CYS Privacy Notice
Controller GDPR Art.4 (7) within the meaning of the General Data Protection Regulation (“GDPR”) is:
Cyprus Organization for Standardization (CYS)
30 Limassol Avenue and Costa Anaxagora Corner
Strovolos CY-2014, Nicosia - Cyprus
The Cyprus Organization for Standardization (CYS) is the National Standards Body of Cyprus which operates as a limited company under private law having as sole shareholder the Republic of Cyprus. Through the "Accreditation, Standardization and Technical Information Law" (N.156(I)/2002) the activities of standardization have been allocated to CYS. It is managed by a seven (7) member-Board of Directors which consists of representatives from the Ministry of Finance, the Ministry of Energy, Commerce & Industry as well as organizations from the private sector such as the Cyprus Consumer Association, the Cyprus Chamber of Commerce & Industry, the Cyprus Employer’s and Industrialists Federation, the Technical Chamber of Cyprus, and the academic Institutions.
CYS has the following objectives:
- Strengthen the national standardization system and effectively promote the national interests on the European and International Standardization system.
- Implement the European and International standards to enhance the competitiveness of the Cyprus economy and businesses and to ensure consumer health, safety, and environmental protection.
CYS at the International level is a full member of the three (3) International Standardization Bodies ISO, IEC and ITU and at the European level, of the three (3) European Standardization Bodies CEN, CENELEC and ETSI.
1. Data protection
The protection of your personal data is an important concern for us. In this Privacy Notice we explain how we collect your personal data, what we do with it, for what purposes and on what legal basis this is done, and which rights and claims are associated with it for you.
Our Privacy Notice for the use of our website does not apply to your activities on the websites of social networks or other providers that you can reach via the links on our website. Please check the websites of these providers for their data protection regulations.
2. Reasons for Collecting and processing your personal data
We will only collect and process personal data from you if it is necessary for:
- Fulfilling the Contract that you have signed or agreed with us
- The provision of the service you want to use
- Compliance with the requirements of the law
- The purposes of our legitimate interests, unless in this case your interests or the fundamental rights and freedoms of data subjects that require the protection of personal data are preferred
- The processing of your personal data for the purpose of direct marketing - sending business messages if we already deal with you in a business relationship and the business message will directly relate to the goods or services, we have already provided you.
You are not legally or contractually obliged to make available your personal data. However, it is possible that certain functions of our website depend on the availability of personal data. If you do not make available personal data in these cases, this may result in functions not being available or only being available to a limited extent.
3. Acquisition of personal data
We do not obtain your personal data from publicly available sources, but always from you or from third parties who cooperate with us and have obtained personal data from you in accordance with the law and may transmit it to us. In both cases, we will follow this policy.
We will either expressly request your personal information or obtain it from you if you register with our services, enter into a contract with us or use a service. Alternatively, you can provide us with your personal information, for example, by filling out forms on a website or communicating with us via telephone, e-mail, internet discussion or otherwise. Some of them are collected automatically with your consent, such as using Cookies when you visit our website.
We will always inform you about the specific reason for processing your personal information. This information is either stated directly in the contract, or in the terms of the service provided or in this policy. Alternatively, you may ask us at any time for the reasons for processing your personal information through the contact details listed below.
4. How we use your information
In its everyday business operations, CYS makes use of a variety of personal data about identifiable individuals, including data about:
- Visitors to our website or associated on-line platforms
- Customers, including subscribers to our web store and our subscription services
- Members of standards committees
- Traders and economic operators
- Other stakeholders.
This privacy notice tells you what to expect when CYS collects personal information.
5. Purposes of use
Personal data is used for taking care of client relationships, offering products and services, direct marketing, and risk management.
a. We obtain and use your personal data when you contact our organization, through the following sources:
- Our website
- Our on-line platform
- Your emails
- In person (site visit)
- Through a recruitment drive.
b. If you make available to CYS additional personal data, namely:
- Contact form
- A survey
- A competitive proposal
- For the execution of a Contract
Then we may use such data for the purposes refer to within this Privacy Notice and for the use of CYS to carry out its business operations. In each case to the extent required by the relevant function to comply by the organization’s framework and legislative requirements.
In other cases, we may only collect and process your personal data with your explicit and free consent. You may at any time revoke your consent through the contact details provided in this policy. Specific conditions for the use of your personal data after granting consent are always provided within each individual consent.
7. The lawful basis for use of your personal data
We process data where it is necessary for the following purposes:
- To fulfill a legal obligation with which we must comply.
- For the performance of a task carried out in the public interest or in the exercise of official authority, which includes:
- Responding to any comment, feedback, or complaint you may send to us and to investigate any complaint received from you about our operations, products or services, and
- Monitoring use of our website and on-line platforms to correct or improve their use and content.
- For the performance of a contract to which you have agreed or to take steps at your request prior to entering a contract.
With your consent to contact you regarding relevant events, products and services, market research or studies (ref. para. 6).
8. Passing on of personal data
We will not share your personal information with anyone except as described in this policy.
- Your personal data will be accessed by our employees who will be assigned working with this personal information. All employees who will have access to your personal data have signed an Employee Personal Data Consent document and are committed to operational confidentiality. To protect our legitimate interests to ensure we can exercise our legal rights for purposes such as legal claims, regulatory, business and legal compliance and to prevent fraud.
- These employees are also responsibly selected and properly trained to know how they should treat your personal information and how the processing of your personal data can take place.
We will then pass on your personal information to some third parties if necessary. These persons are referred to as processors. CYS is responsible for ensuring that these processors provide reasonable assurance that your personal data will be processed. We choose all the processors responsibly. At the same time, the processors will be contractually obliged to perform all their duties, ensuring that your personal data is adequately protected and minimize the risk of abuse.
9. Sharing information
We may share your personal information with the following third parties:
- Agents, partners, or sub-contractors for functions carried out on our behalf such as auditing services, sales of standards, provision of prescribed functions under law and courier/delivery services. These parties only have access to such information as necessary to perform their functions and may not use it for any other purpose.
- Providers of professional business services such as financial and legal advisors, accountants and auditors.
- Suppliers of personal data processing services, e.g., document management services.
We ensure that all third parties used by us to process personal data provide the same level of protection of your data. Instances whereby, government authorities and/or legitimate organizations require such data we are obligated to provide such information.
10. Information provided to third parties and social media
Personal data exchanged on public messages in social media platforms is owned by CYS or the agencies CYS acts on behalf of. The social media platforms have their own privacy notices and guidelines which social media platform users and advertisers agree to comply with.
The CYS website provides links and products utilizing the services of acknowledged third parties or agencies. In doing so, your personal data may be transferred to the respective provider (e.g., the site, cookies, personal details and other relevant information).
11. Cookie Statement
12. Purpose of processing individual’s data
12.1 Purchasing of standards
We use third party providers for sales of standards on-line. The third parties may only use the data for the agreed purposes and in accordance with data protection requirements. They also provide CYS with information on standard sales which can include personal data of standards purchasers from Cyprus which we may use to contact you from time to time with updates and offers of other services which may be of interest to you. If you do not want us to provide such information, you can object to this at any time with effect for the future ("opt-out").
12.2 Professional qualification registries
On behalf of OCECPR, CYS maintains a Professional Qualification Registry of individuals’ details licensing, including a unique CYS Identification number associated with legislative information (ΚΔΠ 107/2018).
12.3 Events, Marketing and Communications
We disseminate information relevant to standardization, through promotional events such as conferences, seminars, award presentations and workshops, etc. By registering for participation to these events and activities organized by CYS, you agree that personal data will be collected and processed by us for the purposes of the facilitation of your participation to such event or activity.
For marketing and communications purposes participant’s photos and videos may be used on the CYS website, internal and external presentations, marketing campaigns, and in collections for the press. As a participant to such an event, you consent that during the event you may be photographed, or video recorded. Such photos and videos are used exclusively by CYS for reporting of such events and are not used for any commercial purpose.
12.4 Committee Members
We formulate standards through consultation with a wide range of stakeholders who contribute to the process on a voluntary basis. When applying for membership of a standards committee you provide us with personal data which will be used to validate your application and upon acceptance to the committee you will have access to the on-line platforms used to share documents amongst committee members.
This information is shared with the standardization organization developing the standard in accordance with the personal data protection policies of such organization. CYS, as member of the standardization organizations, is party to the agreement on implementation of the data protection policies. Instances, whereby CYS determines that a data subject is not contributing and/or participating in such agreement, CYS has the right to remove the data subject from this agreement.
12.5 Draft Standards Commenting
As already addressed in para 12.4, all stakeholders assigned to comment in particular stages on standards development through consultation with a wide range of individuals comply the personal data protection policies of CYS.
Therefore, Committee participation details and Commenting is shared amongst the Committee Members as required by the GDPR and according to the policies set by the standardization organization.
13. Security of Personal Data
CYS has organizational, physical, administrative, and technical measures in place to protect the personal data we collect and process. We monitor the measures to ensure information is secure and operating in a manner to reasonably protect the collected and processed information. The information security systems and measures are upgraded from time to time to limit risks of unauthorized disclosure.
In the event of a data breach, CYS will report a security breach that affects personal data to the Commissioner for Personal Data Protection, as the GDPR legislation specifies and according to Article 33 of the law, which requires organizations to notify the Commissioner of a breach within 72 hours of becoming aware of the breach.
14. Transmission outside the EU
Your personal data is not transmitted to countries outside the European Union or to international organizations, except for situations where they are being transferred there to better back up and protect data and situations under these conditions.
15. Rights of the data subject
- As a data subject, you have the Right of Access (GDPR Art. 15), Right to Rectification (GDPR Art. 16), Right to Erasure (GDPR Art. 17), Right to Restriction of Processing (GDPR Art. 18 and Right to Data Portability (GDPR Art. 20).
- If you have consented to the processing of your personal data by us, you have the Right to Revoke your consent at any time. The legality of processing your personal data before revocation remains unaffected. We may further process such data pursuant to another applicable legal basis, e.g., for the fulfillment of our legal obligations (ref. para. 7).
- If you believe that the processing of your personal data violates legal requirements, you have the right to lodge a complaint with a competent Data Protection Supervisory Authority (GDPR Art. 77).
16. Right to Object
You have the right to object at any time to the processing of your personal data pursuant to GDPR Art. 6 (1) (e) (data processing in the public interest) or GDPR Art. 6 (1)(f) (data processing based on a balance of interests) on grounds relating to your particular situation. If you object, we will only process your personal data if we can prove compelling legitimate reasons that outweigh your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.
If you believe that the processing of your personal data violates legal requirements, you have the right to lodge a complaint with a competent Data Protection Supervisory Authority (GDPR Art. 77).
17. Changes to the Privacy Notice
We will post any changes to this privacy notice on our website to inform you of the personal data we collect, how it is used and the circumstances, if any, it can be disclosed. If we decide to use personal data in a significantly different manner to that stated in this Privacy Notice or for a different purpose for which it was collected, we will notify you of such change and if appropriate you will be given a choice as to whether we use your information in the new manner.
18. The person dealing with matters of personal data protection
CYS has identified the person(s) in charge for dealing with matters of personal data protection in our organisation (ref. para. 19).