Γραφείο Επιτρόπου Προστασίας Δεδομένων Προσωπικού Χαρακτήρα

      Policy of the Office of the Commissioner for Administration and the Protection of Human Rights (hereinafter "the Office") on the Protection of Personal Data

      1. Introduction


      The protection of individuals with regard to the processing of personal data is a right of the highest value enshrined in Article 8(1) of the Charter of Fundamental Rights of the European Union ('the Charter') and Article 16(1) of the Treaty on the Functioning of the European Union ('TFEU').

      This Policy has been established to fulfill the obligation of the Office deriving from Article 13 of the General Data Protection Regulation 2016/679, to provide citizens with information on how and by what means the Office collects/maintains personal data in its capacity and role as controller.

2. Definitions

According to the interpretation of the Regulation:

      “personal data” (hereinafter “DP”) means any information relating to an identified or identifiable natural person (“data subject”); the identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, while

      “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as the collection, recording, organisation, structuring, storage, adaptation or alteration, change, retrieval, search for, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.

      “Controller” means any natural or legal person, public authority, agency or other body which either alone or together with others determines the purposes and means of the processing of personal data.

      “Processor” means any natural or legal person, public authority, agency or other body which processes personal data on the order of or on behalf of the Controller.

      “Data Subject” (hereinafter “DS”) means the natural person to whom the data refers and whose identity is known or can be identified, directly or indirectly, by reference to an identification number or factors specific to his or her physical, biological, mental, economic, cultural, political or social identity.

      “Recipient’ means the natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as Recipients; the processing of those data by the said public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

      “Third Party” means any natural or legal person, public authority, agency, or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

      3. Processing of Personal Data by the Office

      The Office processes PD in the performance of its duties, responsibilities and powers, in the exercise of its legitimate activities and in its cooperation with citizens and public or private sector companies/organisations. The Office shall have access to all personal data and to all information necessary for the performance of its mission and the exercise of its powers, without the services or officials being allowed to invoke the duty of confidentiality, except in the circumstances referred to in Section 9 of the Commissioner of Administration Laws 1991 to 2022.

The Office shall collect and process personal data in the cases listed below:

i. Processing of data in relation to complaints/charges

      The processing is carried out for the purposes of conducting an investigation and examination of requests, complaints and charges submitted by DS concerning:

          - maladministration and violation of the principles of good administration (Commissioner for Administration Laws [Law 3(I)/1991 to 2022]),

          - discrimination, both in public and private sector activities, on the grounds of race, national or ethnic origin, community, language, colour, age, disability, sexual orientation, religion, political or other opinion and gender (Law on Combating Racial and Certain Other Discrimination (Commissioner) [L.42 (I)/2004], the Law on Equal Treatment in Employment and Labour (L. 58(I)/2004) and the Law on Equal Treatment (Racial or Ethnic Origin) (Law No. 59(I)/2004)) in the areas of employment, social protection, social security, social benefits, health care, education, access to goods and services.
      - violation of human rights of general interest (Law L. 58(I)/2011)
          - violation of the UN Convention on the Rights of Persons with Disabilities (Convention on the Rights of Persons with Disabilities and Related Matters (Ratifying) Law of 2011 [L. 8(III)/2011].
          - the conditions of employment of foreign workers, where there is a serious suspicion of violation of individual human rights and fundamental freedoms.
      The Office collects PD directly from the data subjects, their legal representatives or those against whom the complaint is made.
      The legal basis can be derived from the provisions of Article 6(1)(c) and (e) of the Regulation, under which the Office processes and obtains access to all personal data required for the performance of its tasks, and in the public interest/exercise of Public authority.

      The PD that are normally collected are the name, identity and contact details of the complainant and any other personal data that the complainant may disclose that relate to his/her particular situation in relation to the complaint (e.g. financial, professional, health data, etc.) as well as PD relating to the person against whom the complaint is made.

      The above PD are processed using computers of the Office to which only Office staff with a unique user password and unique access code have access.

      The personal data are stored, in hard copy, in the Office's archives and/or in electronic form on the Office's computers, as mentioned above, and access is limited to Office staff who need to access it to perform their duties, as well as the records and Accounting staff who manage files.

      It should be noted that the Office also collects personal data for the purpose of making recommendations and reports in its capacity as:


          - the National Mechanism for the Prevention of Torture, under which it conducts visits to places where people are deprived of their liberty in order to monitor compliance with the provisions of the United Nations Convention against Torture.
          - the Independent Forced Returns Monitoring Mechanism, under which it monitors all stages of the forced return procedures followed by the Immigration Authorities in order to exercise effective control, which ensures the application of the common rules and procedures provided for both in EU and National law.

      ii. Processing of PD for the purposes of Public Procurement and Tenders

          Processing is carried out for the purposes of tendering in accordance with the Regulation of Public Procurement Procedures and Related Matters Law of 2016 and for the maintenance of relevant records. The Office collects PD from bidders for the purposes of awarding the tender, awarding and implementing the contract, identifying any violations and for transparency purposes.

          The legal basis can be derived from the provisions of Article 6(1)(c) and (e) of the Regulation, pursuant to which, the Office processes and obtains access to all the personal data required for the performance of its tasks and in the public interest/exercise of Public authority. This duty is derived from the Regulation of Public Procurement Procedures and Related Matters Law, 2016, as amended.

          The PD that are generally collected are: identification data, contact information and CVs of the bidder's employees.

      4. Data recipients

      As a rule, no personal data is disclosed or transmitted to third parties. The Office is, however, obliged to communicate the data of the subjects to third parties in the context of the performance of its tasks, powers and responsibilities. For example, it may become necessary for purposes of ensuring the right to be heard, to send PD to other public authorities or counterpart supervisory authorities, law enforcement authorities and the Law Office if required by law, or in the course of processing complaints, requests or audits. There may also be an exchange of information with an expert providing services to the Office under a contract in the context of the performance of his duties.

      There shall be no transmission of personal data to a Third country and/or an International Organisation.

      5. Time for retaining PD

      The length of time for which the Office retains the PD shall be decided in accordance with each of the purposes pursued and is specified in the data retention policy. In determining the period of time, account is taken of the obligations imposed by national or union legislation, as well as the provisions of the State Archives Law 208/1991 and other rules or circulars of the Department of Public Administration and Personnel.

      6. Rights of DS

      Pursuant to the legislation in force, the DS have the following rights, subject always to the restrictions imposed by the legal basis of the processing:

      6.1 Right of access

      The DS have the right to request information on the processing of their PD by the Office as well as copies of documents containing their PD. They may be informed, inter alia, of the purposes of the processing, the categories of data, the time of retaining them, the recipients as well as their origin.

      6.2 Right to rectification

      The DS have the right to request the correction/updating/completion of inaccurate PD relating to them.

      6.3 Right to erasure

      The DS have the right to delete their personal data which will be granted under the conditions of Article 17 of the Regulation, for example where there is no legal obligation to retain them.

      6.4 Right to restriction of processing

      The right to request a restriction on the processing of your data is also maintained, as well as the right to data portability.

      6.5 Right to be notified

      The Controller shall communicate any rectification or erasure of personal data or restriction of processing to any recipient to whom the personal data have been lawfully disclosed and inform the data subject accordingly.

      6.6 Right to withdraw consent

      Where your personal data is processed on the basis of your consent, you have the right to withdraw your consent at any time. This right may not apply in cases where the processing is necessary for the exercise of public authority. If you wish to withdraw your consent, please submit a written request to the following address: dpo@ombudsman.gov.cy.

      6.7 Right to object

      The DS have the right to object to the processing of PD concerning them, which is based on the public interest/exercise of public authority or legitimate interest, on grounds relating to their particular situation. In this case, the processing of the PD concerning them shall be stopped, unless: there are compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subjects or for establishing, exercising or supporting legal claims.

      7. Data Controller

      For any processing of personal data carried out in the context of any possible interaction with the Office, the Data Controller is:

      THE OFFICE OF THE COMMISSIONER FOR ADMINISTRATION AND DATA PROTECTION

      Address:

      Era House, 2 Diagorou str., 1097 Nicosia

      P.O. Box 22166, 1518 Nicosia

      Telephone: +357 22 405500 / 501

      Fax: +357 22 672881

      Email: ombudsman@ombudsman.gov.cy

      8. Data Protection Officer (DPO)

      For the exercise of the rights of DS and for any issue related to the processing of PD by the Office, in its capacity as controller, you may contact the Data Protection Officer (DPO) of the Office at: dpo@ombudsman.gov.cy or at the postal address of the Office, Era House, 2 Diagorou str., 1097 Nicosia or at 22405530.

      It is understood that the Office will make every effort to respond to each request without delay and in any event within one month of receipt of the request, except in exceptional cases, in which this deadline may reasonably be extended, taking into account the complexity of the request and/or the number of requests.

      9. Payment of fee

      No fee is required to be paid for the exercise of the rights by the DS.

      10. Right to lodge a complaint with a supervisory authority

      You have the right to lodge a complaint with the Office of the Data Protection Commissioner, which is responsible for the application of the legislation on the protection of individuals with regard to the processing of personal data

      This Policy on the Protection of Personal Data was last revised on 8/8/2023.