‘Personal Data’: any information that relates to an identified or identifiable living individual. This does not include data whose identity/origin has been removed (known as ‘anonymous data’).
‘Data Controller’: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
‘Data Processor’: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
‘Data Subject’: a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
‘Processing’: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
‘Consent’ of the Data Subject: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
The Personal Data Privacy Policy (hereinafter, the ‘Policy’) concerns the processing of Personal Data by the Cyprus University of Technology (CUT).
The Policy and resulting processing to which the CUT proceeds, shall ensure that the Personal Data is:
- processed lawfully and fairly;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which is processed;
- accurate and, where necessary, kept up to date; and
- kept in a form which permits identification of data subjects for no longer than is necessary, in the Commissioner’s discretion, for the purposes for which the personal data is processed.
Without prejudice to the above, the CUT hereby commits to protect your personal data. The CUT collects, processes and uses such personal data in full compliance with the principles of the General Regulation 2016/679 of the European Parliament and the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter, the ‘GDPR’), the given applicable legislation as amended from time to time, and any other legal and/or regulatory obligations.
This Policy aims at informing you about how and for which purposes the CUT uses, processes and retains your personal data. Below you will find information regarding the processing of your personal data and your rights relating to the protection of such data. The content and extent of the data processing are greatly based on each of the products and services you have requested or that have been agreed with you.
Compliance with this Policy applies for all staff at the CUT, including the Rectorial Authorities, the Council, the Management Team, the Deans and the Department Presidents. All the above persons shall lead by example with respect to the compliance with the present Policy.
We process the personal data we obtain from you within the scope of our business or/and academic relationship. For the purposes of the provision of our services and to the extent deemed necessary, we process personal data which is also recoverable from publicly accessible sources.
More specifically, the CUT processes Personal Data such as that of its personnel, applicants, students, tenderers, pensioners and partners for legal purposes. The University retains information about the above persons from information they basically provide themselves to the University.
Our records include:
- your full name,
- you ID,
- your social insurance number,
- your address,
- your email,
- your CV details,
- your salary data,
- your ΙΒΑΝ,
- copies of academic and professional qualifications,
- socioeconomic information concerning your family,
- your academic achievements,
- the seminars you have followed and your results, etc.
Some types of information may be categorised as ‘sensitive’ for the purposes of the EU data protection law and it should be mentioned that there are additional restrictions regarding the way in which we may use and handle such information. In general, it is necessary for us to obtain your consent to be able to handle and use such information. In any case, we may retain and use such information based on limited legal purposes, ie. to ensure compliance with our equal opportunities policy, as well as compliance with health and safety regulations or, if deemed necessary, to safeguard your vital interests, for legal requirement purposes or for public interest purposes.
We will always notify you of the purposes for which we wish to use your sensitive information when this is collected and, if needed, to obtain your consent at the given time. In any case, you will have the possibility to revoke such consent at any time.
Principles of the Personal Data processing and legal base for the above categories:
We process the above personal data in accordance with the provisions of the GDPR, as well as the local legislation on personal data protection applicable from time to time.
- To comply with a legal obligation which might arise
As an academic institute, we ought to comply with various legal obligations.
- To perform our contractual relationship
- To safeguard the legitimate interests of the Data Controller/CUT
If necessary, we process your data beyond the carrying out of our obligations as a university, to safeguard the legitimate interests pursued by us or a third party.
- Based on your consent
To the extent you have provided us with your consent to process your personal data, the lawfulness of such processing is subject to your consent. Such consent may be revoked at any time by contacting us.
The same applies to the revocation of consent statements granted to us prior to the GDPR entering into force, ie. prior to 25th May 2018.
Please note that we will use your personal data only for the purposes for which it was collected, unless we reasonable deem that it must be used for another relevant purpose which is compatible with the initial purpose. If you wish to receive further information about how such data processing based on this new purpose is compatible with the initial purpose, please contact us.
If there is a need for us to use your personal data for an irrelevant and/or incompatible purpose, we will notify you and explain the legal base permitting us to do so.
The CUT retains personal data for as long as it is required for its lawful processing.
Your personal data will be retained for as long as necessary to fulfil the purposes for which it was collected, among others, for the fulfilment of any legal, auditing or reporting requirements. For details regarding the retention periods, please refer to the Record of Processing Activities of the Cyprus University of Technology.
In some cases, your personal data may be anonymised so that it can no longer be associated to you and, therefore, we will have the right to use such data without notifying you.
More information regarding the retention periods of various data is available at each department or/and you may contact the Data Protection Officer by email at: gdpr.dpo@cut.ac.cy
As part of our duties, your data may be transferred to trusted third persons we collaborate with, within the scope of our relationship and the processing of your personal data. Any transfer shall be carried out in compliance with the GDPR and all reasonable measures shall be taken to ensure the compliance of such third persons with the GDPR, as well.
The GDPR and the local legislation applicable from time to time prohibit the transfer of personal data outside the European Economic Community (‘EEC’), unless certain criteria for the protection of the personal data in question are met.
Data shall be transferred to countries outside the EU or the EEC, only when
(i) this is required by law or
(ii) you have given us your consent and/or asked us to transfer this data.
Please note that in the case third-country providers are used, all reasonable measures will be taken to ensure that they comply with Europe’s level of data protection in accordance with the GDPR.
Any transfers to locations outside the EU shall be carried out in accordance with the legal and regulatory provisions of the GDPR and the local legislation applicable from time to time
We have implemented appropriate security measures to prevent the loss, the use or access of your personal data in an unauthorised manner, its alteration or its disclosure to unauthorized persons. Furthermore, we restrict the access to your personal data to those employees, contractors and other third parties with a business need to access your data. They shall process your personal data strictly according to our instructions and they shall be subject to an obligation of confidentiality.
We have introduced procedures to manage any potential data security breach, and we shall inform you and any applicable regulatory bodies of any potential breach when legally obliged to do so.
The Data Subjects have the below rights:
- Right to be informed about the personal data concerning them and to obtain information about it and its origin;
- Right of access confirming the purposes of the processing, the recipient or categories of recipient and the period for which it is stored;
- Right to rectification of inaccurate data and to completion of incomplete data retained;
- Right to erasure (‘right to be forgotten’) of the data, subject, however, to the obligations and legal rights of the CUT to retain it for a specific minimum period of time, pursuant to the given applicable legislative and regulatory framework;
- Right to restriction of processing of the data, given that either its accuracy is contested, its processing is unlawful, or the purpose of its processing no longer applies, and on the condition that there are no legitimate grounds to retain it;
- Right to data portability to another data controller, on the condition that the processing is based on the data subject’s consent and is carried out by automated means;
- Right to object the processing of the data concerning them, on grounds relating to their particular situation; and
- Right to non-automated, individual decision-making. The data subject shall have the right not to be subject to a decision based solely on automated processing (profiling), which produces legal effects concerning him or her or similarly significantly affects him or her. The processing shall be subject to suitable safeguarding measures, such as the right to obtain human intervention, the possibility for the data subject to express his or her point of view etc.
- Right to lodge a complaint with the Commissioner for Personal Data Protection at any time the data subject considers that any of his or her rights has been infringed.
- Right to revoke consent of the data subject at any time. The revocation of the data subject shall not affect the lawfulness of the processing based on the consent before its withdrawal.
In case the CUT, as the Personal Data Processor, has any legal interest in retaining the Personal Data concerning him or her, the data subject’s request to revoke consent and/or to erase his or her data may not be accepted.
In the scope of our relationship, we may need to collect personal data by law or pursuant to a contract we have with you. Without this data, we may not be in a position to finalise or perform our contract with you.
If you opt not to provide us with such personal data, this may delay or prevent us from fulfilling our obligations. In addition, this might mean that we will not be able to perform the services necessary to the effective provision of services to you.
Any collection of data which is optional will be made clear at the collection point.
The Data Controller is the CUT which is headquartered at 30, Achiepiskopou Kyprianou, 3036 Limassol.
The Data Processor is any natural or legal person, public authority, agency or other body which processes personal data upon the CUT’s instructions.
In accordance with the GDPR, the CUT has appointed a Data Protection Officer who participates in all matters concerning the protection of personal data.
The contact details of the Data Protection Officer are also posted on the CUT’s website.
You may contact the Data Protection Officer at the following address:
Data Protection Officer
PO Box 50329
3603 Limassol
or by email at: gdpr.dpo@cut.ac.cy
The CUT reserves the right to review the present Personal Data Privacy Policy as it deems necessary.