PRIVACY AND DATA PROTECTION POLICY
1. Purposes and objectives
1.1 The Association is committed to handling Personal Data responsibly in order to earn and preserve the trust of its members and any third party interacting with the Association.
1.2 This Policy defines the main principles applicable to the Processing of Personal Data by the Association with a view to guaranteeing every individual’s right to privacy.
1.3 The Association Processes Personal Data in order to comply with its legal obligations, carry out administrative tasks, and comply with requirements for the proper performance of its legal relationships towards its members and third parties with whom there is any legal relationship.
2. Scope
2.1 This Policy is global in scope and applies to the Association everywhere and to all Processing of Personal Data of Data Subjects.
2.2 The requirements defined in this Policy shall also be applied to third parties Processing Personal Data on behalf of the Association, such as consultants, service providers, or other partners, for instance by way of contractual provisions.
2.3 This Policy concerns all Personal Data the Association is Processing and applies to any individual’s Personal Data, whether, in particular, an employee, a member, a party to an agreement with the Association, such as a subcontractor or service provider or any consultant.
2.4 This Policy also concerns all Personal Data the Association is Processing and equally applies to any kind of Personal Data Processing regardless of the medium used (electronic, paper, other) and purposes listed in paragraph 4.2.2 below.
2.6 This Policy does not apply to data related to legal entities.
3 Definitions
3.1 “Association” or “Controller” means Youth for Exchange and Understanding (NEOLEA GIA ANTALLAGI KAI KATANOISI) and it shall also constitute the data controller, i.e. legal person which determines the purposes and means of the Processing of Personal Data of the Data subject to this Policy; you may contact the Association at info@yeucyprus.org
3.2 “Consent” means the Data Subject’s freely given specific and informed indication of their wishes by which the Data Subject signifies their agreement to the Processing of their Personal Data for the purposes described;
3.3 “Data Subject” means an identified or identifiable natural person to whom Personal Data that are being Processed relates; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity; this definition includes members of the Association and third parties in a legal relationship with the Association;
3.4 “Personal Data” or “Data” means any information relating to a Data Subject;
3.5 “Personal Data Processing” or “Processing” or “Processed” means any operation or set of operations performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;
3.6 “Policy” means this privacy and personal data protection policy;
3.7 “Processor” or “Data Processor” means the person or persons Processing Personal Data on behalf of the Association and it shall jointly be the Secretary and the Treasurer of the Board of the Association, whoever they are from time to time;
3.8 “Recipient” means the natural or legal person to whom/which Personal Data are disclosed and these may be (a) regulatory and/or governmental authorities and/or services, and other organisations with whom the Association cooperates;
3.9 “Sensitive Data” or “Special Categories of Personal Data” means Personal Data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
4 Requirements
4.1 The Processor, or any other natural or legal person Processing Personal Data on behalf of the Controller, shall only act on instructions from the Association, and must comply with the terms of this Policy, the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and all other relevant applicable national and EU law.
4.2 The Processor, or any other natural or legal person Processing Personal Data on behalf of the Controller, shall comply with the following processing principles:
4.2.1 Legitimate and fair processing of personal data may only be carried out on a legitimate basis and in a fair and transparent manner. The Association may only process personal data based on one or more of the legitimate bases explained below in paragraph 4.2.2.
4.2.2 Explicit and lawful purpose
4.2.2.1 Personal data needs to be collected for one or more specific and legitimate purpose(s) and should not be processed in a way incompatible with this/those purpose(s).
4.2.2.2 No Personal Data may be Processed unless the purpose of the Processing has been precisely defined beforehand and is legitimate under applicable law. Under the conditions provided for by applicable law, the purpose of Processing may not vary in time, except if Data Subjects are duly notified by electronic or other communication and give their consent to such variation and/or amendment where required.
4.2.3 Open and fair processing. Personal Data shall not be collected or obtained by deceit or other underhanded methods. For the sake of fair processing of Data, Data Subjects are entitled to receive the information that will make the Processing transparent (in particular: identity of the Controller, purposes of the Processing, categories of Recipients, whether replies to questions are mandatory or voluntary, what the rights of Data Subjects are, and, where appropriate, that their Data may be transferred). YEU Cyprus is responsible for ensuring that the proper information is provided to the Data Subjects at the time of Data collection unless law stipulates otherwise.
4.2.4 Security and confidentiality. YEU Cyprus shall adopt, or require to be adopted, technical and organisational security and confidentiality measures that are appropriate in relation to the risks associated with the Processing so as to prevent, in particular, accidental or unlawful destruction or accidental loss, alteration, disclosure of, or unauthorised access to, the Data. YEU Cyprus, however, cannot guarantee the security of the Data during their transmission to YEU Cyprus by the Data Subjects. Any information or Data that the Data Subjects send to YEU Cyprus is sent at their own risk and YEU Cyprus can only guarantee the security of Data that has been received and is in YEU Cyprus's possession. The Data Processed can be viewed only by the Processor and authorised personnel, and it may be disclosed to government authorities or third parties if YEU Cyprus is under a legal obligation to do so or for other lawful purposes.
4.2.5 Quality, Accuracy and proportionality of data. Personal Data must be accurate, up to date, adequate, relevant, and not excessive in relation to the purposes for which they are Processed.
4.2.6 Length of the retention period of personal data. Personal Data of Data Subjects shall be retained for as long as they remain in contact with or in a legal or otherwise defined relationship with YEU Cyprus and thereafter for a further period of 6 years. At any given time, when YEU Cyprus considers that personal information is no longer necessary for the purpose for which it was collected, it will remove any details that will identify the Data Subject or will securely destroy the records.
4.2.7 Rights of Data Subjects. Sensitive Data may be Processed only where strictly necessary for YEU Cyprus legitimate purposes and in accordance with any safeguards required by law, such as the prior express consent of the Data Subject. The Data Subject has the rights of (i) access to a copy of the information comprised in their Personal Data, (ii) restriction of Processing of Personal Data, (iii) objection to processing that is likely to cause or is causing damage or distress, (iv) prevention of processing for direct marketing, (v) objection to decisions being taken by automated means, (vi) rectification, blockage, erasure or destruction of inaccurate Personal Data where considered right by YEU Cyprus or Office of the Commissioner for Personal Data Protection in case of recourse to him/her, (vii) lodging a complaint with the Office of the Commissioner for Personal Data Protection or other supervisory authority, (viii) right to portability, and (ix) claim to compensation for damages caused by a breach of the terms of this Policy, the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and all other relevant applicable national and EU laws and regulations.
4.2.8 Processors. Before YEU Cyprus engages the services of a Processor (for example, as a result of an outsourcing or other Data Processing arrangements), whether an employee of YEU Cyprus or an affiliated organisation or association or company or a third party, YEU Cyprus shall enter into appropriate written Data Processing Contracts in accordance with the requirements under applicable Cyprus and EU law and regulations and of this Policy, which will stipulate inter alia that the Processor will act only on documented instructions from YEU Cyprus and will put in place and maintain adequate security and confidentiality measures to protect the Personal Data being Processed.
4.3 Accountability and Supervision. In order to ensure accountability for the processing of personal data in line with this Policy, YEU Cyprus will set up an accountability and supervision structure as follows: YEU Cyprus as the data controller is responsible for establishing and overseeing the processing of personal data under its area of responsibility. In order to comply with the Policy, the YEU Cyprus Board of Directors designates the Vice-President of the Board, Annita Tsolaki, as the Data Protection Officer. The Data Protection Officer is responsible for:
(i) Determining the applicable legitimate basis for and the specific and legitimate purposes of data processing;
(ii) Ensuring the implementation of organizational and security measures as well as assessing data security of third parties;
(iii) Establishing internal procedures, in the form of Data Protection Standard Operating Procedures, covering all relevant aspects of this Policy, in particular regarding the respect for the rights of the data subject and measures aimed at ensuring data confidentiality and security;
(iv) Ensuring that data protection and data security aspects are adequately included in agreements with third parties;
(v) Negotiating and concluding data transfer agreements with third parties as required or appropriate.
4.4 Complaints mechanism: The Data Subject has the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection, 1 Iasonos str., 1082 Nicosia, P.O.Box 23378, 1682 Nicosia, Tel: +357 22818456, Fax: +357 22304565, Email: commissioner@dataprotection.gov.cy, and/or lodge a complaint to YEU Cyprus directly.
5. Data to be collected and processed
5.1 The Personal Data that may be collected and Processed is listed as follows:
Name;
E-mail address;
Mobile telephone number;
Address;
Other contact details;
Emergency contact name and details;
Social Security number;
TIC;
Nationality;
Date of birth;
Gender;
Identification number;
Bank Account Details;
Education / Qualifications;
Fewer Opportunities;
6 Personal Data Transfers
6.1 YEU Cyprus may, in the conduct of its business, have to transfer Personal Data from one country to another, whether to affiliated companies or third parties.
6.2 A Transfer shall take place in strict compliance with applicable law and the rules laid down in this Policy. In order to provide Data Subjects with the highest possible level of protection, YEU Cyprus, its employees, affiliated companies, and third parties involved in the Transfer shall apply the legislation of that country concerned which is most protective of Personal Data, in the case of Transfers of Personal Data from one country to another.
6.3 A Transfer shall be carried out for a specified, explicit and legitimate purpose. Thus, YEU Cyprus must be capable of justifying the Transfer, and providing evidence that the Transfer is compatible with the purpose of the initial Processing and of the legal requirements under Cyprus Law, the General Data Protection Regulation and/or the law of the country where the Data shall be transferred.
6.4 The Transfer shall only concern Personal Data which are relevant and not excessive for the purpose of the Transfer.
6.5 Where the Transfer is carried out from YEU Cyprus to an affiliated company or third party located outside the European Economic Area, safeguards shall be taken to ensure an adequate level of protection of the Personal Data in accordance with applicable law, such as in the form of the model clauses published and approved by the European Commission from time to time, if applicable, the EU-US Privacy Shield or any other equivalent applicable arrangements and provided always that the Data Subject has been duly notified and consented to the Transfer, where required, and the necessary notifications have been made to and/or the necessary authorisations have been obtained by the relevant national data protection authority, if applicable.
7. Enforcement
YEU Cyprus reserves the right to take such action as it deems appropriate against users who breach this Policy. Violators are subject to disciplinary action up to and including dismissal from employment, and civil or criminal prosecution, as appropriate. Disciplinary action shall be conducted in accordance with applicable policies.
8. Review And Updates To The Policy
This Policy will be reviewed and updated annually or more frequently if necessary, to ensure that any changes to the YEU Cyprus practices are accurately reflected. Questions or recommendations regarding this document should be directed to YEU Cyprus Vice-President, Annita Tsolaki as the Data Protection Officer.