1 When the Company acts as a Controller
1.1 Your Personal Data
We will not obtain personally identifiable information about you when you visit our website. However, in your interactions with S. KANIKLIDES (CYPRUS) LIMITED, you may choose to provide such personal data as your name and contact details, your professional title, and other information that identifies or can identify you. The personal data that you provide will be used only for such purposes as are described or evident at the point of collection, for example, to respond to your questions or comments or to help you liaise with an S. KANIKLIDES (CYPRUS) LIMITED member.
1.3 Principles Relating to Processing of Personal Data
The company ensures compliance with the fundamental principles of GDPR.
Specifically, the principles with which S. KANIKLIDES (CYPRUS) LIMITED ensures compliance relate to:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation (retention)
- Integrity and confidentiality (security)
1.4 How Long We Retain Personal Data
We will retain your personal data for as long as it is necessary to fulfil the purposes for which it was collected, or for any period that is required by a compelling legal obligation.
It is important that all Personal Data we maintain on you remains accurate and current at all times; therefore, keep us informed if any of your Personal Data changes during your relationship with us.
1.5 Lawfulness of Processing
There are six alternative ways in which the lawfulness of a specific case of processing of personal data may be established under the GDPR. It is company policy to identify the appropriate legal basis for each processing activity and to document it. The options are as follows:
- Performance of a Contract
- Legal Obligation
- Vital Interests of the Data Subject
- Task Carried Out in the Public Interest
- Legitimate Interests
1.6 The Rights of Individuals
The rights of data subjects are supported by appropriate procedures for taking the required actions within the time limits set out in the General Data Protection Regulation.
The rights of the Data Subjects:
- Right to basic information
- Right of access
- Right of rectification
- Right to erasure (the “right to be forgotten”)
- Right to restrict processing
- Right of data portability
- Right to object to processing
- Right to object to automated processing, including profiling
1.7 Data Protection Officer
A Data Protection Officer (DPO) has been appointed by the company. For any clarifications, do not hesitate to contact email@example.com.
2 When the Company acts as a Processor
As part of the provision of Secure Digitisation, Storage and Destruction services of Client archives (“Services”) by the Company to its Clients, the Company assumes the responsibilities of a “Processor” and its Clients assume responsibilities as “Controllers” in the context of processing personal data for the provision of the aforementioned services. The obligations of “Controllers” and “Processors” in respect to the processing of personal data are set out in the GDPR (General Data Protection Regulation 2016/679) and the Law 125(I)/2018 (“Law providing for the Protection of Natural Persons with regard to the Processing of Personal Data and for the Free Movement of such Data of 2018”) of the Cyprus government.
The Company, in the provision of the Services to its Clients, processes personal data which are initially collected from natural persons by its Clients; the Clients transfer the personal data to the Company for the provision of the Services. The Company processes the aforementioned data for the sole purpose of providing the Services to its Clients. The Company will not further process the data for any other purpose which is not related to the provision of the Services set out in the Service Agreements established between the Company and its Clients, including the transfer of the said data to Third Countries.
During the provision of the aforementioned Services, we may generate additional data based on the personal data provided by our Clients and which are required for the provision of the Services. Such data will be retained for as long as it is necessary to fulfil our contractual obligations with our Client, or may be retained for longer periods where required by a compelling legal obligation. We will permanently delete or securely dispose of such data once the purpose for processing has been fulfilled.
Acting as a Processor for the provision of the Services, the Company has implemented ISO 27001 Information Security controls and adopted the Trust Services Criteria 2017 issued by the AICPA, which are required for SOC II Certifications. The Company maintains certifications issued by independent organisations which can be considered by its Clients as a means for the Company to provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing of Client Archives will meet the requirements of the GDPR and Law 125(I)/2018 and ensure the protection of the rights of the data subjects. Irrespective of the types of individual elements of data contained in the client archives (i.e. general purpose or special categories of data), the Company classifies the entirety of such archives as “Confidential” and applies the analogous data protection measures.
All processing activities by S. KANIKLIDES (CYPRUS) LIMITED shall be governed and limited by a contract with the controller which sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, retention schedules and the obligations and rights of the controller.
Specifically, and in respect to the provision of Services to its Clients the Company:
- establishes binding legal agreements for the provision of the services and those agreements define the rights and obligations of the contracting parties
- processes the personal data only on documented instructions from its Clients
- ensures that employees and contractors authorised to process the personal data, in any way, have committed themselves to protecting the confidentiality of client data
- implements appropriate technical and organisational measures to ensure the security of Client data
- delegates responsibility to sub-processors under the same terms concerning the protection of personal data as those set out in the principal agreement between the Company and the Client.
- provides support to its Clients for the fulfilment of Data Subject Requests (DSRs), which the Client assumes responsibility to fulfil. Such support shall be provided within 7 calendar days from the date the request for the provision of support for the fulfilment of the DSR has been received by the Company. DSR support requests, in order to be processed, must be communicated to the company via email to firstname.lastname@example.org. Such support may incur additional costs which must be pre-agreed before the support can be provided.
- provides support to its clients to fulfil their obligations pursuant to Articles 32 to 36. Such requests should be adequately documented and communicated via email to email@example.com.
- communicates data breaches to its Clients as soon as the Company becomes aware and supports its Clients in the investigation of a relevant data breach.
- deletes or returns all the personal data to its Clients after the end of the provision of services relating to processing and deletes existing copies, unless Union or Cyprus law requires storage of the personal data. This is provided only upon a written instruction of its Clients to the Company, which must be communicated via email to firstname.lastname@example.org. Such support may incur additional costs which must be pre-agreed before the support can be provided.
- provides SOC II attestation reports to demonstrate compliance with the aforementioned obligations. Requests for on-the-spot audits will be accepted only when the SOC II report does not cover the commitments of the Company to the Client as established by the relevant Service Agreement.
3 Business Continuity
S. KANIKLIDES (CYPRUS) LIMITED has adopted Business Continuity Policies and Procedures (the “Plan”) which are designed to respond to a Significant Business Disruption (SBD). The Plan will be updated as necessary and will be reviewed annually.
The Plan addresses how Kaniklides will handle disruptive events of varying scope (e.g., an internal business disruption, an external business disruption, an Event during business hours, and an Event during non-business hours). The Plan includes backup systems for critical data and operations, as well as for critical employees. The Plan is designed to continue business operations if an SBD should occur.
Last Updated 18 March 2020