The Pafos Innovation Institute (PII) recognises that data collection and personal privacy are important issues in the digital economy. PII collects, processes and stores data in accordance with the provisions of the General Data Protection Regulation (GDPR) as of 25 May 2018. This policy explains what types of information will be collected from students and the public when they interact with PII, including through our website, and how this information will be used.

I. GENERAL INFORMATION
SCOPE OF DATA PROCESSING
1.1 Personal data
a. PII processes personal data that we receive from you in the context of our business and/or academic relationship, including collecting and processing your personal data/information.
b. Personal data, or personal information, means any information from an individual from which that person can be identified. Personal information PII will collect from students includes, for example:
- Full name
- Contact details
- Residency details
- Details of your education and work experience
- Personal identification documents and numbers
- Health information including information about your health insurance
- Details about your parents and family
- Examination transcripts and results.
c. The PII collects, processes and uses your personal data insofar as it is necessary for operating a functional educational institution and delivering our online content and services, including the PII website. Generally, it is necessary for PII to obtain your consent before we can collect and use such information. The only exception to this is where it is actually impossible for us to obtain prior consent and processing of the data is legally allowed.

1.2 Data collected through your interaction with our website
a. Every time the PII website is accessed, our system automatically records data and information concerning the accessing computer/user. The following data is recorded (check this with the Cyta):
- information on the browser type and version used
- the user’s operating system
- the user’s IP address
- date and time of access
- websites from which the user’s system was directed to our website
- websites which the user’s system accesses via our website.
b. The data is compiled in log files on our system, whereby the IP address is truncated immediately after collection, i.e. an IPv4 address is truncated to the first two bytes, an IPv6 address to the first 32 bits. Personal profiles cannot be generated based on truncated IP addresses. This data is not stored with other personal data of the user.
(Need to check this with Cyta).
DELETION OF DATA AND DATA STORAGE PERIOD
2.1 Personal data
a. Your personal data will be deleted or locked as soon as the purpose for which it has been collected has been fulfilled. Data may remain on record beyond this period if such is specified in European or national legislation from European Union Regulations, laws or other provisions to which the PII is subject.
b. Data will be locked or deleted if a storage period specified in the above standards expires unless conclusion or fulfilment of a contract requires the data to remain on record further.

2.2 Data collected through your interaction with our website
a. The temporary storage of the IP address on our server is necessary for granting the user’s system access to the PII website. For this purpose, the user’s IP address must remain stored on the PII server for the duration of the session.
b. Data storage in log files is required to ensure the functionality of the PII website. Furthermore, the data enables us to optimise the website and guarantee the security of our IT systems. Data analysis for marketing-related purposes is not performed in this context.
c. The purposes described in 2.2 a. and b. constitute the PII’s legitimate interests in data processing under Art. 6 (1 f) GDPR. The PII website cannot be provided without recording the data, and the operation of the site on the Internet is impossible without storing the data in log files.
d. The data is erased as soon as it is no longer required for the purpose it was requested. Data collected for website availability is deleted when the respective session has ended.
e. All data stored in log files is deleted within xx. how many days (check with CYTA). Data can be stored for longer. In such cases, the user’s IP address is truncated so that the querying client cannot be identified.

2.3 Cookies
a. Cookies are technically necessary to simplify using websites. Several of our website’s functions will not work without using cookies. These functions require the browser to be recognised again after leaving and returning to our website.
b. User data collected via technically required cookies is not used to create user profiles.
c. The purposes described in 2.3 a. and b. constitute the PII’s legitimate interests in data processing under Art. 6 (1 f) GDPR.
d. Cookies are stored on your computer and transferred to our site. Consequently, you as the user, have full control over how cookies are used. By changing the settings in your web browser, you can deactivate or restrict the transmission of cookies to external websites. You can also delete all saved cookies on your system at any time. Restrictions on cookie usage can be managed automatically by your browser. If you disable cookies for the PII website, you may no longer be able to use the site’s full range of functions.

2.4 Data collected by third parties and external service providers
a. You can prevent cookies from being installed by third parties using the appropriate setting in your browser software; however, you may not be able to use all functions on the PII website, especially the search and video functions. By using these search query fields, you agree that the data the search engine operator collects about you may be processed in the manner previously described and for the purposes described in Article 1.4.a.
b. The PII makes available content from external sources, which can be, for example, photographs, documents, videos. In the process, personal data such as IP address, date of access and the like are transferred to the external source. Please note that the PII has no influence on the storage duration or possible analysis of such data.
YOUR RIGHTS
If your personal data is processed, you are a data subject, as defined in the GDPR and consequently have the following rights:

3.1. Right of access
a. You are entitled to request information from the PII (the “Controller”) on whether we are processing any personal data related to yourself. If the PII does, you can further request information on the following:
(1) the purposes for which the personal data is being processed;
(2) the categories of personal data processed;
(3) the recipients or categories of recipients to whom your personal data is or will be disclosed;
(4) the period for which your personal data is intended to remain on record or, if this cannot be specified, the criteria for defining the storage period;
(5) whether you are entitled to demand correction or deletion of your personal data, to demand limitation of processing by the PII, or to object to processing;
(6) whether you are entitled to file a complaint with a supervisory authority;
(7) everything available on the data’s source if the entity you are enquiring with did not obtain it themselves;
(8) whether there was any automated decision-making and profiling as per Art. 22 (1) and (4) GDPR and – at least where such was the case – useful information on the underlying logic and the impact and desired effects of this processing on the data subject.
b. You are entitled to request information on whether your personal data will be transmitted to a non-EU member state or international organisation. You are entitled in this context to request information on suitable safeguards according to Art. 46 GDPR related to the transmission.
c. Where data is processed for research or statistical purposes, the right of access can be restricted if it may prevent or seriously impede the achievement of the specific purposes and if the restriction is required to fulfil the research and statistical purposes.

3.2. Right to rectification
a. You are entitled to request that the PII corrects and/or completes your personal data if this data is incorrect or incomplete. The PII is obliged to do so without delay.
b. Where data is processed for research or statistical purposes, the right of rectification can be restricted if it may prevent or seriously impede the achievement of the specific purposes and if the restriction is required to fulfil the research and statistical purposes.

3.3. Right to restriction of processing
a. You can request limits to the processing of your personal data if the following applies:
(1) If you contest the correctness of your personal data for a period that allows the PII to check the data’s correctness;
(2) Processing of the data is illegal and you object to deletion of the data in favour of restricting the personal data’s use;
(3) The PII no longer requires the personal data for the purposes of processing, but you need it to assert, exercise, or defend a legal claim; or
(4) You have objected to processing in accordance with Art. 21 (1) GDPR and it has not yet been established whether the PII’s legitimate interests outweigh your own.
b. If the processing of your personal data has been restricted, such data may be processed – apart from its storage – only with your consent, or for the purpose of asserting, exercising, or defending rights, or protecting the rights of another individual or legal entity, or on grounds of important public interest of the European Union or any Member State.
c. If processing has been restricted in accordance with the above conditions, you will be notified by the PII before the restriction is lifted.
d. Where data is processed for research or statistical purposes, the right to limitation of processing can be restricted if it may prevent or seriously impede the achievement of the specific purposes and if the restriction is required to fulfil the research and statistical purposes.

3.4. Right to erase
a. You can request that the PII delete your personal data immediately; the PII is then obliged to delete the data immediately, provided one of the following conditions applies:
(1) Your personal data is no longer required to achieve the purposes for which it was collected or otherwise processed.
(2) You withdraw your consent under which processing became legitimate as per Art. 6 (1 a) or Art. 9 (2 a) GDPR, and there is no other legal basis for processing.
(3) You object to processing as per Art. 21 (1) GDPR and your objection is not overridden by legitimate reasons for processing, or you object to processing as per Art. 21 (2) GDPR.
(4) Your personal data has been processed unlawfully.
(5) Deletion of your personal data is necessary for the PII to fulfil a legal obligation imposed by European Union law or the national laws of European Union member states.
(6) Your personal data has been collected in connection with the offer of information society services as per Art. 8 (1) GDPR.
b. If the PII has published your personal data and has become obliged to delete it as per Art. 17 (1) GDPR, the PII will take action, including technical measures, using the available technology and at appropriate expense with the aim of notifying any controllers processing your personal data that you as the data subject have requested deletion of all links to said personal data or to copies or reproductions thereof.
c. Exceptions. The right to erasure becomes void if processing is necessary:
(1) to exercise the right to free expression and information;
(2) to fulfil a legal obligation requiring the PII to process the data imposed by European Union law or the national laws of a European Union member state, or to complete a duty in the public interest or to perform executive duties appointed to the PII;
(3) in the interests of public health and safety as per Art. 9 (2 h and i) and Art. 9 (3) GDPR;
(4) for archiving purposes in the public interest, for scientific or historical research or for statistical purposes as per Art. 89 (1) GDPR, provided that the right described in section a) can be reasonably assumed to prevent or seriously impede achievement of the processing purposes;
(5) to assert, exercise, or defend legal claims.

3.5. Notification obligation
a. If you have asserted your right to rectification, erasure or restriction of processing against the PII, the PII is under obligation to notify all recipients to whom your personal data has been disclosed of the corresponding rectification or erasure of data or of the restriction of their processing. The PII is exempted from this obligation where such notification proves impossible or unreasonable.
b. You have the right to be informed of who these recipients are.

3.6. Right to data portability
a. You have the right to receive the personal data concerning yourself that you have provided to a controller in a structured, commonly used and machine-readable format. You are also entitled to transmit this data to another controller without the controller to whom you have provided the data hindering you from doing so and if:
(1) you have consented to processing as per Art. 6 (1 a) GDPR or Art. 9 (2 a) GDPR or processing is governed by a contract as per Art. 6 (1 b) GDPR and
(2) processing occurs using automated methods.
b. When exercising this right, you can further request the PII to send your personal data directly to another institution or party, provided this is technically feasible. This must not adversely affect the liberties and rights of others.
c. The right to data portability does not extend to the processing of personal data where such processing is necessary for fulfilling a duty in the public interest or for exercising executive duties appointed to the PII.

3.7. Right to object
a. You are entitled to object for reasons arising from your own personal situation at any time against processing of your personal data where processing is legitimised by Art. 6 (1 e or f) GDPR; this applies in equal measure to profiling legitimised by these provisions.
b. The PII will cease to process your personal data unless the PII can prove compelling legitimate reasons for processing that override your interests, rights, and liberties, or processing pursues the assertion, exercise, or defence of legal claims.
c. If your personal data is processed for the purpose of direct advertising, you are entitled to object at any time to the processing of your personal data for this purpose; this applies equally to profiling where it occurs in connection with such direct advertising.
d. If you object to processing for direct advertising, your personal data will no longer be processed for this purpose. However, you may, in connection with the use of information society services – Directive 2002/58/EC notwithstanding – exercise your right to object by means of automated methods that are subject to technical specifications.
e. You are entitled to object for reasons arising from your own personal situation at any time against processing of your personal data collected for scientific or historical research or statistical purposes pursuant to Art. 89 (1) GDPR.
f. Where data is processed for research or statistical purposes, the right to object can be restricted if it may prevent or seriously impede the achievement of the specific purposes and if the restriction is required to fulfil the research and statistical purposes.

3.8. Right to withdraw your consent under data protection law
a. You are entitled to withdraw your consent under data protection law at any time. Your withdrawing consent does not affect the legitimacy of any processing that has occurred with your consent prior to withdrawal.

3.9. Automated individual decision-making, including profiling
a. You have the right not to be subject to any decision that entails legal implications for yourself or has similar, substantially adverse effects on yourself if said decision is based solely on automated processing; this includes profiling. You do not have this right if the decision:
(1) is necessary to allow conclusion or fulfilment of a contract between yourself and the PII,
(2) is legitimate under the legal provisions of the European Union or its member states to which the PII is subject and these legal provisions include appropriate measures safeguarding your rights, liberties, and legitimate personal interests, or
(3) is made with your express consent.
Please note, however, such decisions may have been made based on personal data of special categories as per Art. 9 (1) GDPR unless Art. 9 (2 a or g) GDPR also apply and appropriate measures have been taken to protect your rights, liberties, and legitimate personal interests.
b. With respect to cases (1) and (3) detailed, the PII shall take appropriate precautions to protect your rights, liberties, and legitimate personal interests; such precautions will include at least the right to enforce intervention by a human individual at the PII, to put forward your own opinion, and to contest the decision.

3.10. Right to seek clarifications and to complain
a. If you believe that processing of your personal data is in breach of the GDPR, you have the right to seek clarification from the Data Protection Officer at the PII (see below) and to lodge a complaint with a supervisory authority, particularly in the EU member state where you, your place of work, or the locale of the alleged infringement are located.
NAME AND ADDRESS OF THE RESPONSIBLE CONTROLLER
a. The GDPR, national data protection laws, and other privacy regulations, require the PII to act as a responsible entity (“Controller”). For the purposes of this policy, the Controller is:
Pafos Innovation Institute
69, Neophytos Nicolaides Street
8011 Pafos
Cyprus
Tel: (+357) 22673726
Email: firstname.lastname@example.org

NAME AND CONTACT DETAILS OF DATA PROTECTION OFFICER
a. The GDPR, national data protection laws, and other privacy regulations, require the PII to appoint a Data Protection Officer. For the purposes of this policy, the Data Protection Officer is:
Dr. Vera Lipton
Tel: (+357) 22673726
Email: email@example.com