Last updated: 12 June 2019

This Privacy Policy explains how and why, The Cyprus Institute (“we” or “CyI”), collect data about you, what we do with it and it also explains your rights under the General Data Protection regulation (GDPR). In legal terms, we are the data controller, as we determine the means and/or purposes of the processing of the personal data held by us.  We might, in some cases, have the role of the processor.  Such cases are the ones in which we process data on behalf of a controller.  Whether we are the controller or the processor, the personal data stored and processed within The Cyprus Institute follows the current policy.

The General Data Protection Regulation (GDPR) governs how we take handle the data we hold about you. The first principle of the Regulation is that your personal data must be processed fairly and transparently. We have an obligation to let you know how we will process your data and what we will use it for.

Definitions (as they are safeguarded by EU law)

“Personal Data” means all the data concerning an identified or identifiable natural person (“data subject”); identifiable natural person i.e. whose identity may be established, directly or indirectly, particularly by reference to an identifier, such as: name, identity card number, location, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, financial, cultural or social identity of the said natural person.

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Special Categories Personal Data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or participation in a trade-union, as well as genetic data, biometric data, data concerning health or the sex life of a natural person or their sexual orientation.

Why do we collect and use your personal data?

We may process personal data relating to students and we gather the following data to facilitate with the provision of post-graduate academic services and other associated functions:

We process student personal data such as name, age, nationality, gender, email, telephone number, id number, passport number, bank account data and others to register a student at the CyI.

Legal Bases for Collection, Use and Disclosure of Your Personal Data

There are different legal bases that we rely on to collect, use and disclose your Personal Data, namely:

• Consent: We will rely on your consent to use (i) your Personal Data for marketing and advertising purposes; (ii) your Personal Data for other purposes when we ask for your consent and for which the purpose of the process does not relate to the services we offer to you.
• Performance of contract:The use of your Personal Data for purposes of providing the services, customer management and functionality and security as described above is necessary to perform the services provided to you under our terms and conditions and any other contract that you have with us.
• Compliance with legal obligation: We are permitted to use your Personal Data to the extent that this is required to comply with a legal obligation to which we are subject.
• Protection of your vital interests: The processing of your Personal Data is necessary to protect your vital interests, if you are physically or legally incapable of giving consent.
• Protection of our legitimate interests: The processing of your Personal Data is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data, in particular where the data subject is a child.

The data that we collect, hold and share may include:

We hold personal data about students to support teaching and learning and to assess the quality of education provided by CyI as well as how CyI is performing. We may also receive data about students from other organizations, including but not limited to: Universities, Colleges, the Ministry of Education, National Statistics Authority.

The abovementioned data may include but is not restricted to:

• Basic details such as name, address, date of birth, phone number
• Results of exams, presentations, assessments
• Academic achievements
• Data on student characteristics such as ethnic group, any special educational needs (e.g. dyslexia) any personal/familial circumstances (e.g. death of a loved one) that could affect one’s mental state and therefore may affect your studies
• Details on any medical conditions that may affect the studies that you have provided to us
• Images of the CCTV system we have installed in the broader CyI premises

How long is your general data retained?

Academic records are kept at CyI for a period of 75 years after you graduate as part of the Students’ Archive in accordance with the Cyprus law: The Private Universities (Establishment, Operation and Control) Law, 2005.

Any data we have because of your involvement in an Erasmus program will be retained for 5 years after the conclusion of the program in which you were involved.

Any data included in your personal file which is not related to academic records will be deleted 2 years after your graduation.

We keep your financial data for payment purposes, and we will delete that data 7 years after the corresponding transaction.

Any data collected under the lawful basis of the consent, such as your email address, telephone number and postal address for communication purposes will be deleted when you withdraw your consent. You may withdraw your consent at any given time.

We keep the CCTV images of our premises for the necessary period to ensure the security of the people visiting, working or studying on our premises and to secure our infrastructure and assets for unlawful actions.

Who do we share personal data with?

We may also be asked by statutory bodies to share basic data about you, such as your name and address. When this happens, it is normally because it will assist them to carry out their statutory duties.

Non-EU Students and transfers to non-EU countries

Security of Personal Data

All the necessary technical and organizational measures shall be taken in order to protect the said Personal Data based on the Regulation from wrongful use, intervention, alteration or disclosure.

Rights in relation to the Personal Data in the context of the EU

The following constitute rights held by the student in accordance with the provisions of the Regulation and the legislation in force concerning Personal Data.

(These rights are not absolute and in certain cases are subject to conditions as specified by the applicable legislation).

Right of Access – You maintain the right of access to your Personal Data and also the right to be given a copy of the data kept and submitted for processing.

Right to Rectification – You have the right to demand rectification of any incomplete or/and inaccurate Personal Data kept by the Institute about you.

Right to Erasure – You have the right to ask for the erasure of your Personal Data. The right is not absolute as they are conditions in the Regulation under which we still need to keep your data even though you may have requested that it be erased.

Right to Object – You have the right to object to the processing of Personal Data at any time and for reasons related to your particular situation, unless there are compelling reasons for processing, which override your interests, rights and freedoms.

Right to Restrict Processing – You have the right to ask for restriction of Personal Data processing, so that the Institute may no longer process the particular data (e.g. until their accuracy or reason for processing are established) until the restriction is lifted.

Right to Portability – You the right to ask for the transmission of your Personal Data, which you have provided to the Institute, in a structured, commonly used and machine-readable format and, in certain conditions, you are entitled to transmit this data to another organization, where such transmission is technically feasible.

Right to Object to Automated Individual Decision Making, including Profiling – You have the right to ask not to be subjected to any decision taken exclusively by automated processing, including profiling, if such decision has legal or similar important effects on the subject.

Right to withdraw consent – In a limited number of cases where you may have given your consent for the collection, processing and transfer of Personal Data for a specific purpose, you shall have the right to withdraw such consent at any time. The withdrawal shall only be valid in the case where it does not affect:

• the legitimacy of processing that was based on your consent before the withdrawal.
• any other processing pursued on any other legal grounds.

No Error Free Performance

We do not guarantee error-free performance under this privacy policy. We will use reasonable efforts to comply with this privacy policy and will take prompt corrective action when we learn of any failure to comply with our privacy policy. We shall not be liable for any incidental, consequential or punitive damages relating to this privacy policy.

Communication

In addition to the above, if you consider that the processing of Personal Data on the part of the Institute breaches the applicable legislation on data protection, you have the right to make a complaint to the competent supervisory authority, and in particular to the Office of the Commissioner for the Protection of Personal Data:

Telephone: +357 22208753
Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

In addition to the above, you the right to make a complaint to the competent supervisory authority, if they consider that the processing of Personal Data on the part of the Institute breaches the applicable legislation on data protection, and in particular to the Office of the Commissioner for the Protection of Personal Data: 

Office address: Iasonos 1, 1082 Nicosia
Postal address: P.O. Box 23378, 1682 Nicosia
Telephone: +357 22818456
Fax: +357 22304565
Email: commissionerdataprotection.gov.cy
Website: http://www.dataprotection.gov.cy

Amendment of Policy