Welcome To The Banking Of Cyprus

Processing means anything that is done to, or with, personal data (including simply collecting, storing or deleting those data). This definition is significant because it clarifies that the EU data protection law is likely to apply wherever an organisation does anything that involves or affects personal data.

Personal data are any information relating to an individual, whether it relates to his or her private, professional or public life. It can be a name, an address, a telephone number, an email address, bank details, or an IP address or a combination of them. Special categories of personal data, also known as sensitive personal data, which uniquely identify a person, are classified in the GDPR as sensitive data, like genetic and biometric information. Sensitive data are under very strict processing restrictions, like the stricter handling of that data such as the need to provide explicit consent.

The new legal framework mainly affects businesses offering goods or services or performs monitoring of EU-based individuals, be it these are customers, prospects, contractors or employees. It also affects any businesses located outside the EU, which hold or process personal data of individuals residing within the EU.

The GDPR has been approved by the EU Parliament on April 14th 2016 and will come into effect on May 25th 2018.

GDPR stands for the General Data Protection Regulation (Regulation (EU) 2016/679). The new European Union Regulation is set to replace the current Data Protection Directive (95/46/EC) as well as the Cyprus Data Protection Law of 2001 [and amendments of 2003]. The aim of the Regulation is to ease and safeguard the flow of personal data across the 28 EU Member States. Being an EU Regulation, it is directly applicable to each Member State’s national law.

A controller is the entity that determines the purposes, conditions and means of the processing of personal data. The controller is the one who collects the data from the data subject. The processor is an entity which processes personal data on behalf or upon the request of the controller. However, if you are a controller, the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR. For example, a bank is a controller while an external vendor of the bank, such as an IT company, is a processor.

One of the key ways the GDPR issue affects all organisations is the new extended set of rights granted to individuals, as outlined below: Right to be informed - Organisations need to be clear and transparent on how they use personal data, which would typically be displayed through the organisation’s Privacy statement. Right of access - Individuals are entitled to know what information is held about them and how it’s processed. They should be able to gain unlimited access to this information. Right of rectification - Individuals are entitled to have their personal data corrected in case they are inaccurate or incomplete. Right to erasure (also known as the right to be forgotten) - Individuals have the right to request the removal of personal data where there is no compelling reason for its continuing with their processing. Right to restrict processing - Individuals have a right to request to block or suppress processing of their personal data. This however may be declined by the organisation on a number of grounds. Right to data portability - The right to data portability allows individuals to receive a copy of their personal data and transfer them from one IT environment to another, safely and securely. Right to object - Individuals have the right to object to the use of their personal information in certain circumstances. Right to not be subject to automated decision making - In specific circumstances, individuals have the right not to be the subject of a decision which has either a legal bearing on them, and is based on automated processing. This however may be declined by the Bank on a number of grounds. Right to lodge a complaint - If individuals have exercised any or all of their data protection rights and still feel that their concerns about how the organisation uses their personal data have not been adequately addressed by the organisation, they have the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection at http://www.dataprotection.gov.cy/.

For infringements relating to transparency of information and communication, or data processing organizations could be fined up to EUR10M or 2% global turnover, whichever is higher. For infringements relating to data processing, consent, data subject rights and actual data breaches, organizations could be fined up to EUR20M or 4% of global turnover, whichever is higher.

If an organisation holds information on individuals, they must provide a detailed explanation on these, like what information they hold on them, how their data is processed and where it is kept. This can be done through a Privacy statement which should be made publicly available to them. The GDPR accordingly states that this statement should be clear, easy to access and free of charge. The Privacy statement for the Bank of Cyprus can be found at our website www.bankofcyprus.com.cy and also or at any branch of the Bank.

Any processing of personal data must be lawful and fair, transparent to data subjects while any information and communication regarding personal data is easily accessible and easy to understand.The organisation identifies below the lawful basis for any processing of personal data when: They have obtained direct consent from the individual or the data subject, to the processing of his/her personal data; There is a necessity to perform a contract- processing is needed in order to enter into or perform a contract; For protecting the vital interests of the individual-it is vital that specific data are processed for matters of life and death; There are legal obligations of the organisation- the organisation is obliged to process personal data for a legal obligation [ e.g. for compliance to anti money laundering regulations]; There is a necessity for the public interest- processing by public authorities and organisations in the scope of public duties and interest; and There is a legitimate interest for the organisation- There should be a compelling justification for processing and using personal data or when the organisation uses it in a way people would reasonably expect. It is also important to conduct a legitimate interests’ assessment and keep records of it.

There are restrictions on the transfer of personal data, outside the EU, to other countries or international organisations, imposed for the protection of individuals and their personal data as provided by the Regulation. Transfers require the approval of the Commissioner for Personal Data Protection while in certain other cases to inform the Commissioner. The transfer of personal data outside the EU is only allowed, provided certain conditions are met for example: where the European Commission has designated a third country or an international organisation as providing an adequate level of personal data protection; or where model contracts exist based on agreements on transfers made between organisations within a group, called standard data protection clauses or binding corporate rules; or where an approved certification mechanism applies, e.g. EU-US Privacy Shield. In addition, a transfer may be made where the individual has provided specific consent, it is necessary for the performance of a contract between the individual and the organisation if: it is necessary for reasons of public interest, it is necessary for the establishment, exercise or defence of legal claims, it is necessary to protect the vital interests of the data subject or other persons.