Last updated: 12 June 2019
The General Data Protection Regulation (GDPR) governs how we handle the data we hold about you. The first principle of the Regulation is that your personal data must be processed fairly and transparently. We have an obligation to let you know how we will process your data and what we will use it for.
Definitions (as they are safeguarded by EU law)
“Personal Data” means all the data concerning an identified or identifiable natural person (“data subject”). An identifiable natural person is one whose identity may be established, directly or indirectly, particularly by reference to an identifier such as name, identity card number, location or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, financial, cultural or social identity of the said natural person.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Special Categories Personal Data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or participation in a trade-union, as well as genetic data, biometric data, data concerning health or the sex life of a natural person or their sexual orientation.
Why do we collect and use your personal data?
We may process personal data relating to students and we gather the following data to facilitate the provision of post-graduate academic services and other associated functions:
We process student personal data such as name, age, nationality, gender, email, telephone number, id number, passport number, bank account data and others to register a student at the CyI.
Legal Bases for Collection, Use and Disclosure of Your Personal Data
There are different legal bases that we rely on to collect, use and disclose your Personal Data, namely:
- Consent: We will rely on your consent to use (i) your Personal Data for marketing and advertising purposes; (ii) your Personal Data for other purposes when we ask for your consent and for which the purpose of the process does not relate to the services we offer to you.
- Performance of contract: The use of your Personal Data for purposes of providing the services, customer management and functionality and security as described above is necessary to perform the services provided to you under our terms and conditions and any other contract that you have with us.
- Compliance with legal obligation: We are permitted to use your Personal Data to the extent that this is required to comply with a legal obligation to which we are subject.
- Protection of your vital interests: The processing of your Personal Data is necessary to protect your vital interests, if you are physically or legally incapable of giving consent.
- Protection of our legitimate interests: The processing of your Personal Data is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data, in particular where the data subject is a child.
The data that we collect, hold and share may include:
We hold personal data about students to support teaching and learning and to assess the quality of education provided by CyI as well as how CyI is performing. We may also receive data about students from other organizations, including but not limited to: Universities, Colleges, the Ministry of Education, National Statistics Authority.
The abovementioned data may include but is not restricted to:
- Basic details such as name, address, date of birth, phone number
- Results of exams, presentations, assessments
- Academic achievements
- Data on student characteristics such as ethnic group, any special educational needs (e.g. dyslexia), and any personal/familial circumstances (e.g. death of a loved one) that could affect your mental state and therefore your studies
- Details that you have provided to us on any medical conditions that may affect your studies
- Images from the CCTV system we have installed in the broader CyI premises
How long is your general data retained?
Academic records are kept at CyI for a period of 75 years after you graduate as part of the Students’ Archive in accordance with the Cyprus law: The Private Universities (Establishment, Operation and Control) Law, 2005.
Any data we have because of your involvement in an Erasmus program will be retained for 5 years after the conclusion of the program in which you were involved.
Any data included in your personal file which is not related to academic records will be deleted 2 years after your graduation.
We keep your financial data for payment purposes, and we will delete that data 7 years after the corresponding transaction.
Any data collected under the lawful basis of the consent, such as your email address, telephone number and postal address for communication purposes will be deleted when you withdraw your consent. You may withdraw your consent at any given time.
We keep the CCTV images of our premises for the period necessary to ensure the security of the people visiting, working or studying on our premises and to secure our infrastructure and assets against unlawful actions.
Who do we share personal data with?
We will not share data about students with anyone without the student’s consent, unless the law and our policies allow us to do so. Data subjects who wish to receive a copy of the data we hold about them can make a request at the Graduate School.
We are required by law to transfer certain data about students to specified external bodies which include (but are not limited to): the Ministry of Education and Culture, the Cyprus Agency of Quality Assurance and Accreditation in Higher Education, the Migration Services, the Foundation for the Management of EU Lifelong Learning programs, so that they can meet their statutory obligations.
We may also be asked by statutory bodies to share basic data about you, such as your name and address. When this happens, it is normally because it will assist them to carry out their statutory duties.
In any event that we need to share personal data with third parties, apart from the Public Authorities, we will ensure a Data Processing Agreement is in place that will establish the rules of such transfer and will ensure the security and privacy of your data. In such cases we will provide only the minimum amount of personal data necessary to fulfill the purpose for which we are required to share the data.
We may transfer some of your personal data to financial institutions and/or auditors and/or legal representatives to execute payments or take other actions in order to execute a contract or to be in accordance with the Law.
We do not share data about anyone without consent unless the law allows us to do so.
You have the right to refuse/withdraw consent to data sharing at any time. Any possible consequences will be fully explained to you and could include delays in receiving care.
Non-EU Students and transfers to non-EU countries
We generally do not transfer personal data outside of the EU. Personal data of non-EU students may sometimes be transferred to their country of origin following a request from the student’s home country government or authorities. Where possible, we will try to ensure that the country meets an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data and we will only share data once a signed set of Standard Contractual Clauses (SCC) is in place between us and the other party.
Security of Personal Data
All the necessary technical and organizational measures shall be taken, in accordance with the Regulation, to protect the said Personal Data from wrongful use, intervention, alteration or disclosure.
Rights in relation to the Personal Data in the context of the EU
The following constitute rights held by the student in accordance with the provisions of the Regulation and the legislation in force concerning Personal Data.
(These rights are not absolute and in certain cases are subject to conditions as specified by the applicable legislation).
Right of Access – You maintain the right of access to your Personal Data and also the right to be given a copy of the data kept and submitted for processing.
Right to Rectification – You have the right to demand rectification of any incomplete or/and inaccurate Personal Data kept by the Institute about you.
Right to Erasure – You have the right to ask for the erasure of your Personal Data. The right is not absolute, as there are conditions in the Regulation under which we still need to keep your data even though you may have requested that it be erased.
Right to Object – You have the right to object to the processing of Personal Data at any time and for reasons related to your particular situation, unless there are compelling reasons for processing, which override your interests, rights and freedoms.
Right to Restrict Processing – You have the right to ask for restriction of Personal Data processing, so that the Institute may no longer process the particular data (e.g. until their accuracy or reason for processing are established) until the restriction is lifted.
Right to Portability – You have the right to ask for the transmission of your Personal Data, which you have provided to the Institute, in a structured, commonly used and machine-readable format and, in certain conditions, you are entitled to transmit this data to another organization, where such transmission is technically feasible.
Right to Object to Automated Individual Decision Making, including Profiling – You have the right to ask not to be subjected to any decision taken exclusively by automated processing, including profiling, if such decision has legal or similar important effects on the subject.
Right to withdraw consent – In a limited number of cases where you may have given your consent for the collection, processing and transfer of Personal Data for a specific purpose, you shall have the right to withdraw such consent at any time. The withdrawal shall only be valid in the case where it does not affect:
- the legitimacy of processing that was based on your consent before the withdrawal.
- any other processing pursued on any other legal grounds.
No Error Free Performance
In addition to the above, if you consider that the processing of Personal Data on the part of the Institute breaches the applicable legislation on data protection, you have the right to make a complaint to the competent supervisory authority, and in particular to the Office of the Commissioner for the Protection of Personal Data:
Telephone: +357 22208753
In addition to the above, you have the right to make a complaint to the competent supervisory authority, if you consider that the processing of Personal Data on the part of the Institute breaches the applicable legislation on data protection, and in particular to the Office of the Commissioner for the Protection of Personal Data:
Office address: Iasonos 1, 1082 Nicosia
Postal address: P.O. Box 23378, 1682 Nicosia
Telephone: +357 22818456
Fax: +357 22304565
Amendment of Policy
This Policy may from time to time be updated or/and a new version of it published when the Institute undertakes important changes, including a change of Data Protection Officer. For this reason, it is recommended that students review this Policy periodically, in order to stay informed about the way in which the Institute uses and protects Personal Data.