[Last updated: 24/05/2018]
1. Introduction
The present document comprises the “PHOEBE Data Management and Protection Policy” (from now on referred to as ‘Policy’).
This policy applies to all products/services, all projects and in general all operations of PHOEBE Research and Innovation Ltd, referred to as ‘PHOEBE’, ‘us’, ‘our’ and ‘we’. PHOEBE is a private company operating through its officers in Cyprus in the domains of information and communication technologies (ICT), including consulting services, technical solutions development, design/development/operation of cyber-physical systems/solutions, and design/development/operation of intelligent systems and artificial/computational intelligence-based solutions. The Policy describes how PHOEBE collects, uses, manages and protects the personal data and information of our customers, clients, partners, end-users, project stakeholders, pilot and test participants, and any other person with whom we interact in the course of performing our normal business and from whom we request any data. From now on, we will refer to all these persons collectively as ‘you’ or ‘your’.
Your privacy and control over your personal data, whether provided directly to us or transferred to us through third parties, are important to us, and we therefore do our best to comply with the EU General Data Protection Regulation (from now on referred to as ‘EU GDPR’) or any subsequent update of the relevant EU regulations, as well as any stricter rules enforced by law and regulations in the countries through which we operate. Please read this Policy carefully to understand how we collect, manage, process, and protect your personal data.
In summary, our data management and protection practices are based on the following principles: privacy, control of data, lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, accountability, in compliance with the EU GDPR.
All our products, services, projects, social media accounts, etc., are covered by this Policy. In addition, they may provide their own extensions to the Policy, giving clarifications on the specific data they collect, how they process them and all other details related to the implementation of the Policy and the enforcing of your rights.
Our products, services, projects, social media accounts, etc., may contain links to and from sites maintained by third parties. This Policy does not cover your activities on those third-party sites, any information you may provide to those sites, or information that may be collected about you by those sites.
We do our best to ensure compliance with this Policy. If you have any questions in relation to the present Policy, and/or you need clarifications regarding your data, regarding how to enforce your rights on the data we manage, or regarding the language (including simplicity, translations, etc.) used in this document, please contact the PHOEBE Data Management and Protection Officer at: management@phoebeinnovations.com. If you do not receive any response within 48 hours, please use the contact form at:
http://www.phoebeinnovations.com/contactus
or call us at: 00357 99587884.
In case of any issue in relation to the implementation of this Policy and/or in relation to our processing of your personal data, we commit to take all reasonably possible measures to resolve it and, if required, to cooperate with the appropriate supervisory and regulatory authorities, including local data protection authorities, to seek their advice and support. We shall not be liable for any incidental, consequential or punitive damages relating to this Policy.
2. Data Collection and Processing Roles
During the performance of our business, we collect several types of data from you, depending on the context and type of interaction we have with you. In certain cases we act as the primary collector of your data, while in other cases we may act as a ‘processor’ of your data on behalf of the primary persons (third parties) to which you have provided the data, or even as a ‘third party’ to which your data have been disclosed within a certain context. The present Policy applies to all these cases.
3. Policy Principles relating to processing of the personal data
We commit to collecting and processing your data in accordance with all principles set out in the EU GDPR, namely:
a) lawful, fair and transparent data processing;
b) data collection for specified, explicit and legitimate purposes, without further processing in a manner that is incompatible with those purposes;
c) adequate, relevant and limited data to what is necessary in relation to the purposes for which they are collected and processed;
d) accurate data and, where applicable, kept up to date; we take every reasonable step to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) data kept in a form which permits your identification for no longer than is necessary for the purposes for which the data were collected and processed in the first place;
f) data collected and processed in a manner that ensures their appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. To achieve that we utilise reasonable and appropriate technical and organisational measures.
4. Lawfulness of data processing
We strive to comply with all laws and regulations related to the collection and processing of personal data. To do so, we apply one or more of the following:
a) We request your clear consent to the processing of your personal data for one or more specific purposes, for which we give clear information beforehand;
b) In the cases of contracts/agreements we sign with you, we only keep your personal data to the extent they are necessary for the performance of the contracts/agreements or in order to take steps at the request of you or another party of the contract/agreement prior to entering into the contract/agreement;
c) We perform data processing if necessary for compliance with a legal obligation to which we are subject, or to protect the vital interests of you or other natural persons, or when processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us, or when processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms.
5. Communication and Consent Requests
We always request your consent to collect and process your personal data, in a clear manner, through a dedicated written declaration (either in paper or through electronic means).
The communication and the request for consent happen before any personal data are obtained, and contain the following details:
(a) the identity and the contact details of our company, and of our Data Management and Protection Officer;
(b) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
(c) any third-party recipients or categories of recipients of the personal data;
(d) where applicable, the fact that we intend to transfer personal data to a third country or international organisation, with reference to the appropriate or suitable safeguards and the means by which you can obtain a copy of the data or where they have been made available. We make clear all legitimate interests pursued by our company or by the third party;
(e) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
(f) the existence of your right to request from us access to and rectification or erasure of your personal data or restriction of processing concerning your data or to object to processing as well as the right to data portability;
(g) the existence of your right to withdraw consent at any time; note, however, that this would not affect the lawfulness of processing based on your consent before its withdrawal;
(h) your right to lodge a complaint with a supervisory/regulatory authority regarding the use of your personal data;
(i) whether the provision of your personal data is a statutory or contractual requirement or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and the possible consequences of failure to provide such data;
(j) the existence of any automated decision-making, including profiling, referred to in the EU GDPR, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.
Where the personal data belong to a person below the age of 18 years, the consent must be given or authorised by the holder of parental responsibility over the person. We shall make reasonable efforts to verify in such cases that the consent is indeed given or authorised by the holder of parental responsibility over the person.
6. Processing of special categories of personal data
In general, we do not perform and are not engaged in any processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, nor in the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation.
In the cases where specific products, services or projects necessitate the processing of data mentioned in the above paragraph, we take the following measures:
a) We make sure that you have given explicit consent to the processing of those personal data for one or more specified purposes, except where EU or Cyprus law provides that such processing is prohibited regardless of consent;
b) We ensure the processing is necessary for the purposes of carrying out the obligations and exercising our or your specific rights or the processing is necessary to protect your vital interests or the vital interests of another person where you are physically or legally incapable of giving your consent.
We do not process any personal data relating to criminal convictions and offences.
7. Processing which does not require identification
In the cases where the purposes for which we process personal data do not, or no longer, require your identification, we do not maintain, acquire or process any additional information in order to be in a position to identify you.
In the above cases, we make all efforts to remove any possibility of us being able to identify you and we inform you accordingly, where this is possible.
8. Your Rights in relation with this Policy
Transparency and modalities:
We take all appropriate measures to communicate to you all information related to the implementation of this Policy in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular when you are a child or belong to any other vulnerable group. We always provide the information in writing, including by electronic means where feasible. We are available to communicate all relevant information orally or by other feasible means when you request it, provided that we can confirm your identity by other means.
We will never refuse to act on your request for exercising your rights under any law or regulation, unless we can demonstrate that we are not in a position to identify you. In such cases, we will provide you with information on the actions taken within one month of receipt of your request. All of this is free of charge, unless your requests are manifestly unfounded or excessive, in particular because of their repetitive character. In the latter cases we reserve the right either to charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or to refuse to act on your request.
We will always take reasonable measures to authenticate you when you interact with us, so as to avoid any wrong disclosure of data.
The above also holds in case your personal data have not been provided directly to us but we are processing them on behalf of third parties.
As an exception, we will not provide the information mentioned above in case it must remain confidential subject to an obligation of professional secrecy regulated by the EU or by the countries from which we operate.
Right of access to your data
You have the right to obtain from us confirmation as to whether or not we process personal data of yours. Where that is the case, you have the right to access the personal data and all the information which is provided when we ask for your consent (see Communication and Consent Requests in this Policy).
We shall provide a copy of your personal data undergoing processing. For any further copies you request, we may charge a reasonable fee based on administrative costs.
Rectification and erasure
You have the right to request and obtain from us the rectification of inaccurate personal data concerning you, without undue delay, even if this leaves us with incomplete personal data records for the purposes for which we need them.
You have the right to request and obtain from us the erasure of any of your personal data, without undue delay.
We undertake the obligation to erase your personal data without undue delay where: (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; and/or (b) you withdraw the consent on which the processing is based, and there is no other legal ground for the processing; and/or (c) you object to the processing and there are no overriding legitimate grounds for the processing; and/or (d) your personal data have to be erased for compliance with a legal obligation in the EU or any other country from which we operate.
Pursuant to the paragraphs above, where we have made your personal data public, we will take into account the available technology and the cost of implementation and will take reasonable steps, including technical measures, to inform third parties which are processing the personal data that you have requested the erasure of any links to, or copies or replications of, your personal data.
However, we will not erase the data if they are processed: (a) for exercising the right of freedom of expression and information; (b) for compliance with a legal obligation which requires processing under the law of the EU or of another country from which we operate, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in PHOEBE; (c) for reasons of public interest in the area of public health in accordance with the EU GDPR; (d) for the establishment, exercise or defense of legal claims.
Right to restriction of processing
You have the right to request and obtain from us restriction of processing of your personal data where: (a) you contest the accuracy of your personal data, for a period enabling us to verify the accuracy of the personal data; (b) the processing is unlawful and you oppose the erasure of your personal data and request the restriction of their use instead; (c) we no longer need the personal data for the purposes of the processing, but you require them for the establishment, exercise or defense of legal claims.
Where processing has been restricted, your personal data will, with the exception of storage, only be processed with your consent or for the establishment, exercise or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the EU or any other country.
In all above cases, you will be informed by us before any restriction of processing is lifted.
Communication - Notifications
We undertake to communicate any rectification or erasure of your personal data or restriction of processing carried out in accordance with this Policy, to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. We will inform you about those recipients if you request it.
Right to data portability
You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, and you have the right to transmit those data to a third party without hindrance from us, where the processing is based on prior consent or a contractual relation and the processing is carried out by automated means. Where technically feasible, we undertake to transmit the data directly to a third party appointed by you.
The above right applies only insofar as it does not adversely affect the rights and freedoms of others.
Right to object
You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data, including automated processing and profiling. We undertake to then stop processing your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims.
We do not process personal data for direct marketing purposes. We always seek for clear consent.
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
The above right does not apply if: (a) the decision is necessary for entering into or for the performance of a contract/agreement between you and us; (b) the processing is authorized by an EU or other country’s law to which we are subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; (c) it is based on your explicit consent.
Right to lodge a complaint with a supervisory authority
We understand that you have the right to lodge a complaint with a supervisory authority, if you consider that the processing of personal data relating to you infringes the EU GDPR.
9. PHOEBE Rights and Responsibilities / Obligations
1. Taking into account the nature, scope, context and purposes of processing data, we implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with the EU GDPR. The measures we take are reviewed frequently and updated where and to the extent necessary.
2. When it comes to electronic data processing, we take all proportionate measures to safeguard your data by preventing unauthorized access and implementing the widely adopted security measures for the product/service/project in consideration. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the data processing, we implement appropriate technical and organisational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the EU GDPR and protect your rights.
3. We implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. The measures we take ensure that, by default, personal data are not made accessible without your clear consent.
4. Where we process data jointly with other organisations (e.g. in project consortia), we make sure that our agreements with them determine transparently our respective responsibilities for compliance with the data management and protection policies of each organisation and the EU GDPR, in particular as regards the exercising of your rights and our respective duties to provide the information related to the exercising of these rights. In all these cases, we inform you about the details of the arrangement we have with these other organisations, as well as the contact details to use in relation with the data management and protection policy and the EU GDPR.
5. Although our company is not obliged to appoint a Data Protection Officer according to the EU GDPR, we took the initiative and appointed a Data Management and Protection Officer. The relevant contact details can be found at the beginning of this document. We mandate the Data Management and Protection Officer to be addressed, in addition to us or instead of us, in particular by supervisory authorities and by you, on all issues related to personal data processing, for the purposes of ensuring compliance with this Policy and the EU GDPR.
6. In the cases where we process data on behalf of third parties, we provide sufficient guarantees to these third parties that we implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the EU GDPR and ensure the protection of the rights of their data subjects.
7. We never engage another processor in your data processing without your prior specific or general written authorization or of the third-party on behalf of which we process the data. In the case of general written authorization, we undertake to inform you or the responsible third-party of any intended changes concerning the addition or replacement of third-parties processing the data, thereby giving to these persons the opportunity to object to such changes.
8. When we process data on behalf of third parties, we always enter into a contract/agreement or other legal act under the laws of the countries through which we operate, that is binding on us with regard to the third parties and that sets out the subject-matter and duration of the data processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the third parties on behalf of which we process the data. The respective contract or other legal act shall make it clear that we: (a) process the personal data only on documented instructions from the third party, including with regard to transfers of personal data to a third country or an international organisation; (b) ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; (c) take all measures required to support these third parties in their obligations arising from the EU GDPR; (d) assist the third party by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of their obligation to respond to requests for exercising the rights of the persons to whom the data belong, as laid down in the EU GDPR; (e) assist the third party in ensuring compliance with the obligations pursuant to the EU GDPR, taking into account the nature of processing and the information available to us; (f) at the choice of the third party on behalf of which we process the data, delete or return all the personal data to them after the end of the provision of services relating to processing, and delete existing copies unless EU law or the law of a country through which we operate requires storage of that personal data; (g) take action to immediately inform the third party if, in our opinion, an instruction they give us infringes the EU GDPR or the data protection provisions of the countries through which we operate.
9. Where we engage another party for carrying out specific processing activities on behalf of us or a third party, we take measures so that the same data protection obligations as set out in the contract or other legal act we participate in, as referred to above, are imposed on that other party by way of a sub-contract or other legal act.
10. Security of Data Processing
1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the data processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia, as appropriate: the pseudonymisation and encryption of the personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.
2. In assessing the appropriate level of security, we take into account, in particular, the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
3. We take all necessary steps to ensure that any natural person acting under our authority who has access to personal data does not process them except on direct instructions from us (or from a third party, if we give such consent).
4. In the case of a personal data breach, we shall without undue delay and, where feasible, not later than 72 hours after having become aware of it (or longer if the delay can be duly justified by us), notify the personal data breach to the supervisory authority competent in accordance with the EU GDPR, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of any natural persons.
5. When the personal data breach is likely to result in a high risk to your rights and freedoms, we shall communicate the personal data breach, using clear and plain language, to you without undue delay. If such communication would involve disproportionate effort, we will instead communicate publicly in a way we believe you will be informed in an equally effective manner.
6. Where a type of processing, in particular one using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to your rights, we undertake, prior to the processing, to carry out an assessment of the impact of the envisaged processing operations on the protection of your personal data. In any case, such an impact assessment will in particular be undertaken in the case of: (a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; (b) processing on a large scale of special categories of data as referred to in Article 9(1) of the EU GDPR, or of personal data relating to criminal convictions and offences referred to in Article 10 of the EU GDPR; (c) systematic monitoring of a publicly accessible area on a large scale.
Where necessary, we undertake to carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations.
11. Changes to Our Privacy Policy
We reserve the right to modify or revise this Policy from time to time, and especially when such modifications are required to comply with updated laws and regulations of the EU and/or the countries through which we operate. Although we do our best to notify you in the case of major changes applied to this Policy, we expect you to take action and stay informed about the most up-to-date version of the Policy by periodically checking our website.
All changes/updates/revisions to the Policy will be clearly annotated in the latest version, with information also on the “last modified date”, so that we make it easy for you to know whether an update has been performed and the content of that update. At any given time, only the latest version of the Policy remains applicable. We do our best for the Policy updates to be backward compatible, that is, to avoid voiding any of the rights and obligations assumed in previous versions without adequately addressing them. In case the changes affect your data protection rights, you have the right to contact us immediately and request enforcement of any of your rights.