Data Protection Notice

(Last amended 9 April 2019)

This Privacy Policy governs the processing of your personal data by the State Health Services Organization, on the basis of the European General Data Protection Regulation (GDPR) and the Protection of Natural Persons Against the Processing of Personal Data and Free Data Traffic of these Data Act of the Republic of Cyprus (Law Number 125 (I) of 2018), as part of your visit to our website, www.shso.org.cy (hereinafter: “Website”), or your communication with us via e-mail, telephone, fax and our social media channels (such as Facebook, Twitter, YouTube and Instagram).

If you want more information on how we process personal data via cookies, social plugins and other types of tracking technology, please refer to our Cookie Policy.

  1. Who are we?

Your personal data is processed by the State Health Services Organization, established by the State Health Services Organization Scheme Law of 2001 (Ν.89(Ι)/2001), with registered office at Prodromou 1 & Chilonos 17, 3rd Floor, 1449 Nicosia (hereinafter: “HIO”, “we”, “us”, “our”), on the basis of applicable data protection legislation of the European Union and the Republic of Cyprus. You can contact us via e-mail at dpo@shso.org.cy.

Where reference is made in this Privacy Policy to laws or regulations, possible amendments to these laws or regulations are implicitly included.

We reserve the right to change and adapt this Privacy Policy on our own initiative. In that case, those changes and adaptations will be communicated to you via our Website at least two weeks before they become applicable. Any further use of our Website will be subject to the amended Privacy Policy.

  2. Which of your Personal Data do we process?

When you use our Website or our social media channels, we process:

  • Technical information, such as information concerning your device, IP-address, browser type, geographical location and operating system;
  • Browsing behavior, such as the length of your visit, the links you click, the pages you visit and the frequency with which you visit a page.

When you communicate with us by e-mail, telephone, fax or social media channels, we process:

  • Identity information you provide us with, such as your first name, last name, gender, birth date, age, preferences and interests;
  • Contact details you provide us with, such as your e-mail address, postal address, country, telephone number and mobile telephone number;
  • Content of the communication, such as your request or question;
  • Technical information of the communication, such as with whom you communicate at our end, date and time of the communication;
  • Publicly available information about you, such as information publicly available on your social media profile;
  • Any other personal data you provide us with.

We receive most of your personal data directly from you, but it may happen that we receive additional information about your preferences and browsing behavior from partners such as Google. If you require more information about the personal data these parties process about you and make available to others, you are kindly requested to consult their respective privacy policies.

  3. For what purposes do we process your Personal Data and what is the Legal basis for this?

In the table below, we explain the purposes for which we process your personal data and the legal basis on which we do so. We rely on the following legal bases:

  • Our legitimate interest, such as continuous improvements of our website, materials and services to ensure that you have the best experience possible, to keep them safe from misuse and illegal activity, to disseminate and promote them and to make them available to you.

Purpose: We process your personal data in order to be able to respond to your questions and to be able to deliver to you the materials or information you request or to provide you with the services you request.
Legal basis: Our legitimate interest

Purpose: We process your personal data:

  • To comply with legal obligations that we have to comply with, or
  • To comply with any reasonable request from competent law enforcement agents or representatives, judicial authorities, governmental agencies or bodies, including competent data protection authorities, or
  • To transfer your personal data to the police or the judicial authorities upon our own initiative as evidence or if we have justified suspicions of an unlawful act or crime committed by you through your use of our Website, our social media channels or other communication channels.

Legal basis: A legal obligation

Purpose: We process your personal data to perform statistical analyses in order to be able to improve our Website, promotional information, materials and services or to develop new materials and services.
Legal basis: Our legitimate interest

Purpose: We process your personal data to preserve our legitimate interests or to preserve the legitimate interests of a third party in case your use of our Website, our social media channels or other communication channels can be considered:

  • A violation of any applicable terms of use of our Website or the intellectual property rights or any other of our or a third party’s rights, or
  • A danger or threat to the security or integrity of our Website, our social media channels or other communication channels or any of our, our select partners’ or a third party’s IT systems due to viruses, Trojan horses, spyware, malware or any other form of malicious code, or
  • In any way hateful, obscene, discriminating, racist, slanderous, spiteful, hurtful or in some other way inappropriate or illegal.

Legal basis: Our legitimate interest

  4. To whom do we send your Personal Data?

We rely on third parties, for example, to provide you with our Website (such as a hosting provider). These third parties are only allowed to process your personal data on our behalf and upon our explicit written instruction. We also warrant that all those third parties are selected with due care and are committed to observing the safety and integrity of your personal data.

We may be legally obliged to share your personal data with competent law enforcement agents or representatives, judicial authorities, governmental agencies or bodies, including competent data protection authorities, to comply with a legal obligation.

  5. Where do we process your Personal Data?

Your data are exclusively processed within the territory of the Republic of Cyprus.

  6. What quality assurances do we comply with?

We do our utmost to process only those personal data which are necessary to achieve the purposes listed under Article 3 above.

Your personal data are only processed for as long as needed to achieve the purposes listed under Article 3 above. We will de-identify your personal data when they are no longer necessary for the purposes outlined in Article 3 above, unless there is:

  • An overriding interest of SHSO or any other third party in keeping your personal data identifiable; or
  • A legal or regulatory obligation or a judicial or administrative order that prevents us from de-identifying them.

We will take appropriate technical and organizational measures to keep your personal data safe from unauthorized access or theft as well as accidental loss, tampering or destruction. Access by our staff members or third parties’ personnel will only be on a need-to-know basis and be subject to strict confidentiality obligations. You understand, however, that safety and security are best-efforts obligations, which can never be guaranteed.

  7. What are your rights?

You have the right to request access to all personal data processed by us pertaining to you. We reserve the right to charge a reasonable administrative fee for multiple subsequent requests for access that are clearly submitted to cause nuisance or harm to us. Each request must specify the processing activity for which you wish to exercise your right to access and the data categories to which you wish to gain access.

You have the right to rectification, i.e. to ask that any personal data pertaining to you that are inaccurate be corrected free of charge. If you submit a request for correction, your request needs to be accompanied by proof of the flawed nature of the data for which correction is asked.

You have the right to withdraw your earlier given consent for processing of your personal data.

You have the right to erasure, i.e. to request that personal data pertaining to you be deleted if these data are no longer required in the light of the purposes outlined in Article 3 above. However, you need to keep in mind that a request for deletion will be evaluated by us against:

  • Our and third parties’ interests which may override your interests; or
  • Legal or regulatory obligations or administrative or judicial orders which may contradict such deletion.

You have the right to restriction instead of deletion, i.e. to request that we limit the processing of your personal data if:

  • We are verifying the accuracy of your personal data; or
  • The processing is unlawful and you oppose the deletion of your personal data; or
  • You require your personal data to establish, exercise or defend a legal claim, while we no longer need your personal data for the purposes listed under Article 3 above; or
  • We are verifying whether our legitimate interests override your interests if you exercise your right to object in accordance with Article 7.6.

You have the right to object to the processing of personal data if:

  • The processing is based on our legitimate interest under Article 3 above; and
  • You are able to prove that there are serious and justified reasons connected with your particular situation that warrant such objection; and
  • Our legitimate interests do not override your interests.

However, if the intended processing qualifies as direct marketing, you have the right to object to such processing free of charge and without justification.

You have the right to data portability, i.e. to receive from us in a structured, commonly used and machine-readable format all personal data you have provided to us if the processing is based on your consent or a contract with you under Article 3 above.

If you wish to submit a request to exercise one or more of the rights listed above, you can contact our Data Protection Officer by sending an e-mail to dpo@shso.org.cy. An e-mail requesting to exercise a right will not be construed as consent with the processing of your personal data beyond what is required for handling your request. Such a request should meet the following conditions:

  • State clearly which right you wish to exercise; and
  • State clearly the reasons for exercising your right if such is required; and
  • Your request should be dated and signed; and
  • Your request should be accompanied by a digitally scanned copy of your valid identity card proving your identity. If you use the contact form, we may ask you for your signed confirmation and proof of identity.

We will promptly inform you of having received your request. If the request meets the conditions above and proves valid, we will honor it as soon as reasonably possible and at the latest thirty (30) days after having received your request.

If you have any complaints regarding the processing of your personal data by us, you may always contact our Data Protection Officer by sending an e-mail to dpo@shso.org.cy. If you remain unsatisfied with our response, you are free to file a complaint with the competent data protection authority.