HemaFAIR Data Privacy Policy

We have certain responsibilities we need to uphold in accordance with data protection laws. This Privacy Notice explains how and why the Cyprus Institute of Neurology and Genetics (“we”), as the HemaFAIR (Fostering F.A.I.R. Data and Standards in Rare Hematological Diseases, EC GA no. 101159589) Project Coordinator, processes personal data and what we do with it, the conditions under which we can at times disclose it to others and how we keep it secure. It also explains how we comply with the applicable data protection law(s), especially with the European General Data Protection Regulation 2016/679 (“GDPR”).

Who we are?

The Cyprus Institute of Neurology & Genetics (CING) is a private, non-profit, bi-communal, medical, research and academic center. The CING has its campus in Nicosia. CING as the Data Controller:

CING the Coordinator is the Data Controller as we determine the means and/or purposes of the processing of the personal data held by us. The personal data stored and processed within the Cyprus Institute of Neurology and Genetics follows the current policy.

The GDPR governs how we must ensure the safety and security of the data that we process about any data subject. The first principle of the Regulation is that the subjects’ personal data must be processed fairly and transparently. We have an obligation to let all data subjects know how we will take care of the data we hold about them and what we will use it for.

Why do we collect and use personal data?

CING, as the Coordinator of HemaFAIR, endeavors to enhance the innovative potential of Cyprus and promote scientific excellence through a European network. Bringing together top experts in rare haematological diseases (RHDs), biomedical informatics, ethics and regulatory issues, and patient-centred research, HemaFAIR aims to implement FAIR (Findable, Accessible, Interoperable, Reusable) principles to improve research and data in rare haematological diseases. As a reference centre for most rare diseases in Cyprus, CING seeks to elevate the scientific profile and competitiveness of Cyprus, while also strengthening research management and administrative skills. 

In order to achieve the above research initiatives, we collect and use personal data under the following lawful bases:

For HemaFAIR training activity attendees:

We might need to retain information on HemaFAIR participants who have provided consent to conduct survey data analysis.

We might need to contact them to inform regarding HemaFAIR activities if they provided consent to be contacted for updates and future events.

The personal data that we process for this purpose may include:

For HemaFAIR partners:

We might need to retain information on HemaFAIR partners staff who have provided consent, to conduct survey data analysis.

We might need to contact them to inform them regarding HemaFAIR activities and upcoming deliverable deadlines.

We may need to handle participants’ information for reporting to the European Commission.

We might also process images captured during HemaFAIR events for promotional purposes, after obtaining consent from participants.

The personal data that we process for this purpose may include:

For research program participants:

For survey participants:

How long are personal data retained?

We will hold the data for the duration of the project you have agreed for us to process them. Data subjects may withdraw their consent at any given time. Any personal data collected under the lawful basis of the consent will be deleted when and if the data subject withdraws his/her consent.

Any personal data collected because of a legal obligation will be retained for the period determined by the obligation itself.

Any personal data collected for any other reason will be retained only for the necessary period based on the purpose the data has been provided and not for any longer period.

We have set out an extensive policy as to the retention period of specific data. We regularly review the retention periods of personal data, and we will securely destroy data in line with our retention policy using secure and appropriate methods.

If you require more information, you may contact our Data Protection Officer through the email dpo@cing.ac.cy or our offices at +357 22392821, +357 22392725.

 

 

Who do we share personal data with?

We may transfer some of the personal data that we hold to financial institutions and/or auditors and/or legal representatives to execute payments or take other actions in order to execute a contract or to be in accordance with the Law.

In any event that we would be required to share personal data with third parties, we will ensure that we will comply with the provisions of the GDPR and ensure appropriate safeguards are in place. We will provide only the minimum amount of personal data necessary to fulfil the purpose for which we are required to share the data. We also take care to ensure that the third party is compliant with the provisions of the GDPR before sharing any personal data with them.

We do not share personal data about anyone without the necessary consent unless the law allows us to do so. Data subjects have the right to refuse/withdraw consent to personal data sharing at any time. Any possible consequences from such refusal will be fully explained to the data subjects which could include delays in receiving care.

Do we transfer your data internationally?

At times we may share personal data with third parties situated within the EU or even outside the EU. In any event that we should be required to share personal data with third parties within the EU or with countries outside the EU for which there is an adequacy decision by the European Commission, apart from the Public Authorities, we ensure that a Data Processing Agreement is in place. Such a Data Processing Agreement establishes the rules of such transfer and the security and privacy of the personal data being processed in compliance with the data protection laws of the concerned countries. We will only provide the minimum amount of personal data necessary to fulfil the purpose of which we are required to share the data.

In the event that we should share personal data with third parties within the countries outside the EU for which there is no adequacy decision as approved by the European Commission, we ensure that a signed set of Standard Contractual Clauses (SCC) accompanies our Data Processing Agreement between us and them or other appropriate safeguards will be determined in line with the law before initiating a transfer of data.  

Data subject rights:

As a Data subject you have a number of rights in relation to the processing of your personal data, which you can exercise under certain circumstances. These rights are:

Data subjects can exercise anyone and all of their rights by submitting a Data Subject Request form to:

  1. The Cyprus Institute of Neurology and Genetics P.O.Box 23462 1683 Nicosia For the attention of the Data Protection Officer.

Or

  1. By e-mail at: dpo@cing.ac.cy.

Or

  1. By fax at: +357 22358238 (for the attention of the Data Protection Officer)

Data Subject Request forms are available through the CING website or through the CING’s General Administration office. You may also file your request via a free form email at dpo@cing.ac.cy

For any concerns/complaints on the way that the CING is processing personal data, interested parties are urged to contact the CING General Administration office. Complaints can be also submitted directly to the office of the Commissioner for the Protection of Personal Data. Complaint forms for the office of the Commissioner are available through the web site: www.dataprotection.gov.cy.

If you need assistance with filing any Rights Request form, or for any other relevant queries, please contact us at +357 22392821 or +357 22392725.

This Privacy Notice may be updated to reflect changes to internal processes or legislative requirements at any time.