We take our responsibilities under the General Data Protection Regulation (EU) 2016/679 very seriously and as such we are committed to:
• Process personal data openly, fairly and in accordance with applicable laws;
• Inform you (either directly or in our policies) about how we will use your personal data;
• Only collect personal data when we need it for legitimate purposes or legal reasons;
• Ensure that all personal data are adequate, relevant and not excessive for the purpose for which we collect them;
• Avoid keeping personal data for longer than we need to;
• Keep personal data secure, and limit the people who can access it;
• Ensure that you know how to access your personal data and exercise your rights in relation to it, including being able to keep it accurate and up-to-date; and
• Ensure that any third parties we share personal data with take appropriate steps to protect it.
There are various instances in which we collect your personal data. In some instances, you provide your data to us when you subscribe with us, and in others it is collected automatically through other interactions with us. Below is a list of possible ways we collect your data.
• When you create an account with us.
• When you use any of our networks – mobile, wifi or the Company products and services.
• When you request to activate a direct debit or credit order and a reference in disputes and legal cases.
• When you want to check network coverage of your residence or office.
• When you request maintenance or technical support.
• When you engage with us on social media.
• When you are using your online account (e.g. the Company.me, etc).
• When you contact us by any means with queries, complaints, etc.
• When you ask one of our members or staff to email you information about a product or service.
• When you enter prize draws or competitions.
• When you choose to complete any surveys we send you.
• When you comment on or review our products and services.
• When you fill in any forms. For example, if an accident happens in one of our shops, a member of our staff may collect your personal data and a member of our management may contact you as part of the investigation.
• When you’ve given a third party permission to share with us the information they hold about you.
• When you visit our shops, which usually have CCTV systems operated for the security of both customers and Partners. These systems may record your image during your visit.
The General Data Protection Regulation (EU) 2016/679 sets out a number of different reasons for which the Company may collect and process your personal data, including:

Consent
In specific situations, we can collect and process your data with your consent. For example, when you tick a box to receive email newsletters. When collecting your personal data, we’ll always make clear to you which data is necessary in connection with a particular service.

Contractual obligations
In most circumstances, we need your personal data to comply with our contractual obligations, i.e. to provide our services to you at the quality level we have committed to. For example, if you have made a technical inquiry, we are contractually obliged to inform you of the repair of any damage or other matters related to our services, and we’ll process your name and address details to do that.

Legal compliance
If the law requires us to, we may need to collect and process your data. For example, we can pass on details of people involved in fraud or other criminal activity to the Police.

Legitimate interest
In specific situations, we require your data to pursue our legitimate interests in a way that might reasonably be expected as part of running our business and which does not materially impact your rights, freedom or interests. For example, we will use your viewing history to send you or make available personalized suggestions. We’ll use your personal data if we consider it is in our legitimate business interests so that we can operate as an efficient and effective business. We use your information to:
• identify, and let you know about, new products and services that interest you;
• create aggregated and anonymized information for research, statistical analysis, reporting and performance measurement of our operations;
• detect and prevent fraud; and
• secure and protect our network, shops, building, and our Company assets.
There are occasions when we need to share your personal data with a third party data processor. Our policy is that we will only transfer your personal data to a third party processor who complies with the Company’s security and data protection procedures and policies, or who puts in place equivalent measures which we deem to be acceptable and which are at minimum in compliance with the General Data Protection Regulation (EU) 2016/679. Furthermore, we will provide only the information they need to perform their specific services, they may only use your data for the exact purposes we specify in our contract with them, and if we stop using their services, any of your data held by them will either be disposed of or anonymized. Examples of the kind of third parties we work with are:
• IT companies or cloud storage companies that support our Information Technology and other business systems.
• Operational companies such as archiving or records management companies, printers of your monthly bills, delivery couriers.
• Banks and other financial institutions.
• External legal consultants, financial auditors, and business advisors to help us with statutory and other compliance obligations.
• Direct marketing companies and market research companies who help us manage our electronic or postal communications with you and shape our products and services to serve your communication and entertainment needs and expectations to the highest standards.
• Card payment processing companies, such as JCC Payment Systems Ltd.
• Debt collection agencies who assist us in recovering outstanding amounts.
For fraud management, we may share information about fraudulent or potentially fraudulent activity on our premises or systems. We may also be required to disclose your personal data to the police or other enforcement, regulatory or public authorities, such as income tax authorities, upon a valid request to do so.
These requests are assessed on a case-by-case basis and take the privacy of our customers into consideration.
We might send your personal data to other companies based outside the EEA. For example, like many companies, we may use cloud services from suppliers outside the EEA. However, your personal data will not be transferred to a country outside the EEA unless that country has adequate measures in place to ensure that your rights and freedoms are protected when your personal data is processed (stored, for example). Where we transfer your information to companies outside the EEA, we will make sure that mechanisms for adequate safeguards are provided by the processor residing in countries outside the EEA. Examples of such mechanisms could include:
• The country is approved by the European Union for adequacy on data protection.
• The recipient and the Company might have signed a contract or use adequate terms and conditions obliging the recipient to protect your information.
• The recipient is located in the US and is a certified member of the EU-US Privacy Shield scheme.
There are likely some other instances in which this principle does not apply, which include cases where we might require your consent for the transfer, and we will explain all the details to you clearly in advance. Examples of such instances are:
• the transfer is necessary for the performance of a contract between us;
• the transfer is necessary for the purposes of legal proceedings or obtaining legal advice;
• the transfer is to a country which the European Commission has found to offer an adequate level of protection; or
• adequate safeguards are put in place using EU Model Contract Clauses (security addendum).
In all cases, however, we will ensure that any transfer of your information is always compliant with the General Data Protection Regulation (EU) 2016/679.
We follow an internal records retention policy based on legal, business and security criteria. We will store personal data for the periods needed for the purposes for which the personal data were collected, or where there are requirements for it to be further processed. There are also occasions where a law requires us to keep it longer. Otherwise, we delete it. We will keep:
• a copy of your bills for 7 years from the date of the bill;
• your contact details while you have a service subscription with us and for 7 years after your business relationship with us is terminated;
• details relating to any dispute for 2 years after it was closed.
Online-Payments, when available
It is safe to make payments with us online, as it is the Company’s policy to protect our Customers’ privacy. This is achieved by making all Customers’ online transactions through JCC. When you send your payment details, they are encrypted (changed to unreadable code) on their journey between your computer or mobile device and the Company. This reduces the risk of interception between these two points. When your payment details arrive, they are held securely at our end. Access to your information is carefully monitored and restricted. The Company will only use your card details for the payment concerned. We will not disclose card details to any third parties other than the bank, which processes them for payment. Once your payment has been authorized, we will provide notification of this confirmation via email or letters.

Cookies
We use “cookies” to monitor site user traffic patterns and site usage. This helps us to understand how our customers and potential customers use our website so that we can develop and improve the design, layout and functionality of the sites.
What is PERSONAL DATA?
Any information relating to an identified or identifiable living individual, that is, a natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

What is GDPR?
GDPR stands for the General Data Protection Regulation (Regulation (EU) 2016/679). The new European Union Regulation is set to replace the current Data Protection Directive (95/46/EC) as well as the Cyprus Data Protection Law of 2001. The GDPR requires greater openness and transparency from companies on how they collect, store and use personal data, and enhances the rights of individuals over their personal data.

What are SPECIAL CATEGORIES data?
Information about a person’s:
• Racial or ethnic origin;
• Political opinions;
• Religious or similar beliefs;
• Trade union membership;
• Physical or mental health or condition;
• Sexual life;
or information about
• The commission of, or proceedings for, any offense committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in any such proceedings.
Special categories data can only be processed under strict conditions and will usually require the explicit consent of the person concerned.

What is the processing of personal data?
Any activity which involves the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data, including organizing, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.

Who is a DATA SUBJECT?
The individual the data relates to. For the purpose of this policy, data subjects include all living individuals about whom we hold personal data. A data subject need not be a Cypriot national or resident. All data subjects have legal rights in relation to their personal data.

DATA CONTROLLER
The Company is a data controller because, under GDPR, it determines the purposes and methods of processing of personal data.

DATA PROCESSOR
Any individual or organization which processes personal data on behalf of a data controller. Employees of a Data Controller are not considered to be data processors; however, the definition is likely to include suppliers or service providers which handle personal data on the controller’s behalf.

DATA PROTECTION OFFICER (DPO)
This is a new responsibility for organizations introduced by article 37 of GDPR. DPOs assist in the monitoring of internal compliance, inform and advise on data protection obligations, provide advice regarding data protection risks and act as a contact point for data subjects and the supervisory authority.

DATA USER
Includes employees and other staff members whose work involves using personal data. Data users have a duty to protect the information they handle by following our data protection and security policies at all times.

PRIVACY NOTICE
A statement provided to data subjects when or before their personal data is collected, which explains what their information will be used for, to whom it may be disclosed for these purposes (particularly any external third parties) and any other information they may need to know in order to ensure that the processing is fair.

COMMISSIONER FOR PROTECTION OF DATA
An independent regulator who reports directly to Parliament. The Commissioner for Protection of Data is responsible for regulating and enforcing the GDPR in Cyprus and provides advice and guidance about compliance to organizations and members of the public.
Anonymized data
Data that has had all personally identifiable information removed. Anonymized data are not covered by the GDPR.

Aggregated data
Grouped information which does not identify customers and does not contain personal data. It is used for statistical analysis, reporting and research. For example, the total number of calls made in a month or the total number of minutes called.

What are Cookies?
A cookie is a piece of information that's stored on your computer, tablet or phone when you visit a website. It can help identify your device whenever you visit that website. Cookies are a convenient way to carry information from one session on a website to another, or between sessions on related websites, without having to burden a server machine with massive amounts of data storage.