DEFINITIONS

Defined terms used in this policy and not otherwise defined herein shall have the following meanings given to them:

Adequacy Decision

means a finding by the European Commission that a third country, territory, specific sector in a third country or an international organisation offers adequate level of data protection that is essentially equivalent to that within the EU ensuring a level of protection of the fundamental rights and freedoms. Adequacy decisions can be accessed at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

Commissioner 

means the Office of the Commissioner for Personal Data Protection in Cyprus, an independent public authority responsible for monitoring the implementation of the GDPR and other relevant laws

Data Controller

means the natural or legal person which determines the purposes and means of the processing of Personal Data

Data Processor

means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller and is a separate entity to the Data Controller (for example, cloud computing suppliers, auditors, banks and/or public authorities)

Data Subject

means the person about whom the Data Controller collects and processes Personal Data

DPO

means the data protection officer of RPA

GDPR

means the EU General Data Protection Regulation (Regulation (EU) 2016/679)

Personal Data

means any information relating to an identified or identifiable Data Subject. An identifiable Data Subject is anyone who can be identified, directly or indirectly, by reference to an identifier, such as a name, identification number, or online identifier

Processing

means any operation which is performed on Personal Data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

RPA – means Royal Pine & Associates Limited

1. Introduction

RPA respects the privacy of natural persons and is committed to protecting their Personal Data.

RPA has adopted this policy to address procedures for handling Data Subject requests and objections under the GDPR when acting as a Data Controller.

2. Data protection principles

RPA complies with the GDPR which means that RPA shall be responsible for ensuring that any Personal Data is:

• processed lawfully, fairly and in a transparent manner;
• collected only for specific, explicit legitimate and valid purposes and not further processed in any manner that is incompatible with such purposes;
• adequate, relevant and limited only to what is necessary in relation to the purposes for which it is processed;
• accurate and, where necessary, kept up to date, while every reasonable step must be taken to ensure that Personal Data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay;
• kept in a form which permits identification of the Data Subject only for as long as it is necessary for the purposes for which the Personal Data is processed; and
• is processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage.

3. Data Protection Officer 

RPA has appointed a DPO to oversee compliance with the GDPR.

The DPO’s duties include, amongst others, the following:

• inform and advise RPA (and its employees who carry out processing), of their obligations under the GDPR;
• monitor compliance with the GDPR and with this policy;
• cooperate with the Commissioner and act as contact point on issues relating to processing; and
• provide advice and/or clarifications (where requested) in relation to the Data Subjects’ rights.

Should any questions arise about this procedure or any requests relating to the Data Subject’s rights under the GDPR (as these are described in section 11 below), the appointed DPO shall be contacted at dpo@royalpine.com.

Data Subjects have the right to make a complaint at any time to the Commissioner.

4. Personal Data collected by RPA 

Personal Data, or personal information, means any information about an individual from which that person can be identified. There are certain types of more sensitive Personal Data which require a higher level of protection, such as information about a person’s health and any criminal convictions or offences (if applicable).

RPA may collect, store and use, inter alia, the following documents and/or categories of Personal Data:

• Personal contact details such as full name, title, addresses, telephone numbers, and personal email addresses
• Date of birth
• Gender
• Passport/ID card copies
• Marital status and dependents
• Social Insurance Number
• Tax Identification Number
• Bank account details
• Source of wealth and source of funds information
• Copies of residence and employment permits
• Payroll records, copies of tax returns and tax status information
• Non-bankruptcy certificates
• Employment records (including job titles, work history and professional memberships) and other information included in a CV
• Photographs

In addition to the above, RPA may collect, store and use, inter alia, the following documents and/or categories of Personal Data of its employees:

• Next of kin and emergency contact information
• Salary, annual leave, pension and benefits information
• Start date and, if different, the date of continuous employment
• Leaving date and reasons for employment termination
• Recruitment information (reference letters, copies of diplomas and other information collected during the job application process)
• Compensation history
• Performance appraisal forms and information
• Disciplinary and grievance information
• CCTV footage and other information obtained through electronic means such as key card records
• Information about the use of RPA’s communications systems

RPA may also collect, store and use more sensitive types of Personal Data, such as the following:

• Information about race or ethnicity and political positions/opinions (if applicable)
• Information about health, including any medical condition(s), health and sickness records (if applicable)
• Biometric data
• Information about criminal convictions and offences (if applicable), usually obtained through the provision of a criminal record or through search information providers such as Refinitiv worldcheck

5. Personal Data collection process

RPA uses different methods to collect data from and about its clients including through:

• Direct Interactions: some of the abovementioned information and/or documentation may be obtained by corresponding with the Data Subject by email or otherwise. This usually includes Personal Data and documents a Data Subject provides when entering into a services agreement or other agreement with RPA.
• Third parties or publicly available sources: RPA collects Personal Data about a Data Subject from various public sources (if available) as set out below:

1. analytics providers such as Google;
2. employment-oriented websites such as LinkedIn; and
3. search information providers such as Refinitiv worldcheck.

RPA collects Personal Data about its employees and/or applicants during the job application and recruitment process, either directly from the candidates or from an employment agency or background check provider.

RPA may collect additional Personal Data and/or documentation in the course of its relationship with the Data Subjects throughout the years.

6. Personal Data use

RPA will only use Personal Data in accordance with the GDPR and any other relevant laws and regulations. Most commonly, RPA will use Personal Data, if at least one of the following applies:

• Where it needs to perform the agreement it has entered into with the Data Subject;
• Where it needs to comply with a legal obligation;
• Where the Data Subject has given his consent for the processing of his Personal Data for one or more specific purposes; and
• Where it is necessary for legitimate interests pursued by RPA or a third party, except where such interests are overridden by the Data Subject’s interests or fundamental rights and freedoms which require protection of Personal Data.

RPA may also use Personal Data in the following situations, which are likely to be rare:

• Where it needs to protect the interests of the Data Subject (or someone else’s interests); and
• Where it is necessary for the performance of a task carried out in the public interest.

RPA may process Personal Data for more than one lawful grounds stated above, depending on the specific purpose for which it is using such data.

1. Failure to collect Personal Data

If a Data Subject fails to provide certain information when requested, RPA may not be able to perform the agreement it has entered into with such subject.

In such case, RPA may decide to terminate the relationship with the Data Subject.

2. Change of purpose

RPA will only use Personal Data for the purposes for which it collected it, unless it reasonably considers that it needs to use it for another reason and that reason is compatible with the original purpose. If RPA needs to use Personal Data for an unrelated purpose, it must notify the Data Subject in advance and explain the legal basis which allows it to do so.

RPA may process Personal Data without the Data Subject’s knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

7. Information about criminal convictions

RPA may only use information relating to criminal convictions where the relevant laws allow it to do so. This will usually be where such processing is necessary to allow RPA carry out its obligations.

RPA will only collect information about criminal convictions if it is appropriate given the nature of the services provided and where it is legally able to do so. Where appropriate, RPA will collect information about criminal convictions when entering into an agreement with a Data Subject or it may be notified of such information directly by such subject or via other sources in the course of the relationship with the Data Subject.

8. Personal Data sharing

RPA may have to share Personal Data with third parties, including third-party service providers and other entities. In such case, RPA requires third parties to respect the security of the Personal Data and to treat it in accordance with the GDPR.

In accordance with the GDPR, RPA shall only transfer Personal Data outside the European Economic Area (EEA), if one of the following conditions are applicable:

1. if an Adequacy Decision is in place for that third country or territory, or
2. if appropriate safeguards are in place either through the medium of binding corporate rules, standard contractual clauses, or through the adherence to a code of conduct or certification mechanism.

In case of absence of the above, RPA may transfer Personal Data to countries outside the EEA if this is necessary for the performance of the agreement between the Data Subject and RPA. In any other circumstances of transfer of data outside the EEA, the Data Subject must be notified in advance, the possible risks associated with such transfer must be communicated, and written consent of the Data Subject must be obtained.

9. Personal Data security 

RPA has put in place measures, such as the implementation of an encryption software system which prevents unauthorised access to RPA’s server, to protect the security of Personal Data. Third parties will only process Personal Data upon RPA’s instructions and where they have agreed to treat the information confidentially and to keep it secure.

RPA has put in place appropriate security measures to prevent Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. RPA undertakes to deal with any suspected data security breach and will notify the Data Subject and the Commissioner of a suspected breach where it is legally required to do so.

10. Personal Data retention 

RPA will retain Personal Data for at least six (6) years after the relationship with the Data Subject has been discontinued or after the date an occasional transaction was completed.

Upon expiry of the aforementioned period, RPA will securely destroy Personal Data.

11. Data Subject’s rights

Under certain circumstances and pursuant to the GDPR, Data Subjects have the right to:

1. Request access to their Personal Data (commonly known as a “Data Subject access request”). This enables Data Subjects to receive a copy of the Personal Data kept by RPA and to check whether RPA is lawfully processing it.
2. Request correction of the Personal Data kept by RPA. This enables Data Subjects to correct any incomplete or inaccurate information kept by RPA.
3. Request erasure of Personal Data. This enables Data Subjects to request RPA to delete or remove Personal Data where there is no good reason for RPA continuing to process it. RPA is obliged to meet such requests only if one of the following applies:

• Personal Data is no longer necessary in relation to the purposes for which it was collected or processed.
• The Data Subject has withdrawn his consent on which the processing is based and where there is no legal ground for the processing (if applicable).
• Personal Data has been unlawfully processed.
• Personal Data has to be erased for compliance with a legal obligation.

RPA may refuse the erasure of Personal Data in the event that one of the following applies:

• for compliance with a legal obligation to which RPA is subject and/or
• for the establishment, exercise or defence of legal claims.

4. Request the restriction of processing of Personal Data. This enables Data Subjects to request RPA to suspend the processing of their Personal Data. RPA is obliged to meet such requests only if one of the following applies:

• the processing is unlawful;
• RPA no longer needs the data for its own purposes but is required to retain it by the individual for the establishment, exercise or defence of legal claims.

“Restriction of processing” means that RPA has the continued right to store Personal Data, but may only process it in one of the following circumstances:

• with the consent of the Data Subject;
• for the establishment, exercise or defence of legal claims;
• for the protection of the rights of another natural or legal person; and
• for important public interest reasons.

5. Request the transfer of Personal Data to another party.

Any request for the review, verification, correction or erasure of Personal Data, objection to the processing of Personal Data, or request of transfer of copies of Personal Data to another party, must be addressed to the DPO.

12. Right to withdraw consent 

Any Data Subject who has provided his consent to the collection, processing and transfer of his Personal Data for a specific purpose, has the right to withdraw such consent for that specific processing at any time.

Notifications for consent withdrawal must be addressed to the DPO.

Upon receipt of the notification that a Data Subject has withdrawn his consent, RPA shall no longer process his information for the purpose or purposes the subject originally agreed to, unless RPA has another legitimate basis for doing so in law.