PRIVACY AND DATA PROTECTION POLICY
PRIVACY AND DATA PROTECTION POLICY
1. Purposes and objectives
1.1. The Association is committed to handling Personal Data responsibly in order to earn and preserve the trust of its members and any third party interacting with the Association.
- This Policy defines the main principles applicable to the Processing of Personal Data by the Association with a view to guarantee every individual’s right to privacy.
- The Association Processes Personal Data in order to comply with its legal obligations, carry out administrative tasks, and comply with requirements for the proper performance of its legal relationships towards its members and third parties with whom there is any legal relationship.
2.1 This Policy is global in scope and applies to the Association everywhere and to all Processing of Personal Data of Data Subjects.
- The requirements defined in this Policy shall also be applied to third parties Processing Personal Data on behalf of the Association, such as consultants, service providers, or other partners, for instance by way of contractual provisions.
- This Policy concerns all Personal Data the Association is Processing and applies to any individual’s Personal Data, whether, in particular, a member, a party to an agreement with the Association, such as a subcontractor or service provider or any consultant.
- This Policy also concerns all Personal Data the Association is Processing and equally applies to any kind of Personal Data Processing regardless of the medium used (electronic, paper, other) and purposes listed in paragraph 4.2.2 below.
- This Policy does not apply to data related to legal entities.
- “Association” or “Controller” means Accept – LGBT Cyprus and it shall also constitute the data controller, i.e.
the legal person which determines the purposes and means of the Processing of Personal Data of the Data Subjects subject to this Policy; you may contact the Association at email@example.com
- “Consent” means the Data Subject’s freely given specific and informed indication of his/her wishes by which the Data Subject signifies his/her agreement to the Processing of his/her Personal Data for the purposes described;
- “Data Subject” means an identified or identifiable natural person to whom Personal Data that are being Processed relates; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity; this definition includes members of the Association and third parties in a legal relationship with the Association;
- “Personal Data” or “Data” means any information relating to a Data Subject;
- “Personal Data Processing” or “Processing” or “Processed” means any operation or set of operations performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;
- “Policy” means this privacy and personal data protection policy;
- “Processor” or “Data Processor” means the person or persons Processing Personal Data on behalf of the Association and it shall jointly be the Secretary and the Treasurer of the Board of the Association, whoever they are from time to time;
- “Recipient” means the natural or legal person to whom/which Personal Data are disclosed and these may be (a) regulatory and/or governmental authorities and/or services, and other organisations with whom the Association
- “Sensitive Data” or “Special Categories of Personal Data” means Personal Data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
- The Processor, or any other natural or legal Processing Personal Data on behalf of the Controller, shall only act on instructions from the Association, and must comply with the terms of this Policy, the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and all other relevant applicable national and EU law.
The Processor, or any other natural or legal Processing Personal Data on behalf of the Controller, shall comply with the following processing principles:
- Legitimate and fair processing
Processing of personal data may only be carried out on a legitimate basis and in a fair and transparent manner. The Association may only process personal data based on one or more of the legitimate bases explained below in paragraph 4.2.2.
Explicit and lawful purpose
- Personal data needs to be collected for one or more specific and legitimate purpose(s) and should not be processed in a way incompatible with this/those purpose(s).
- No Personal Data may be Processed unless the purpose of the Processing has been precisely defined beforehand and is legitimate under applicable law. Under the conditions provided for by applicable law, the purpose of Processing may not vary in time, except if Data Subjects are duly notified by electronic or other communication and give their consent to such variation and/or amendment where required.
- Generally, the purposes of Processing of Data Subjects’ Personal Data within the context of this Policy are in relation to fulfilling the obligations and duties of the Association under its mandate, as expressed in the objects stated in the Articles of Association of the Association in connection with the Data Subjects.
- The main legal bases for processing Data Subjects’ Personal Data are as follows:
- It is necessary to protect the vital interests of the relevant Data Subjects or those of another data subject or a third party, not overridden by the interests, fundamental rights or freedoms of the relevant Data Subject;
- To ensure the safety and security of members or other related individuals both within and beyond the mandate of the Association or third parties;
- Performance of obligations to Data Subject: We process Personal Data in order to provide our services and/or information and/or assistance to members and/or in order to comply with obligations to third parties with whom we have a legal relationship such as payments and/or social insurance obligations. In view of this, we need to verify the Data Subject’s identity and pertinent details we shall be needing for the purposes of such obligations;
- For the purposes of safeguarding legitimate interests: We Process Personal Data so as to safeguard the legitimate interests pursued by us or by a third party. A legitimate interest is when we have a lawful reason to use the Data Subject’s information. Despite that, it must not unfairly go against what is right and best for the Data Subject. Examples of such processing activities include initiating complaints before independent authorities, initiating legal claims and/or preparing our defence in litigation procedures;
- Consent: Our storage and use of the Data Subject’s Personal Data is based on their consent (other than for reasons described or implied in this Policy when consent is not required). The Data Subject may revoke consent at any time; however, any processing of personal data prior to the receipt of revocation will not be affected;
- To investigate or settle enquiries or disputes: We may need to use personal information collected from the Data Subject to investigate issues or to settle disputes with them because it is in our legitimate interests to ensure that issues and disputes get investigated and resolved in a timely and efficient manner;
- To comply with applicable laws, court orders, other judicial process, or the requirements of any applicable regulatory authorities: We may need to use the Data Subject’s personal information to comply with any applicable laws and regulations, court orders or other judicial process, or the requirements of any applicable regulatory authority. We do this not only to comply with our legal obligations but because it may also be in our legitimate interest to do so.
- For administrative purposes and/or keeping a record of who are our members and/or our partners;
- Fulfilling statutory requirements of the Registrar of Associations; and
- To notify members and/or partners of any upcoming events, matters, activities, projects, and meetings of the Association.
- Quality and proportionality of data
Personal Data must be accurate, up to date, adequate, relevant, and not excessive in relation to the purposes for which they are Processed.
Length of the retention period of personal data
- Personal Data shall be retained for as long as it is necessary for the purposes for which they are Processed.
- Personal Data of members shall be retained for as long as they remain members of the Association. After the end of their membership, for whatever reason, such Personal Data shall be retained for up to a further maximum of 6 years.
- Personal Data of any third parties in a contractual or other legal relationship with the Association shall be retained up to the end of the contractual or legal relationship with the Association; after the end of the said contractual or legal relationship, such Personal Data shall be retained for up to a further maximum of 6 years.
- Open and fair processing
Personal Data shall not be collected or obtained by deceit or other underhanded methods. For the sake of fair Processing of Data, Data Subjects are entitled to receive the information that will make Processing a transparent one (in particular: identity of the Controller, purposes of the Processing, categories of Recipients, what are the rights of Data Subjects, and, where appropriate, that their Data may be disclosed for specific purposes). The Association is responsible for ensuring that the proper information is provided to the Data Subjects at the time of Data collection unless law stipulates otherwise.
Security and confidentiality
- The Association shall adopt or require that be adopted technical and organisational security and confidentiality measures that are appropriate in relation to the risks associated with the Processing so as to prevent, in particular, accidental or unlawful destruction or accidental loss, alteration, disclosure of, or unauthorised access to, the Data.
- The Association however cannot guarantee the security of the Data during their transmission to the Association by the Data Subjects. Any information or Data that the Data Subjects send to the Association is done at their own risk and the Association can only guarantee the security of Data that has been received and is in the Association’s possession.
- The Data Processed can be viewed only by the Processor, authorised personnel of the Registrar of Associations and it may be disclosed to other government authorities or third parties if the Association is under a legal obligation to do so or for other lawful purposes.
Rights of Data Subjects
- Sensitive Data or Special Categories of Data may be Processed only where strictly necessary for the Association’s legitimate purposes and in accordance with any safeguards required by law, such as the prior express consent of the Data Subject.
- The Data Subject has the rights of (i) access to a copy of the information comprised in their Personal Data, (ii) restriction of Processing of Personal Data, (iii) objection to processing that is likely to cause or is causing damage or distress, (iv) prevention of processing for direct marketing, (v) objection to decisions being taken by automated means, (vi) rectification, blockage, erasure or destruction of inaccurate Personal Data where considered right by the Association or Office of the Commissioner for Personal Data Protection in case of recourse to him/her, (vii) lodging a complaint with the Office of the Commissioner for Personal Data Protection or other supervisory authority, (viii) right to portability, and (ix) claim to compensation for damages caused by a breach of the terms of this Policy, the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and all other relevant applicable national and EU law and regulations. Data Subjects have the right, in case that they do not want us to use their personal information anymore, to opt out by informing the Association by sending a pertinent e-mail to firstname.lastname@example.org If a Data Subject decides to do so, the Association may not be able to continue to provide information, services and/or assistance requested by the Data Subject, or continue to have any form of legal relationship with them, and it will have no liability to that Data Subject in this respect.
- Complaints mechanism
The Data Subject has the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection 1 Iasonos str., 1082 Nicosia, P.O.Box 23378, 1682 Nicosia Tel: +357 22818456, Fax: +357 22304565, Email: email@example.com and/or lodge a complaint in accordance with the Association’s complaints mechanism. Individuals wishing to lodge a complaint with the Association complaints mechanism must do so in writing by e-mail at firstname.lastname@example.org
- Data to be collected and processed
5.1 The Personal Data that may be collected and Processed by the Association in relation to members of the Association
as well as third parties in cooperation with the Association, such as consultants, service providers, subcontractors, or other partners, is listed as follows:
- E-mail address;
- Mobile telephone number;
- Address and postal code;
- Other contact details;
- Place of birth;
- Date of birth;
- Passport or ID number;
- Member ID number; and
- Status of payment of membership fee.
Personal Data Disclosures
- The Association may, in the conduct of its business, have to disclose Personal Data for administrative purposes or for the purpose of fulfilling legal obligations under the Associations and Institutions and other Related Matters Law of 2017 (104(I)/2017) and other applicable law, or requirements of the Registrar of Associations, whether to regulatory authorities, affiliated companies or third parties
- Any such disclosure shall take place in strict compliance with applicable law and it shall only be carried out for a specified, explicit and legitimate purpose, compatible with legal requirements under Cyprus Law and the General Data Protection Regulation. Thus, the Association must be capable of justifying the disclosure, and providing evidence that the disclosure is compatible with the purpose of the initial Processing and of the legal requirements under Cyprus Law, the General Data Protection Regulation and/or this Policy.
- Such disclosure shall only concern Personal Data which are relevant and not excessive for the purpose of the disclosure.
- Before any personal data disclosure, the Data Subject shall be notified and consent shall be requested, where applicable, and/or the pertinent authorisation shall be obtained, where applicable.
- No Personal Data shall be disclosed and/or transferred to any operator outside Cyprus.
The Association reserves the right to take such action as it deems appropriate against users who breach this Policy. Violators are subject to disciplinary action up to and including termination of legal relationships, and civil or criminal prosecution, as appropriate. Disciplinary action shall be conducted in accordance with applicable policies.
- Review And Updates To The Policy
This Policy will be reviewed and updated annually or more frequently if necessary, to ensure that any changes to the Association’s practices are accurately reflected. Any changes to this Policy shall be duly communicated to Data Subjects and consent shall be requested, where applicable.
Questions or recommendations regarding this document should be directed to the Secretary and/or the Treasurer of the Association at email@example.com