Privacy & Cookies Policy
Regulation (EU) 2016/679
We are fully compliant with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). To achieve this end:
- Consent: Processing of your personal data is based on consent. Therefore, via our controller, we must be able to demonstrate that the data subject (hereinafter “you”) has consented to processing of his or her personal data. For this purpose:
- Withdrawal of consent: You have the right to withdraw your consent to the processing of your personal data at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before your withdrawal. In order to exercise your right to withdraw your consent to the processing of your personal data, you are obliged to inform Kivotos Luxury Lifestyle Ltd, 20a Themistokli Dervi Avenue, 1066 Nicoisa https://cyprusbusinessawards.com.cy/contact/, Tel: 22658536
- of your decision to withdraw from this consent with a clear statement (e.g. with a letter which is going to be sent to us by post, telefax or e-mail), or simply by using the attached specimen of withdrawal of consent to the processing of personal data form, without this being obligatory. You may also complete and submit electronically from our website cyprusbusinessawards.com.cy the specimen of withdrawal of consent to the processing of personal data form or any other such clear statement. If you use this capability, we shall transmit without delay a receipt confirmation of your withdrawal of consent to the processing of personal data on a fixed medium (e.g. e-mail).
- Please note that when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of our contract/agreement, including the provision of our services, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
- Children: All personal data of children shall be treated in the same manner as the personal data of adults. If you are traveling with children under the age of 16 please note that, in relation to the offer of information society services* directly to a child that is below the age of 16 years, personal data processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Although we do not offer our services directly to children but only via and at the request of their lawful custodians (whether they are actually traveling with their parents, or whether they are traveling with teachers, relatives, or other adult traveling companions), we assume that the personal data of the children traveling with you are given to us by full and unequivocal consent of all lawful custodians (e.g. both their parents) and you expressly agree that by providing us with the a child’s’ personal data, you have obtained or you give such consent as appropriate. If for any reason we become aware that we have received personal data of children traveling with you that have been given to us without their lawful custodians’ consent we shall immediately notify the appropriate authorities and, where applicable, the lawful custodians of the children concerned.
- Principles of Processing: The data subject’s (hereinafter “your”) personal dataǂ shall be:
* “information society service” Comprises any e-commerce service normally provided for remuneration, at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, and at the individual request of a recipient of a service.
ǂ “Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- Collected only for specified, explicit and legitimate purposes i.e. only for the purposes of providing coverage for legal services to you according to the retainer package you have purchased, and shall not be further processed in a manner that is incompatible with this purpose.
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. We shall only collect:
- Your name in conjunction with your date of birth so that we can identify you.
- Your home address including your country, your telephone number and your e-mail address, for further identification but also so that we can contact you for the purposes of our agreement.
- Your arrival and departure dates in Cyprus so that we know when we can expect you in Cyprus, activate your particular package and organise our work.
- Confirmation of your payment by your provider to ensure payment of our bills. Please note that this information is given to us by your credit card provider and we do not collect or process any of your credit or billing information other than to note that you have paid us and for what package.
* “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
ǂ “Lawful” processing that applies to our contact/agreement purposes means that:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- Processing is necessary for the performance of a contract to which the data subject is party (“our contract/agreement”) or in order to take steps at the request of the data subject prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which the controller is subject;
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
In addition to the information mentioned herein above, your personal data shall be given a unique identifier code which you shall be using to contact us and against which your personal data shall be stored.
No other personal information shall be collected by us unless you wish to communicate with us through third party social media websites or applications (e.g. Twitter, Facebook, Instagram) or participate in our promotions and surveys on the Website, in which case your information shall be kept in a separate list for as long as necessary to perform only those purposes whereupon you shall get another notification regarding the processing of your personal data..
- Accurate (as far as we are able to know because you are the source of that information and you are solely responsible to provide it accurately to us) and, where necessary, kept up to date. We shall take every reasonable step to ensure that any personal data given by you to us are inaccurate, and having regard to the purposes for which they are processed, that they are erased or rectified without delay. To achieve this purpose you are obliged to notify us as soon as possible for any such inaccuracies. If you provide information that is not accurate, current or complete, or if we have reason to believe that the information you have provided us is not accurate, current or complete, we have the right to prohibit you from any and all future use of our services.
- Kept in electronic form which permits your identification for no longer than is necessary for the purposes for which the personal data are processed.
- Your personal data shall be erased automatically:
- At the end of each event unless:
- By that time two months have not elapsed from your confirmation of payment information and in such case your personal data shall be kept for a longer period until credit card cancellation rights expire and be erased automatically at the end of that month, or
- Albeit unlikely, if asked to do so, for whatever other reasonable time the Cypriot VAT and Tax authorities or Police, or other competent authority require.
- We shall not store your personal data for longer periods but we may, for statistical purposes, retain and process “number of clients” “country of origin” and “dates of travel” details, which shall not be connected in any direct or indirect manner to you and shall not include information that can be used to identify you.
- Your personal data shall be erased automatically:
- Processed in a manner that ensures security of the personal data from hacking (by using an internet firewall) and from unauthorised access by using password access to the database), including protection against unauthorised or unlawful processing (by allowing our employees password-protected limited access to your information on a “need to know basis”) and against accidental loss, destruction or damage (by appropriate backups).
- Data subject’s rights: The data subject (hereinafter “you”) has the following rights:
- Transparency of information: You have the right to know what information is collected from you, who may use it and why. Please see paragraph 4.1 below for more details.
- Access: You have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the following information:
- The purposes of the processing.
- The categories of personal data concerned.
- The recipients or categories of recipient to whom the personal data have been or will be disclosed.
- Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning you or to object to such processing.
- The right to lodge a complaint with a supervisory authority.
- Where the personal data are not collected from you, any available information as to their source.
- The existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.
- Rectification: You have the right to obtain without undue delay from the controller the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
- Erasure (“right to be forgotten”): You have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- You withdraw consent on which the processing is lawfully based and where there is no other legal ground for the processing.
- You object to the processing (see paragraph 3.8 below) pursuant to your right to object to processing which is necessary for the purposes of the legitimate interests pursued by the controller or by a third party and there are no overriding legitimate grounds for the processing, or you object to the processing for marketing purposes.
- The personal data have been unlawfully processed.
- The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
- The personal data have been collected in relation to the offer of information society services.
Where the controller has made the personal data public and is obliged pursuant to the above paragraphs to erase that personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
Provided that the above shall not apply to the extent that processing is necessary:
- For exercising the right of freedom of expression and information.
- For compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- For reasons of public interest in the area of public.
- For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in in so far as the right referred to is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- For the establishment, exercise or defence of legal claims.
- Restriction in processing: You have the right to obtain from the controller restriction of processing where one of the following applies:
- The accuracy of the personal data is contested by you, for a period enabling the controller to verify the accuracy of the personal data;
- The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead.
- The controller no longer needs the personal data for the purposes of the processing, but they data are required by you for the establishment, exercise or defence of legal claims.
- You have objected to processing pending the verification whether the legitimate grounds of the controller override yours.
Where processing has been restricted pursuant to the above paragraphs, such personal data shall, with the exception of storage, only be processed with the your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. I you have obtained restriction of processing pursuant to the above paragraphs you shall be informed by the controller before the restriction of processing is lifted.
- Notification for rectification: The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in with your rights to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform you about those recipients if you request it.
- Data portability: You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
- The processing is based on consent and
- The processing is carried out by automated means.
In exercising your right to data portability you shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible. The exercise of this right shall be without prejudice to your Right to erasure (“right to be forgotten”). Your right to data portability shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Your right to data portability shall not adversely affect the rights and freedoms of others.
- Right to object: You have at any time the right:
- To object on grounds relating to your particular situation, to the processing of personal data concerning you, that are necessary for the purposes of the legitimate interests pursued by the controller or by a third party, including profiling based on these. In such a case the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
- To object to processing of personal data concerning you for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing. In such a case the personal data shall no longer be processed for such purposes.
At the time of the first communication with you at the latest, the rights referred to in paragraph 3.8.1 and 3.8.2 above shall be explicitly brought to your attention and shall be presented clearly and separately from any other information.
- To object on grounds relating to your particular situation to the processing of your personal data concerning you that are used for scientific or historical research purposes or statistical purposes, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
- In the context of the use of information society services you may exercise your right to object by automated means using technical specifications.
- Automated individual decision-making, including profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This shall not apply if the decision:
- Is necessary for entering into, or performance of, a contract between you and a data controller;
- Is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the your rights and freedoms and legitimate interests; or
- Is based on your explicit consent.
In the cases referred to in paragraphs 3.9.1 and 3.9.3 above, the data controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision. Decisions referred to in paragraphs 3.9.1, 3.9.2 and 3.9.2 above shall not be based on special categories of personal data unless you have given explicit consent to the processing for one or more specified purposes or the processing is necessary for reasons of substantial public interest which shall be proportionate to the aim pursued and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.
- Controller: The controller responsible for, and able to demonstrate compliance with, paragraph 2 above is Mr. Constantinos Siakallis, Director of Kivotos Luxury Lifestyle Ltd who can be found at 20a Themistokli Dervi Avenue, 1066 Nicosia, Tel 22658536, firstname.lastname@example.org
- Transparency of information: Because the personal data relating to you are collected from you, for transparency purposes, the controller shall provide you with all of the following information at the time when your personal data are obtained (i.e. upon buying one of our packages):
- The identity and the contact details of the controller.
- The purposes of the processing for which the personal data are intended as well as the legal basis for the processing.
- The legitimate interests pursued by the controller or by a third party.
- The recipients or categories of recipients of the personal data.
- The period for which the personal data will be stored and, if that cannot be determined, the criteria used to determine that period.
- The existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning you or to object to processing as well as the right to data portability.
- The existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
- The right to lodge a complaint with a supervisory authority.
- Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and of the possible consequences of failure to provide such data.
The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by you, the controller may charge a reasonable fee based on administrative costs. Where you make the request by electronic means, and unless otherwise requested by you, the information shall be provided in a commonly used electronic form.
- Communications: The controller shall also take appropriate measures to make any communication to you regarding your Rights (as explained in paragraph 3 above) relating to processing, in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by you, the information may be provided orally, provided that your identity is proven by other means. Where the controller has reasonable doubts concerning the identity of the natural person making the request regarding your rights, the controller may request the provision of additional information necessary to confirm your identity.
- Identification: If the purposes for which a controller processes personal data do not or do no longer require the your identification by him, he shall not be obliged to maintain, acquire or process additional information in order to identify you for the sole purpose of complying with the EU Regulation. Therefore where the controller is able to demonstrate that he is not in a position to identify you he shall inform you accordingly, if possible. In such cases your Rights (as explained in paragraph 3 above) shall not apply, except where you, for the purpose of exercising your rights, provide additional information enabling your identification.
- Timeframe: The controller shall provide information on action taken on a request under your Rights to you without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform you of any such extension within one month of receipt of the request, together with the reasons for the delay. Where you make the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by you.
- Delay and Complaints: If the controller does not take action on your request, the controller shall inform you without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. The Cypriot Supervisory authority is the Commissioner for the Protection of Personal Data and his website can be found here dataprotection.gov.cy/dataprotection/dataprotection.nsf/home_en/home_en?opendocument
- Fees: Information provided for transparency purposes and any communication and any actions taken regarding your Rights shall be provided free of charge. Where requests from you are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
- Charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
- Refuse to act on the request.
The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
- Special categories and criminal convictions: Please note that processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation is prohibited unless it is processed for lawful purposes. One of those lawful purposes is the processing of personal data that are necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity. Although we shall not ask you of any such data in our website, it may be necessary to obtain such data from you in furtherance of your defence or your legal claims e.g. your religious affiliation in Cypriot divorce cases or your political opinions in extradition proceedings or refugee applications regarding countries where civil or human rights are not protected. Although we shall not ask you of any such data in our website also please note that limited processing of your criminal record may be needed in cases where this is relevant to your defence or legal claims e.g. to defend in a criminal case against you, or in custody hearings where this is relevant etc. Under our code of ethics and legal obligations this special categories or criminal convictions shall always remain in strict confidence with your personal lawyer at the time and shall not be kept in any general database, but only in your personal file.