TABLE OF REVISIONS
|REVISION NUMBER||DATE||AMENDMENT DESCRIPTION|
|DRAFTED BY:||APPROVED BY:|
|JOB POSITION:||Data Protection Officer||Municipality Representative|
The purpose of this policy is to define and formulate the general context and the basic principles that the “MUNICIPALITY OF PEYIA” (hereinafter referred to as the “Organisation”) sets out and applies with regard to the processing of personal data and the protection of their safety, confidentiality, integrity and availability.
This Policy applies to all personal data managed by the Organisation within the framework of its activities.
3 PERSON RESPONSIBLE FOR IMPLEMENTING THIS POLICY
- Data Protection Officer
- The staff of the entire Organisation.
- All partners who manage and/or have access to personal data
Our Organisation acknowledges and respects the importance of the personal data it manages in the context of its activities, and for this reason it has fully adapted its policy to the requirements of the General Regulation on the Protection of Personal Data (hereinafter referred to as GDPR) 2016/679/EC.
We hereby declare that our organisation wishes:
- to inform its transactors in what capacity, for what purpose, and on what legal basis it processes personal data, i.e. information that can help to directly or indirectly identify persons
- to determine the categories of data, the sources of data (when the data are not provided by the persons themselves) and the criteria for determining the period of retaining the personal data
- to inform its transactors on the transfers of their personal data to third parties or to third countries
- to inform the subjects about their ability to contact our Organisation for any matter relating to the processing of their personal data, the ability to exercise their rights of access, rectification and, where appropriate, deletion, restriction and opposition to the processing with regard to their personal data, and the right of the persons to report any breach of their rights associated with their personal data to the Commissioner for the Protection of Personal Data
- to define the principles governing compliance of the Organisation with the relevant personal data protection and safety guarantees.
For any questions or concerns, or if anyone wishes to receive a copy of this declaration, or wishes to exercise any of the rights associated with his personal data, the person concerned can address the Data Protection Officer (DPO) of our Organisation.
4.2 Data Controller, Representative and Data Protection Officer Details
| ||Data Controller:||Data Protection Officer:|
|Name:||MUNICIPALITY OF PEYIA||AQS – Advanced Quality Services|
|Address:||Vrisi ton Peyiotisson Square, 8560 Peyia||1A Tirnavou & Saradaporou str, Agios Stefanos, Attica|
|Telephone:||(+357) 26 621113, (+357) 26 621244||(+30) 210 6216997, (+30) 210 6216998|
|Fax:||(+357) 26 621571||(+30) 210 6216990|
4.3 Who collects the personal data?
Our Organisation has its registered office in Cyprus and operates as a local government body.
It should be noted that during your visit to our Organisation’s Web page simple data are collected that are related to your interaction with the web page and the installation of cookies (see relevant cookies Policy). The websites of third parties, in general, apply their own confidentiality declarations and their own terms and conditions. We invite you to read them before you use these websites.
4.4 How are my personal data collected?
We may collect personal data from various sources, namely:
- Personal data given to our Organisation directly by the subjects, for one of the following reasons:
  - Details you give us to satisfy your request.
  - Details you give us when concluding, during the progress of and when terminating our contractual relationship.
  - Details you give us when you participate in events and actions of our Organisation.
  - Details you give us when you contact us or when you submit a request.
  - Details you give us when you sign up to the newsletter of our Organisation.
- We also obtain personal information indirectly, in the following cases:
  - Details we collect during the CCTV operation at the premises of our Organisation.
  - Details we obtain from other Governmental Agencies, in the context of fulfilling our legal obligations.
4.5 What personal data are collected?
Personal Data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Due to the nature of the activities of our Organisation, the Personal Data collected mainly relate to the following subject categories:
- Organisation Employees: i.e. their personal data and details concerning exclusively the working relationship with our Organisation, which include, but are not limited to, identity and contact details, financial and health data of themselves or additional members related to our Organisation’s compliance with the labour and insurance legislation.
- Candidates for recruitment: i.e. their personal data and details referred to in their evaluation as candidates and the recruitment procedures of the Organisation, which include, but are not limited to, identity and contact details, as well as details of the professional curricula vitae of the candidates.
- Organisation’s partners (suppliers and other partners in general): i.e. their personal data and details referred to in our contractual relationship, which include, but are not limited to, identity and contact details, transactions data and financial information related to our Organisation’s compliance with the labour and insurance legislation.
- Transactors of the Organisation (customers, prospective customers and generally people who communicate with our Organisation): i.e. their personal data and details referred to in our contractual relationship, where it exists, or are used to communicate with our Organisation, which include, but are not limited to, identity and contact details, transactions data and financial information related to our Organisation’s compliance with the labour and insurance legislation.
- Trainees of the Organisation: i.e. personal data of the persons participating in training courses organised by our Organisation, which include, but are not limited to, identity and contact details, details of the contractual relationship of our Organisation with the participants (e.g. a contract of employment when the participant is an employee of our Organisation).
- Newsletter recipients: i.e. personal data of the persons who provide them to our Organisation with their consent to communicate with them for purposes of information and direct marketing of products and services, which include, but are not limited to, identity and contact details, details of older transactions of our Organisation with them (if the recipient is or has been a client of our Organisation).
Furthermore, Personal Data may be collected from natural persons entering our Organisation and its facilities during the CCTV operation, for safety reasons of persons and goods.
It should be noted that, besides the health and nationality data referred to in this document, we do not collect special categories of personal data, such as personal data relating to race, religion, sexual orientation or genetic or biometric data, etc., which are categorised as special data categories and receive additional protection in accordance with the European legislation on the protection of personal data.
4.6 Specifically, as to the privacy of children
Children’s personal information may be collected exclusively within the framework of the fulfillment of our legal obligations and the working relationship of our employees, i.e. for the description of the marital status of employees for remuneration issues, labour rights, etc. It is understood that these details are provided with the consent of the person who has parental responsibility for the child (see also below).
4.7 What purposes are my data used for?
The processing purpose is analogous to the relevant operation performed. In particular:
- The personal data of the employees are provided to our Organisation for the purpose of concluding, performing or terminating the relevant work / cooperation contract. Also, the personal data of the employees concerning attendances, absences, hours of attendance, leaves and sick leave medical supporting documents are retained for the purpose of granting leaves, including sick leaves, while the personal data relating to the performance of the employees are provided by the heads of the individual departments for the purpose of staff evaluation by the Organisation.
- The personal data of the candidates, which they provide themselves during the individual selection and evaluation stages, shall be notified to the relevant Department of the Organisation and to the Administration, with a view to informing the Organisation, assessing the candidates, performing interviews, etc., in order to recruit employees and enter into cooperation.
- The personal data of partners, customers, trainees and transactors in general of the Organisation, which they provide to our Organisation themselves, are collected and processed for the purpose of entering into and further developing our contractual relationship, where it exists, our compliance with our legal contractual obligations and, as the case may be, our communication with them at their request.
- The personal data of the newsletter recipients are collected with their consent and are used to communicate with them for purposes of information and direct marketing of products and services.
- The entrance and the other facilities are surveilled with CCTV image recording cameras. Any person (employee or visitor) entering the premises shall be informed in an appropriate, clearly visible and understandable way (signs) that he is entering a CCTV-surveilled area for reasons of safety and protection of persons, goods and critical infrastructure, and shall also be informed about other legal details.
4.8 What is the legal basis for processing?
The collection and processing of personal data of the above subjects is based on:
- Article 6 (1) subpar. a: the data subject has consented to the processing of his personal data for one or more specific purposes.
- Article 6 (1) subpar. b: the preparation and the performance of the contract.
- Article 6 (1) subpar. c: processing is necessary for compliance with a legal obligation of the controller.
- Article 6 (1) subpar. f: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless the interests or the fundamental rights and freedoms of the data subject take precedence over those interests, which impose the protection of the personal data, in particular if the data subject is a child.
4.9 Profile Drafting
The Organisation does not use personal data to create profiles.
4.10 Transmission of Data to Third Parties: Whom will my data be shared with?
The Organisation generally does not share the data with third parties, except in the following cases. In particular:
- Data obtained automatically via the information systems of the Municipality from interconnected public services
- The data transmitted to partners within the framework of the contracts the Organisation concludes with them.
It should be noted that the aforementioned partners have access to the personal data needed to perform their functions, but are prohibited from using them for other purposes. In addition, they have previously committed to our Organisation, as regards their relevant obligations, not to use the data for any purpose other than the performance of processing, to observe confidentiality and in general to comply with the Regulation in accordance with applicable laws.
4.11 How long shall my personal data be retained for?
The retention time of personal data depends primarily on the purpose of processing, since their simple retention constitutes an act of processing which is only allowed if governed by the principles of processing. After the expiry of the retention time the personal data shall be deleted. In particular:
- The personal data of candidate employees shall be retained in electronic format in a mail server and a file server, to which the H.R. Department and the Administration of the Organisation shall have access, for a two-year period after the completion of the selection – recruitment process of the employee. The retention is due to possible reassessment of the candidates by the Organisation.
- The personal data of the employees, i.e. people who have already entered into a contract of employment with the Organisation, shall be retained in a physical file and in a file server by the H.R. Department firstly during the term of the employment relationship. After the termination of the employment relationship, for whatever reason, the relevant data shall be retained for twenty years at maximum (indicative limitation period for any relevant legal claims), a period during which any legal case of processing thereof may occur, such as the occurrence of civil law cases or the investigation of felonies where an employee might be involved, a fiscal audit, etc. The aforementioned shall apply with respect to information of corporate assets provided to employees, accesses to electronic and physical files and fields of work and corporate mobile phones, for the purpose of performing the employment contract. They shall also apply with regard to personal data relating to granting leaves to the employees (attendances, absences, hours of attendance, leaves, sick leave medical supporting documents) and to the assessment of the staff.
- The personal data of customers and partners of our Organisation shall be retained in a physical file and in a file server firstly during the term of our contractual relationship. After the termination of the employment relationship, for whatever reason, the relevant data shall be retained for twenty years at maximum (indicative limitation period for any relevant legal claims), a period during which any legal case of processing thereof may occur, such as the occurrence of civil law cases or the investigation of felonies, a fiscal control, etc.
- Personal data of employees and visitors deriving from a closed-circuit TV system that operates on our premises, including the entrance and selected work sites, shall be retained for a period of fifteen (15) days on a CCTV recorder, without prejudice to more specific provisions of the law applicable to specific categories of controllers. In the event of an incident related to the purpose of processing, the controller may keep the recordings in which the specific incident has been recorded in a separate file for three (3) months. After the expiry of the above period, the controller may retain the data for a longer specific period only in the exceptional cases where the incident requires further investigation. In this case, the controller shall be obliged to inform the Authority for the necessary retention time of the said recordings.
4.12 What rights do I have?
The processing of your personal data is connected to your respective rights, which, without prejudice to the provisions that may restrict the exercise thereof, are:
- Right to be informed: You have the right to receive clear, transparent and understandable information about how we use personal data and what your rights are. For this purpose, we provide you with the information in this Declaration – Protection Policy and we urge you to address any clarification requests to us.
- Right of access: You can request us to correct or supplement your data if they are incomplete or contain inaccuracies.
- Right to rectification: You can request us to correct or supplement your data if they are incomplete or contain inaccuracies.
- Right to data portability: You can request us to give you or transfer to a third-party provider in electronic format specific information you have provided to us.
- The right to erasure: In some cases, you can request the erasure of all or part of your data (for example, if the data are no longer necessary for the purposes for which they were collected, etc.).
- Right to restrict processing: You have the right to restrict processing of your personal data.
- Right to withdraw the consent: If you have given your consent for the processing of your Personal Data, you have the right to withdraw your consent at any time by contacting us at the details provided herein.
- Right to object: You can object against the processing of your data performed in the context of our legitimate interests, as they are mentioned above.
- Right to complain to the Personal Data Protection Authority. You have the right to submit a complaint directly to the local supervisory authority, the Personal Data Protection Authority concerning how we process your personal data.
- Rights in relation to automated decision making. You have the right not to be subject to a decision based solely on automated processing and which has legal or other significant consequences on you. Specifically, you have the following rights:
- right to human intervention,
- right to express your opinion,
- right to get explanations for the decision adopted after an assessment,
- right to challenge this decision.
In the case of exercising one of the above rights, we will take every possible measure to satisfy your request within a reasonable period and at the latest within one (1) month from the identification of your submitted request, informing you in writing about the satisfaction of your request, or the reasons which prevent the exercise of the right, or also the satisfaction of one or more of your rights, in accordance with the General Regulation on the Protection of Personal Data. It should be noted that, in some cases, the satisfaction of your relevant requests may not be possible, as for example when the satisfaction of the right is contrary to a legal obligation or comes into conflict with a contractual legal basis for the processing of your data.
However, if you think that there is a breach of any of your rights or of a legal obligation of our Organisation in relation to the protection of Personal Data and after you have previously addressed the Data Protection Officer of the Organisation (DPO) on this issue, i.e. you have exercised your rights against the Organisation and either you did not receive a response within one month (a period prolonged for two months in the case of a complicated request), or you consider that the response you received from the Organisation is not satisfactory and your issue has not been resolved, you may submit a complaint to the competent supervisory authority, i.e. the Office of the Commissioner for Personal Data Protection, http://www.dataprotection.gov.cy/, 1 Iasonos Ave., 1082 Nicosia, email: commissionerdataprotection.gov.cy, Telephone: +357 22818456, Fax: +357 22304565.
4.13 How are my personal data protected?
We have taken appropriate organisational and technical measures to protect your personal data from abuse, intervention, loss, unauthorized access, modification or disclosure. The measures that we use include the implementation of appropriate measures in access control and technical safety of information, as well as ensuring that personal data are encrypted, pseudonymised and anonymised, where necessary and feasible.
Access to your personal data shall only be allowed to our competent employees and partners and only if it is necessary to support the activities of the Organisation, and it is subject to strict contractual obligations of confidentiality, when processing is assigned to and performed by third parties.
4.14 How can I contact the Organisation?
You can contact us at the address of our registered office, Vrisi ton Peyiotisson Square, 8560 Peyia, Cyprus or at the e-mail address firstname.lastname@example.org or submit a request via the Contact form on our website.
4.15 Updating of this Declaration of Personal Data Protection Policy
This declaration will be revised where necessary in order to be adapted to legislative changes, to respond to the comments and the needs of the personal data subjects and to the changes in products, services and internal procedures of our Organisation. Any change will be published with simultaneous revision of the last update date at the top of this declaration – Personal Data Protection Policy.