These data will be given to you in a format that is structured, widely used and machine readable and, in certain cases you may also have the right to request for us to send the Data to another organization, provided that such a transfer is technically feasible.
- Right to Object and Automated Individual Decision-Making (Including Profiling) – You have the right to request that we do not make any decision, regarding you, solely on the basis of automated processing, including profiling, only in the case that this decision has legal or significant consequences on you.
- No Rights of Third Parties
- No Error Free Performance
- Contact Data
In case you require any clarification, additional data, wish to exercise any of your rights and/or have a complaint, you are kindly asked to contact the Data Protection Officer of our Institute:
Telephone: +357 22 397 539
In addition to the above, if you consider that the processing of Personal Data on the part of the Institute breaches the applicable legislation on data protection, you have the right to make a complaint to the competent supervisory authority, and in particular to the Office of the Commissioner for the Protection of Personal Data:
Office address: Iasonos 1, 1082 Nicosia
Postal address: P.O. Box 23378, 1682 Nicosia
Telephone: +357 22818456
Fax: +357 22304565