PURPOSE

The purpose of this Policy is to define and formulate the general framework and basic principles set and applied by the "Department of Postal Services" (hereinafter referred to as the "Department") with regard to the processing of personal data and for the protection of their security, confidentiality, integrity and availability.

1. SCOPE

This Policy applies to all personal data managed by the Department in the context of its activity.

2. RESPONSIBILITY FOR THE POLICY IMPLEMENTATION

• Management
• Data Protection Officer
• All the staff of the Department.
• All associates who manage and/or have access to personal data managed by the Department.

3. DESCRIPTION

3.1 General

Our Department recognizes and respects the importance of the personal data it handles in the context of its activity, and for this reason it has fully adapted its policy to the requirements of the General Data Protection Regulation (hereinafter GDPR) 2016/679/EC and the national law 125(I)2018.

With this statement, our Department wishes:

• to inform the persons dealing with it, in what capacity, for what purpose and on what legal basis it processes personal data, i.e. information that may serve to directly or indirectly identify persons
• identify the categories of data, the sources of the data (when the data is not received from the person himself/herself) and the criteria for determining the period of time for the retention of the personal data
• to inform the persons dealing with it regarding transfers of their personal data to third parties or to third countries
• to inform about the ability of subjects to contact our Department on any issue related to the processing of their personal data, the ability to exercise their rights of access, rectification and, where appropriate, erasure, restriction and opposition to processing, as well as the ability of individuals

to report any violation of their rights related to their personal data to the Office of the Personal Data Commissioner.

• to determine the principles governing the compliance with the relevant personal data protection policies and security guarantees by the Department.

For any question or query, or to receive a copy of this policy statement, or to exercise any of the rights related to his/her personal data, the interested party may contact the Data Protection Officer (DPO) of our Department at +357 25108600 and email: stioakim@hsbrconsulting.com

3.2 Data Controller and Data Protection Officer Details

Controller:

Name	Department of Postal Services
Address	100 Prodromou Street, 2063, Strovolos, Cyprus
Telephone - Fax	+357 22805711/+357 22304154
Email	registry@dps.mcw.gov.cy

Data Protection Officer:

Full name : Stavros Ioakeim

Tel.: +357 25108600

Email: stioakim@hsbrconsulting.com

3.3 Who collects personal data?

The Department is subordinate to the Ministry of Transport, Communications and Works and operates on the basis of the Postal Law, Chapter 303, as amended to date, as well as the Regulation of Electronic Communications and Postal Services Law of 2004 (L.112(I)/2004), as amended to date.

The Department (Cyprus Post), in accordance with article 161 (7) of Law 112(I)/2004, remains a provider of the Universal Postal Service in the Republic of Cyprus until 31 December 2027 and therefore has an obligation to provide postal services that fall within the scope of the universal service. This statement covers the collection of personal data by our Department in the course of conducting its business, including its presence on third-party websites, platforms and applications under our Website Terms of Use.

It is noted that when visiting the website of our Department, simple data related to the visitor's interaction with the website and the installation of cookies is collected (see the relevant Cookie Policy). Third-party websites, in general, apply their own privacy statements and their own terms and conditions. We encourage you to read them before using these websites.

3.4 How is personal data collected?

We collect personal data from various sources, namely:

• Personal data provided to our Department directly by the subjects, for one of the following reasons:

1. Information is provided when all our services are used and when concluding, developing and terminating the contractual relationship between us.
2. Data provided during participation in the events and actions of our Department.
3. Information provided when contacting us or when submitting a request.
4. Data provided when registering in the newsletter of our Department.

• We receive personal data indirectly, in the following cases:

1. Data that we collect during the operation of a closed circuit video surveillance (CCTV) at the Department's premises.
2. Data that we collect during the operation of GPS telematics management systems during the movement of the Department's vehicles.
3. Data received from senders of postal items transmitted electronically and/or on the item itself by the sending postal organisations.
4. Data received from senders of financial services transmitted electronically and/or in paper form.

• The Department receives and stores certain types of personal data whenever anyone interacts with it online, i.e. when cookies and tracking technologies are used.

3.5 What personal data is collected?

Personal Data means any information relating to an identified or identifiable natural person ("data subject"). An identifiable natural person is one whose identity can be established, directly or indirectly, in particular by reference to an identifier, such as a name, an identity number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.

Due to the nature of our Department's activities, the personal data it collects mainly concerns the following categories of subjects:

• Employees: i.e. their personal data and data that refer purely to the employment relationship with the Department, which include indicatively identity and communication data, financial data as well as health data of the same or additional members related to the compliance of our Department with labor and insurance legislation.

Geolocation data is also collected from the GPS systems installed in the vehicles.

Finally, data is collected from CCTV systems, where applicable.

• Candidates for recruitment: i.e. their personal data and data referred to in their evaluation as candidates and in their recruitment procedures by the Department, which include indicative identity and contact information, as well as details of the candidates' professional CVs.
• Partners of the Department (suppliers and other associates): i.e. their personal data and data referring to the contractual relationship between us, which include indicatively identity and communication data, transaction data as well as financial data related to the compliance of our Department with its legal contractual obligations.
• Dealing with the Department (citizens/individuals who communicate with our Department): i.e. their personal data and data referring to the contractual relationship between us, where it exists, or used for their communication with our Department, which include indicatively identity and contact data, transaction data from the use of the Department's services;  as well as financial data related to the compliance of our Department with its legal contractual obligations.
• Trainees from the Department: i.e. personal data of the persons participating in the trainings organized by our Department, which include indicatively identity and communication data, elements of the contractual relationship of our Department with the participants (e.g. employment contract when the participant is an employee of our Department).
• Newsletter  recipients: i.e. personal data of the persons who, with their consent, provide to the Department for communication with them, for informational purposes and direct marketing of products and services, which indicatively include identity and contact details, data of a previous transactional relationship of our Department with them (if the recipient is or has been a customer of our Department).

Please note that we do not collect personal data of special categories, such as personal data relating to race, national origin, religion, sexual orientation or genetic biometric data, etc., which are categorized as special categories of data and receive additional protection under European data protection legislation.

3.6 Especially with regard to children's privacy

Personal data of children may be collected exclusively in the context of the employment relationship of our employees, i.e. on the one hand to describe the marital status of employees regarding salary, labor rights, etc. and on the other hand, for the inclusion of minors/additional members in the group insurance provided to the employees and to service the said insurance contract. It is understood that this information is provided with the consent of the person who has parental responsibility of the child (see below).

3.7 What is the data used for?

The purpose of the processing is proportional to the function performed at any given time. Especially:

• The personal data of employees are provided to our Department for the purpose of concluding, executing or terminating the respective employment/cooperation contract. Also, the personal data of employees regarding attendance, absences, hours of presence, leaves, medical documentation of sick leaves, are kept for the purpose of granting leaves, including sick leaves, while personal data relating to the employees’ performance are provided by the heads of the individual departments for the purpose of appraisals the staff by the Department.

The processing of geolocation data (GPS) is carried out for the purpose of fulfilling the public interest, i.e. the provision of postal services to citizens, which by its nature requires proper organization and accuracy.

• The personal data of the candidate employees, which they themselves provide during the individual stages of selection and evaluation of candidates, are disclosed to the competent Service of the Department and to the Administration, for the purpose of informing the Department, evaluating, interviewing, etc., for the recruitment of employees and the conclusion of cooperation.
• The personal data of partners, citizens, trainees and those who do business with the Department, which they themselves provide, are collected and processed for the purpose of concluding and developing a contractual relationship, when it exists, compliance with legal contractual obligations and, where appropriate, communication with them upon their request.
• The personal data of newsletter recipients is collected with their consent and is used for our communication with them for informational purposes and direct marketing of products and services.
• The surveillance of the entrance as well as the rest of the facilities is also carried out with image recording cameras (CCTV). Any person entering the premises (employee or visitor) is informed by announcement signs about the existence of CCTV.

3.8 What is the legal basis of processing and storage time?

Purpose of Processing	Legal basis of processing	Storage Time / period of time when personal data is kept
The personal data of employees are provided to our Department for the purpose of concluding, executing or terminating the respective employment/cooperation contract. Also, the personal data of employees regarding attendance, absences,  hours of attendance, leaves, medical documentation of sick leave, are kept for the purpose of granting leaves,  including sick leaves, while personal data regarding employee performance are provided by the heads of the individual departments for the purpose of staff appraisals by the Department. The processing of geolocation data (GPS) is carried out for the purpose of fulfilling the public interest, i.e. the provision of postal services to citizens, which by its nature requires proper organization and accuracy.	The processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to the conclusion of a contract; The processing is necessary for compliance with a legal obligation of the controller; The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body;  The processing is necessary on the basis of the legitimate interests of the controller or a third party.	For as long as the employment relationship lasts. After the termination of the employment relationship, for any reason, the relevant data are retained for a maximum of twenty years, during which time any legal case for their processing may arise.
The personal data of the candidate employees, which they themselves provide during the individual stages of selection and evaluation of candidates, are disclosed to the competent Service of the Department and to the Administration, for the purpose of informing the Department, evaluating, interviewing, etc. for the recruitment of employees and the conclusion of cooperation.	The data subject has consented to the processing of his or her personal data	Two-year period
The personal data of partners, citizens, trainees and those who transact with the Department, which they themselves provide, are collected and processed for the purpose of concluding and developing a contractual relationship, when it exists, compliance with legal contractual obligations and, where appropriate, communication with them upon request.	The data subject has consented to the processing of his or her personal data The processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to the conclusion of a contract; The processing is necessary for compliance with a legal obligation of the controller; The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union body, office or office	For as long as the contractual relationship between us lasts. In a number of systems, anonymization is done in one (1) year, while in others it is deleted in two (2) years. After the termination of the contractual relationship, for any reason, the relevant data are retained for a maximum of twenty years (indicative limitation period for any arising legal claims), a period during which any legal case for their processing may arise, such as the case of civil cases or the investigation of a criminal act, the case of tax audit, etc.
The personal data of newsletter recipients is collected with their consent and is used for our communication with them for informational purposes and direct marketing of products and services.	The data subject has consented to the processing of his or her personal data	Until the withdrawal of consent
The surveillance of the entrance as well as the rest of the facilities is also carried out with CCTV image recording cameras. Anyone entering the premises (employee or visitor) is informed by notice signs about the existence of a CCTV.	The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body; The processing is necessary on the basis of the legitimate interests of the controller or a third party.	They are kept for fifteen (15) days in a recorder

3.9 Profiling

The Department does not use personal data to create profiles.

3.10 Data Transfer to Third Parties: To whom will the data be shared?

The Department discloses personal data to third parties:

• Postal organizations in the countries of destination of postal items
• Postal and other financial service providers provided by the Department
• Competent state authorities of the Republic of Cyprus or other countries, through the respective postal organizations of the country (e.g. Customs) 

In cases where our associates process personal data on behalf of our Department, they have previously contractually committed themselves to their relevant obligations regarding the non-use of the data for any purpose other than the execution of the processing, the maintenance of confidentiality and compliance with the Regulation.

3.11 What are the rights of the subject?

The processing of the subject's personal data is also linked to corresponding rights, which, without prejudice to provisions that may restrict the exercise thereof, are:

• Transparency in Information

Providing the data subject with all information relating to the processing in a concise, transparent, understandable and easily accessible form, using clear and simple wording.

The controller does not refuse to act at the request of the data subject to exercise his or her rights, unless the controller proves that he or she is unable to verify the identity of the data subject.

• Right of Access

The data subject has the right to obtain confirmation from the controller as to whether or not the personal data concerning him or her are being processed and, if so, the right of access to the personal data.

• Right to Rectification

The data subject has the right to request from the controller without undue delay the correction of inaccurate personal data concerning him/her.

Having regard to the purposes of the processing, the data subject has the right to request the completion of incomplete personal data

• Right to Erasure – Right to "be forgotten"

The data subject has the right to request from the controller the erasure of personal data concerning him/her.

• Right to restriction of processing

The data subject has the right to obtain from the controller the restriction of processing.

• Right to data portability

The data subject has the right to receive the personal data concerning him or her, which he has provided to a controller, in a structured, commonly used and machine-readable type, as well as the right to transmit such data to another controller without objection from the controller to whom the personal data were provided;  when:

a) the processing is based on consent or a contract;

and

b) the processing is carried out by automated means;

Right to Object

The data subject has the right to object, at any time and for reasons related to his or her particular situation, to the processing of personal data concerning him/her.

Decision Making - Profiling

The data subject has the right not to be subject to a decision taken solely on the basis of automated processing, including profiling, which produces legal effects concerning him or her or significantly affects him or her in a similar way.

The above shall not apply when the decision:

(a) is necessary for the conclusion or performance of a contract between the data subject and the data controller;

(b) it is based on the explicit consent of the data subject. 

In case of exercising one of the above rights, we will take all possible measures to satisfy your request within a reasonable period of time and at the latest within one (1) month from the identification of your submitted request, informing you in writing of the satisfaction of your request, or the reasons that may prevent the exercise of the relevant right;  or the satisfaction of one or more of your rights, in accordance with the General Data Protection Regulation. Please note that in some cases it may not be possible to satisfy your relevant requests, such as when the satisfaction of the right is contrary to a legal obligation or conflicts with a contractual legal basis for processing your data.

In order to exercise any of your rights, please fill in the relevant PERSONAL DATA SUBJECT REQUEST form, which can be found on our website.

If you believe that any of your rights or legal obligations of our Department regarding the protection of Personal Data is being violated and after you have previously contacted the Data Protection Officer of the Department (DPO) for the relevant matter, i.e. you have exercised your rights to the Department and either you have not received a response within one month (extending the deadline to two months in case of a complex request);  or you consider that the response you received from the Department is not satisfactory and your issue has not been resolved, you may file a complaint with the competent supervisory authority, i.e. Office of the Commissioner for Personal Data Protection, P.O. Box 23378, 1682 Nicosia, Tel.: 22 818 456, Fax: 22 30 45 65.

3.12 How is personal data protected?

We have taken appropriate organizational and technical measures to protect your personal data from misuse, interference, loss, unauthorized access, modification or disclosure. The measures we use include implementing appropriate measures in access control, technical information security as well as ensuring that personal data is encrypted, pseudonymised and anonymised, where necessary and feasible.

Access to personal data is allowed only to our competent employees and associates and only if it is necessary to support the activity of our Department, and is subject to strict contractual confidentiality obligations, when processing is commissioned and carried out by third parties.

3.13 How can I contact the Department?

You can contact us at our registered office address, 100 Prodromou Street, 2063, Strovolos, Cyprus or at registry@dps.mcw.gov.cy email address or submit a request via the Contact Form on our website.

3.14 Update – Update of this Data Protection Policy Statement

We reserve the right to modify and update this Policy from time to time to respond to the feedback and needs of data subjects and changes in our Department's products, services, and internal processes.

Any changes will be posted with a simultaneous revision of the date last updated at the top of this statement – Data Protection Policy.

The Department recommends that its customers/partners periodically check this policy in order to be aware of the way in which the Department processes and protects their personal data.