INTRODUCTION

Areti Charidemou & Associates L.L.C. (hereafter “AC”) is a limited liability company, incorporated under the Companies Law of the Republic of Cyprus, Cap. 113, under the given registration number HE 240348. It was incorporated in 2008, having as main activities various aspects of the legal industry.

AC must comply with the European Union General Data Protection Regulation (GDPR), and other relevant legislation protecting privacy rights. As AC is a Data Controller, and also Joint Controller or Data Processor for certain activities, the territorial scope of this legislation, and therefore of this policy, applies to all processing of personal data by and for AC, regardless of where the processing takes place.

Data protection laws require AC to protect personal information and control how it is used in accordance with the legal rights of the data subjects – the individuals whose personal data is processed.

All data subjects are entitled to know

  • Their rights under data protection law and how to utilise those rights.
  • What AC is doing to comply with its legal obligations under data protection law.

Misuse of personal data, through loss, disclosure, or failure to comply with the Data Protection Principles and the rights of data subjects, may result in significant legal, financial and reputational damage. This may include penalties of up to €20 million or 4% of worldwide annual turnover for serious breaches of the law, claims for compensation and loss of recruitment and research income.

In order to manage these risks, this policy sets out responsibilities for all managers, employees, contractors, and anyone else who can access or use personal data in the course of their work for AC.

PURPOSE

This policy and its supporting procedures and guidance support AC compliance with its obligations as a Data Controller and where applicable, as Joint Controller or Data Processor under data protection law.

AC is responsible for, and must be able to demonstrate, compliance with the following Data Protection Principles (“accountability”). In summary, the Principles state that personal data shall be:

  • Processed lawfully, fairly and in a way that is transparent to the data subject (“lawfulness, fairness and transparency”);
  • Collected for specified, explicit and lawful purposes and not be further processed in a manner that is incompatible with those purposes. (“purpose limitation”);
  • Adequate, relevant and limited to what is necessary for those purposes (“data minimisation”);
  • Accurate and kept up to date (“accuracy”);
  • Retained in a form that can identify individuals for no longer than is necessary for that purpose (“storage limitation”);
  • Kept safe from unauthorised access, processing, accidental or deliberate loss or destruction (“integrity and confidentiality”).

Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is compatible with the purpose and storage limitation principles, subject to appropriate safeguards for the rights and freedoms of the data subjects.

Under data protection law AC must also:

  • Proactively inform data subjects about its data processing activities and their rights under the law,
  • Meet its legal obligations as a data controller or processor, including data protection by design and default, data protection impact assessment, maintaining records of processing activities, measures to ensure the security of processing, handling of data breaches; designation and role of the Data Protection Officer,
  • Allow personal data to be transferred to other countries only if those countries maintain the same level of protection for the privacy rights of the data subjects concerned.

This policy sets out a framework of governance and accountability for data protection compliance across AC. This incorporates all policies and procedures that are required to protect AC information by maintaining:

  • Confidentiality: protecting information from unauthorised access and disclosure
  • Integrity: safeguarding the accuracy and completeness of information and preventing its unauthorised amendment or deletion
  • Availability: ensuring that information and associated services are available to authorised users whenever and wherever required
  • Resilience: the ability to restore the availability and access to information, processing systems and services in a timely manner in the event of a physical or technical incident.

OBJECTIVES

AC will apply the Data Protection Principles and the other requirements of data protection law to the management of all personal data throughout the information life cycle by adopting the following policy objectives.

Process personal data fairly and lawfully.

This means that we will:

  • Only collect and use personal data in accordance with the lawful conditions set down in the GDPR;
  • Document each condition we rely on; maintain this information within a formal set of Records of Processing Activities; regularly review and update these records and make them available to the Personal Data Protection Commissioner’s Office, other supervisory authorities and data subjects on request;
  • Treat people fairly by using their personal data for purposes and in a way that they would reasonably expect;
  • Ensure that if we collect someone’s personal data for one purpose e.g. job application, we will not re-use their data for a different purpose that the individual did not agree to or expect e.g. to promote goods and services for an external supplier;
  • Rely on consent as a condition for processing personal data only where:
  1. We first obtain the data subject’s specific, informed and freely given consent, and
  2. The data subject gives consent, by a statement or a clear affirmative action that we document, and that the data subject can withdraw their consent at any time without detriment to their interests.

Inform data subjects what we are doing with their personal data.

This means that, at the point that we collect their personal data, we will explain to data subjects in a clear, concise and accessible way:

  • The identity and contact details of AC and the Data Protection Officer,
  • What personal data we collect,
  • For what purposes we collect and use their data,
  • What lawful conditions we rely on to process data for each purpose and how this affects their rights,
  • Whether we intend to process the data for other purposes and their rights to object,
  • The sources from which we obtain their data, where we have received the data from third parties,
  • Whether we use automated decision making, including profiling, and if so the impact on data subjects and their rights to object,
  • Whether they need to provide data to meet a statutory or contractual requirement and if so, the consequences of not providing the data,
  • Our obligations to protect their personal data,
  • To whom we may disclose their data and why,
  • Which other countries we may send their data to, why we need to do this and what safeguards apply in each case,
  • Where relevant, what personal data we publish and why,
  • How data subjects can update the personal data that we hold,
  • How long we intend to retain their data,
  • How to exercise their rights under data protection law.

We will publish this information on our website and where appropriate in printed formats. We will review the content of these Privacy Notices regularly and inform our data subjects of any significant changes that may affect them.

We will provide simple and secure ways for our staff and other data subjects to update the information that we hold about them such as home addresses.

Where we process personal data to keep people informed about AC’s activities and events, we will provide in each communication a simple way of opting out of further marketing communications.

In these ways we will provide accountability for our use of personal data and demonstrate that we will manage people’s data in accordance with their rights and expectations.

Uphold individual’s rights as data subjects.

This means that we will uphold their rights to:

  • Obtain a copy of the information comprising their personal data, free of charge within one month of their request,
  • Have inaccurate personal data rectified and incomplete personal data completed,
  • Have their personal data erased when it is no longer needed, if the data have been unlawfully processed or if the data subject withdraws their consent, unless there is an overriding legal or public interest in continuing to process the data,
  • Restrict the processing of their personal data until a dispute about the data’s accuracy or use has been resolved, or when AC no longer needs to keep personal data but the data subject needs the data for a legal claim,
  • Data portability; where a data subject has provided personal data to AC by consent or contract for automated processing and asks for a machine-readable copy or have it sent to another data controller,
  • Object to and prevent further processing of their data for AC’s legitimate interests or public interest unless AC can demonstrate compelling lawful grounds for continuing,
  • Prevent processing of their data for direct marketing,
  • Stop AC processing data obtained for online services such as social media, where consent for the processing was previously given by or on behalf of a child, who withdraws their consent
  • Object to decisions that affect them being taken solely by automated means,
  • Claim compensation for damages caused by a breach of data protection law.

Apply “data protection by design and default” principles to all our personal data processing.

This means that we will:

  • Use proportionate privacy and information risk assessment, and where appropriate data protection impact assessment, to identify and mitigate privacy risks at each stage of every project or initiative involving processing personal data and in managing upgrades or enhancements to systems and processes used to process personal data,
  • Adopt data minimisation: we will collect, disclose and retain the minimum personal data for the minimum time necessary for the purpose,
  • Anonymise personal data wherever necessary and appropriate, e.g. when using it for statistical purposes, so that individuals can no longer be identified.

Protect personal data.

This means that we will use appropriate technical and organisational measures to:

  • Control access to personal data so that staff, contractors and other people working on AC business can only see such personal data as is necessary for them to fulfil their duties,
  • Require all AC staff, contractors, and others who have access to personal data in the course of their work to complete basic data protection training, supplemented as appropriate by procedures and guidance relevant to their specific roles,
  • Set and monitor compliance with security standards for the management of personal data as part of the AC‘s wider framework of information security policies and procedures,
  • Reduce risks of disclosure by pseudonymising personal data where possible,
  • Provide appropriate tools for staff, contractors and others to use and communicate personal data securely when working away from AC, for instance through provision of a secure Virtual Private Network, encryption and cloud solutions,
  • Take all reasonable steps to obtain assurance that all suppliers, contractors, agents and other external parties who process personal data for AC will comply with auditable security controls to protect our data and enter into our Data Processor Agreements,
  • Maintain Data Sharing Agreements with educational partners and other external bodies with whom we may need to share personal data to deliver academic programmes, shared services or joint projects to ensure proper governance, accountability and control over the use of such data,
  • Where transferring personal data to another country outside the European Union put in place appropriate agreements and auditable security controls to maintain privacy rights,
  • Ensure that our associates and employees are aware of how data protection law applies to their use of personal data in the course of our business relationship and how they can take appropriate steps to protect their own personal data and respect the privacy of others,
  • Manage all subject access and third-party requests for personal information about staff and other data subjects in accordance with our Procedures for responding to requests for personal data,
  • Make appropriate and timely arrangements to ensure the confidential destruction of personal data in all media and formats when it is no longer required for AC

Retain personal data only as long as required.

This means that we will:

  • Apply the AC records retention policies to keep records and information containing personal data only so long as required for the purposes for which they were collected.

Then, in line with the retention policy recommendations, we will

  • Destroy records securely in a manner appropriate to their format; OR
  • Transfer them by arrangement to our records storage contractor for a limited period where required for legal and evidential purposes; OR
  • Transfer the records for archiving in the public interest, scientific or historical research purposes or statistical purposes.

Some AC records containing personal data are designated for permanent retention as archives or for scientific, historical and statistical purposes. When managing access to archives containing personal data we will apply appropriate technical and organisational measures to safeguard the rights and freedoms of the data subjects concerned:

  • Apply exemptions to public rights of access to information as appropriate in accordance with the data subjects’ rights to privacy,
  • Redact personal data, e.g. by pseudonymisation,
  • Withhold access to specific categories of record

Manage any breaches of data security promptly and appropriately.

This means that we will take all necessary steps to reduce the impact of incidents involving personal data by following the AC’s policies and procedures.

Where a data breach is likely to result in a risk to the rights and freedoms of data subjects, the Data Protection Officer will liaise with the Personal Data Protection Commissioner’s Office and report the breach, in line with regulatory requirements, within 72 hours of discovery. The Data Protection Officer will also recommend, where necessary, actions to inform data subjects and reduce risks to their privacy arising from the breach.

SCOPE

What information is included in the Policy

This policy applies to all personal data created or received in the course of AC business in all formats, of any age. Personal data may be held or transmitted in paper, physical and electronic formats or communicated verbally in conversation or over the telephone.

Who is affected by the Policy

Data subjects

These include, but are not confined to: prospective job applicants, job applicants, current and former employees, family members where emergency or next of kin contacts are held, workers employed through temping agencies, members of the Court and members of the Committees of the Court, research subjects, external researchers, customers, people making requests for information or enquiries, complainants, professional contacts and representatives, partners and contractors.

Users of personal data

The policy applies to anyone who obtains, records, can access, store or use personal data in the course of their work for AC. Users of personal data include employees and associates, contractors, suppliers, agents, AC partners and external researchers and visitors.

Where the Policy applies

This policy applies to all locations from which AC personal data is accessed including home use.

As AC operates internationally, through its Headquarters in Cyprus and through arrangements with partners in other jurisdictions the remit of the policy shall include such overseas premises and international activities and shall pay due regard to non-Cyprus and non-EU legislation that might be applicable.

LINES OF RESPONSIBILITY

All users of AC information are responsible for

  • Completing relevant training and awareness activities provided by AC to support compliance with this policy,
  • Taking all necessary steps to ensure that no breaches of information security result from their actions,
  • Reporting all suspected information security breaches or incidents promptly to the DPO, Mr. Konstantinos Tsioullos, at dpo@aretilaw.com so that appropriate action can be taken to minimise harm,
  • Informing AC of any changes to the information that they have provided to AC in connection with their employment, for instance, changes of address or bank account details.

The Managing Director of AC, has ultimate accountability for AC ‘s compliance with data protection law.

The Data Protection Officer is responsible for

  • Informing and advising senior managers and all staff of AC of their obligations under data protection law;
  • Promoting a culture of data protection, e.g. through training and awareness activities;
  • Reviewing and recommending policies, procedures, standards, and controls to maintain and demonstrate compliance with data protection law and embed privacy by design and default across AC;
  • Advising on data protection impact assessment and monitoring its performance;
  • Monitoring and reporting on compliance to the Managing Director and other relevant boards;
  • Maintaining Records of Processing Activities;
  • Providing a point of contact for data subjects with regard to all issues related to their rights under data protection law;
  • Investigating personal data breaches, recommending actions to reduce their impact and likelihood of recurrence;
  • Acting as the contact point for and cooperating with the Personal Data Protection Commissioner’s Office on issues relating to processing.

All Heads of Departments are responsible for implementing the policy within their business areas, and for adherence by their staff. This includes:

  • Assigning generic and specific responsibilities for data protection management;
  • Managing access rights for information assets and systems to ensure that staff, contractors and agents have access only to such personal data that is necessary for them to fulfil their duties;
  • Ensuring that all staff in their areas of responsibility undertake relevant training provided by AC and are aware of their responsibilities for data protection;
  • Ensuring that staff responsible for any locally managed IT services liaise with AC staff to put in place equivalent IT security controls;
  • Assisting the Data Protection Officer in maintaining accurate and up to date records of data processing activities.

The IT Manager is responsible for ensuring that centrally managed IT systems and services embed privacy by design and default and for promoting good practice in IT security among staff.

The Head of Human Resources Department is responsible for maintaining relevant human resources policies and procedures, to support compliance with data protection law.

MONITORING AND EVALUATION

The Data Protection Officer will monitor new and on-going data protection risks and update the relevant AC risk register, reporting this promptly as required to the Managing Director. The DPO will liaise with the IT Manager to ensure that IT security risks related to data protection are captured on the register and that all Departments record data protection and information security risks on their registers and escalate these as necessary to the DPO.

The Data Protection Officer will make regular reports to the AC’s Board on data protection compliance.

IMPLEMENTATION

This policy is implemented through the development, implementation, monitoring and review of the component parts of AC’s Management System.

These will require:

  • The Data Protection Officer to liaise with Heads of all Departments to review and update information risk assessments and records of processing activities and take necessary actions to identify and protect personal data and systems used to process the data;
  • Coordination of effort between relevant Heads and professional specialists to integrate IT, physical security, people, information management, risk management and business continuity to deliver effective and proportionate information security controls;
  • Review and refresh of all relevant policies and procedures;
  • Generic and role specific training and awareness;
  • Embedding privacy by design and default and related information governance-requirements into procurement and project planning;
  • Information security incident management policies and procedures;
  • Business continuity management;
  • Monitoring compliance and reviewing controls to meet business needs.