Last updated on 23rd of May 2018
1.Introduction
At EYAM Ltd (hereinafter “we”, “us” or “our”, the “Company”) we are committed to protect our employees’ privacy and handling their personal data in an open and transparent manner.
The purpose of this privacy policy (the “Policy”) is to provide a clear explanation of when, why and how we collect and use personal data. We have designed it to be as user friendly as possible, and have separated it in sections to make it easy for you to find the information that is most relevant to you.
The new European Union (EU) Data Protection Law, the General Data Protection Regulation (the “GDPR”), comes into effect on the 25th of May 2018. The GDPR (EU) 2016/679 gives individuals in the EU more control over how their data is used and places certain obligations on businesses that process the information of those individuals. We have updated our Privacy Policy to reflect the new requirements of the GDPR.
As part of our compliance with GDPR the personal information we hold about you must be:
1. Used lawfully, fairly and in a transparent way.
2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
3. Relevant to the purposes we have told you about and limited only to those purposes.
4. Accurate and kept up to date.
5. Kept only as long as necessary for the purposes we have told you about and kept securely.
2. Who we are
EYAM Ltd is a company registered in Cyprus under registration number HE 190933 with its registered office located at 236, Leontiou Arch. Street 1st Floor, 3020, Limassol, Cyprus licensed by the Institute of Certified Public Accountants of Cyprus (the “ICPAC”) to provide Accounting Services (Certificate number E171/G/2017) and Auditing Services (Certificate number E171/A/2017). EYAM Ltd is also providing business consulting services.
3. Who this privacy policy is directed to
This privacy policy is directed to natural persons (hereinafter our “Employees”) who are either past, current or potential employees.
4. Identity and contact details of the Data Controller and Data Protection Officer
(a) Data Controller
EYAM Ltd, a Cyprus private limited liability company, having registration number HE 190933, is the “Data Controller” pursuant to the GDPR, and related Cyprus Law, and determines how your personal data is kept and processed.
The main establishment and the central administration of the Data Controller is situated at 236, Leontiou Arch. Street 1st Floor, 3020, Limassol, Cyprus.
(b) Data Protection Officer (DPO)
We have designated a Data Protection Officer (the “DPO”), who is responsible to monitor compliance with this privacy policy as well as the applicable Laws and liaise with the Cyprus Supervisory Authority, namely the Office of the Commissioner for Personal Data Protection.
The DPO may be contacted directly with regards to all matters concerning this policy and the processing of your personal data including the enforcement of all applicable and available rights. Official requests may be made by post at 236, Leontiou Arch. Street 1st Floor, 3020, Limassol, Cyprus, or electronically at dpo@EYAM.com.cy.
5. How do we collect personal data
We collect and process different types of personal data which we receive directly from you through the application and recruitment process. Moreover, we may collect and process your personal data which we lawfully obtain that may come from other internal sources, such as your manager, or in some cases, external sources, such as former employers and employment agencies. We collect also certain data though the time recording system every time that you enter and leave our premises through your entrance card in accordance with our working hours policy in the Staff Manual. We collect also certain personal data through the submission of your timesheet every Friday in order to identify the hours spent for each client for billing purposes. We will collect additional personal information in the course of job-related activities throughout the employment period. We may also collect limited personal information relating to members of your family or a partner where this is required so that we have contact details in the event of an emergency.
6. Categories of personal data that we collect.
We collect and use several types of information, including information by which you may be personally identified and that is defined as personal data under applicable law such as your authentication data (e.g. signature), application first and last name, address, contact details (telephone, email), identification data (such as passport, driver’s license or ID), birth date, place of birth (city and country), curriculum vitae, photographs bank account details, reference letters, form, your contract of employment and any amendments to it, correspondence with or about you, for example letters to you about a pay rise or, at your request, information needed for payroll, taxation and social insurances, contact and emergency contact details, details of your qualifications, skills, experience, information about your entitlement to work in Cyprus, photographs, records of holiday and other absence, and records relating to your career history, such as training records, appraisals, other performance measures and, where appropriate, disciplinary and grievance records. Where necessary, we may process information relating to your health that you provide to us, which could include reasons for absence due to sickness and relevant documentation with Social Insurances Department in order to comply with applicable laws and regulations. This information will be used also in order to consider how your health affects your ability to do your job and whether any adjustments to your job might be appropriate. We will also need this data to administer and manage statutory and sick pay.
Should there be a need to further process the personal data for a purpose other than that for which they were initially collected, you will be informed in advance about the additional purpose and the relevant details in respect to the further processing and we will request your consent.
With your explicit consent we may collect special categories of personal data. Pursuant to the definition given by the GDPR, these data may include racial or ethnic origin, political opinions, religious or philosophical beliefs, health data, trade union membership, the processing of genetic data, biometric data, data concerning health, sex life or sexual orientation and criminal records.
Where we are processing data based on your consent, you have the right to withdraw that consent at any time. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
We need all the categories of information mentioned above to allow us to perform our contract with you and to enable us to comply with legal obligations. In some cases, we may use your personal information to pursue legitimate interests of our own as mentioned in Section 7 below provided your interests and fundamental rights do not override those interests.
You will, of course, inevitably be referred to in many company documents and records that are produced by you and your colleagues in the course of carrying out your duties and the business of the Company. You should refer to the Data Protection Policy which is available in the Company’s intranet.
7. Purposes and lawful reasons for processing personal data.
As your employer, we need to keep and process information about you for normal employment purposes. The information we hold and process will be used for our management and administrative use only and to meet our legal obligations. We will keep and use it to enable us to run the business and manage our relationship with you effectively, lawfully and appropriately, during the recruitment process, whilst you are working for us, at the time when your employment ends and after you have left. We will use information relating to leave of absence, which may include sickness absence to comply with Social Insurances Law and other laws and regulations.
In case that you fail to provide us with your personal data we may not be able to perform the contract of employment we have entered into with you, or we may be prevented from complying with our legal obligations.
In accordance with GDPR we may rely on the following lawful reasons when we collect and use personal data:
Contract: We may process personal to enable us to comply with the employment contract.
Compliance with legal obligations: We may process personal data in order to meet legal and other regulatory obligations such as the Social Insurance Law and Tax Laws.
Consent: We may rely on your freely given consent at the time you provided your personal data to us for a purpose of the process that does not relate to the above. You have the right to withdraw consent at any time. However, any processing of personal data will not be affected prior to the receipt of the withdrawal. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
Legitimate interests: We may rely on legitimate interests based on our evaluation that the processing is fair, reasonable and balanced. A legitimate interest is when we have a business or commercial reason to use our employees’ information. Instances of such processing activities can include, initiating legal claims, preparing our defense in litigation procedures, education, training and development requirements, prevention of fraud and money laundering, for administrative purposes or reporting potential crimes, for employees’ performance appraisal and career progress for payment of your salary and deducting PAYE and Social Insurance Contributions and making decisions about promotions and salary reviews.
8. Do we share personal data with third parties?
In the course of our relationship our employees and prospective employees’ personal data may be provided to various departments within our Company.
In addition, the following third parties may also be the recipients of the personal data under the certain circumstances:
• Supervisory and other regulatory and public authorities, whereby a statutory obligation exists that we are subject to.
• Financial institutions in order to facilitate payroll payments.
• External auditors in the normal course of the audit of the Company’s financial statements.
Third parties to whom we may disclose Personal Data may have their own privacy policies which describe how they use and protect Personal Data. If you want to learn more about their privacy practices, we encourage you to visit the websites of those third parties.
9. Personal data security
We have put in place appropriate technical and organizational measures including physical, electronic and procedural measures to protect personal data from loss, misuse, alteration or destruction. We restrict access to information at our offices so that only officers and/or employees who need to know the information have access to it. Those individuals who have access to the data are required to maintain the confidentiality of such information. In addition, we have trained our employees on how to handle, manage and process personal data, applied upgraded technical measures and transformed our policies and procedures in a way that will comply with the GDPR.
Please be aware that the transmission of data via the Internet is not completely secure. Users should also take care with how they handle and disclose their personal data and should avoid sending personal data through insecure email.
10. Retention of personal data
We will keep your personal data for as long as we have an employment relationship. Once our business relationship has ended, we will hold your personal data on our systems for the longest of the following periods:
a) any retention period that is required by law or regulations;
b) the end of the period in which litigation or investigations might arise in respect of the employment relationship.
11. Do we change this privacy policy?
We may modify or revise our privacy policy from time to time to reflect our current privacy practices. When we make changes to the privacy policy, we will revise the “updated” date at the top of this page. We encourage you to periodically review this Privacy Policy that can be found in the Company’s intranet.
12. Duty to inform us of changes
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your working relationship with us.
13. What are your data protection rights?
Subject to the provisions of the GDPR, you have certain rights regarding the Personal Data we collect, process or disclose and that is related to you, including the right:
• To receive access to your personal data (right to access).
• To rectify inaccurate personal data concerning you (right to data rectification);
• To request deletion / erasure of your personal data (right to erasure/deletion, “right to be forgotten”);
• To receive the Personal Data provided by you in a structured, commonly used and machine-readable format and to transmit those Personal Data to another data controller (right to data portability);
• To object to the use of your personal data where such use is based on our legitimate interests or on public interests (right to object);
• In some cases to request the restriction of processing of your personal data (right to restriction of processing);
• To withdraw the consent given to us with regard to the processing of your personal data at any time. Note that any withdrawal of consent will not affect the lawfulness of processing based on consent before it was withdrawn.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information or to exercise any of your other rights. This helps us to ensure that personal data is not disclosed to any person who has no right to receive it. No fee is required to make a request unless your request is clearly unfounded or excessive. Depending on the circumstances, we may be unable to comply with your request based on other lawful grounds. We will try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
14. How to raise a complaint
To exercise any of the above rights, or for any questions or complaints about our use of your personal data, please contact our Data Protection Officer, either by post at 6, Neoptolemou street, 1087, Nicosia, Cyprus, or electronically at dpo@EYAM.com.cy.
Complaints may also be lodged to the supervisory authority in Cyprus (Office of the Commissioner for Personal Data Protection, by post at 1, Iasonos street 1082, Nicosia, Republic of Cyprus. More information can be found at http://www.dataprotection.gov.cy.
15. Do we change this privacy policy?
We may modify or revise our privacy policy from time to time to reflect our current privacy practices. When we make changes to the privacy policy, we will revise the “updated” date at the top of this page. We encourage you to periodically review this Privacy policy that can be found at the Company’s intranet. Please be aware that this Privacy Policy does not form part of any contract of employment or other contract to provide services.