PERSONAL DATA PROTECTION POLICY

SECTION I – PURPOSE AND SCOPE

1.1 This Policy sets out the rules relating to the protection of individuals, including Staff Members, with regard to the processing of their Personal Data by Cyprus Trust Awards (CTA) or on its behalf (hereinafter the “Policy”).

1.2 The implementation of any processing of Personal Data by the CTA is subject to compliance with this Policy and any other relevant rules of the CTA adopted for its implementation.

1.3 This Policy protects all Personal Data relating to individuals, whether collected by the CTA or disclosed to the CTA by a third party.

SECTION II – DEFINITIONS

For the purposes of the present Policy, the following terms are defined as follows:

2.1 “Personal Data” means any information relating to an identified or identifiable individual. An identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual. Company registration numbers, generic email addresses (such as info@company.com) and anonymised data are not considered Personal Data;

2.2 “Processing” means any operation or set of operations which is performed upon Personal Data or sets of Personal Data, by manual or automated means (including the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data);

2.3 “Data Controller” means any Staff Member who has the authority to determine, alone or jointly with others, the purposes, conditions and means of the processing of Personal Data on behalf of the CTA;

2.4 “Data Processor” means any Staff Member or other individual, legal entity, public authority or similar body, including a third party, authorized to process Personal Data on behalf and under the direct authority of the Data Controller;

2.5 “Recipient” means the individual, legal entity, public authority or similar body to which Personal Data are disclosed;

2.6 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;

2.7 “Sensitive Data” means data related to or revealing the national registration number, genetic data, judicial data (such as litigations, suspicions, prosecutions, criminal convictions etc.), data revealing racial or ethnic origin, data concerning health or sex life, political opinions, trade-union membership, and religious or philosophical beliefs;

2.8 “Consent” means the freely given, specific, informed and unambiguous permission expressed by an individual by which he or she agrees with the processing of his/her Personal Data. This consent is given either by a written statement or by a clear affirmative action;

2.9 “Data Protection Officer” means the Staff Member appointed by the CTA to perform the duties listed in this Policy or assigned to him/her by decision of the CTA;

2.10 “Staff Members” means any staff member of the CTA.

SECTION III – PRINCIPLES RELATING TO PROCESSING AND TRANSFER OF PERSONAL DATA

A. Processing of Personal Data

3.1 The CTA shall ensure that Personal Data disclosed to the CTA are collected and processed according to the principles expressed in this Policy.

3.2 Personal Data shall be processed and used lawfully, fairly and in a transparent manner (‘lawfulness, fairness and transparency’).

3.3 Personal Data shall be collected for specified, explicit and legitimate purposes consistent with the CTA’s official activities (‘purpose limitation’).

3.4 The Processing of Personal Data shall always be adequate, relevant and limited to what is necessary in relation to the purposes for which they are collected and/or further processed (‘data minimization’).

3.5 Personal Data stored by the CTA shall be accurate and, where necessary, kept up-to-date; every reasonable step must be taken to ensure that Personal Data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).

3.6 Personal Data shall be kept or stored for no longer than is reasonably necessary for the purposes for which they are processed (‘storage limitation’).

3.7 Personal Data shall be processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).

3.8 Should the CTA intend to use Personal Data for the purposes of direct marketing, Consent shall be received regarding the Processing of data resulting from participation in events and activities of the CTA. Electronic means shall be used to ensure that participants have consented to the processing of their Personal Data for the purposes of direct marketing.

B. Transfer of Personal Data

3.9 Personal Data may be transferred within the CTA on the following conditions:

(i) the Personal Data are necessary for the performance of tasks covered by the activities of the Recipient;

(ii) only the Personal Data necessary for the performance of these tasks shall be transferred; and

(iii) the Recipient may process the Personal Data only for the purposes for which they are transferred.

3.10 The CTA may transfer Personal Data towards its Members, organizations and other third parties with which the CTA entered into an agreement, in only one of the following cases:

(i) the CTA Members, organizations or other third parties observe this Policy and any other relevant rules which the CTA may adopt for its implementation; or

(ii) sufficient safeguards exist, including effective enforcement mechanisms and appropriate measures put in place by the CTA Members, organizations or other third parties, to ensure a continuing level of security and protection consistent with this Policy and any other relevant rules which the CTA may adopt for its implementation; or

(iii) the concerned individual has explicitly consented to the proposed transfer; or

(iv) the transfer is necessary for the establishment, exercise or defence of legal claims;

(v) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the concerned individual between the Data Controller and another natural or legal person;

(vi) the transfer is necessary to protect the vital interests of the concerned individual; or

(vii) to allow the CTA to achieve its legitimate aims and to carry out its official activities.

SECTION IV – RIGHTS OF INDIVIDUALS

A. Information to be given to the individuals

4.1 Upon request by the concerned individual, the CTA shall provide the individual with the following information on the Processing of data which is personal to him/her:

(i) the identity and the contact details of the Data Controller;

(ii) the contact details of the Data Protection Officer;

(iii) the purpose of the Processing for which the personal data are intended as well as the legal basis for the processing;

(iv) the categories of Personal Data concerned;

(v) the Recipients or category of Recipients of the Personal Data;

(vi) where possible, the envisaged period for which the Personal Data will be stored, or, if not possible, the reason why no such period is fixed;

(vii) where applicable, the fact that the CTA intends to transfer Personal Data to a Member of the CTA, to another organization or a third party and the reasons for such transfer; and

(viii) the existence of the right to request access, rectification or erasure of Personal Data and to submit claims.

4.2 The section above shall not apply where the provision of such information proves impossible or would involve a disproportionate effort, and such impossibility or disproportionate effort is duly motivated by the Organization. In such instances, the CTA shall take appropriate measures to protect the concerned individuals’ rights and legitimate interests to the extent reasonably possible.

B. Right to access

4.3 Every individual shall have the right to obtain from the Data Controller at any time, on request, confirmation as to whether or not Personal Data relating to him/her are being processed.

C. Right to object

4.5 Every individual shall have at any time the right to submit a request objecting, on grounds relating to his or her particular situation, to the Processing of Personal Data concerning him or her. The Data Controller shall no longer process the personal data unless the Data Controller demonstrates that such Processing is necessary for the performance of the task carried out in the exercise of the CTA’s official activities or in the framework of its missions.