1. Who is the Legal Person?
The person responsible for processing personal data is the Transport Organization of Nicosia District company (OSEL), 93 Lykavitou Avenue, 2401 Engomi, Nicosia, telephone 22468088, fax 22468091.
2. Principles in which we rely
OSEL is committed on following principles of processing Personal Data, in accordance with Article 5 of the Regulation:
3. From whom do we collect Personal Data (data subjects) and why?
- Legality, integrity and transparency - Personal data are processed fairly with integrity, in a transparent manner.
- Limitation of purpose - Personal data are collected for specified, explicit and legitimate purposes and are not subject to further processing in a manner incompatible with those purposes.
- Data minimization - Personal data is sufficient, relevant and limited to what is necessary in relation to the purposes for which are processed.
- Quality and Accuracy of Data - Personal data is updated with accuracy as soon as it arrives to OSEL.
- Limitation of the storage period - Personal data is kept not more than necessary or imposed by the law.
- Integrity and confidentiality - OSEL uses the appropriate technical and organizational measures to the extent feasible and guarantees the security of your data, especially the protection against unauthorized or illegal processing, accidental destruction or damage to the data.
- Accountability Authority - With this Policy, OSEL proves that it respects the principle of Accountability.
We collect and maintain Personal Information from:
- Passenger and any interested person: We collect your personal data with your consent when requesting the issuance of cards in accordance with the provisions of the supreme authorities, or when you contact through our call center or our website or with any other way.
- Suppliers and partners that perform our contracts or obligations and safeguard our legitimate interests.
- Those involved in accidents with our vehicles, to safeguard our legitimate interests.
- Employees of the organization company for the following reasons: Responding to our legal obligations, implementing contracts that we have signed, continuing education and / or safeguarding our legitimate interests.
- Those wishing to work with us for the reason of employment.
- Those who enter our offices and facilities through legally functioning closed video surveillance systems for the sake of the security of our people, our property and our facilities.
4. Child Personal Data
When collecting information directly from you, we take proper care to determine which of the collected personal information relates to minors. In any case, if we find that we have collected any personal information from a minor under 16 without a verifiable parental consent (as provided for in Article 8 of the Regulation), we will delete the information from our database as soon as possible. If you believe that we may have collected information from a minor under the age of 16, please contact Mr. Antonis Stephanis, Data Protection Officer of "OSEL" at: 93 Lycabettus Avenue, 2401 Engomi, Nicosia, 22468088, Fax 22468091, e -mail: firstname.lastname@example.org
5. What personal data do we collect and for what period of time?
The personal data we collect is the least possible to achieve the aforementioned purposes per data subject (natural person).
6. How we ensure the Security of Personal Data
- From the public to issue cards, we collect data determined by National Authorities, mainly, name, identity number, nationality, date of birth and contact details (address, telephone number, email). The data we collect for card issuance is kept for a maximum of one year after the card is issued.
- For those who want to communicate with us, we collect there contact details and the reason regarding the communication with us which is given to us selflessly. These data are usually kept for one to two years depending on the reason of communication, unless justified (eg in the case of accident communication) should be maintained until the case is legally completed. In case they communicate with us through social media or are collected and uploaded personal data for marketing purposes, we may refer to our sites, names or nicknames, photos, comments, remarks, preferences, etc. Photo files are kept at most two months. Items uploaded will be deleted whenever a request is made. In the event of a visit to our site, no information is collected or observed.
- From our suppliers and partners, we collect contact information, invoicing data and any details of staff if required for communication, or if the institutional framework of each case provides for it (eg required subcontractor guide information, routes and professional data required such as licenses, tachograph, etc.). These data are kept as long as they are provided by the respective institutional framework (usually 7 years), although in certain cases they are kept not less than the conclusion of our signed contract with the state (the contract is 10 years).
- From our staff we collect the full name and contact details, CV data such as date of birth, place, date of recruitment / termination, copies of diplomas or certificates required per job and all the other items they refer to, details of their employment and insurance required by our legal obligations such as ID number and social insurance, marital status, working and absence dates, overtime hours per day, payroll amount, IBAN bank account misdemeanors or rewards, elements of their education, and elements required to insure dependent family members or elements of sickness, maternity and paternity, in accordance with the laws and conventions we have signed. These data are retained for as long as required by the laws of the State (7 years).
- From the trainers involved in the training of our staff, we collect the information required on a case basis and are enforced by the institutional framework, such as name, identity number, certification number, Social Insurance Register number and contact details. These data are kept for 5 years from the repayment of the training program.
- From the candidates for employment, we collect the name, contact details and the information they provide on their CV, such as ID number and social insurance number, date of birth, nationality, certificates, regular and professional license number with dates of issue and ending, tachograph card, previous professional experience (period, employer name), white criminal record where applicable. This information in case of nonemployment of the candidate is kept for up to 6 months.
- In the event of an accident, we collect the names, identification and insurance numbers, date of birth, contact details, photographs and a detailed description of the incident. These data are retained until the case is finalized.
- In case you visit our offices or other facilities, it is likely that your image will be captured in the closed video surveillance circuit for security reasons. The recording material is kept for 15 days.
- If you connect to our Wi-Fi wireless network, we collect IP and Mac addresses. These items are not retained when the wireless network is stopped.
We have obtained reasonable organizational and technical measures to protect the information we collect and, in particular, any special categories of personal data. Our Department of Informatics follows international standards and practices to ensure the security of our networks. We ensure that your personal data is subject to safe and lawful processing, policy compliance and process development and implementation. For example, the following security measures are used to protect personal data against unauthorized use or any other form of unauthorized processing:
7. Who can be given the Data?
- Our facilities are safe, taking reasonable steps to the extent possible.
- Access to personal data is limited to a certain number of authorized persons, for the specific purposes and the necessary data transfer, it is done through secure procedures.
- Our staff is bound by confidentiality rules, with graduated and limited access only to the necessary data.
- Special categories of data are stored on a PC where there is only authorized access. Also in hard copy, they are locked in cabinets where only authorized people have access.
- We select reliable partners, who are bound in writing in accordance with Article 28 of the Regulation, with the same obligations regarding the protection of personal data. We retain control over them in accordance with Article 28 (3) (h).
- In computer systems used to process personal data, all technical measures are taken to the extent possible in order to prevent unauthorized access or other form of processing.
- In addition, access to these IT systems is monitored on a permanent basis in order to detect and prevent illegal use at an early stage. Although data traffic via the Internet or a website can not be protected by cyberattacks, we are working to maintain natural, electronic and procedural security measures to protect your data.
OSEL receives all the provisions so that the recipients of personal data are the least possible. The personal data we collect are made known to third parties, provided that the legitimacy of this disclosure is fully justified.
Specific personal data from what we legitimately collect may be accessed (or disclosed) depending on the circumstances:
- Any supervisory authority within its supervisory role.
- Any public or judicial authority, if required by law or by court order.
- The auditor of the organization, for as much data as is required (financial data, personnel, contracts and other controls), on a confidential basis.
- The legal counsel of the organization, for what data are required in legal cases (eg contracts, accidents, etc.), under confidentiality.
- The contractor with respect to the calls received by our call center, with a confidentiality clause.
- The guilds, only for data in the context of their role.
- The insurance companies (for our insurance or accident insurance) which are required to meet the information security requirements.
- Affiliated banks (company, staff, or affiliates and suppliers) only for data relating to payment issues.
- Educational consultants, trainer and HRDA for training issues and only for the necessary information and data departments.
- Contracted storage company for unused physical files, with a privacy clause.
- Contracted company for the closed-loop video surveillance, any affiliated event photographer, and external partners to maintain machines that process personal data, with confidentiality clauses.
- The companies - administrators of the radio network and our website, under confidentiality.
The personal data we collect is not transmitted to third countries or international organizations.
8. Your Rights as a Data Subject and how you can exercise them
You have the right to request access to your personal data, correct, delete your personal data if it can be done as described below, limitation of processing, right to oppose processing and / or exercise your right to data portability.
If the processing of your personal data is based on your consent, you can revoke it at any time, in accordance with the following.
More specifically, you have the right:
- Access: You have the right to know what data we have about you, to process the data from us, and you also have the right to access those data that concern you.
- Rectification: You have the right to request correction or completion of your data if it is inaccurate or incomplete.
- ERASURE: You have the right to request the deletion of your data. This right can be satisfied if:
- Data is no longer necessary for the purposes for which it was collected.
- If there is no other legal basis for treatment beyond the consent.
- If you exercise the right of objection (see below).
- If the data were processed contrary to the applicable legal provisions.
- If the data should be deleted to comply with a legal obligation.
We reserve the right to deny the above rights, if the processing of the data is necessary to meet our legal obligation, in the public interest or to establish, exercise or support our legal claims (Article 17 § 3).
- Restriction of processing: You have the right to highlight data in order to limit processing. For example, when you have questioned the accuracy of your personal information, for the period required for verification.
- Portability: You have the right to receive your data in a structured, commonly used and machine readable format, as well as requesting it to be forwarded to you and to another person who will process it.
- OBJECT: You have the right to object at any time to your processing of data, including profile training, and when the reason for the processing concerns direct marketing.
In case you submit any request in writing, OSEL will examine your request and respond to you within one month of receiving it either for its satisfaction or to notify you of the objective reasons that prevent it from satisfying you, or , taking into account the complexity of your request and the number of requests from you and / or others, within a further two months (Article 12 (3)).
Your rights are exercised at no cost, by sending a request or letter or email to the Privacy Officer mentioned below. Abusive exercise of these rights (Article 12 §5) may impose a reasonable fee.
In the event that you are not satisfied with the use of your data by us or our response to the exercise of your rights, you are entitled to submit a complaint to the Privacy Authority.
You can exercise these rights in the contact details listed below.
9. Breach of Personal Data
In the event of a breach of the security and integrity of the data at our disposal concerning personal data, the Agency will take the following measures (pursuant to Rules 33 and 34 of the Rules of Procedure):
- Review and evaluate the procedures needed to limit the breach.
- Assess the risk and its impact on the rights and freedoms of data subjects.
- Will try to reduce as much as possible the damage that has been or may be caused.
- Will notify within 72 hours of knowledge of the violation, if required.
- Assess the impact on privacy and take appropriate steps to avoid repetition of the violation.
10. Links to other Web sites
11. Contact details of the Personal Data Protection Authority
Cyprus Personal Data Protection Authority, Iasonos 1, 1082 Nicosia, telephone 22818456, e-mail: email@example.com
12. Contact details of OSEL for personal data issues
For any matter relating to the processing of your personal data and the exercise of the above-mentioned rights, you may contact our Organization's Data Protection Officer, Mr. Antonis Stefani, at 22468088, fax 22468091, or e-mail : firstname.lastname@example.org
13. Updating the Policy
This policy is in effect from May 25, 2018 and is revised when there is a significant change. This review will be available at the same time on our website, with a date of entry into force. Printed form of this policy, you can find in our head offices or it can be sent to you at your request.