Privacy Notice – GDPR
Privacy Notice – General Data Protection Regulation (GDPR)
The organisation EUROPEAN UNIVERSITY CYPRUS (hereunder the “EUC”) is committed to protecting your personal information. EUC will collect, process and use your personal data exclusively in compliance with the principles of Regulation (EU) 2016/679 of The European Parliament And of The Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the “GDPR”), the applicable local legislation as amended from time to time and any other legal and/or regulatory obligations.
How we use your personal information
This privacy notice aims to let you know how and for what purposes EUC uses, processes, and looks after your personal information. Below we provide information about the processing of your personal data and the data protection rights you are afforded. The content and scope of the data processing are largely based on each of the products and services that you have requested or that have been agreed with you.
Data Protection as of 25 May 2018
We process your personal data in accordance with the provisions of GDPR and the applicable local legislation as amended from time to time and this notice sets out your rights under the new laws.
Which data is processed and where does this data originate from
We process personal data that we receive from you in the context of our business and/or academic relationship. To the extent necessary and in order to provide our services we also process personal data that may also be obtained from publicly available sources.
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (known as “anonymous data”).
Some types of information are classified as ‘sensitive’ for the purposes of European data protection law and there are additional restrictions on how we may use and hold this information.
Generally, it is necessary to obtain your consent before we can hold and use such information. However, we may hold and use such information without consent for limited statutory purposes such as monitoring compliance with our equal opportunities policies and health and safety rules, or if necessary to protect your vital interests, for legal claims, or in the public interest.
We will always communicate to you the purposes for which we wish to use your sensitive information when it is being collected, and, if necessary, obtain your consent at that time. In such cases, you will be able to withdraw your consent at any time.
Who we disclose your personal data with
With regard to the transfer of data to recipients outside the university, we note that as an academic institution we are under a duty to maintain discretion with respect to student(s) related and other matters and assessments of which we acquire knowledge as an academic institution. We may disclose information that concerns you if we are legally required to do so pursuant the provisions of the GDPR, applicable local legislation as amended from time to time as well as any other relevant legislation.
We may disclose your personal data to third parties in order to comply with any legal obligation or in order to enforce or apply our terms and conditions and other agreements and/or based on your consent/instructions.
Personal data is shared with (when required):
- Governmental Institutions
- Accreditation Bodies
- Professional Bodies
- Research Institutions
- Insurance companies
- Hospitals & Private Clinics
- Funding Agencies / Partner Institutions submitting to Funding Agencies
- Partner Universities for Erasmus purposes
- Career Promotion Organizations
- Other private organizations offering assistance to students
Where the party to whom we share your personal information is a legal entity, we hereby affirm that we will take all reasonable steps and/or actions to confirm that the employees and/or representatives of such a third party will execute their duties in accordance with the highest industry standards and will comply with all provisions and requirements of the provisions of this Privacy Notice and the local laws and regulations on the protection of personal data (as amended from time to time) and GDPR and any legislation to success it or complement it.
Why do we process your data (purpose of the processing) and on what legal basis
We process the aforementioned personal data in compliance with the provisions of GDPR and the applicable local legislation as amended from time to time.
- For compliance with a legal obligation. As an academic institution, we are subject to various legal obligations.
- For the performance of contractual obligations.
- For the purposes of safeguarding legitimate interests. Where necessary, we process your data above and beyond the actual performance of our obligations as a university in order to safeguard the legitimate interests pursued by us or by a third party.
On the basis of your consent
Insofar as you have granted us consent to the processing of personal data for marketing purposes, the lawfulness of such processing is based on your consent. Any such consent granted, may be revoked at any time by contacting us.
This also applies to the revocation of declarations of consent that were granted to us prior to the entry into force of the GDPR, i.e. prior to 25 May 2018.
Please note that we will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
How long we keep your personal information
We will keep your personal information for as long as you are a student and/or otherwise a person enjoying our services.
After you stop being a student and/or a person enjoying our services, we need to keep your personal information for a period of 7 years based on Cyprus government law. For academic purposes and in order for the university to be able to print and certify transcripts validity and issue certificates we may keep your data for up to 50 years. We also may keep your data for more than 50 years if we cannot delete it for legal and/or regulatory and/or technical reasons. If we do so, we will ensure that your privacy is protected and the data are used only for the above-mentioned purposes.
If for any reason we keep sensitive information, we will delete it as soon as the student or employee leaves from the university and there is no other relationship.
EUC Health Services Ltd will keep personal data for 15 years after the end of the relationship with the customer or after death.
Data transferred to a country outside the European Union
GDRP and the applicable local legislation as amended from time to time prohibits the transfer of personal information outside the European Economic Area (“EEA”) unless specific requirements are met for the protection of that personal information.
Data will only be transferred to countries outside the EU or the EEA (i) if it is required by law; or (ii) if you have granted us your consent and/or instructed us to do so.
Please note that if service providers in a third country are used, all reasonable and practicable measures will be taken to ensure that they will comply with the data protection level in Europe in accordance with the GDPR.
Any transfers to parties located outside the European Union will be in line with the legal and regulatory provisions of the GDPR and applicable local legislation as amended from time to time.
What data protection rights you have
The following are the rights you have pursuant to the provisions of the GDPR and the applicable local legislation (as amended from time to time) in relation to the data protection:
- Request access to your personal data (commonly known as a “data subject access request”).
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. Please note however that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. In such a case,
your data will be stored but not processed until expiration of the retention obligation.
- Subject to the legal basis on which the processing activity is based, you may object to processing of your personal data. Please note that in some cases, we may have compelling legitimate grounds to process your information which we need to comply with.
- Request restriction of processing of your personal data (a) if it is not accurate; (b) where processing may be unlawful but you do not want us to erase your data; (c) where you need us to hold the data even if we no longer require it; or (d) where you may have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Request the transfer of your personal data to you or to a third party.
- In case the processing of the data is performed subject to your consent, you may withdraw consent at any time where we are relying on consent to process your personal data. However, we note that this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will of course advise you if this is the case at the time you withdraw your consent.
Note that we may charge you with an administrative fee, in cases where requests are deemed manifestly unfounded or excessive, in particular because of their repetitive character.
If you choose not to give your personal information
In the context of our relationship we may need to collect personal information by law, or under the terms of a contract we have with you. Without this data, we may, in principle, not be in a position to close or execute a contract with you.
If you choose not to give us this personal information, it may delay or prevent us from meeting our obligations. It may also mean that we cannot perform services needed to efficiently provide you with our services. Any data collection that is optional would be made clear at the point of collection.
To what extent we carry automated decision-making and profiling
In establishing and carrying out a business relationship, we generally do not use automated decision-making. If we use this procedure in individual cases, we will inform you of this separately.
Online Teaching and Learning
Information on the processing of student personal data via the online platforms used by the EUC for online learning and teaching purposes is provided in the separate notice on “Online Teaching and Learning – Personal Data”, which is available here.
Who is responsible for the data processing and who you can contact
The entity responsible for your data processing is:
EUROPEAN UNIVERSITY- CYPRUS LTD (HE 83353)
6 Diogenous Street, 2404 Egkomi, Nicosia, Cyprus
Telephone: +357 22713000
Fax: +357 22662051
The data protection officer contact details at EUC is:
Mr. Panayiotis Demetriou
6 Diogenous Street, 2404 Egkomi, Nicosia, Cyprus
Telephone: +357 22713059, Fax: +357 22662051
If you have any questions, or want more details about how we use your personal information, you may contact us at the above contact details and we will be happy to provide you with further details.
Lodging a complain
Please let us know if you are unhappy with how we have used your personal information. You can contact us as noted above or by using the link: EUC – Data Subject Privacy Rights Request You also have the right to complain to the Cyprus Data Protection Commissionaire.
When you visit our website, our system automatically collects information about your visit, such as your browser type, your IP address and the referring website. Cookies do not contain any information that could identify the individual user personally. You can set your browser not to save any cookies of this website and you may also delete cookies automatically or manually. However, please note that by doing so you may not be able to use all the provided functions of our website in full.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and
they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Note: EUC website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and we are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.