Personal Data Protection Policy of the Office of the Financial Commissioner

1. Introduction

1.1. The protection of natural persons against the processing of personal data is a right of the highest value. According to paragraph 1 of article 8 of the Charter of Fundamental Rights of the European Union (“Charter”) and paragraph 1 of article 16 of the Treaty on the Functioning of the European Union (“TFEU”), every person has the right to the protection of personal data concerning him.

1.2. On 05/25/2018, the General Data Protection Regulation 2016/679 came into force. The aim of this Regulation (hereinafter the “Regulation” and widely known as the General Data Protection Regulation – “GDPR”) was to tighten the framework for the protection of natural persons against the processing of personal data and the free flow of such data.

1.3. The establishment of this Policy aims to fulfill the Office’s obligation, which derives from Article 13 of the Regulation, to provide information to citizens on how it uses the data it collects/maintains, in its capacity and role as data controller.

2. Terms

2.1. In the Regulation, the following terms are interpreted as follows:

“personal data” (hereinafter “PD”) is any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one whose identity can be ascertained, directly or indirectly, in particular by reference to an identifier such as a name, an identity number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of the natural person in question.

“processing” is any act or series of acts carried out with or without the use of automated means, on personal data or sets of personal data, such as the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, retrieval of information, use, disclosure by transmission, dissemination or any other form of disposal, association or combination, limitation, deletion or destruction of personal data.

“Data Controller” is any natural or legal person, public authority, agency or other entity that, alone or jointly with others, determines the purposes and manner of processing personal data.

“Processor” is any natural or legal person, public authority, agency or other entity that processes personal data on behalf of the controller.

“Data Subject” (hereinafter “DS”) is the natural person to whom the data refer and whose identity is known or can be ascertained, directly or indirectly, based on an identity number or on the basis of specific elements characterizing his condition, from a physical, biological, mental, economic, cultural, political or social point of view.

“Recipient” is the natural or legal person, public authority, agency or other body, to which the personal data is disclosed, whether it is a third party or not. However, public authorities that may receive personal data in the context of a specific investigation in accordance with Union or Member State law are not considered as recipients; the processing of such data by said public authorities is carried out in accordance with the applicable data protection rules depending on the purposes of the processing.

“Third party” is any natural or legal person, public authority, agency or body, with the exception of the data subject, the controller, the processor and the persons who, under the direct supervision of the controller or the processor, are authorized to process the personal data.

3. Processing PD by the Office of the Financial Commissioner

3.1. The Office processes PD in the context of the execution of its duties, responsibilities and powers, as well as its legal operation and cooperation with citizens and companies/organizations of the public or private sector. It is noted that the Office has access to all PD and to all the information required for the execution of its mission and the exercise of its powers, and no type of confidentiality may be invoked against it, with the exception of attorney confidentiality.

i. Processing of data in relation to the submission of complaints/requests for restructuring

3.2. The collection and processing of PD by the Office is done in the following cases:

(a) The processing of PD is done for the purposes of examining requests and complaints submitted by DS and related to acts/omissions of financial enterprises that fall under the competence of the Financial Commissioner, in accordance with the provisions of the 2010 Law on the Establishment and Operation of the Single Body for the Out-of-Court Resolution of Financial Disputes.

(b) The Office collects the PD directly from the data subjects, from their legal representatives or from the financial enterprises.

(c) The legal basis can be derived from the provisions of article 6(1)(a), (c) and (e) of the Regulation, by virtue of which the Office processes and gains access to all the PD required for the performance of its duties.

(d) The PD that is normally collected is the name, identity and contact details of the complainant and any other personal data that the complainant may disclose. Such data are related to the complainant’s particular situation in relation to the complaint/application (e.g. financial, professional, health data, etc.), as well as PD related to the Complainant.

ii. Processing PD for the purposes of cooperation in the matters of the Office’s competences with the competent bodies of other Member States and with the competent supervisory authorities of the Republic

3.3. The processing is carried out for the purposes of cooperation in matters of the Office’s competences with the competent bodies of other member states and with the competent supervisory authorities of the Republic, in accordance with the provisions of article 24 of the Establishment and Operation of the Single Body for the Out-of-Court Resolution of Financial Disputes Law of 2010. It is noted that the Office collects PD from consumers.

3.4. The legal basis can be derived from the provisions of article 6(1)(a), (c) and (e) of the Regulation, by virtue of which the Office processes and obtains access to all the PD required for the performance of its duties and in the public interest/exercise of public authority.

3.5. The PD, which are generally collected, are the following:

– Identification data,
– Contact details,
– Data for the processing of the consumer’s complaint.

iii. Processing PD for record keeping purposes

3.6. The processing of PD is done for the purposes of maintaining the Special Register of Mediators and the Special Register of Approved Financial Complaint Analysts, in accordance with the provisions of article 9(1)(k) of the Law of 2010 on the Establishment and Operation of the Single Body for the Out-of-Court Resolution of Financial Disputes. The Office collects PD from financial analysts and intermediaries, who wish to be registered in said registers.

3.7. The legal basis can be derived from the provisions of article 6(1)(a) of the Regulation, by virtue of which the DS has consented to the processing of their personal data for one or more specific purposes.

3.8. The PD, which are generally collected, are the following:

– Identification data,
– Contact details,
– Details of degrees and qualifications.

4. Data Recipients

4.1. The PD are, as a rule, not shared or passed on to third parties. In some cases, however, the Office has the obligation to communicate the data of the subjects to third parties, in the context of the execution of its duties, powers and responsibilities. For example, it may be necessary for the Office to share PD with other public Authorities or counterpart supervisory authorities, or with Judicial Authorities, Law Enforcement Authorities and the Legal Service. It is clarified that this may only be done if required by law, or in the context of legal proceedings, or when handling complaints, requests or audits.

4.2. It is also noted that there may be an exchange of information with an expert who provides services to the Office, in the context of the execution of his duties under his contract.

4.3. It is further noted that, when an audit is carried out by the Auditor General of the Republic or by other external partners of the Agency, the same obligations, with regard to the protection of PD, are imposed through the terms of the relevant contract on the authorized partners as well. This is done in order to provide sufficient assurances for the implementation of appropriate technical and organizational measures, so that the processing meets the requirements of the Regulation.

5. PD Retention Period

5.1. The retention of PD by the Office is decided according to each intended purpose and is determined on the basis of the retention policy of said data. To determine the time period under discussion, the obligations imposed by national or EU legislation are taken into account, as well as the provisions of the State Archive Law N. 208/1991. In addition, the data are retained taking into account other rules or relevant circulars of the Department of Public Administration and Personnel, following prior consultation with the Office.

6. Rights of DS

6.1. Pursuant to the applicable legislation and always respecting the limitations set by the legal basis of the processing in each case, DS have the following rights:

Right of access

6.1.1. DS have the right to request information on the processing of PD by the Office, as well as copies of documents containing their own PD. They may also be informed, among other things, of the purposes of the processing, the categories of the data, their retention time, the recipients, as well as their origin.

Right of correction

6.1.2. The DS have the right to request the correction/updating/completion of inaccurate PD relating to them.

Right to erasure

6.1.3. DS have the right to deletion of their PD, which will be satisfied under the conditions of article 17 of the Regulation, such as, for example, if there is no legal obligation to retain them.

Right to restriction of processing

6.1.4. DS have the right to request restriction of processing, in the following cases:

(a) when the accuracy of the personal data is disputed and pending verification;

(b) when they object to the deletion of personal data and request instead of deletion the restriction of their use;

(c) when the personal data are not needed for the purposes of the processing, but are nevertheless necessary for the establishment, exercise or support of legal claims; and

(d) when they object to the processing and until it is verified that there are legitimate reasons that override the reasons for which they object to the processing.

Right of Disclosure

6.1.5. The Data Controller informs each recipient, to whom their personal data was legally disclosed, of any correction or deletion of data or restriction of processing. It also informs the data subject accordingly.

Right to portability

6.1.6. The above right is only valid if the Office processes the PD based on the consent of the DS or for the purpose of concluding or executing a contract. It is noted that the processing is automated and concerns only the PD that have been granted by the DS themselves. In such a case, the DS have the right to receive, free of charge, the PD relating to them in a structured, commonly used and machine-readable format or to request, if technically feasible, that the Office transmit the data directly to another data controller.

Right to Object

6.1.7. The DS have the right to object to the processing of the personal data concerning them, which is based on the public interest / exercise of public authority or the legal interest, for reasons related to their particular situation. In this case, the processing of the personal data concerning them stops, unless:

– there are compelling and legitimate reasons for the processing, which override the interests, rights and freedoms of the DS, or
– the processing is necessary to establish, exercise or support legal claims.

7. Data Controller

7.1. For any processing of personal data carried out in the context of any possible interaction you may have with the Office, the Data Controller is the OFFICE OF THE FINANCIAL COMMISSIONER.

7.2. The contact details of the Office are as follows:

– Address: 15 Kypranoros, 1061 Nicosia
– Phone: +357 22848919
– Fax: +357 22660118
– Email: dataprotection@financialombudsman.gov.cy

8. Data Protection Officer (DPO)

8.1. To exercise the rights of the DS, as well as for any issue related to the processing of personal data by the Office, you can contact the Data Protection Officer (DPO) of the Office at the email address dataprotection@financialombudsman.gov.cy or at the postal address of the Office, 15 Kypranoros Street, 1061 Nicosia, for the attention of the Data Protection Officer.

8.2. It is understood that the Office will make every effort to respond to each request, without delay, and in any case within one month of receiving the request. It is noted that, in exceptional cases, the deadline in question may reasonably be extended, taking into account the complexity of the request and/or the number of requests.

9. Payment of Fee

9.1. DS are not required to pay any fee for the exercise of their rights. However, a reasonable fee may be imposed if their request for access is determined by the Office to be clearly unfounded, abusive or excessive.

This Privacy Policy was last revised in October 2023.