IMPERIO or Company – Y.A.M IMPERIO ENTERPRISES LTD a company incorporated and validly existing in the Republic of Cyprus with registration no. HE141929 and having its registered office at 131 Gladstonos street, 3032 Limassol, Cyprus and any of its subsidiaries and/or affiliated companies.
Biometric Data – Personal Data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopy data
Consent – any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her;
Data Concerning Health – Personal Data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
Data Controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Data Portability – the requirement for controllers to provide the Data Subject with a copy of his or her data in a format that allows for easy use with another controller.
Data Processor – a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the controller.
Data Protection Officer – an expert on data privacy who works independently to ensure that IMPERIO is adhering to the policies and procedures set forth in the GDPR (Contact details: Skevi Hadjichralambous at firstname.lastname@example.org)
Data Protection Committee – a committee comprising employees of IMPERIO which holds meetings once a month to report on current procedures and deficiencies observed, as well as to suggest improvements, new procedures and measures for the processing of Personal Data.
Data Subject – a natural person whose Personal Data is processed by a controller or processor
Encrypted Data – Personal Data that is protected through technological measures to ensure that the data is only accessible/readable by those with specified access
GDPR – the Regulation (EU) 2016/679 (General Data Protection Regulation)
Genetic Data – Personal Data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question
Personal Data – any information relating to a natural person whose Personal Data is processed by a controller or processor (Data Subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal Data Breach – breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
Privacy Impact Assessment – a methodological tool used to identify and reduce the privacy risks of entities by analysing the Personal Data that are processed and the policies in place to protect the data
Processing – any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Profiling – any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Recipient – a natural or legal person, public authority, agency or another body, to which the Personal Data are disclosed, whether a third party or not. However, public authorities which may receive Personal Data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
Regulation – a binding legislative act that must be applied in its entirety across the Union
Supervisory Authority – Commissioner of Personal Data Protection – Address: 1 Iasonos str., 1082 Nicosia, P.O.Box 23378, 1682 Nicosia – Tel: +357 22818456, Fax: +357 22304565 – Email: email@example.com.
This policy describes how Personal Data is collected, handled, and stored to meet the Company’s data protection standard and to comply with GDPR. This Policy ensures that IMPERIO:
IMPERIO may supplement or amend this Policy by additional policies and guidelines from time to time. Any new or modified policy is circulated to staff before being adopted. IMPERIO is responsible for ensuring compliance with the GDPR requirements outlined in this Policy. Non-compliance may expose IMPERIO to complaints, regulatory action, fines and/or reputational damage.
The allocation of responsibility to key managerial positions is as follows:
Management – IMPERIO’s management is ultimately responsible for ensuring that the Company meets its legal obligations.
Data Protection Officer – The Data Protection Officer (DPO) is responsible for:
IMPERIO has adopted the following principles to govern its collection, use, retention, transfer, disclosure and destruction of Personal Data:
IMPERIO processes Personal Data fairly, lawfully and in a transparent manner in accordance with Data Subjects’ rights.
This means that IMPERIO informs Data Subjects about what processing will be carried out (transparency), ensures the processing matches the description given to the Data Subject (fairness), and requires the processing to be for one of the purposes specified in the GDPR (lawfulness).
IMPERIO ensures that any Personal Data it processes is accurate, adequate, relevant and not excessive, given the purpose for which it was obtained. IMPERIO processes Personal Data obtained for a specific purpose and does not process these data for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this.
Individuals may ask IMPERIO to correct inaccurate Personal Data relating to them. If employees believe that Personal Data are inaccurate, they record the fact that the accuracy of the information is disputed and inform the DPO accordingly.
Personal Data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. IMPERIO does not store any Personal Data beyond what is strictly required.
IMPERIO keeps Personal Data secure against loss or misuse. In case of data processing assignment to external parties, the DPO establishes what, if any, additional specific data security arrangements need to be implemented in contracts with the aforementioned parties.
IMPERIO uses Personal Data of its contacts for the following broad purposes:
The following general principles apply:
Data Sources: Personal Data are collected from a data subject if one of the following conditions applies:
Where it has been determined that notification to a Data Subject is required, a privacy notice is given promptly. Where a need exists to request and receive the consent (as described immediately below) of an individual prior to the collection, use or disclosure of their Personal Data, IMPERIO is committed to seeking such consent.
In certain cases, IMPERIO may collect Personal Data under the Data Subject’s consent. The Data Subject retains the right to revoke this consent at any time.
The DPO, in cooperation with the IT Department, has established a system for obtaining and documenting data subject consent for the collection, processing and/or transferring of their Personal Data. The system includes provisions for:
IMPERIO does not process Personal Data unless it has identified a lawful basis for the processing, i.e. provided that at least one of the following requirements is met:
IMPERIO ensures that any use of Personal Data is justified using at least one of the conditions for processing, and this is specifically documented. All staff who are responsible for processing Personal Data are aware of the conditions for processing. The conditions for processing are available to Data Subjects in the form of a privacy notice. Data are processed by the Company on a fair basis and data subjects are duly informed about such uses. IMPERIO provides ‘privacy notices’ to deliver explanations to individuals when information is collected about them – in effect stating, ‘how we use your data’.
The privacy notice is supplied to the individual at the time they provide IMPERIO with their Personal Data. IMPERIO, according to GDPR principles, provides information to individuals which is:
IMPERIO processes special categories of data (also known as sensitive data) only under specific and limited circumstances, especially in relation to health data of employees, which are processed for the purpose of discharging obligations under employment, social security or social protection law. IMPERIO may also process Personal Data such as clients’ criminal records for the purpose of property and client management.
IMPERIO, in accordance with GDPR requirements, minimises the retention of Personal Data: data are kept in a form that permits identification for no longer than necessary for the purposes for which the data are collected or processed.
IMPERIO retains Personal Data for no longer than is necessary. What is necessary depends on the circumstances of each case, taking into account the reasons that the Personal Data were obtained. IMPERIO’s obligation regarding data retention arises from local laws or regulations or from contracts with employees, external parties, agents and other providers.
The Company’s Personal Data retention policy dictates that Personal Data should be kept for no longer than reasonably necessary pursuant to the legal basis for the processing. Therefore, the largest volume of your Personal Data shall be retained for a period equal to the duration of your employment contract.
However, basic details of your employment relationship may need to be retained for a period after the termination of your employment contract, either to meet certain obligations imposed by law, or to serve needs of prudent management, or to establish, exercise or support our legal claims.
More specifically, data are retained in order to protect IMPERIO’s interests, preserve evidence and generally conform to good business practices, for such period as IMPERIO sees fit. Reasons for data retention include:
The record retention schedule is as follows:
Record Type – Retention Period
Accounting and Finance – 12 years
Contracts – Execution + 5 years
Electronic mail – 12 years
Insurance records – 7 years
Legal files and papers – 10 years
Payroll documents – Termination + 12 years
Personnel records – Termination + 12 years
Tax records – 7 years
Prospective clients’ records – 18 months
The retention period has been defined for all data categories needed. When the retention period is over, IMPERIO destroys the respective documents.
Each head of the department and the Data Protection Committee are responsible for enforcing the retention, archiving and destruction of documents and communicating these periods to the relevant personnel. Also, each head of the department and the Data Protection Committee are responsible for submitting exception requests to the process and receiving legal advice if necessary.
Physical or technical destruction is considered sufficient when the information contained in the document becomes irretrievable.
Exceptions to all the above are requested by the head of the department and/or the Data Protection Committee and approved by the Management.
If any information retained under this policy is stored in an encrypted format, IMPERIO takes appropriate measures to secure storage of the encryption keys. Encryption keys are retained as long as the data that the keys decrypt is retained.
IMPERIO adopts physical, technical, and organisational measures to ensure the security of Personal Data. This includes the prevention of loss or damage, unauthorised alteration, access or processing, and other risks to which it is exposed by virtue of human action or the physical or natural environment.
The minimum set of security measures which has been adopted by IMPERIO is provided in the IMPERIO Data Protection Manual. Some high-level points of the Personal Data related security measures are provided below:
11 Data Subject Requests Procedure – Protect Individual Rights
This procedure deals with the rights under GDPR whereby an individual can request access to their Personal Data. Data Subjects have access rights to their personal information irrespective of when the record was created. To exercise this right, an individual submits a written “Data subject’s request form” for information.
IMPERIO establishes a system to enable and facilitate the exercise of Data Subject rights related to:
Data Subject’s access requests can be made by:
This procedure applies to all requests for access to Personal Data held by IMPERIO.
All individuals whose Personal Data are held by the Company are entitled to:
If an individual contacts IMPERIO requesting this information, this is called a subject access request.
Subject access requests from individuals are made by email or via the web-based “Data subject’s request form”, addressed to the DPO, who logs each request as it is received. The DPO can provide a standard request form, although individuals do not have to use this.
The DPO aims to provide the relevant Personal Data within 30 days of the receipt of the written request from the Data Subject.
The DPO always verifies the identity of anyone making a subject request before handing over any information. The DPO must be confident that the requestor is authorised to receive the information, whether this is the individual, a legal guardian or a law enforcement agent with appropriate jurisdiction. The DPO/designated individual records details of the identification check, along with the request, in the “Data Subject Request Log”.
This log is kept by IMPERIO of all requests for information under GDPR. This log is controlled and managed by the DPO. It includes a record of requests, actions and the employee who executed the request. This log also evidences a chain of responsibility in the event of a problematic handling of requests.
Any staff member who receives a request for information which they believe to be a request for data under the GDPR immediately forwards the request to the DPO.
The “Data subject’s request form” contains sufficient information to enable the DPO to locate the information requested as well as a copy of an identification document. The DPO checks that the “Data subject’s request form” fulfils the following criteria:
Data Subjects shall have the right to require IMPERIO to correct or supplement erroneous, misleading, outdated, or incomplete Personal Data. Once identification of the requestor has been confirmed, data on the individual is to be updated. IMPERIO confirms to the requestor, by email, that an update has occurred in line with information provided unless this proves impossible or involves disproportionate effort. The request is recorded in the Data Subject request log.
A Data Subject may request that any information held on them is deleted or removed, and any third parties who process or use that data must also comply with the request. An erasure request can only be refused if an exemption applies.
IMPERIO is obligated to erase Personal Data where one of the following applies:
If the request to erase Personal Data has been received, identity has been confirmed, the request meets one of the above requirements and there is no legal contrary reason for processing, IMPERIO deletes the relevant data in its entirety. The request is recorded in the Data Subject request log.
Key steps in erasing data:
If IMPERIO cannot delete Personal Data, IMPERIO ensures that it:
The data subject has the right to object at any time to processing of Personal Data when:
In determining whether or not to approve an objection, IMPERIO considers whether or not there are compelling legitimate grounds for continued processing. To continue processing, those grounds must override the rights and freedoms of the Data Subject or be necessary for the establishment, exercise or defense of legal claims.
When such grounds do not exist, the processing must cease immediately.
Data Subjects have the right not to be subject to a decision based solely on automated processing. An exception applies where it is necessary for entering into a contract between the Data Subject and the Company.
Upon request and provided that the relevant requirements stipulated in Article 20 of GDPR are met, a Data Subject has the right to receive a copy of their data in a structured format. These requests are processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals. A Data Subject may also request that their data are transferred directly to another system. In this case, the transfer of the data is done for free.
If IMPERIO cannot respond fully to the request within 30 days, the DPO nevertheless provides the following information to the Data Subject, or their authorized legal representative within the specified time:
IMPERIO transfers Personal Data to, or allows access by, third parties when it is assured that the information is processed legitimately and protected appropriately by the recipient. Where third party processing takes place, IMPERIO first identifies if, under applicable law, the third party is considered a Data Controller or a Data Processor of the Personal Data being transferred.
Where the third party is deemed to be a Data Controller, IMPERIO enters into, in cooperation with the DPO, an appropriate agreement with the Data Controller to clarify each party’s responsibilities in respect to the Personal Data transferred.
Where the third party is deemed to be a Data Processor, IMPERIO enters into, in cooperation with the DPO, an adequate processing agreement with the Data Processor. The agreement requires the Data Processor to protect the Personal Data from further disclosure and to only process Personal Data in compliance with IMPERIO instructions. In addition, the agreement requires the Data Processor to implement appropriate technical and organizational measures to protect the Personal Data as well as procedures for providing notification of Personal Data breaches.
The DPO conducts regular audits of processing of Personal Data performed by third parties, especially in respect of technical and organizational measures they have in place. Any major deficiencies identified are reported to and monitored by the IMPERIO management team.
13 Reporting Breaches
Any employee who suspects that a Personal Data breach has occurred due to the theft or exposure of Personal Data must immediately notify the DPO, providing a description of what occurred. All members of staff are also obliged to report actual or potential data protection compliance failures. This allows us to:
Notification of the incident can be sent to firstname.lastname@example.org.
The DPO investigates all reported incidents to confirm whether or not a Personal Data breach has occurred. If a Personal Data breach is confirmed, the DPO follows the relevant authorised procedure based on the criticality and quantity of the Personal Data involved.
A data processing agreement is needed when:
By having an agreement in place with the required terms, IMPERIO:
The agreement sets out what the Processor is expected to do with the Personal Data.
The agreement includes the following details about the processing:
All staff receive training on this policy. New joiners receive training as part of the induction process. Further training is provided at least every two years or whenever there is a substantial change in the law or in our policy and procedure. Completion of training is compulsory.
Training is provided through an in-house seminar or by external providers with appropriate experience.
It covers at the minimum the following elements:
To confirm that an adequate level of compliance is being achieved by IMPERIO, the DPO carries out an annual data protection compliance audit for IMPERIO. Each audit, as a minimum, assesses compliance with policy in relation to the protection of Personal Data, including:
The DPO, in cooperation with key business stakeholders, devises a plan with a schedule for correcting any identified deficiencies within a defined and reasonable time frame. Any major deficiencies identified are reported to and monitored by the IMPERIO management team.