General Data Protection Regulation (GDPR)
Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) applies as of 25 May 2018. It repeals Directive 95/46/EC.
The regulation is an essential step to strengthen individuals’ fundamental rights in the digital age and facilitate business by clarifying rules for companies and public bodies in the digital single market.
The cross-references between the articles and the recitals in the preamble can be found at: http://www.privacy-regulation.eu/en/index.htm
Law providing for the Protection of Natural Persons with regard to the Processing of Personal Data and for the Free Movement of such Data of 2018 (Law 125(I)/2018)
On 31 July 2018 the national law providing for the protection of natural persons with regard to the processing of personal data and for the free movement of such data (Law 125(I)/2018), was published in the official gazette of the Cyprus Republic.
The law was adopted for the effective implementation of certain provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR), which applies as of 25 May 2018.
Upon entry into force of the provisions of Law 125(I)/2018, the Processing of Personal Data (Protection of Individuals) Law of 2001 (Law 138(I)/2001) was repealed.
Acts issued by the Commissioner under the provisions of the Processing of Personal Data (Protection of Individuals) Law, which is repealed, will continue to be valid until their expiration or replacement.
Data Protection Policy
In carrying out its statutory duties, City Unity College Nicosia needs to hold personal data for a variety of reasons. It strives to ensure that such data is held securely, and that it is used only in appropriate ways. To that end, the College Council has produced the following Data Protection Policy.
All those acting on behalf of the College are required to observe and enforce these policies.
The College takes its responsibilities with regards to the management of the requirements of the General Data Protection Regulation (GDPR) very seriously.
The College obtains, uses, stores and otherwise processes personal data relating to potential staff and students (applicants), current staff and students, former staff and students, current and former workers, contractors, website users and contacts, collectively referred to in this policy as data users. When processing personal data, the College is obliged to fulfil individuals’ reasonable expectations of privacy by complying with GDPR and other relevant data protection legislation (data protection law).
The DPO ensures that we:
- Are clear about how personal data must be processed and the College’s expectations for all those who process personal data on its behalf;
- Comply with the data protection law and with good practice;
- Protect the College’s reputation by ensuring the personal data entrusted to us is processed in accordance with the data users’ rights;
- Protect the College from risks of personal data breaches and other breaches of data protection law.
Data users’ Rights
Data users have rights in relation to the way we handle their personal data.
These include the following rights:
- Where the legal basis of our processing is Consent, to withdraw that Consent at any time
- To ask for access to the personal data that we hold
- To prevent our use of the personal data for direct marketing purposes
- To object to our processing of personal data in limited circumstances
- To ask us to erase personal data without delay:
  - If it is no longer necessary in relation to the purposes for which it was collected or otherwise processed
  - If the only legal basis of processing is Consent and that Consent has been withdrawn and there is no other legal basis on which we can process that personal data
  - If the data user objects to our processing where the legal basis is the pursuit of a legitimate interest or the public interest and we can show no overriding legitimate grounds or interest
  - If the data user has objected to our processing for direct marketing purposes
  - If the processing is unlawful
- To ask us to rectify inaccurate data or to complete incomplete data
- To restrict processing in specific circumstances e.g. where there is a complaint about accuracy
- To ask us for a copy of the safeguards under which personal data is transferred outside of the EU
Requests (including for data user access – see below) must be sent to the College’s DPO for processing and approval.
The College must implement appropriate technical and organizational measures in an effective manner to ensure compliance with data protection principles. The College is responsible for, and must be able to demonstrate compliance with, the data protection principles.
We must therefore apply adequate resources and controls to ensure and to document GDPR compliance including:
- Appointing a suitably qualified DPO
- Implementing Privacy by Design (designing policies, procedures and systems which comply with the GDPR from the inception of the product’s or process’s development)
- Integrating data protection into our policies and procedures, in the way personal data is handled by us and by producing required documentation such as Written Consent Forms, Records of Processing and records of Personal Data Breaches
- Training staff on compliance with Data Protection Law and keeping a record accordingly
- Regularly testing the privacy measures implemented and conducting periodic reviews and audits to assess compliance, including using results of testing to demonstrate compliance improvement effort
1. College responsibilities
The College is responsible for establishing policies and procedures in order to comply with data protection law.
2. Data Protection Officer responsibilities
The DPO is responsible for:
- Advising the College and its staff of its obligations under GDPR
- Monitoring compliance with the Regulation and other relevant data protection law and with the College’s policies in this respect, and monitoring training and audit activities related to GDPR compliance
- Providing advice where requested on data protection impact assessments
- Fully understanding the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
3. Staff responsibilities
Staff members who process personal data about students, staff, applicants, alumni or any other individual must comply with the requirements of this policy. Staff members must ensure that:
- All personal data is kept securely
- No personal data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorized third party
- Personal data is kept in accordance with the College’s retention schedule
- Any queries regarding data protection, including user access requests and complaints, are promptly directed to the Data Protection Officer
- Any data protection breaches are swiftly brought to the attention of the Data Protection Officer
- Where there is uncertainty around a data protection matter advice is sought from the Data Protection Officer
Where members of staff are responsible for supervising students doing work which involves the processing of personal information (for example in research projects), they must ensure that those students are aware of the Data Protection principles.
Staff who are unsure about who are the authorized third parties to whom they can legitimately disclose personal data should seek advice from the Data Protection Officer.
4. Third-Party Data Processors
Where external companies are used to process personal data on behalf of the College, responsibility for the security and appropriate use of that data remains with the College.
5. Where a third-party data processor is used
- A data processor must be chosen which provides sufficient guarantees about its security measures to protect the processing of personal data
- Reasonable steps must be taken to ensure that such security measures are in place
- A written contract establishing what personal data will be processed and for what purpose must be set out
For further guidance about the use of third-party data processors please contact the Data Protection Officer.
6. Contractors, Short-Term and Voluntary Staff
The College is responsible for the use made of personal data by anyone working on its behalf.
Managers who employ contractors, short-term or voluntary staff must ensure that they are appropriately qualified for the data they will be processing. In addition, managers should ensure that:
- Any personal data collected or processed in the course of work undertaken for the College is kept securely and confidentially
- All personal data is returned to the College on completion of the work, including any copies that may have been made. Alternatively, that the data is securely destroyed and the College receives notification in this regard from the contractor or short-term / voluntary member of staff;
- The College receives prior written notification of any disclosure of personal data to any other organization or any person who is not a direct employee of the contractor;
- Any personal data made available by the College, or collected in the course of the work, is neither stored nor processed outside the country unless written consent to do so has been received from the College
- All practical and reasonable steps are taken to ensure that contractors, short-term or part-time staff do not have access to any personal data beyond what is essential for the work to be carried out properly
7. Student responsibilities
Students are responsible for:
- Familiarizing themselves with the College GDPR Policy provided when they register with the College
- Ensuring that their personal data provided to the College is accurate and up to date
- Notifying the College’s Registrar of any changes to their personal information
Limitations on the transfer of personal data
The GDPR restricts data transfers to countries outside the EU in order to ensure that the level of data protection afforded to individuals by the GDPR is not undermined. You transfer personal data originating in one country across borders when you transmit or send that data to a different country or view/access it in a different country.
You may only transfer personal data outside the EU if one of the following conditions applies:
- The European Commission has issued a decision confirming that the country to which we transfer the personal data ensures an adequate level of protection for the data users’ rights and freedoms.
The countries currently approved can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en
- The data user has provided written consent to the proposed transfer after being informed of any potential risks; or the transfer is necessary for one of the other reasons set out in the GDPR including:
  - The performance of a contract between us and the data user (e.g. students’ mandatory year abroad in an overseas institution/placement)
  - Reasons of public interest
  - To establish, exercise or defend legal claims
  - To protect the vital interests of the data user where the data user is physically or legally incapable of giving consent
Sharing Personal Data
In the absence of a written consent, a legal obligation or other legal basis of processing, personal data should not generally be disclosed to third parties unrelated to the College (e.g. students’ parents, members of the public, private property owners).
Changes to this policy
We reserve the right to change this policy at any time without notice to you so please check regularly to obtain the latest copy.
Data protection training sessions
Data protection training for all staff is available through eClass, short-burst seminars and one-to-one sit-ins.
Under the College’s Data Protection Policy, all staff have responsibility for data protection compliance in their day-to-day work. To keep up to date with these responsibilities, staff must complete the College’s mandatory data protection training session.
Academics conducting research and the research support staff members must also complete the additional data protection training session.
Privacy by design
Data subject rights
The GDPR builds on the data subject rights in the Data Protection Act. These are:
- the right to be informed via Fair Processing Notices
- the right of access – known as Subject Access Requests
- the right to rectification of data
- the right to be forgotten (new under the GDPR)
- the right to restrict processing
- the right to data portability (new under the GDPR)
- the right to object to processing
- rights in relation to automated decision-making and profiling
The right to data portability is only available where the personal data is processed with the consent of the data subject, not where the personal data has been collected using any of the other legal bases for processing.
Data Protection Officer
The controller for personal data is City Unity College Nicosia, 19 Stasinou Street, 2404, Engomi, Nicosia.
For information and queries about your personal information, or if you require advice on how to exercise your rights under the GDPR, contact the Data Protection Officer (DPO) of the College.
The main tasks of the Data Protection Officer are:
- to implement the requirements of data protection legislation throughout the College
- to inform and advise the College and staff processing personal data of their obligations
- to monitor compliance, including the assignment of responsibilities, awareness-raising and training of staff, and related audits
- to provide advice where requested about privacy impact assessments and monitor their execution
- to act as the contact point for the Office of the Commissioner for Personal Data Protection in Cyprus on issues related to personal data (http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/All/FFD5E37F40FC4C74C2258272002C1B1A?OpenDocument).
The role of the DPO is defined in the GDPR. The DPO must be allowed to perform tasks in an independent manner, set the data protection strategy for the College and report to the College Council.