data protection
Personal data protection policy Municipality of Paralimnii - Deryneia
Introduction
The Municipality of Paralimni (hereafter referred to as the Municipality, or we, us and with corresponding expressions), attaches great importance to the protection of your Personal Data, their security and your privacy when collecting and processing information about you. This Policy is intended to inform you about the collection, processing, maintenance and storage of Personal Data concerning you, the ways in which they are used and transmitted, the security measures taken by the Municipality to protect them, the reasons for and the type of personal data collected, i.e. information required to fully inform you in accordance with the legal framework. Through this Privacy Policy we also inform you of your rights as natural persons under the institutional framework for the protection of personal data. Through this transparent process, you will be able to understand what data we hold about you and why.
We assure you that this Privacy Policy for the Protection of Personal Data ("Policy") fully respects and complies with the European Data Protection Regulation EU 679/2016 ("Regulation") and the relevant Law 125/I/2018 of the Republic of Cyprus.
Useful Definitions
Personal data (also referred to as personal data): is any information that refers to an individual and identifies or can identify him or her, such as, but not limited to: full name, identification number, contact details, financial transactions and related data, online data (i.e. data from information systems and applications), as well as data related to the physical, genetic, psychological, financial situation of the individual. The individual (natural person) to whom the data refer is called the 'data subject'.
Personal data breach: a breach of security leading to accidental or unlawful destruction, loss, alteration, disclosure or sharing, unauthorised access and similar actions.
Controller: the natural or legal person, public authority, agency or other body which determines the purposes and means or means of the processing of personal data.
Processor: the natural or legal person, public authority, agency or other body that processes personal data on behalf of the Controller.
Processing of personal data: any operation or set of operations which is related to personal data, such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, search, use, disclosure, dissemination or any other form of making available, alignment, combination, restriction, erasure, destruction.
Third party: any natural or legal person, with the exception of the Data Subject, the Controller, the Processor and persons who, under the direct supervision of the controller or processor, are authorised to process personal data.
The Processing Manager
In cases where we act as a Data Controller, i.e. we determine the purpose and means of processing in the sense of the above definition, which is the majority of cases, the Data Controller is the MUNICIPALITY OF PARALIMNIOU, address Antonis Papadopoulou 6, Paralimni 5282, Cyprus, +357 23819300, fax: +357 23825023, email: [email protected].
Principles we serve
In the Municipality of Paralimni, we are committed to and adhere to the following principles of processing personal data, in accordance with Article 5 of the Regulation:
Lawfulness, objectivity and transparency: personal data are processed lawfully and fairly, in a transparent manner.
Limitation of purpose: Personal data are collected for specified, explicit and legitimate purposes
It is collected for explicit, explicit and legitimate purposes and shall not be further processed in a way incompatible with those purposes.
Data minimisation: personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy & data quality: personal data is accurate and updated as soon as it is officially brought to our attention.
Limitation of the storage period: personal data are kept no longer than necessary, or than required by relevant laws and the institutional framework in general.
Integrity and confidentiality: We use appropriate technical and organisational measures to guarantee the security of your data as far as possible, in particular to protect against unauthorised or unlawful processing, accidental destruction or damage.
Finally, we can demonstrate our compliance with the above Principles (Accountability Principle).
Collection of Personal Data
As a Data Controller, we collect data about you in the following cases:
When you contact us directly, or by phone, or indirectly such as through the website and email, or through partners, or social media, to inquire about our services or to ask about our services.
When we provide you with services, when you participate in our competitions or events, when you work with us as a business partner, or if you participate directly or indirectly in events related to the provision of our services.
If you complete any of our forms in written or electronic form, or submit a suggestion or complaint to us.
If your data is disclosed to the City by professional partners with your consent or on the basis of contracts.
When you log on to the City's website.
When you apply as a candidate for employment with the City.
When you are employed by the Municipality.
The way personal data is collected is mainly from you, unless it is transmitted to us by an official authority in the course of our duties. It may also be collected by your representatives whom you have duly authorised.
Where as a legal person you provide us with Personal Data of a natural person directly related to you (including employees, directors, shareholders and secretaries) and you provide it to us as required to achieve the purpose or where as a natural person you provide us with Personal Data of any natural person other than yourself, except in the case of parents and guardians for minors under their care, you must ensure and guarantee that the natural person whose Personal Data is directly related to you (including employees, directors, shareholders and secretaries) provides it to us as required to achieve the purpose.
Personal data of minors
As a Data Controller, we collect personal information concerning minors only with verifiable parental consent, in cases where we can control it. For example, it is not possible for us to verify information disclosed to us without physical presence.
Personal data we process as a Data Controller and Purposes
The purposes for which personal data are collected and processed are, where applicable, as follows: To assist you in questions to our services that cannot be answered directly or impersonally or to inform you when you request it, to issue municipal fees and/or water supply fees and/or taxes and/or other debts to the Municipality, to execute decisions of the Municipal Council, to perform weddings in accordance with the institutional framework, to issue or renew permits such as building, zoning, demolition, demolition, operation of an oil station, swimming pool, commercial premises, health certificate for food business, dog ownership, sale of alcoholic beverages and tobacco, inspection of hairdresser's premises at the request of the hairdressers' and barbers' registration board, management of tenders that we announce, conclusion and execution of contracts, management of communication with you, management of payments and receipts and promotion of our municipality.
Information from the following categories of data about you may be collected and processed, on a case-by-case basis, serving the purpose for which it was collected and in accordance with the appropriate lawful basis (i.e. legal condition for collection):
Contact information for you or a person you nominate (name, full name, address of your home or property you own or rent, telephone or fax number, email) and language of communication, subject of interest.
Professional status information (occupation or employment). Identification information, such as identity card or passport number or foreigner's registration card and expiry date.
Information of the parties involved in agreements, such as necessary elements of the above mentioned information, subject matter of the agreement, contact persons or witnesses, signatures of terms and conditions and amounts or charges, payment details such as payment method, credit or debit card details as issued by payment systems (POS), IBAN or account numbers, depositor details.
Marriage data:
For marriages between Cypriots:
Identity Card, Copy of Birth Certificate, Affidavit before a Registrar of a District Court, Freedom Certificate from any District Administration, the date of issue of which must not be more than three months old.
Identity Card, Copy of Birth Certificate, Affidavit before a Registrar of a District Court, Freedom Certificate from any District Administration, the date of issue of which must not be more than three months old.
In case of a previous marriage:
-Final Divorce from the Family Court after 42 days from the date of issue;
-Religious Divorce from the Holy Archdiocese of Cyprus if issued before 1990;
-Certificate of Death from the District Administration in case of widowhood.
For marriages of European citizens:
Passport or Identity Card. Copy of Birth Certificate translated into English, Sworn Statement before a District Court Registrar, Certificate of Freedom from the Official Authority of their country (Ministry or City Hall), whose date of issue must not be more than three months old, Divorce, Death Certificate in case of widowhood. Proof of legal residence in the Republic of Cyprus.
Passport or Identity Card. Copy of Birth Certificate translated into English, Sworn Statement before a District Court Registrar, Certificate of Freedom from the Official Authority of their country (Ministry or City Hall), whose date of issue must not be more than three months old, Divorce, Death Certificate in case of widowhood. Proof of legal residence in the Republic of Cyprus.
If one or both parties to the marriage are non-European citizens
Passport or Identity Card, Copy of Birth Certificate translated into English, Certificate of Freedom from the Official Authority of their country (Ministry or City Hall), whose date of issue must not be more than three months old, Affidavit before a District Court Registrar, Certificate of Freedom from the Assistant Registrar General of the Department of Population and Immigration, the date of issue of which must not be more than three months old, Divorce, Certificate of Death in case of widowhood. Proof of legal residence in the Republic of Cyprus.
Passport or Identity Card, Copy of Birth Certificate translated into English, Certificate of Freedom from the Official Authority of their country (Ministry or City Hall), whose date of issue must not be more than three months old, Affidavit before a District Court Registrar, Certificate of Freedom from the Assistant Registrar General of the Department of Population and Immigration, the date of issue of which must not be more than three months old, Divorce, Certificate of Death in case of widowhood. Proof of legal residence in the Republic of Cyprus.
For everyone: Witness details, dates, signatures
Details of tenders, terms, amounts, dates, signatures.
Certificate of criminal record/good character as required by law for the issuance or renewal of a liquor and tobacco license.Certificate of criminal record/good character as required by law for the issuance or renewal of a liquor and tobacco license.Details of your representatives or consultants where applicable.
Details and personal data (under pseudonymisation where applicable) that may be included in minutes of City Council meetings
Details of accidents or incidents, such as details of those involved and witnesses, evidence and relevant information during the investigation; transactional history (transactions, complaints, conditions) and details of persons and situations assessed
Application/website/social media data (only necessary cookies), name or nickname, photo, information you have publicly and comments when you contact us on social media, or attached to emails)Your image when with your consent it appears on our social media accounts we maintain or our website.
The data listed in your CV such as education, experience and skills or any attachments you send us
Please note, for employees, other personal data is also received, which is communicated to them through documents and information that is provided internally to the City.
Are you obliged to provide us with your Personal Data? Yes. For the purposes of fulfilling our services and/or fulfilling our obligations towards you, as well as to comply with our legal obligations, it is necessary to collect and process your personal data.
Criminal record certificate/good character as required by law for the issuance or renewal of a liquor and tobacco license.
Lawful Basis of Data Processing
The processing of personal data is based on one of the "lawful bases" as referred to in Article 6 of the Regulation (or Article 9 for special categories of data). Lawful bases on which the collection and processing of personal data by the Municipality is based are:
Your consent (Article 6.1.a of the Regulation), i.e., when you communicate with us in any way directly or indirectly, when you register in contact lists, when you are interested in working or cooperating with us, when you fill out our forms on your own initiative, when you visit our website or our social media accounts, when you expressly and freely consent to the taking of photographs and other audiovisual material at events, when you give us your business card.
For contract performance purposes (Article 6.1.b of the Regulation), such as, for example, in applications for employment, and/or in the case of tenders in competitions, or when we communicate with each other in any way in the context of contracts.
For the purposes of compliance with our legal obligations (Article 6.1.c of the Regulation), such as those arising from relevant Cypriot and European legislation on marriage, construction, fees, taxation, operation of special types of establishments, obligations towards regulatory authorities, local and community authorities, fiscal responsibility, town planning and zoning, etc., police or judicial authorities and services and Government decisions and laws.
In the performance of a task carried out in the public interest or in the exercise of official authority vested in us, pursuant to Article 6.1.e of the Regulation.
To safeguard our legitimate interests. Processing for these purposes is only permissible to the extent that the protection of your legitimate interests and/or your rights and individual freedoms are not overridden (Article 6.1.f of the Regulation). Such cases concern the improvement of our services, the management of accidents, the collection of our claims, the evaluation of persons and situations.
Informing our staff about the lawful bases for processing personal data we collect from them is done internally through documents and manuals.
If the purpose of processing is lawfully changed, the lawful basis of processing is likely to change. In such a case, the Municipality will provide you with all necessary information about such a change, including the new purpose on the basis of which the Personal Data will be used and/or processed and all your rights. Where your consent is necessary for such further processing, we will ensure that it is duly obtained. This does not apply where the further processing involves.
Retention of data
We store personal data for as long as required by the recorded processing purpose and any other permitted associated purpose.
The data collected on the basis of our contractual and legal obligations are retained after the expiry of the contractual and legal obligations for as long as provided for by the relevant institutional framework. Institutional framework that is applicable is the institutional framework of financial data controls, the time of deletion determined by the State Archives Supervisor for destruction, in accordance with the State Archives Act of 1991, the time determined for the expiry of the limitation period of actionable rights.
Data that may be needed for our legitimate interests as a Data Controller are kept until the reason for keeping them ceases to exist or until the limitation of actionable rights, as the case may be.
In particular, for the data that we process on the basis of your consent, these are kept from the time of receipt of the relevant consent and until the consent is withdrawn or the reason for keeping them ceases to exist. The withdrawal of consent does not remove the lawfulness of the processing of the data that was carried out prior to the withdrawal.
Your CV, if you send it to us as a candidate for employment or cooperation and any relevant information, will be retained until consent is withdrawn or until the recruitment is finalised and the time for objections has elapsed or any objections are finally adjudicated or a relevant audit conducted by the audit entities is completed. If the municipality proceeds to work with a candidate and is employed, the CV is transferred to the employee file, as consent is no longer the legal basis for processing, but the processing is carried out under a contract.
Information that is no longer necessary is securely destroyed or anonymised. We restrict access to your data to those persons necessary to process it for the purpose for which it was collected.
The Security of your Data
We have taken reasonable organisational and technical measures to protect the information we process and, in particular, special categories of personal data. We follow accepted standards and practices to ensure the security of our networks. We ensure that your personal data is processed securely and lawfully by adhering to policies and developing and implementing procedures. For example, the following security measures are used to protect personal data against unauthorised use, or any other form of unauthorised processing:
Access to personal data is limited to a defined number of authorised employees for the specific purposes and the necessary data transfer is carried out using secure procedures.
Pseudonymisation of data is used wherever possible during certain processing operations.
Our staff is bound by confidentiality rules, having classified and limited access only to the necessary data.
We choose reliable partners, who are bound in writing in accordance with Article 28 of the Regulation, with the same obligations regarding the protection of personal data. We reserve the right to control them in accordance with Article 28(3)(h).
We choose reliable partners, who are bound in writing in accordance with Article 28 of the Regulation, with the same obligations regarding the protection of personal data. We reserve the right to control them in accordance with Article 28(3)(h).
In the computer systems used for the processing of personal data, technical measures are taken to prevent loss, unauthorised access or any other form of processing. In addition, access to these computer systems shall be permanently monitored in order to detect and prevent unlawful use at an early stage. Although the movement of data over the internet or a website cannot be guaranteed to be protected against cyberattacks, we work to maintain physical, electronic and procedural security measures to protect your data.
Some of the security measures we take are not disclosed for obvious reasons.
To whom the Data may be disclosed
There may be occasions when we will share your personal data with third parties, including, service providers, or other government and wider public sector entities, where required by law, where it is necessary to manage our relationship, or where we have a legitimate interest in doing so. We take all steps to ensure that recipients of personal data are kept to a minimum and are bound by similar procedures to protect your data. The personal data that we collect and process as Data Controllers is primarily processed by our staff with restricted access on a need-to-know basis and is disclosed to third parties only provided that the legitimacy of such disclosure is fully justified and that such third parties apply equivalent lawful and fair processing practices.
Specific data that we as a Data Controller lawfully process may be accessed (or disclosed) on a case-by-case basis:
Any competent supervisory or law enforcement authority, in the context of its role.
Any public or judicial authority, where required by law or a court order; legal counsel, for as much data as is required in legal cases, under confidentiality.
Information system administrators under signed contracts.
Partner banks (of the municipality, or of partners and suppliers), only for data relating to payment issues.
Insurance companies for relevant insurance services.
We do not allow third party service providers to use your personal data for their own purposes. We only allow them to process your personal data for specified purposes and in accordance with our instructions. The above third parties other than the Authorities have contractually committed to the Municipality that they will only use the personal data for the above third party specific purposes, will not transfer this personal information to other third parties, and will not disclose it to third parties unless required by law or a court order.
Place of processing - Transfers to third countries
The personal data we collect is processed within the European Economic Area (EEA). Exceptionally, in cases of marriages where one or both parties to the marriage are nationals of third countries, we are required by the Marriage Act 2003 to forward the marriage certificate with all the information it contains to the Embassy or Consulate of the third country if that third country has an Embassy or Consulate in the Republic of Cyprus. This is done under the adequacy provisions of Article 45 or the provisions of Article 49 of the Regulation.
Specific data from those that we lawfully process as a Data Controller may be accessed (or disclosed) as the case may be:
Any competent supervisory or law enforcement authority, in the context of its role.
Any public or judicial authority, where required by law or a court order; legal counsel, for as much data as is required in legal cases, under confidentiality.
Information system administrators under signed contracts.
Partner banks (of the municipality, or of partners and suppliers), only for data relating to payment issues.
Insurance companies for relevant insurance services.
We do not allow third party service providers to use your personal data for their own purposes. We only allow them to process your personal data for specified purposes and in accordance with our instructions. The above third parties other than the Authorities have contractually committed to the Municipality that they will only use the personal data for the above third party specific purposes, will not transfer this personal information to other third parties, and will not disclose it to third parties unless required by law or a court order.
Your rights as a Data Subject and how you can exercise them
You have the rights:
of information,
consent where consent is the basis for the receipt of your personal data,
access to the personal data concerning you,
rectification in order to correct any deficiencies or inaccuracies in the data,
erasure of your personal data, if it can be satisfied, as indicated below,
restriction of processing,
object to processing,
data portability, if it can be satisfied,
objection.
The use of personal data by an electronic system to make a decision without human intervention constitutes automated decision-making. The Municipality does not use automated decision-making tools, nor does it carry out profiling.
Your right to be informed is exercised by posting this policy, or additionally in some cases, by including relevant information on how you can be informed, on the forms we use to contact you. You can request a hard copy of our policy by contacting us.
The right of consent is conferred on you by design and by default, in any case where it is required. The City has designed and implemented forms for obtaining consent when it is required. If the processing of personal data is based on your consent, you may withdraw it at any time by contacting us by telephone or email or by physical presence and after the required identification has been made, as may be done on a case-by-case basis.
You have the following additional rights, if you exercise them in a demonstrable manner, directly or through a legal representative and after it has been established that you are the data subject.
Right of Access:You have the right to be informed about what data we have about you, about our processing of your data, as well as the right to access the data concerning you.
Right to rectification: you have the right to request the rectification or completion of your data if it is inaccurate or incomplete.
Note: Since it is not possible for us to know any change in your personal data unless you inform us, please help us to keep your information accurate by informing us of any changes to your personal data.
Right of Deletion: You have the right to request the deletion of your data.
We can satisfy this right if:
The data is no longer necessary for the purposes for which it was collected.
If there is no other legal basis for processing, other than consent.
If the data have been processed contrary to the applicable legal provisions.
If the data were collected in the context of the Information Society when you were a minor.
We reserve the right to refuse to satisfy the above right, for as long as necessary, if the processing of the data is necessary to comply with a legal or contractual obligation, for reasons of public interest, or to establish, exercise or defend our legal claims (Article 17 §3).
Right to restriction of processing: You have the right to flag data with a view to restricting its processing, in particular where:
Question their accuracy for the period of time required to check their accuracy.
The processing was unlawful and instead of deletion, you request that their processing be restricted.
They do not need us for the purposes for which they were collected, but you need them to support your legal rights.
You are challenging the processing on the basis of our legitimate interests and until it is clear whether our legitimate interests override yours.
Right of Portability: You have the right to receive your data in a structured, commonly used and machine-readable format, and to request its transfer, both to you and to another natural or legal person who will process it. This applies when the following two conditions are met simultaneously: a) the processing is based on your consent, or is necessary for the performance of a contract to which you are a party, and b) the processing is carried out by automated means.
Right to object: you have the right to object at any time to the processing of your data, including profiling, as well as when the reason for the processing relates to promotional issues of the Municipality.
All of the above applies where we are acting as a Data Controller. In cases where we act as Processors, the Data Controller is responsible for informing you and handling your requests.
The Municipality, if you submit any request in a demonstrable manner, will examine your request and will reply to you within one month of its receipt, either to satisfy it or to inform you of the objective reasons that prevent its satisfaction, or, taking into account any complexity of the request and the number of requests at any given time and any similar inhibiting factors, request an extension of up to two additional months to reply (Article 12(3) of the GDPR).
The exercise of the above rights is carried out at no cost to you, by sending a request, or letter, or email, or in person and/or by telephone if identification is possible. Abusive exercise of the above rights (Article 12 §5) may result in the payment of a reasonable fee.
The language of communication for personal data protection and exercise of rights is Greek or English.
If you are not satisfied with our use of your data, or our response to your exercise of the above rights, you have the right to lodge a complaint with the Data Protection Authority.
Personal Data Breach
In the event of a breach of the security, availability and integrity of the data at our disposal concerning personal data for which the Municipality is the Data Controller, we will take the following measures (in accordance with Articles 33 and 34 of the Regulation):
We will examine, evaluate and implement those procedures required to mitigate the breach. We will assess the risk and its impact on your rights and freedoms.
We will try to reduce as far as possible the harm that has been, or may be, caused.
We will notify within 72 hours of becoming aware of the breach the Data Protection Authority if required (or in a short timeframe the data controller if we are acting as a processor). We will also notify you in appropriate ways.
We will assess the impact on your privacy and take appropriate steps to prevent a recurrence of the breach.
In the case where we are a Processor we will inform the Data Controller as soon as possible.
Links to other Websites
Our Website may contain links to other websites that are not operated or controlled by us. If you click on a third party link, you will be directed to that third party's website. We recommend that you check the privacy policy for each website you visit. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third party sites or services.
Contact details for the Personal Data Protection Authority
Cyprus Data Protection Authority, telephone +357.22818456, email: [email protected]. If you wish to contact us, for any issues concerning your Personal Data, or to exercise any of your rights, you may contact the Municipality of Paralimni, Address: 6 Antonis Papadopoulou, Paralimni 5282, Cyprus, +357 23819334, fax: +357 23825023, or the Data Protection Officer of the Municipality of Paralimni, i.e. SLOA ltd. Kyriakos Demetriou, address 9 Androkleous 9 Nicosia 1061, Nicosia, tel. 22051338, email: [email protected].
Please note that your communication with us can only be in Greek or English.
Updating the Policy
This policy was reviewed - updated on 17 October 2023 and may be reviewed again if there is a significant change. This revision will be available on our website, with a note of the effective date. A hard copy of this policy can be found on our premises, or sent to you on request.
