Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) has been applicable in all Member States since the 25^th of May 2018. This Regulation repeals Directive 95/46/EC, the provisions of which have been transposed into Law 138(I)/2001.

The GDPR modernised the EU’s data protection legislation, making it fit for the protection of fundamental rights, in the context of the economic and social challenges of the digital age. Furthermore, it preserves and develops the basic principles and rights of the data subject on the basis of a single set of data protection rules across the EU. In addition, it introduces new obligations for organisations, which have to implement data protection by design and by default, to appoint a Data Protection Officer in certain cases, to respect the new right to data portability and to respect the principle of accountability.

The GDPR text is available in all EU languages on the European Commission's website.

The correspondence between the articles in the Regulation and the relevant references can be found on this website: http://www.privacy-regulation.eu/en/

LAW 125(I)/2018

On July 31^st 2018, the national legislation providing for the protection of natural persons with regard to the processing of personal data and the protection of the free movement of such data was published in the Official Gazette of the Republic of Cyprus, the Law Providing for the Protection of Natural Persons with Regard to the Processing of Personal Data and for the free Movement of Such Data of 2018 (Law 125 (I)/2018).

The Law was ratified for the effective implementation of certain provisions of the GDPR, the free transfer of such data and the repeal of Directive 95/46 / EC.

With the entry into force of the provisions of Law 125(I)/2018, the Processing of Personal Data (Protection of Individuals) Laws of 2001 to 2012 were repealed.

Acts adopted by the Commissioner pursuant to the provisions of the Personal Data Processing (Protection of Individuals) Act, which is repealed, will continue to apply until their expiration or replacement.

RIGHTS OF DATA SUBJECTS

The Data Subject has rights in relation to the way his or her personal data is handled.

These include, but are not limited to, the following rights:

1. Right to withdraw consent at any time when the legal basis for processing is the consent.
   2. Right of access to his or her personal data retained.
   3. Right to prevent the use of personal data for direct marketing purposes.
   4. Right to object to the processing of personal data in limited circumstances.
   5. Right to erase his or her personal data without delay:

• If they are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
• If the only legal basis for processing is consent and consent has been withdrawn and there is no other legal basis on which personal data can be processed.
• Where the data subject opposes processing where the legal basis is the pursuit of a legitimate interest or a public interest and compelling legitimate grounds or interests cannot be demonstrated.
• If the data subject has been included in the processing for direct marketing purposes.
• If the processing is unlawful.

6. Right to correct data of inaccurate data or to complete missing data.
   7. Right to restrict processing in specific circumstances e.g. where there is a complaint concerning accuracy.
   8. Right to information: Information should be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
   9. Right to data portability: The right to data portability is available only when personal data are processed with the consent of the data subject and not when personal data have been collected using any other legal basis for processing. Data portability enables data subjects to receive and re-use their data for their own purposes and in different services. This right facilitates their ability to easily transfer, copy or transfer personal data from one IT environment to another without objection.
   
   11. Right to request a copy of the assurance based on which personal data are transferred outside the EU.

All requests, including access to data users, must be sent to the College's Data Protection Officer for processing and approval.

RESPONSIBILITY

The College implements appropriate technical and organisational measures in an effective manner to ensure its compliance with data protection principles.

The College is responsible and must be able to demonstrate obedience to data protection authorities.

The College's compliance with the GDPR is ensured through the following:

• Appointment of an appropriate DPO specialist.
• Applying privacy by design (design policies, processes and systems that comply with GDPR from the start of product development or processes.
• Incorporating data protection into College policies and procedures, the way we handle personal data, and creating required documents such as written consent forms, processing records, and personal data breach records.
• Training the staff in relation to the Data Protection Act and maintaining relevant records.
• Regularly reviewing the privacy measures applied as well as conducting periodic audits and audits to assess compliance with the laws, including the use of test results to demonstrate effort to improve compliance.

RESPONSIBILITIES

1. Responsibilities of the College

The College is responsible for establishing policies and procedures in order to comply with the applicable legislation and the GDPR.

2. Responsibilities of the Data Protection Officer (DPO)

The Data Protection Officer shall have the following responsibilities:

• To advise the College and its staff on their GDPR obligations.
• To monitor that there is compliance with this Regulation and the relevant Law and, above all, that the College's policies and procedures are in full compliance with this Regulation.
• Monitor the training and control procedures related to GDPR compliance.
• Advise, where appropriate, on data protection impact assessments.
• To fully understand the risk associated with the processing operations, taking into account the nature, scope, context and purposes of the processing.

3. Personnel responsibilities

Staff who process personal data about students, staff, alumni or any other person must comply with the requirements of the present policy of the College.

Staff members must ensure that:

• All personal data is kept securely.
• No personal information shall be disclosed orally or in writing, by mistake or otherwise, to any unauthorised third party.
• Personal data is kept in accordance with the College's preservation program.
• Any data protection questions, including user access requests and complaints, shall be promptly forwarded to the Data Protection Officer.
• Any data protection breaches shall be reported promptly to the Data Protection Officer.
• Where there is uncertainty around a data protection issue, advice is sought from the Data Protection Officer.
• Staff responsible for supervising students who undertake assignments involving the processing of personal information (for example in research projects), must ensure that these students are aware of data protection principles.
• When staff are unsure who the authorized third parties are, to whom they can disclose legitimate personal data, they should seek advice from the Data Protection Officer.

4. Third party data processors

When external companies are utilized to process personal data on behalf of the College, the responsibility for the security and proper use of this data remains with the College.

5. When a third-party data processor is used

• The data processor selected should provide sufficient guarantees about its security measures to protect the processing of personal data.
• Reasonable measures should be taken to implement such safety measures.
• A written contract should be established as to which personal data will be processed and for what purpose.
• For further instructions on using third party data processors, please contact the Data Protection Officer.

6. Contractors, Temporary and Voluntary Staff

The College is responsible for the use of personal data by anyone working on its behalf.

Administrators employing contractors, temporary or voluntary staff should ensure that they are appropriately trained to manage the data to be processed. In addition, administrators must ensure that:

• Any personal data collected or processed during the work carried out for the College shall be kept secure and confidential.
• All personal data is returned to the College after the completion of the work, including any copies that may have been made. Alternatively, that the data is safely destroyed and the College receives a notification from the contractor or the temporary / voluntary staff member.
• The College receives prior written notice of any disclosure of personal data to any other organisation or to any person who is not a direct employee of the contractor.
• Any personal data made available by the College or collected during the course of the work shall not be stored or processed outside the country. Only if written consent has been obtained to do so.
• All practical and reasonable measures shall be taken to ensure that contractors, temporary staff or part-time staff do not have access to personal data beyond what is necessary for the proper performance of the work.

7. Responsibilities of students

Students are responsible to:

• Familiarize themselves with the College's GDPR Policy provided when enrolling in the College.
• Ensure that their personal data given to the College is accurate and up-to-date.

RESTRICTIONS ON THE TRANSFER OF PERSONAL DATA

The GDPR limits the transfer of data to countries outside the EU in order to ensure that the level of data protection afforded to individuals by the GDPR is not undermined. There is transfer of personal data originating from a country across borders when you transmit or send this data to a different country or view/access it in a different country.

You can transfer personal data outside the EU if one of the following conditions applies:

• The European Commission has adopted a decision confirming that the country to which we transfer the personal data ensures an adequate level of protection for the rights and freedoms of data users.

The countries that are currently authorized can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

• The data user has given written consent to the proposed transfer after being informed of any risks or the transfer is necessary for one of the other reasons stated in the GDPR, such as:
• The performance of a contract between us and the data user (e.g. obligatory student year in an institution abroad/placement abroad).
• Reasons of public interest.
• To create, exercise or defend legal claims.

USE OF PERSONAL DATA

In the absence of written consent, legal obligation or other legal basis for processing, personal data should generally not be disclosed to third parties unrelated to the College (e.g. parents of students, members of the public, private property owners).

CHANGES IN THIS POLICY

The College reserves the right to change this Policy at any time without notice for this reason the recipient should regularly check to receive the latest copy.

DATA PROTECTION TRAINING SESSIONS

Data protection training for all staff is carried out through short-term seminars and/or individual seminars and/or advice.

In accordance with the College's Data Protection Policy, all staff have the responsibility to comply with data protection in their daily work. To be informed about these responsibilities, staff must refer to the College's Data Protection Policy posted on the College's website.

Academics conducting research and research support staff members must also be informed by the College's Data Protection Policy posted on the College's website.

Privacy by Design

The term "privacy by design" is another term for "data protection by design" and refers to the action of defining the minimum personal data required to carry out the necessary processing. By processing only the minimum required personal data, we maintain the privacy of an individual (data protection).

DATA PROTECTION OFFICER (DPO)

The main tasks of the Data Protection Officer (DPO) are το:

• Implement the requirements of data protection legislation throughout the College.
• Inform and advise the College and the staff who process personal data on their obligations.
• Monitor compliance, including the assignment of responsibilities, awareness-raising and training of staff, as well as related controls
• Provide advice, where appropriate, on privacy impact assessments and monitor their execution
• Act as a contact point to inform the Office of the Commissioner for Personal Data Protection in Cyprus about matters related to personal data
  (http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/All/FFD5E37F40FC4C74C2258272002C1B1A?OpenDocument).

The role of the Data Protection Officer (DPO) is defined in the GDPR. They should be able to carry out their tasks independently, define the data protection strategy for the College and report to the College Council.

For information and questions about your personal information, or if you need advice on how to exercise your rights regarding GDPR, please contact the College's Data Protection Officer.

The responsible entity for data processing is KES College, Kallipoleos 5, 1055 Nicosia.