Privacy Policy

Table of Contents

A. OVERVIEW

B. CYBC AS A DATA CONTROLLER OR DATA PROCESSOR

C. WHAT IS THE BASIS ON WHICH WE JUSTIFY PROCESSING OF YOUR PERSONAL DATA

D. HOW DO WE COLLECT PERSONAL DATA

E . WHY WE PROCESS YOUR PERSONAL DATA

F. HOW LONG WE KEEP YOUR PERSONAL DATA

G. SHARING OF PERSONAL DATA

H. CATEGORIES OF PERSONAL DATA PROCESSED

I. TECHNICAL & ORGANISATIONAL MEASURES PROTECTING PERSONAL DATA

J. DATA PROCESSORS TO CYBC

K. YOUR RIGHTS

L. QUERIES & COMPLAINTS

M. OTHER IMPORTANT INFORMATION

N. USE OF COOKIES

O. GLOSSARY & USEFUL DEFINITIONS

A. Overview

On the 25th of May 2018, the new European data privacy law, known as the General Data Protection Regulation (“GDPR”), has come into force. GDPR defines a specific framework and set of rules for the protection of individuals within the European Economic Area (EEA) with regard to the processing of their personal data.

Any physical or legal person, be it an individual, a company or an organization that collects, stores, manipulates or otherwise processes personal data (hereafter collectively referred to as “processing”) is affected, and is required to adopt appropriate technical and organizational measures that make such processing compliant to the provisions of the GDPR. GDPR affects therefore any physical or legal person or body who performs processing irrespective if they are established within or outside the European Union, so long as such physical or legal persons perform processing of personal data for individuals who are in the European Union.

This Privacy Policy has been prepared by the Cyprus Broadcasting Corporation wirg Registration number E2218 (hereafter referred to as [(“CyBC”)], with the objective of assisting natural persons whose personal data is or may be processed by CyBC in its capacity as Data Controller or Data Processor all other interested parties, gain an understanding of the measures we have adopted and operate, as part of our open GDPR compliance program and practices. When we mention CyBC “we”, “us” or “our” in this Privacy Policy, we are referring to the Cyprus Broadcasting Corporation which is the organization responsible for processing your data.

B. CyBC as a Data Controller or Data Processor

In running our business, CyBC is typically a Data Controller and in a small number of cases a Data Processor under the GDPR, with possible access to, and processing of personal data of, physical persons in their various capacities (e.g. interviewee, performer, actor, collaborator). CyBC is committed to performing such processing in transparent and fair ways, based on processes which are private by design and using appropriate technical and organizational measures in support of security and privacy objectives. This commitment is applicable throughout the lifecycle of personal data processing, including during collection, transmission, use and storage.

CyBC also commits to taking all reasonable steps to ensure that personal data processing is based on a valid legal basis. When CyBC is the Data Processor, this commitment typically means that we rely on the Data Controller in each case, to establish a valid legal basis 1 for the processing we perform in that capacity. We also depend on the Data Controllers to notify us in a timely manner when any changes to the status of such bases occur. In certain other cases, the processing we perform is dictated by legislation or may be based on our legitimate interests, especially those which emanate from our professional obligations and responsibilities and / or other regulatory frameworks subject to which we perform our work.

C. What is the Basis on Which we Justify Processing of Your Personal Data

In accordance with Article 6 of the GDPR, personal data processing is lawful if at least one of the processing bases described below applies:

the existence of evidenced consent of the data subject (i.e. the physical living person), whose personal data is processed
processing is necessary in order to enter into a contract to which the data subject is a contractual party or to take action at the request of the data subject before or after a contract is entered into force
processing is necessary to comply with a statutory obligation of the Data Controller or the Data Processor
processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or Data Processor as relevant, unless such interest overrides the interest or fundamental rights and freedoms of the data subject who require the protection of personal data, in particular if the subject of the data is a child
processing is necessary to safeguard the vital interest of the data subject or other natural person
processing is necessary for the performance of an obligation performed in the public interest or in the exercise of public authority assigned to the organization.

Based on the above, CyBC seeks to ensure that each type of personal data processing we perform is supported by one or more of the above legal bases. With very few exceptions, the legal bases applicable to our operational routines and the resulting personal data processing we conduct are those described in the first four bullets.

In addition, we may process personal data for journalistic purpose in which case we rely on and follow the provisions of GDPR Article 85, which stipulates that the related processing needs to be reconciled to and balanced against the individuals’ privacy protection required under the GDPR.

D. How Do we Collect Personal Data

As part of CyBC’s core processes (which include production, archiving transmission and distribution of audio-visual content; journalism and news discovery, dissemination and analysis) we may collect personal data from multiple sources, not necessarily directly from the individuals affected. In those cases, our staff is instructed to carefully balance the needs and rights for freedom of expression and access to information, against the need to protect the privacy of the persons affected.

In other cases, we receive the personal data directly from the affected individual (i.e. the “data subject”). Typically, such personal data is requested when we initiate our relationship, or in some cases at a later stage, after we commence interacting with each other. There are various means we may accept for receiving personal data including paper-based forms, electronic self-service functions (e.g. in a website), or through email or messaging communications or physical exchange of contact information (such as a business card). We may also collect personal data via automated means when data subjects interact with resources we provide (websites, email submission tools, mobile applications, access control systems, time and attendance applications, CCTV systems, etc.). We may also enhance the personal information we process about data subjects, as a result of the interactions and / or transactions between the individuals and CyBC.

Finally, we receive personal information for the data subjects from 3rd party sources. Key examples include references from previous employers during an employment application process and other lawful services of similar nature. If the data subject is a representative of one of our customers or suppliers, we may receive their personal information directly from their employer / principal, or from other colleagues of the data subjects.

E. Why we Process your Personal Data

We describe below the key ways we use personal information, and in Section H of this Privacy Policy, the legal bases on which we rely for such processing. We have also identified what our legitimate interests are where appropriate.

In general terms, we use the personal information we collect to identify, analyse, report and disseminate news and news worthy information to the general public. We also process personal data to help CyBC better understand you and to enable us to personalise your experience with CyBC and meet your needs in your interaction with CyBC. In this context, we may use your information to:

create, distribute and make available content such as news, films, documentary reports and other material via various channels (TV, Radio, Web)
deliver services, such as advertisements, sponsorships and placements of products in the most appropriate way possible
execute necessary services to pensioners (ex-CyBC employees)
provide customer services such as responding to queries and executing requests
provide, develop and improve our services
invite you to marketing, promotional and other events
manage competitions, customer surveys and questionnaires
check and verify your identity, and prevent, mitigate or detect fraudulent or illegal activities (where applicable).

Kindly be aware that your personal data may be processed based on more than one lawful purpose. If you need more information as to the specific legal basis on which we are relying to process your personal data, please send us your specific request to dataprotection@cybc.com.cy.

F. How Long we Keep your Personal Data

Personal data may be maintained by us in physical and / or electronic form and be processed in ways designed to respect the principles of purpose limitation; data minimization; data accuracy; integrity and confidentiality; and retention limitation.

Specifically, with regards to retention, the technical and organizational measures operated by CyBC are designed to result in personal data being kept only for as long as required to fulfil our statutory, professional and / or regulatory obligations.

At the end of the retention periods applicable in each case, defined operational processes or routines shall result in personal data being deleted or destroyed in controlled ways, in electronic and physical form, as appropriate. In some circumstances we may anonymise your personal information (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

CyBC also operates a Central Archive, that was created and operates in a way that collects, categorizes and stores all original content produced by CyBC (including external productions created for CyBC under contractual agreements with 3rd parties). The Central Archive processes and stores significant volumes of data (radio and TV content, photos, music records and even artefacts and other objects considered of historical value), which for the most part includes or reflects personally identifiable information.

The ensuing processing is based on the relevant legislation in force (The State Archives Law 208 / 91), and in practice means that such personal information is maintained indefinitely or until the Central Archive issues an instruction for deletion.

G. Sharing of Personal Data

Within CyBC, your personal information can be accessed by or may be disclosed internally on a need-to-know basis, based on user access rights management processes.

Your personal information may also be accessible and / or accessed by third parties, including suppliers and advisers, as those are outlined below. When this happens, we take specific measures and steps to protect such shared information, as described in more detail in section “SUB-DATA PROCESSORS” of this Privacy Policy. In summary, such measures and steps include requiring all such 3rd parties to respect the security of your personal information and to treat it in accordance with the law. We do not allow our 3rd party service providers to use your personal information for their own purposes and only permit them to process your personal information for specified purposes and in accordance with our instructions. The types of 3rd parties that may typically be involved in processing of your personal data include:

Service providers acting as Data Processors based in the EEA who provide IT, system administration services, payment providers to facilitate purchases, production companies who undertake to deliver content for CyBC, etc.
Professional advisers including lawyers, bankers, auditors and insurers based in the EEA who provide consultancy, banking, legal, insurance and accounting services.
Tax and Customs authorities, regulators, law enforcement bodies and other authorities acting as processors, or joint or independent controllers based in the EEA who have the right to require reporting of processing activities in certain circumstances and otherwise in defence of legal claims.
Market researchers, fraud prevention agencies and analytics providers.
Specifically, with regards to HR data, these may be shared with Payroll, Pension or Provident Fund Providers; Accountants & Auditors; Recruitment Agencies; Call Centre Providers; and HCM Consultants.

In addition, there are circumstances where we may need to disclose your personal information to 3rd parties, to help manage our business and deliver our services. In this context, we may disclose your personal information:

to 3rd parties to whom we may choose to sell, transfer, or merge parts of our organization or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If such a change happens to our organization, then the new owners may use your personal information in the same way as set out in this Privacy Policy
to 3rd parties when we are under a duty to disclose or share your personal information in order to comply with any legal or regulatory obligation, or in order to enforce or apply our legal rights, in which case we may share your personal information with our regulators and law enforcement agencies in the EEA, or to our legal advisers and
when it is necessary in order to protect the rights, property, or safety of CyBC, in which case we may disclose your personal information to our legal advisers and other professional services firms.

We may also disclose your personal data to national authorities and government bodies if legislation allows or compels us to do so.

H. Categories of Personal Data Processed

As part of our operational business processes and routines and depending on the specific relationship and or commercial or other engagement in place, we may process personal data for one or more data subject categories, as those are tabulated below (not a definitive or exhaustive list).

#	Business Relationship	Type of Processed Personal Data	Legal Basis
a.	Applicants	· CV information · Contact details · Previous employment records · Referee · Clear Police / Criminal Record · Work permit information · Skills & Professional and Academic Achievements (e.g. languages, academic degrees · Medical information (for specific vacancies / jobs only)	Consent Legitimate Interest (for application information voluntarily submitted by the applicant to us, unsolicited by CyBC)
b.	Employees, Contractors & Workers	· “Master Data” [full name, ID, Social Security number, address, marital status, children, age, gender, personal emails] · “Recruitment Data” [academic records, experience, previous employers, references] · Evaluation & Performance Information [salary, appraisals, promotions, disciplinary data, complaints and resulting investigations, appeals against HR decisions] · Occupational data [languages, special skills, driver license] · Operational data [, locations of travel, training records, leave of absence, timesheets / arrival and departure times, passports and IDs in support of business travel arrangements] · Financial data [payroll, payroll-related, life insurance details, family status, bank account details] · Type of employment [full-time, part-time, hourly employees, public sector employees, limited-time employees, self-employed]	Contract
c.	Former Employees, Contractors and Workers	For former employees, contractors or workers, the personal data types listed in (b) above continue to be processed after the conclusion of employment of the affected physical persons, for as long as it is deemed necessary based on applicable legislation and the Regulation (ΚΑΝΟΝΙΣΜΟΙ) governing CyBC’s operations, as well as to comply to legal, regulatory and other obligations of CyBC.	Employment and Social Insurance Legislation Employment / Work Contracts
d.	Next of Kin and Dependents	· Full name, mobile phone details, relationship with employee, contractor or worker (next of kin) · Full name, gender, age and birth date	Consent
e.	Board members and Directors	Executive – as per employees; and regulatory data such as registration with any applicable regulatory authority, your regulated status and any regulatory references Non-Executive – full name, mobile phone details, personal email, CV information, other full or part time employment / service positions, financial information such as bank accounts details, regulatory data such as registration with any applicable regulatory authority, your regulated status and any regulatory references	Legislation Legitimate interest
f.	Pensioners	As per “Former Employees, Contractors & Workers”. The following are additional personal data processed: · For ill-health retirement, also health and medical records and information · For divorcees, court order information (special categories). Financial data are kept indefinitely to help execute Pension Fund Administration and pension payment processes, as well as for tax and regulatory purposes	Legislation Contract Legitimate Interest
g.	Onsite Visitors & Guests	· Full name · Employer · Person(s) to visit · Entry and exit time · Signature · Pass number used · Camera / CCTV recordings	Legitimate Interest
h.	Event Attendees	· Full name · Employer · Work position and title · Work and Mobile Phone numbers · email address (work and / or personal) · Photos and images	Legitimate Interest
i.	General Public	· Full name, email, phone numbers, employer, title (for cases where you initiate an electronic communication and / or correspondence with us) · Photos and images of you from CCTV cameras we operate	Legitimate Interest
j.	Library Users	· Full name · email · Address · Mobile phone number and · Date of birth	Consent
k.	Website Users	· Full name · Gender · email address (business or personal)	Consent Contract (where this information is collected for the purpose of entering into a contract with the affected individual)
l.	Scholarship Applicants	· Full name · email address · Mobile phone number · Date of birth · Academic and other achievements and information · Family information and professional and academic references.	Consent
m.	CyBC Archive Users (via online channels or physical presence)	· Full name · email · Address · Mobile phone number and · Date of birth	Consent

I. Technical & Organisational Measures Protecting Personal Data

GDPR imposes obligations to Data Controllers and Data Processors which are in several cases dependent upon consistent implementation of relevant measures and controls across their own operations as well as those of their Data Processors. Our policy is to process personal data with due regard to the security, privacy and protection of the data we receive, store and process. This privacy policy explains the types of such technical and organizational measures that we employ so as to enhance the level of protection of personal data that we process. These measures are also designed to maximize the control over privacy in accordance to GDPR and have the objective of providing a level of security that is appropriate to the related risks.

As part of our overall data protection framework, CyBC has appointed a Data Protection Officer (DPO), in accordance with the requirements of GDPR. Our DPO can be contacted at dataprotection@cybc.com.cy.
All our personnel periodically observe GDPR-specific awareness sessions so as to maintain the currency of their understanding of GDPR and how it may impact our various operations that affect personal data we process.
We support the implementation of 3rd party entities’ (such as our customers, suppliers) lawfully issued instructions to us, in relation to data subjects for whom such 3rd party entities are Data Controllers, exercising their rights under GDPR, so long as such instructions do not come in conflict with our own legal, professional or regulatory obligations. In such cases, we shall seek to notify the 3rd party entity of the options available to them.
We seek to ensure that 3rd parties who support CyBC operations or systems or who are otherwise involved in our personal data processing operations (including other affected persons), have and operate necessary technical and organizational measures for protecting the security and privacy of personal data.
Our Incident Response Management and Breach Notification procedures are designed to include escalation of identified incidents to our Data Protection Officer, who is authorized and trained to involve other CyBC executives when such incidents involve personal data of CyBC-affected persons.
Where data transfers to 3rd countries are necessary, we shall seek to ensure that a valid lawful basis for such transfers evidently exists, as well as the necessary safeguards for such 3rd country data transfers in accordance with GDPR.
Our recruitment and ongoing personnel training and development, as well as the evaluation and disciplinary processes we operate, are designed to promote and maintain a high standard of professional ethics and competency at all levels of CyBC, which is in line with industry standards and our professional and legal responsibilities.
In addition, CyBC operates several complementary technical and organizational measures, designed to protect the privacy of personal information that we collect, store and process. Such measures include logical access controls and user rights management with the objective of minimizing access to personal (and other CyBC) information and data, only to authorized CyBC personnel. We also utilize user access credentials management with enforced frequent changes, password complexity and maximum / minimum lengths, restrictions on reuse of same passwords, etc., complemented by a structured process for periodic review and confirmation of continued business need to such personal data.
Furthermore, CyBC uses purpose-specific technologies and tools (such as firewalls, intrusion prevention, mail security gateways, etc.), all designed to monitor and manage the security of its electronic perimeter. CyBC also has in place an active and ongoing patch management program across security, server and endpoint devices for addressing newly released threats, and benefits from the use of endpoint malware protection at laptop, servers and desktop level.
A significant part of our operations involves 3rd parties (legal or physical persons) who are involved and / or provide support in many aspects including invariably in personal data processing. The related technical and organizational measures which we apply and operate with the objective of enhancing and maintaining privacy are described in the next section.

J. Data Processors to CyBC

Like almost all organizations, CyBC utilizes 3rd parties as part of its operations and routines. Such 3rd parties include legal and / or physical persons who provide services and / or products relating to film and content production, technology, marketing, facilities management, legal and other areas which may have an impact on personal data processing (including processing as specified in this Privacy Policy).

When necessary in the context of such personal data processing, our selection process and criteria for cooperation with 3rd parties (suppliers, vendors or other advisors), incorporates consideration and evaluation of those 3rd parties’ level of GDPR readiness and compliance. In this respect, we seek to ensure that 3rd parties who support CyBC operations or systems or who are otherwise involved in our personal data processing operations, have and operate necessary technical and organizational measures for protecting the security and privacy of personal data. Whenever relevant therefore, our contracts with 3rd parties include specific provisions designed to

identify the respective role of the 3rd party as a Data Processor or Sub-processor to CyBC
define the 3rd party’s GDPR-related obligations towards CyBC, including:
- enforcement of CyBC’s Data Retention Periods
- integration of the 3rd party’s Incident Response Management Process into that of CyBC stipulating allowable access and connectivity methods for remote support (where relevant and necessary)
- definition of the processes via which CyBC shall issue relevant instructions to the 3rd party in relation to the expected and required processing of personal information (where applicable), under each respective agreement
- prohibition for conducting cross border data transfers by the 3rd party, except with the express, prior written permission of CyBC (which itself is subject to, must be in line with and in compliance to, CyBC’s contractual and other obligations to affected data subjects).
conferring to CyBC the right to conduct periodic audits (including surprise audits) against the execution of GDPR related processes which the 3rd party supports and / or operates on CyBC’s behalf. In this context, CyBC also seeks to implement review processes with the 3rd party sub-processor so as to jointly monitor on a periodic basis the effectiveness of execution of privacy processes and routines, in order for such processes to become and continue to be “Private by Design”, as relevant.

K. Your Rights

Individuals whose data are processed, have defined rights under the GDPR. Specifically, GDPR requires Data Controllers and Data Processors to implement the necessary processes and mechanisms in support of data subjects’ exercising the following rights, the exact definitions of which have the meanings assigned to them by the GDPR:

Right to information as to the personal data processing being performed and the rationale of such processing
Right to access to the personal data being processed for his / her person
Right to rectification allowing individuals to request the correction or amendment of their data
Right to object to a specific type of processing, under specific circumstances
Right to object to automated processing or profiling in cases where automated processing results in decisions that in the opinion of the affected data subject, do not adequately reflect the unique characteristics of the case involved
Right to withdraw consent allowing a data subject to give notice and withdraw a previously given consent for a specific type of processing
Right to data portability allowing the transfer of personal data processed by a Data Controller to the data subject or directly to another Data Controller in electronic, machine readable format
Right of Erasure (“right to be forgotten”) entitling a data subject – under certain circumstances – to request the deletion of their personal data. It is important to note that this is not an absolute right, which may be affected by the specific circumstances of each case. For example, requests for deletion of personal data in CyBC’s Archive cannot as a general rule be deleted.

You will not have to pay a fee to exercise any of the rights as listed above. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. In extreme cases, we may even refuse to comply with your request in such circumstances.

If you would like to exercise any of the above rights, please send your request at dataprotection@cybc.com.cy, or by using the form provided at the respective websites operated by CyBC.

L. Queries & Complaints

CyBC is committed to acknowledge, consider and respond to all queries and complaints that it receives from any natural person who believes is affected by CyBC’s processing of his / her data. To communicate such queries or complaints please contact us on dataprotection@cybc.com.cy, and we shall seek to respond to the substance of your query as soon as practical, within a 30-day window as stipulated by GDPR.

If despite our responses and actions to address your concerns, you are not satisfied, you have the right to address the matter to the Cyprus Data Protection Commissioner whose offices are at Iasonos street 1, 2nd Floor, Nicosia 1082. The Commissioner’s office can be reached on +357 22818456 and their email address is commissioner@dataprotection.gov.cy.

M. Other Important Information

This Privacy Policy does not alter in any way other than explicitly defined herein, the obligations and responsibilities of CyBC or its customers, employees, vendors or partners, all of which are governed by the respective contracts (where applicable) and related arrangements between CyBC and each of those customers, employees, vendors or partners.

N. Use of Cookies on Our Websites

CyBC uses cookies on our websites. This is done to facilitate easier navigation throughout the website and increase visitor convenience. Your internet browser is likely to accept these cookies by default; however, you can refer to your browser’s help guide if you would like to reject or even delete them from your system.

According to www.allaboutcookies.org, Cookies[1] are small, often encrypted text files, located in browser directories. They are used by web developers to help users navigate websites efficiently and perform certain functions. Due to their core role of enhancing / enabling usability or site processes, disabling cookies may prevent users from using certain websites or specific areas or functionality of such websites.

Cookies are created when a user’s browser loads a particular website. The website sends information to the browser which then creates a text file. Every time the user goes back to the same website, the browser retrieves and sends this file to the website’s server. Cookies are created not just by the website the user is browsing but potentially also by other websites that run ads, widgets, or other elements on the page being loaded. These cookies regulate how the ads appear or how the widgets and other elements function on the page.

We may use both “session[2]” cookies and “persistent[3]” cookies on the website. We will use the session cookies to: keep track of you whilst you navigate the website. We will use the persistent cookies to: enable our website to recognise you when you visit.

To learn more about advertisers’ use of cookies the following links may be helpful:

European Interactive Digital Advertising Alliance (EU)
Internet Advertising Bureau (EU)

Log File Information

As is true of most web sites, we and / or our 3rd party tracking-utility partners gather certain information automatically and store it in log files. This information includes internet protocol (IP) addresses, browser type, internet service provider (ISP), referring / exit pages, operating system of the device used, date / time stamp, and clickstream data.

We use this information, which does not identify individual users, to analyse trends, to administer the Website, to track users’ movements around the Website and to gather demographic information about our user base as a whole.

3rd Party Cookies

We may allow third party organizations to set cookies using this website in order to deliver services.

O. Glossary & Useful Definitions

#	Term	Definition
1.	Transfers to 3^rd Countries	Transfers of personal data outside the European Economic Area in physical and / or electronic form
2.	Data Controller	The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.
3.	Data Processor	A natural or legal person, public authority, agency or any other body which processes personal data on behalf of a Data Controller.
4.	Data Protection Officer	A Data Protection Officer (or “DPO”) is a security leadership role required by the GDPR. The DPO is responsible for (a) overseeing data protection strategy and implementation within an organization; (b) ensuring compliance with GDPR requirements; (c) the provision of advice to the Data Controller or the Data Processor and their staff in relation to personal data processing; and (d) to cooperate with Data Protection Authorities and supervisory bodies in all privacy and data protection matters.
5.	Legitimate Interest	Our lawful interests in conducting and managing our business to enable us to give you the best services and / or products and secure and private by design experience. In choosing to perform personal data processing under the legal basis of legitimate interest, we seek to ensure that we consider and balance any potential impact on you (both positive and negative) and your rights before doing so. As a general principle, we do not use your personal information for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
6.	Personal Data	Also referred to as “personally identifiable information (or “PII”), personal data is any information relating to an identified or identifiable living natural person (the “data subject”)

This document is protected by copyright laws. Use of this document in any way is strictly prohibited.

[1] Also known as browser cookies or tracking cookies

[2] Session cookies are typically deleted from your computer when you close your browser

[3] Persistent cookies remain stored on your computer until deleted, or until they reach a specified expiry date