
General Data Protection Regulation - Privacy Policy

 

PERSONAL DATA PROTECTION POLICY - PRIVACY POLICY

 

LARNACA – FAMAGUSTA DISTRICTS

DEVELOPMENT AGENCY

 

TABLE OF CONTENTS

CHAPTER 1: INTRODUCTION, SCOPE AND BASIC PRINCIPLES

ARTICLE 1 – INTRODUCTION

ARTICLE 2 – PURPOSE

ARTICLE 3 – SCOPE OF APPLICATION

ARTICLE 4 – PERSONAL DATA

ARTICLE 5 – BASIC PRINCIPLES

CHAPTER 2: LEGALITY OF TREATMENT, INFORMATION AND CONSENT OF SUBJECT

ARTICLE 6 – PROCESSING OF PERSONAL DATA

ARTICLE 7 – SUBJECT INFORMATION

ARTICLE 8 – INFORMATION INCLUDED IN THE DECLARATION INFORMATION OF THE SUBJECT

ARTICLE 9 – LEGAL DATA PROCESSING BASIS

ARTICLE 10 – SUBJECT CONSENT

ARTICLE 11 – RIGHTS OF SUBJECTS

ARTICLE 12 – SPECIAL DATA CATEGORIES

CHAPTER 3: SECURITY MEASURES AND VIOLATION OF PERSONAL DATA

ARTICLE 13 – DATA PROTECTION "ALREADY FROM DESIGN" AND "BY DEFINITION"

ARTICLE 14 – ORGANIZATIONAL AND TECHNICAL MEASURES

ARTICLE 15 – ARCHIVES REGISTERS OF PROCESSES

ARTICLE 16 – DATA PROTECTION IMPACT ASSESSMENT

ARTICLE 17 – BREACH OF PERSONAL DATA

ARTICLE 18 – REGISTRATION OF PERSONAL DATA BREACHES

ARTICLE 19 – ANNOUNCEMENT OF BREACH OF PERSONAL DATA

CHAPTER 4: DATA PROCESSOR MANAGEMENT

ARTICLE 20 – CONTRACT CLAUSES

CHAPTER 5: DATA TRANSMISSION TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS

ARTICLE 21 – DATA TRANSMISSION TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS

ANNEX

CONCEPTS AND DEFINITIONS

 

CHAPTER 1: INTRODUCTION, SCOPE AND BASIC PRINCIPLES

ARTICLE 1 – INTRODUCTION

The Larnaca and Famagusta Districts Development Agency (hereinafter "ANETEL") collects and processes personal data in the context of:

- The creation of conditions and the promotion of strategic and operational planning and planning processes as well as the undertaking of an essential role of support and implementation of development programs, projects and initiatives through participatory processes that will make the most of all local forces and are also expressed through Local Authorities but also the other local bodies or wider bodies, organizations, productive classes and social groups. The aim is to improve the operation and efficiency of the above as well as the general support of the development process.

- The contribution to the upgrading and utilization of the natural environment and to the preservation of ecological balances through the design and implementation of environmental protection programs and projects, the rational management and utilization of natural resources, the continuous information and awareness of the public and ensuring compatibility of every development program and project with nature protection and sustainable development.

- The promotion and support of alternative and mild forms of tourism compatible with the protection and promotion of the balance of the human-geographical environment.

- The responsibility for the study - construction - improvement - expansion - management and utilization of the technical, social - cultural and development infrastructure of the wider area as well as other areas and the elaboration of studies and construction of projects while ensuring the compatibility of each project and program with nature protection.

- The creation, participation and development of networks, media, mechanisms and processes for continuous improvement of information - communication - cooperation of citizens, public bodies, development organizations of all kinds, productive classes, farms, businesses, etc. between them but also with the wider European Regional, National and Local environment, with the design of relevant programs and the creation of infrastructure and networks and modern communication and dissemination of information.

- The undertaking, elaboration, execution, monitoring, evaluation for the same account, on behalf of its shareholders or third legal or natural persons, proposals, programs, projects, works and studies of all kinds (e.g. strategic and business planning, sectoral studies, preparation of investment plans, investigation of investment opportunities and sources of financing, etc.)

- The undertaking, elaboration, execution, monitoring, evaluation on behalf of all the above mentioned persons of each category of Community and National programs (integrated and not) and the utilization and management of the financing related to them.

- The continuous and substantial contribution to the promotion of employment and the fight against unemployment of the inhabitants of the productive classes and rates, the farmers, the women, the youth, etc. by undertaking or promoting all kinds of initiatives and the design and implementation of programs and related actions of labor market research, training, vocational training, specialization and overall accompanying support.

- The provision of professional level of specific and specialized services (based on the legal and valid specifications and directions of the competent European and National bodies) social support and promotion of employment to population groups and categories that for objective or subjective reasons are already seriously excluded or threatened from the labour market.

- The establishment or participation in Vocational Training Centres (continuing vocational training and combating social exclusion, in accordance with the respective legal specifications, conditions and certifications).

- The strengthening and promotion of social solidarity (aid programs, social capital, etc.)

- The promotion of initiatives for the development of a spirit of cooperation and solidarity, with the aim of preserving the historical-cultural heritage and ensuring its continuity by supporting the current production and cultural creation.

- The performance of its functions e.g. data of employees with a dependent employment relationship, paid mandate or other employees and persons who maintain a cooperation relationship with the Company under any conditions.

The processing of this data, which is a prerequisite for the smooth execution of its operations as well as for the support and monitoring of all kinds of relations of the Company with the data subjects, is carried out in accordance with the requirements of the existing legislative and regulatory framework for the protection of personal data (General Data Protection Regulation - GDPR and relevant Cyprus legislation).

 

 

ARTICLE 2 – PURPOSE

This Policy sets out the basic principles for the effective management and protection of personal data in the Company as well as the preservation of the confidentiality of this data and describes the directions and objectives of the Company regarding the organizational and technical measures.

ARTICLE 3 – SCOPE

This Policy applies to the Company and may be extended to third parties, partners, suppliers, etc., who receive, transmit, collect, access or process personal data in any way on behalf of the Company, or as joint controllers, or as data processors.

The only cases in which it does not apply are those where the Company operates as executor of processing.

 

ARTICLE 4 - PERSONAL DATA

Personal data is defined as any information concerning an identified or identifiable natural person ("data subject"). An identifiable natural person is one whose identity can be ascertained, directly or indirectly, in particular by reference to an identifier, such as name, identity number, location data, online identity, or one or more identifiers of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.

ARTICLE 5 - BASIC PRINCIPLES

The protection of personal data in the Company is governed by the following basic principles:

Legitimacy, objectivity and transparency

Personal data is obtained lawfully, with respect for the data subject's right to information. The data shall be processed for the fulfilment of lawful and legitimate purposes in a transparent manner and only if the legality of the processing has been ensured through the legal bases described in the GDPR and Article 9 hereof.

Limitation of purpose

Personal data is collected only for specified, explicit and legitimate purposes which are communicated to the subject and are not further processed in a manner incompatible with the stated purposes.

 

 

Data minimization

Only personal data that are necessary and relevant to the purpose of the processing for which they were collected are collected.

Accuracy

The personal data collected must be accurate and the subjects must be able to update it, if requested.

Limitation of the retention period

The personal data are kept in a form that allows the identification of the data subjects for the appropriate period of time for the purpose of processing, as provided in the institutional and operational framework of the Company.

Integrity and confidentiality

The Company takes adequate organizational and technical measures to protect the integrity and confidentiality of personal data, both in digital and physical form.

Accountability

The Company can demonstrate its compliance with the obligations set by the Regulation (EU) 2016/679 (GDPR) through the continuous monitoring and improvement of the privacy framework.

 

CHAPTER 2: LEGALITY OF PROCESSING, INFORMATION AND CONSENT OF THE SUBJECT

ARTICLE 6 - PROCESSING OF PERSONAL DATA

The processing of personal data includes the collection, registration, organization, structure, storage, adaptation or alteration, retrieval, search for information, use, disclosure by transmission, dissemination or any other form of disposal, association or combination, restriction, deletion or destruction.

ARTICLE 7 - SUBJECT INFORMATION

The Company ensures that the subjects to whom the data refer have at their disposal sufficient information regarding the processing and use of their data by the Company and give their consent, if required.

If the data is received from the data subject and not from third parties, an appropriate information statement should be provided at the time of data collection, including reasonable information regarding the processing of the data. In case the data is received from third parties, the Company must inform the subject no later than one (1) month from the collection, or, if the data is to be used for communication with the data subject, no later than the time of the first communication with the data subject, or, if disclosure to another recipient is provided, at the latest when the data is first disclosed.

ARTICLE 8 - INFORMATION INCLUDED IN THE SUBJECT'S INFORMATION STATEMENT

The following information is included in the subject information statement in order to ensure the fair and transparent processing of his personal data:

- the identity and contact details of the controller,

- the contact details of the Data Protection Officer,

- the processing purposes for which the personal data are intended,

- the relevant categories of personal data,

- the legal basis for the processing of personal data,

- the existence of the subject's right to withdraw his consent, provided that the processing of his data is based on it,

- the recipients or categories of recipients of personal data, if any,

- information on data transfers to third countries,

- the period for which the personal data are processed, as well as the period during which they will be stored,

- the right to lodge a complaint with a supervisory authority as well as adequate information on the rights of the subjects and how their rights are exercised in accordance with the provisions of the GDPR,

- information on the existence or not of automated decision-making,

- the existence of a right to submit a request to the Controller for access, correction or deletion of personal data, restriction of their processing, opposition to their processing, as well as for their portability,

and

- the source from which the personal data are extracted in case they are not collected by the data subject.

 

ARTICLE 9 - LEGAL BASIS OF DATA PROCESSING

Any processing of personal data must be based on one of the following legal bases:

- Subject Consent: Subjects provide their consent for one or more processing purposes,

- Contractual relationship: performance of a contract to which the data subject is a party or for the purpose of acting at the request of the data subject prior to the conclusion of a contract,

- Legal obligation: compliance with a legal obligation of the Controller,

- Safeguarding a vital interest of a natural person: relates to the interest of the data subject or other natural person,

- Duty of public interest / exercise of public authority by the controller: performance of a duty performed in the public interest or in the exercise of public authority delegated to the controller,

- Legitimate interest: refers to a legitimate interest pursued by the controller or a third party, unless the interests or the fundamental rights and freedoms of the data subject prevail over that interest, if the data subject is a child.

 

ARTICLE 10 - CONSENT OF THE SUBJECT

If the consent of the subject is required, the Company ensures that it obtains his consent at the time of data collection and before any processing. If a new processing purpose for this data arises, the Company must obtain the consent of the data subject again.

The Company ensures that:

- consent is sought in an easily accessible and comprehensible manner, expressed in clear and simple language,

- the consent is submitted in a manner clearly distinct from other matters to which the subject also may consent,

- consent is given freely, explicitly and in an affirmative manner by the data subject,

- the type for which consent is sought is not pre-selected / pre-filled,

- consent is given for specific purposes of collecting and processing personal data,

- where the consent is provided by the subject by electronic or otherwise automated means, it is automatically stored in a secure environment,

- the receipt or withdrawal of consent is stored and accompanied by the following information: name of the subject, date and manner of declaration / withdrawal of consent, the declaration of consent notified to the subject,

- the subjects are informed that they can modify or withdraw their consent at any time, without, however, affecting the processing done before the withdrawal of the consent,

- withdrawal of consent is in practice as easy as obtaining it,

- appropriate organizational and technical measures have been put in place to prevent the processing of personal data in the event of a withdrawal of consent, and

- proof of declaration / withdrawal of consent is easily accessible.

 

ARTICLE 11 - RIGHTS OF SUBJECTS

The Company ensures the existence of a defined procedure based on which it handles and responds to the requests of the data subjects in accordance with the rules of transparent information, communication and regulations for the exercise of the data subject's rights. All subjects for whom the Company maintains personal data are entitled to:

- request information on and / or access to personal data concerning them,

- request their deletion,

- request their correction,

- request that their processing be restricted,

- implement the portability of their data, to the extent that they have made it available to the Company, and

- oppose their processing.

 

ARTICLE 12 - SPECIAL DATA CATEGORIES

The Company collects, stores, uses, discloses or processes in a different way the "Special categories of data" (sensitive data) only if one of the following cases occurs:

- the subject has given explicit consent to the processing of the information,

- the processing is necessary for the fulfilment of the obligations deriving from the labour law,

- processing is necessary to protect the subject (or other person) when the subject is physically or legally incapable of giving his or her consent.

The processing concerns information that has been disclosed by the subject or is necessary for legal claims or is necessary for reasons of substantial public interest. Cases of processing of personal data, which are not covered by the provisions of the GDPR (such as criminal convictions or offenses, requests of public authorities for lifting of banking secrecy, collection of criminal records of employees upon their employment) are covered by more specific legislation.

 

CHAPTER 3: SECURITY MEASURES AND VIOLATION OF PERSONAL DATA

 

ARTICLE 13 - DATA PROTECTION "ALREADY FROM DESIGN" AND "BY DEFINITION"

The Company applies the basic principle of data protection by design, incorporating the principles of data protection in each new project in which the processing of personal data is involved. The Company also applies, when necessary, the basic principle of data protection by default, ensuring that personal data are processed according to their purpose, for a period that is absolutely necessary and, in any case, are not accessible to an unlimited number of people.

ARTICLE 14 - ORGANIZATIONAL AND TECHNICAL MEASURES

The Company extensively evaluates the existing security measures and defines the minimum organizational and technical measures, in order to protect the confidentiality, integrity, availability and lawful processing of personal data. It has developed an Authority Framework and an Organizational Framework for Information Systems Security Policy, as well as a set of individual policies and procedures to ensure best practices in personal data security.

In addition, the Company has developed a training and awareness program for its staff in order to ensure continuous information, not only on security issues, but more generally on issues of personal data protection.

ARTICLE 15 - ARCHIVES (REGISTERS) OF PROCESSES

The Company keeps, in electronic form, a file (register) of the processes for which it is responsible.

This file includes at least the following information, in cases where the Company operates as a controller:

- the name and contact details of the controller and, where applicable, of the joint controller, of the controller's representative and of the Data Protection Officer,

- the purposes of processing,

- description of categories of data subjects and categories of personal data,

- the categories of recipients to whom personal data are to be or have been disclosed, including recipients in third countries or international organizations,

- transfers of personal data to a third country or international organization, including the identification of that third country or international organization and documentation of appropriate guarantees, where applicable,

- the estimated retention period of the various categories of data, where possible,

- general description of technical and organizational security measures, where possible.

This file should include at least the following information, in cases where the Company operates as the executor of the processing:

- the name and contact details of the processor or processors and the processors acting on their behalf and, where appropriate, the representative of the processor or processor, as well as the data protection officer,

- the processing categories carried out by each controller,

- transfers of personal data to a third country or international organization, including the identification of that third country or international organization and documentation of appropriate guarantees, where applicable,

- general description of technical and organizational security measures, where possible.

 

ARTICLE 16 - DATA PROTECTION IMPACT ASSESSMENT

The Company conducts an impact assessment based on specific criteria whenever a type of processing may pose a high risk to the rights and freedoms of individuals, unless otherwise specified. The following criteria are taken into account in order to identify processing operations that require an impact assessment due to their inherently high risks:

- assessment or grading, including profiling and forecasting,

- automated decisions that produce legal effects or similarly significant effects, such as exclusion or discrimination against individuals,

- systematic monitoring, including data collected through networks or systematic monitoring of publicly accessible space,

- sensitive data or highly personal data,

- large-scale data processing,

- assignment or combination of data sets,

- data concerning vulnerable data subjects, such as children, vulnerable sections of the population in need of special protection (the mentally ill, asylum seekers, the elderly, the sick, etc.),

- innovative use or application of new technological or organizational solutions, and

- when processing itself prevents data subjects from exercising a right or using a service or contract.

 

ARTICLE 17 - BREACH OF PERSONAL DATA

A violation of personal data is an incident related to unintentional or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transferred, stored or otherwise processed by the Company.

The Company has the appropriate organizational and technical measures for the timely recognition as well as the effective management of such incidents. The following criteria are taken into account when assessing the risk:

- the type of violation,

- the nature, sensitivity and volume of personal data affected,

- the ease of identifying the data subject,

- the severity of the consequences for the data subject,

- the specific characteristics of the data subject, and

- the number of data subjects.

 

ARTICLE 18 - REGISTRATION OF BREACH INCIDENTS

All incidents of personal data breach are kept in an appropriate log file. This file records all the details about the incident (date, actions, stakeholders, action plan, etc.), as well as details about the assessment of the incident and informing the subjects and / or supervisory authorities.

 

ARTICLE 19 - ANNOUNCEMENT OF DATA BREACH

When the violation of personal data may endanger the rights and freedoms of the subjects, the Company, through the Data Protection Officer, must notify this violation to the supervisory authority without undue delay and, where possible, within seventy-two (72) hours of becoming aware of it and in accordance with the prescribed procedure. If the notification to the supervisory authority is not made within this specific time period, the Company will have to prove the reasons for the delay.

When the violation of personal data is likely to lead to a high risk to the rights and freedoms of the subjects, the Company must also notify without delay the violation of personal data to the data subject.

 

CHAPTER 4: MANAGEMENT OF DATA PROCESSORS

 

ARTICLE 20 - CONTRACT CLAUSES

In any case in which the Company acts as the controller and expresses the intention to enter into an agreement with a third party who will act as the executor of the processing, it ensures the existence of appropriate measures of confidentiality and data security, which apply in the environment of the executor of the processing. The Company retains the responsibility of protecting this data.

Any cooperation is governed by a written contract, which includes sufficient clauses to meet requirements such as security and confidentiality obligations, information security requirements, and obligations regarding the use and disclosure of information. The processor undertakes non-disclosure in writing, by signing either a non-disclosure agreement or a relevant term in any cooperation agreement with the Company, in order to prevent the processor and his employees from using or disclosing the information of the Company.

 

CHAPTER 5: DATA TRANSMISSION TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS

 

ARTICLE 21 - TRANSMISSION OF PERSONAL DATA TO THIRD PARTIES

The Company ensures that personal data are not transferred to countries that do not ensure an adequate level of protection. If the Company deems it necessary to transfer data to countries that do not ensure an adequate level of protection, it ensures that appropriate guarantees are provided, such as through binding corporate rules, standard data protection clauses or an approved Code of Conduct.

Any transfer of data by the Company within the framework of its responsibilities as a contractor or partner of a government agency or other service of the European Union (EU), the European Commission or another EU body, is carried out in accordance with the provisions of the Regulation (EU) 2016/679 (GDPR).

 

ANNEX

CONCEPTS AND DEFINITIONS

 

GDPR

General Regulation on Data Protection (Regulation (EU) 2016/679 of the European Parliament and of the Council).

 

Special categories of personal data ("sensitive data")

Personal data disclosing racial or ethnic origin, political views, religious or philosophical beliefs or trade union affiliation, as well as genetic data, biometric data for the purpose of indisputable natural person life or sexual orientation.

 

Data Processor

The natural or legal person, public authority, service or other body that processes personal data on behalf of the controller.

 

Impact assessment on data protection

Risk assessment process related to the rights and freedoms of individuals, which then determines the appropriate measures to address them.

 

Data processing

Any operation or sequence of operations performed with or without the use of automated means, on personal data or on personal data sets such as collection, registration, organization, structure, storage, adaptation or modification, retrieval, the search for information, use, disclosure by transmission, dissemination or any other form of disposal, association or combination, restriction, deletion or destruction.

 

Supervising Authority

Independent public authority set up by a Member State. In Cyprus, this authority is called the Office of the Commissioner for Personal Data Protection (GEFDPX).

 

Disclosure

Disclosure, notification, announcement or any other action that makes it possible to disclose such data to recipients.

 

Register of processes

Electronic file with all the Company's processes related to personal data per Service Unit.

 

Breach of personal data

An incident involving accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed.

 

Consent

Any indication of will, free, specific, explicit and fully aware, with which the data subject expresses that he agrees, with a statement or with a clear positive action, to the processing of the personal data concerning him.

 

Third parties

Any natural or legal person, public authority, service or body that is authorized to process the personal data of the Company.

Exceptions are the data subject, the controller, the processor, as well as the persons who are under the direct supervision of the controller or processor.

 

Controller

The natural or legal person, public authority, service or other body which, alone or jointly with others, determines the purposes and manner of processing personal data. Where the purposes and manner of such processing are determined by Union law or the law of a Member State, the controller or the specific criteria for his appointment may be laid down in European Union legislation or in the law of a Member State.

Data Protection Officer (DPO)

The person to whom the Company has assigned the respective role described by the GDPR.

 

Data subject

Any natural person who is the subject of the personal data kept in the Company.