The new European Union (EU) Data Protection Law, the General Data Protection Regulation 2016/679(“GDPR”), came into effect on 25th of May 2018. The GDPR gives individuals in the EU more control over how their personal data is used and places certain obligations on businesses that process the information of those individuals.
Terms – Definitions:
Personal Data: means any information relating to an identified or identifiable natural person.
An identified natural person is one whose identity has been established.
An identifiable natural person is one whose identity may be confirmed, directly or indirectly, by information such as:
- Name and surname, identity card number, passport number, telephone number, email (where needed), direct debit details (where needed) billing address, or other factors specific to that natural person’s physical, physiological, mental, economic, cultural, political or social identity.
Consolidated data of a statistical nature, from which the data subject cannot be identified, are not deemed to be Personal Data.
Data Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
Data Processor: means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller.
Data Subject: is the natural person to which the Personal Data refers and whose identity is known or may be confirmed, directly or indirectly, by reference to an Identity Card number or to factors specific to that person’s physical, physiological, mental, economic, cultural, political or social identity.
Processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.
Such operations are the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data.
Consent of the Data Subject: means any freely given, specific, informed and unambiguous statement/acceptance by the Data Subject by which he/she agrees to the processing of his/her Personal Data by the Club.
Who we are:
The Club incorporated on 28/02/2011 at the Republic of Cyprus with Registration of Societies Number: 3545, and it is governed under the Societies and Institutions and Other Related Issues Law of 2017 (Law 104 (I) /2017) as amended from time to time.
The aim of the Club is to promote the classical car movement in corporation with other clubs and organizations in Cyprus and abroad who have the same interests and believes. The Club does not take into account political, religious, ideological beliefs, ethnic origins and religion and its establishment is with non-profit making purpose.
Identity and contact details of the “Data Controller”, “Data Processor”:
(a) Data Controller:
The Club is the “Data Controller” pursuant to the GDPR, and related Cyprus Legislations, Orders, Decisions, local and EU Regulations and Local and EU Directives and determines how your personal data is kept and processed.
The offices of the Data Controller and is situated at: 1A, Agias Ekaterinis Street, 2368, Agios Dometios, Nicosia, Cyprus Telephone: 22-878390, Email: email@example.com
(b) Data Processor:
The Data Processor is any natural or legal person, public authority, service or other body that processes Personal Data on behalf of the Club. Ιn some cases the Club will be acting as the Data Controller and as the Data Processor in order to comply with the Club’s activities.
How do we collect personal data and/or personal information of our members’?
In order to register our members in our Club’s registry we may collect directly from you and process different types of your personal data and/or personal information in the following ways:
- On a personal basis, during the performance of a contract or during the process of examining a candidate member’s application.
- Through the use of our website and other electronic programmes and social media.
- By post and/or electronic mail.
- By completing any questionnaires and/or documents, for research purposes aiming at the improvement of our purposes.
- When your information is published.
- By signing up and giving your freely and unambiguous consent, subscribe and/or register for receiving newsletters, notifications or other information about our events.
- When you visit any of our offices.
- When you visit or browse our website/s.
Other than personal information obtained from you directly (as described above), our Club may also obtain your personal information from third parties we deal with or are connected with you, and from such other sources where you have given your freely and unambiguous consent for the disclosure of information relating to you, and/or where otherwise lawfully permitted under the relevant Cy legislations, Orders and Regulations and EU Regulations and/or EU Directives.
What categories of personal data do we collect?
We collect and use several types of information from our members, including information by which you may be personally identified and that is defined as personal data under applicable law/s such as:
- contact information such as your name and surname, identity card number and passport number, gender, nationality and race, preferred language, IP numbers and any websites visited (where applicable) current private and/or business address, telephone or mobile phone number, fax number, email address.
- the amount of data that has been received and/or sent by you.
- the equipment you use when accessing our products and/or services (such as your mobile, your computer system and platform) to customize the service for you.
- capture of your image via photographic cameras when you visit our events after we have your prior freely and unambiguous consent.
In case that there will be a need for further process of your personal data for a purpose other than that for which they were initially collected by our Club, you will be informed in advance about the additional purpose and the relevant details in respect to the further processing.
What lawful reasons do we have for collecting, processing and members’ personal data:
In order to proceed with a relationship, our members must provide their personal data and/or personal information to us which are necessary for the required commencement and continuation of a relationship with our Club. These personal data are processed by the Club throughout the validity period of the registration in members’ registry in order for the Club to deal with its main objectives.
Failure to provide us with personal data prevents us from commencing or continuing a relationship with you.
In accordance with GDPR we may rely on the following lawful reasons when we collect and process personal data to operate our Club:
Compliance with legal obligation: We may process personal data in order to meet legal and regulatory obligations such as Societies and Institutions and Other Related Issues Law of 2017 (Law 104 (I) /2017) as amended from time to time, the Regulations or Orders for the time being and from time to time in force, any other CY Legislation/s, Regulations and Orders of various Supervisory authorities in the Republic of Cyprus, the European Union (EU) Data Protection Law, the General Data Protection Regulation 2016/679(“GDPR”) and generally for the purpose of compliance with the Law.
Further legal obligations are:
Consent: We may rely on your freely and unambiguous given consent at the time you provided your personal data to us for a purpose of the process other than for the purposes set out hereinabove, then the lawfulness of such processing is based on that consent. You have the right to withdraw consent at any time. However, any processing of personal data will not be affected prior to the receipt of the withdrawal.
Legitimate interests: We may rely on legitimate interests based on our evaluation that the processing is fair, reasonable and balanced and we make sure that legitimate interest of our Club does not exceed your rights.
Why do we need personal data?
We aspire to be transparent when we collect and use personal data and tell you why we need it, which typically includes:
- Providing the services of the Club to our members.
- To send invitation for events of our Club to our members, once we have their freely and unambiguous consent.
- To send email and/or SMS notifications to our members for our Club’s events once have specifically requested once we have their freely and unambiguous consent.
- Our services may include reviewing members’ files for quality assurance purposes, which may involve processing personal data for the relevant member.
- Administering, maintaining and ensuring the security of our information systems, applications and websites.
- Functionality and security: to detect, prevent, and respond to actual or potential fraud and illegal activities.
- Compliance: to enforce our terms and conditions and to comply with our legal obligations as these derive from the applicable laws of the Republic of Cyprus and any amendments or additions thereof from time to time and/or any applicable EU Directives and EU Regulations as those amended thereof from time to time.
Do we share personal data with third parties?
In the course of our relationship our members’ personal data may be provided to the following third parties may also be the recipients of the personal data under the certain circumstances:
- Supervisory and other regulatory and public authorities, whereby a statutory obligation exists by the Law. Some examples are the income tax authorities, criminal prosecution authorities, external consultants such as Lawyers’, Accountants’, Auditors’ etc. The aforementioned third parties are obliged and responsible to comply with the relevant Laws.
- Third parties to whom we may disclose personal data may have their own privacy policies which describe how they use and protect personal data. In the event that our Company has a contractual relationship with them does not authorize us to disclose your personal data in any other way beyond the provision of their services.
What about personal data security?
Our Club maintains solid information security measures and procedures to safeguard its members’ personal data, in line with its legal obligations developed by Local and/or European standards organisations and/or by international bodies and it complies strictly with the provisions of the GDPR and/or any local legislation of personal data.
Last but not least, we have put in place appropriate technical and organizational measures including physical, electronic and procedural measures to protect your personal data from loss, misuse, alteration or destruction.
How long do we retain personal data?
We will keep our members’ personal data for as long as we have a relationship with them i.e. until they are still members in our Club’s registry of members.
Once our relationship has ended, we will delete immediately your personal data from our systems either in hard copies or in an electronic form.
The following data are not erased:
- Data maintained for the purposes of legitimate interest in which litigation and/or investigations might arise in respect of the services and/or products rendering by our Club when we are lawfully requested to do so until the legitimate purposes is completed.
- Data maintained accordingly to any retention periods are set in relevant CY legislations and/or EU Regulations and EU Directives whenever applicable.
- The personal data processed for the purposes of sending newsletters etc., as per your prior freely and unambiguous given consent to our Club, shall be kept with us until you notify us in writing that you no longer wish your personal data to be used for this purpose.
What are your data protection rights?
Subject to the provisions of the GDPR, you have certain rights regarding the Personal Data we collect, process or disclose and that is related to you, including the right:
- To receive access to your personal data (“right to access”).
- To rectify inaccurate personal data concerning you (“right to data rectification”).
- To request deletion/erasure of your personal data (“right to erasure/deletion, “right to be forgotten”).
- To receive the Personal Data provided by you in a structured, commonly used and machine-readable format and to transmit those Personal Data to another data controller (“right to data portability”).
- To object to the use of your personal data where such use is based on our legitimate interests or on public interests (“right to object”).
- In some cases, to request the restriction of processing of your personal data (“right to restriction of processing”).
- The member as the Data Subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him/her or significantly affects him/her (“right to a non-automated individual decision-making”).
Our member/s has/have the right to withdraw his/her consent given at any time in relation to the processing of your personal data. KINDLY NOTE that any withdrawal of your consent will not affect the lawfulness of processing based on it prior to withdrawal.
If the Club as the Data Controller has a legitimate interest in retaining your personal data, your request to withdraw your consent and have your personal data deleted may be denied.
Last but not least, we may need to request specific information from you to help us confirm your identity and ensure your right to access the information or to exercise any of your other rights. This helps us to ensure that personal data is not disclosed to any person who has no right to receive it. No fee is required to make a request unless your request is clearly unfounded or excessive.
How does the Club deal with leaks of Personal Data?
The Club informs the Commissioner for Personal Data Protection in detail of any leak and/or violations within 72 hours of being made aware of such a leak/violation.
The Club informs the Data Subject (“natural person” and/or our member) when there is a high risk of violation of his/her rights and freedoms.
How to raise a complaint?
To exercise any of the above rights, or for any questions or complaints about our use of your personal data, please contact us, either by post at: 1A, Agias Ekaterinis Street, 2368, Agios Dometios, Nicosia, Cyprus Telephone: 22-878390, Email: firstname.lastname@example.org.
Complaints may also be lodged to the supervisory authority in Cyprus (Office of the Commissioner for Personal Data Protection, by post at 1 Iasonos Str. 1082, Nicosia, Republic of Cyprus. More information can be found at http://www.dataprotection.gov.cy.
Applicable Laws and Jurisdiction
The said Policy applies only to the Club’s website and not to any other organizations and we are not responsible for the Privacy policies of such third parties.