1. Introduction
The protection of individuals with regard to the processing of personal data is a right of the highest value. Article 8(1) of the Charter of Fundamental Rights of the European Union ('the Charter') and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) ensure that everyone has the right to the protection of personal data concerning them.
On 25.05.2018, the General Data Protection Regulation 2016/679 entered into force, tightening the framework for the protection of natural persons with regard to the processing of personal data and for the free movement of such data (hereinafter the "Regulation", widely known as the General Data Protection Regulation, "GDPR").
This Policy was established to fulfil the Authority's obligation under Article 13 of the Regulation to provide citizens with information on how it uses the data it collects and maintains, in its capacity and role as controller.
2. Terms
According to the interpretation of the Rules of Procedure:
"personal data" (hereinafter referred to as "PD") means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
"processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, association or combination, restriction, erasure or destruction of personal data;
"Controller" is any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
"Processor" means any natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
"Data Subject" (hereinafter referred to as "DS") means the natural person to whom the data refer and whose identity is known or can be identified, directly or indirectly, on the basis of an identification number or on the basis of specific elements characterising his or her physical, physiological, mental, economic, cultural, political or social identity.
"Recipient" means the natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the context of a specific investigation in accordance with Union or Member State law shall not be considered as recipients; the processing of such data by those public authorities is carried out in accordance with the applicable data protection rules depending on the purposes of the processing;
"Third party" means any natural or legal person, public authority, agency or body, with the exception of the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
The Authority processes personal data in the context of the performance of its duties, responsibilities and powers, its legal operation and its cooperation with citizens and companies / organizations of the public or private sector. The Authority shall have access to all personal data and to all information required for the performance of its mission and the exercise of its powers, without any kind of confidentiality being invoked against it, with the exception only of legal privilege.
3. The Authority collects and processes personal data in accordance with the responsibilities given to it by the Auditors Law of 2017 (N53(I)2017):
Data processing during audits
It concerns the fulfillment of supervisory duties of the Authority in order to monitor and enforce the implementation of the Law, the assessment of the level of compliance of the various entities with the Law, the recording of the procedures applied and the monitoring of the corrective measures applied. The Authority collects personal data from Data Controllers, processors and third parties such as the Department of the Registrar of Companies and Intellectual Property.
The legal basis can be derived from the provisions of Article 6(1)(c) and (e) of the Regulation, pursuant to which the Authority processes and gains access to all personal data required for the performance of its duties, and in the public interest / exercise of Public authority. The relevant duty of the Authority derives from Part III of the Law.
The personal data that are usually collected are: Name, position, contact details, as well as information concerning the employees of the audited entities, name and contact details of partners, customers or their employees.
In the context of the audit, any personal data of data subjects related to the entity under examination and/or personal data held by the audited entity may be collected to check the lawfulness of the processing carried out.
Keeping the Register of Auditors
The purpose is the maintenance by the Authority of a Register of Statutory Auditors in order to apply the Law. The Authority collects personal data directly from the Data Protection Officers or from their employer (controller / processor).
The legal basis can be derived from the provisions of Article 6(1)(c) and (e) of the Regulation, pursuant to which the Authority processes and gains access to all personal data required for the performance of its duties, and in the public interest / exercise of Public Authority. This duty derives from Part VIII of the Law.
The personal data that are usually collected are: Name, address, registration number.
Processing of Personal Data for the purposes of Tenders
The processing is done for the purpose of conducting tenders in accordance with the Regulation of Public Procurement Procedures and Related Matters Law of 2016 and for keeping a relevant record. The Authority collects personal data from bidders for the purposes of awarding the Tender, awarding and implementing the contract, detecting any violations and for transparency purposes.
The legal basis can be derived from the provisions of Article 6(1)(c) and (e) of the Regulation, pursuant to which the Authority processes and gains access to all personal data required for the performance of its duties and in the public interest / exercise of Public Authority. This duty derives from the Regulation of Public Procurement Procedures and Related Matters Law of 2016, as amended.
The personal data that are usually collected are: Identification data, contact details, CVs of employees of the bidder.
4. Data recipients
As a rule, no data is shared or transmitted to third parties. In certain cases, however, the Authority has the obligation to disclose data of data subjects to third parties in the performance of its tasks, powers and responsibilities. For example, it may be necessary for the Authority to share personal data with other public authorities or supervisory counterparts, or Judicial Authorities, Law Enforcement Authorities and Legal Service if required by law or in the context of judicial proceedings, or when handling complaints, requests or audits. There may also be an exchange of information with an expert who provides services to the Authority, in the context of the performance of his duties under contract and in accordance with Article 25 of the Auditors Law of 2017 (N53(I)2017).
Also, when, on a case-by-case basis, the Authority assigns to its associates the conduct of audits and/or the maintenance of the register on its behalf, the same obligations regarding the protection of personal data are imposed on authorized partners through the terms of the relevant contract, in order to provide sufficient assurances for the implementation of appropriate technical and organizational measures, so that the processing meets the requirements of the Regulation and the Law.
5. Personal Data Retention Period
The retention period of personal data by the Authority is decided according to each intended purpose and is determined in the data retention policy. For the determination of the time period, obligations imposed by national or EU legislation as well as the provisions of the State Archive Law N. 208/1991 and other rules or relevant circulars are taken into account.
6. Data Subjects’ rights
Under current law, Data Subjects have the following rights, always subject to the limitations set by the respective legal basis of processing:
6.1 Right of access
Data Subjects have the right to request information on the processing of personal data by the Authority as well as copies of documents containing their personal data. They may be informed, inter alia, about the purposes of processing, the categories of data, their retention time, the recipients as well as their origin.
6.2 Right to rectification
Data Subjects have the right to request the correction / update / completion of inaccurate PD concerning them.
6.3 Right to erasure
Data Subjects have the right to request the erasure of their PD; the request will be satisfied under the conditions of Article 17 of the Regulation, for example if there is no legal obligation to retain them.
6.4 Right to restriction of processing
Data Subjects have the right to request restriction of processing: (a) when the accuracy of personal data is disputed, until it is verified; (b) when they object to the deletion of personal data and request the restriction of their use instead of deletion; (c) when personal data are no longer needed for the purposes of processing but are necessary for the establishment, exercise or support of legal claims; and (d) when they object to processing, until it is verified whether there are legitimate reasons that override the reasons for which they object.
6.5 Right to disclosure
The Controller shall communicate any rectification or erasure of data or restriction of processing to each recipient to whom the personal data have been lawfully disclosed, and shall inform the data subject accordingly.
6.6 Right to data portability
This right applies only if the Authority processes the personal data based on the consent of the Data Subject or for the purpose of concluding or executing a contract and the processing is automated, and concerns only the personal data provided by the Data Subjects themselves. In such a case, the Data Subjects have the right to receive free of charge the personal data concerning them in a structured, commonly used and machine-readable format or to request, if technically feasible, that the Authority transmit the data directly to another controller.
6.7 Right to object
Data Subjects have the right to object, for reasons related to their particular situation, to the processing of their personal data which is based on public interest / exercise of public authority or legitimate interest. In this case, the processing of the personal data concerning them ceases, unless there are compelling legitimate reasons for the processing which override the interests, rights and freedoms of the Data Subjects, or the processing is necessary for the establishment, exercise or support of legal claims.
7. Data Controller
For any processing of personal data carried out in the context of any possible interaction with the Authority, the Data Controller is:
AUTHORITY FOR PUBLIC OVERSIGHT OF THE AUDIT PROFESSION
Address:
Leof. Makariou 56 & Dimofontos 1-3
Lamda Tower, 2nd floor
1075 Nicosia
Tel. 22 284800
Fax 22 284898
E-mail: info@cypaob.gov.cy
8. Data Protection Officer (DPO)
For the exercise of the rights of the Data Subjects, as well as for any issue related to the processing of personal data by the Authority in its capacity as controller, you may contact the Data Protection Officer (DPO) of the Authority at info@cmllc.eu or at the postal address of the Authority, to the attention of the Data Protection Officer.
It is understood that the Authority will make every effort to respond to any request without delay and in any case within one month of receipt of the request, except in exceptional cases where this deadline may reasonably be extended, taking into account the complexity of the request and/or the number of requests.
9. Payment of the fee
No fee is required for the exercise of rights by the Data Subjects.
However, a reasonable fee may be imposed if the request for access is considered by the Authority to be clearly unfounded, abusive or excessive.
10. Right to complain
Any affected natural or legal person also has the right to file a complaint with the Office of the Commissioner for Personal Data Protection at dataprotection.gov.cy or by e-mail at commissioner@dataprotection.gov.cy.
This Privacy Policy was last revised on 3/4/2024.