The General Data Protection Regulation

Frequently Asked Questions [FAQs]

1. What is the GDPR?

GDPR stands for the General Data Protection Regulation (Regulation (EU) 2016/679).  The new European Union (“EU”) Regulation replaces the current Data Protection Directive (95/46/EC) as well as the Cyprus Data Protection Law of 2001 [and its subsequent amendments of 2003].  The aim of the Regulation is to protect individuals with regard to the processing of their personal data while safeguarding the free flow of such data across the 28 EU Member States.  Being an EU Regulation, it is directly applicable in every Member State without the need for national implementing legislation, although Member States may supplement it in certain areas.

2. When will the GDPR come into effect?

The GDPR was approved by the EU Parliament on April 14th 2016, entered into force in May 2016 and, after a two-year transition period, applies from May 25th 2018.

3. Who does the GDPR affect?

The new legal framework mainly affects businesses established in the EU that process personal data of individuals, whether these are customers, potential customers, contractors or employees.  It also affects businesses established outside the EU that offer goods or services to individuals in the EU, or monitor their behaviour, regardless of where the data are actually stored or processed.

4. What do we mean by “personal data” and “special categories of personal data”?

By personal data we mean any information relating to an identified or identifiable natural person, whether it concerns his or her private, professional or public life.  Examples include a name, address, telephone number, email address, bank details, identification number, location data or IP address, as well as any combination of such information that allows a person to be identified.

Special categories of personal data, also known as sensitive personal data, are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a person, and data concerning health, sex life or sexual orientation.  Processing of such data is in principle prohibited and is allowed only where one of the exceptions in the Regulation applies, such as the explicit consent of the data subject, and then under stricter handling requirements.

5. What does "processing" mean?

Processing means anything that is done on, or with, personal data, including the simple collection, recording, storage, retrieval, disclosure or deletion of such data.  This definition is important because it clarifies that the EU data protection legislation is likely to apply whenever an organization does anything that involves or affects personal data.

6. What are the key principles that each business should follow when processing personal data?

  • Lawfulness, fairness and transparency: personal data should be processed lawfully, fairly and in a transparent way.
  • Purpose limitation: personal data should be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.
  • Data minimisation: the data requested must be limited to what is necessary for the specific purpose or service to be carried out.
  • Accuracy: personal data should be accurate and, where necessary, kept up to date; inaccurate data should be corrected or erased without delay.
  • Storage limitation: personal data should not be kept in a form that identifies individuals for longer than necessary.
  • Integrity and confidentiality: data should be processed in a manner that ensures their security, using appropriate technical and organisational measures.
  • Accountability: the organization must be able to demonstrate its compliance with the above principles.

7. What is the difference between a “data controller” and a “data processor”?

A controller is the entity that determines the purposes and means of the processing of personal data.  The controller is typically the one who collects the data from the data subject and remains responsible for them throughout their processing.

A processor is an entity which processes personal data on behalf of, and on the documented instructions of, the controller.

Consequently, if you are a controller, the GDPR requires you to use only processors that provide sufficient guarantees of compliance and to ensure that your contracts with them contain the terms the GDPR requires (for example, processing only on your documented instructions, confidentiality, appropriate security measures and assistance with data subject requests and breach notification).  For example, CISCO is a controller, while an external vendor of CISCO, such as an IT company that hosts or maintains its systems, is a processor.

8. What rights will individuals have under GDPR?

One of the key ways the GDPR affects all organizations is the extended set of rights granted to individuals, as outlined below:

Right to be informed - Organizations need to be clear and transparent about how they use personal data, which is typically done through the organization’s Privacy statement.

Right of access - Individuals are entitled to know what information is held about them and how it is processed.  They are entitled to obtain a copy of that information, generally free of charge and within one month of their request.

Right to rectification - Individuals are entitled to have their personal data corrected where they are inaccurate, or completed where they are incomplete.

Right to erasure (also known as the right to be forgotten) - Individuals have the right to request the removal of their personal data where there is no compelling reason for their continued processing, for example where the data are no longer necessary for the purpose for which they were collected or where the consent on which the processing relied is withdrawn.

Right to restrict processing - Individuals have the right to request that processing of their personal data be blocked or suppressed, for example while the accuracy of the data is being verified.  Such a request may however be declined by the organization on a number of grounds.

Right to data portability - The right to data portability allows individuals to receive a copy of the personal data they have provided, in a structured, commonly used and machine-readable format, and to transfer them from one IT environment to another, safely and securely.

Right to object - Individuals have the right to object to the use of their personal data in certain circumstances; an objection to processing for direct marketing purposes must always be honoured.

Right not to be subject to automated decision making - Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, where that decision produces legal effects concerning them or similarly significantly affects them.  This right may however be declined by the organization on a number of grounds, for example where the decision is necessary for entering into or performing a contract, or where the individual has given explicit consent.

Right to lodge a complaint - If individuals have exercised any of their data protection rights and still feel that their concerns about how the organization uses their personal data have not been adequately addressed, they have the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection at http://www.dataprotection.gov.cy/.

CISCO enables individuals to address their data protection concerns by submitting a complaint at ciscoinfo@bankofcyprus.com.

9. What are the penalties in case of non - compliance?

For infringements of obligations such as data protection by design and by default, keeping records of processing, security of processing, breach notification and the appointment of a Data Protection Officer, organizations can be fined up to EUR 10M or 2% of their total worldwide annual turnover of the preceding financial year, whichever is higher.  For infringements of the basic principles of processing, including the conditions for consent, the rights of data subjects and the rules on transfers of personal data outside the EU, organizations can be fined up to EUR 20M or 4% of their total worldwide annual turnover, whichever is higher.

10. What is a Privacy statement?

If an organization holds information on individuals, it must provide those individuals with a clear explanation of why it holds this information, how it is processed, how long it is kept and with whom it is shared.  This is done through a Privacy statement which should be made publicly available to them.  The GDPR accordingly requires that this statement be concise, written in clear and plain language, easy to access and free of charge.

The Privacy statement of CISCO can be found at the following website address: http://www.cisco-online.com.cy and also at any CISCO office.

11. What are the lawful bases of processing and when is consent required?

Any processing of personal data must be lawful, fair and transparent to data subjects, and any information and communication regarding personal data must be easily accessible and easy to understand.

Processing is lawful only where at least one of the following bases applies:

  • Consent was received directly from the data subject to the processing of his/her personal data.  Consent is required where no other basis applies; it must be freely given, specific, informed and unambiguous, it must be as easy to withdraw as it was to give, and it must be explicit for special categories of personal data;
  • It is necessary for the performance of a contract – i.e. processing is needed in order to enter into or execute a contract with the data subject;
  • It is necessary for protecting the vital interests of the individual - i.e. specific data must be processed in matters of life and death;
  • There is a legal obligation of the organization - i.e. the organization is obliged to process personal data because it is subject to a legal obligation [e.g. for compliance with the anti-money laundering regulations];
  • It is necessary for a task carried out in the public interest - i.e. it is necessary for public authorities and organizations to process the data in the context of their public tasks and official authority; and
  • There is a legitimate interest of the organization or of a third party – i.e. the processing is necessary for that interest and is not overridden by the interests or fundamental rights of the individual, which will normally be the case where the organization uses the data in a way individuals would reasonably expect.  The organization must carry out an assessment of the legitimate interests relied on and keep a record of it.

12. When can personal data be transferred outside the EU?

The Regulation restricts the transfer of personal data outside the EU to other countries or international organizations, so that the protection afforded to individuals and their personal data is not undermined by the transfer.

Transfers based on an adequacy decision or on an approved safeguard, such as standard data protection clauses or binding corporate rules, do not require prior authorization from the Commissioner for Personal Data Protection; transfers based on ad hoc contractual clauses or administrative arrangements between public bodies must be authorized by the Commissioner.

The transfer of personal data outside the EU is only allowed provided certain conditions are met, for example:

  • where the European Commission has decided that a third country or an international organization provides an adequate level of personal data protection; or
  • where appropriate safeguards are in place, such as standard data protection clauses adopted by the European Commission and signed by the exporting and importing organizations, or binding corporate rules approved by the supervisory authority for transfers between organizations within the same group; or
  • where an approved code of conduct or certification mechanism applies, together with binding commitments by the recipient to apply the safeguards.  The EU-US Privacy Shield, which applied to certified US organizations, falls under the adequacy route above and was invalidated by the Court of Justice of the EU in July 2020, so it can no longer be relied on.

In the absence of an adequacy decision or appropriate safeguards, a transfer may still be made in specific situations, for example:

  • where the individual has explicitly consented to the transfer after being informed of the risks involved,
  • where the transfer is necessary for the performance of a contract between the individual and the organization,
  • where it is necessary for important reasons of public interest,
  • where it is necessary for the establishment, exercise or defence of legal claims,
  • where it is necessary to protect the vital interests of the data subject or of other persons.

13. Does my company need to appoint a Data Protection Officer (DPO)?

Organizations are required to appoint a Data Protection Officer (DPO) if they are a public authority or body, if their core activities involve regular and systematic monitoring of individuals on a large scale, or if their core activities involve large-scale processing of special categories of personal data or of data relating to criminal convictions and offences.

The DPO may be an employee of the organization, provided that his / her other duties do not conflict with his / her role as DPO; otherwise the role may be outsourced to an external service provider.

14. What are the DPO’s responsibilities under GDPR?

The responsibilities of the DPO, as defined in Article 39, are briefly as follows:

  • To inform and advise the organization and its staff about their obligations under the GDPR;
  • To monitor compliance with the GDPR by the controller or processor, including awareness-raising and training of staff;
  • To advise on data protection impact assessments and monitor their performance; and
  • To cooperate with the supervisory authority and act as its contact point on data processing-related issues.

The contact details of the assigned DPO of CISCO are mentioned on the Privacy statement of CISCO, which is published on our website at http://www.cisco-online.com.cy

15. What are the rules on security under the GDPR?

The GDPR requires personal data to be processed in a manner that ensures their security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.

Organizations must implement technical and organisational measures appropriate to the risk to prevent any leakage or unlawful processing of personal data.  The Regulation mentions, among others, pseudonymisation and encryption of personal data, measures ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability and access to personal data in a timely manner after an incident, and regular testing and evaluation of the effectiveness of these measures.  Where a personal data breach occurs, the controller must notify the Commissioner for Personal Data Protection without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and must inform the affected individuals where the breach is likely to result in a high risk to them.

Useful links:

For more information on how we use your information, or how we maintain the security of your information, and your rights to access information we hold for you, please refer to the Privacy statement of CISCO at http://www.cisco-online.com.cy

For further reference regarding GDPR legislation, please refer to the General Data Protection Regulation: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN