HemaFAIR Data Privacy Policy
We have certain responsibilities we need to uphold in accordance with data protection laws. This Privacy Notice explains how and why the Cyprus Institute of Neurology and Genetics (“we”), as the HemaFAIR (Fostering F.A.I.R. Data and Standards in Rare Hematological Diseases, EC GA no. 101159589) Project Coordinator, processes personal data and what we do with it, the conditions under which we can at times disclose it to others and how we keep it secure. It also explains how we comply with the applicable data protection law(s), especially with the European General Data Protection Regulation 2016/679 (“GDPR”).
Who we are?
The Cyprus Institute of Neurology & Genetics (CING) is a private, non-profit, bi-communal, medical, research and academic center. The CING has its campus in Nicosia. CING as the Data Controller:
CING the Coordinator is the Data Controller as we determine the means and/or purposes of the processing of the personal data held by us. The personal data stored and processed within the Cyprus Institute of Neurology and Genetics follows the current policy.
The GDPR governs how we must ensure the safety and security of the data that we process about any data subject. The first principle of the Regulation is that the subjects’ personal data must be processed fairly and transparently. We have an obligation to let all data subjects know how we will take care of the data we hold about them and what we will use it for.
Why do we collect and use personal data?
CING, as the Coordinator of HemaFAIR, endeavors to enhance the innovative potential of Cyprus and promote scientific excellence through a European network. Bringing together top experts in rare haematological diseases (RHDs), biomedical informatics, ethics and regulatory issues, and patient-centred research, HemaFAIR aims to implement FAIR (Findable, Accessible, Interoperable, Reusable) principles to improve research and data in rare haematological diseases. As a reference centre for most rare diseases in Cyprus, CING seeks to elevate the scientific profile and competitiveness of Cyprus, while also strengthening research management and administrative skills.
In order to achieve the above research initiatives, we collect and use personal data under the following lawful bases:
- where we have the data subject’s consent
- where it is necessary for compliance with a legal obligation
For HemaFAIR training activity attendees:
We might need to retain information on HemaFAIR participants who have provided consent to conduct survey data analysis.
We might need to contact them to inform regarding HemaFAIR activities if they provided consent to be contacted for updates and future events.
The personal data that we process for this purpose may include:
- Basic details such as name, address, affiliation, sex, and date of birth.
- Contact information (phone number, e-mail, etc.).
- Curriculum vitae.
- Application forms.
- Pictures and videos of participants of HemaFAIR event attendees that provide the consent to share with us.
For HemaFAIR partners:
We might need to retain information on HemaFAIR partners staff who have provided consent, to conduct survey data analysis.
We might need to contact them to inform them regarding HemaFAIR activities and upcoming deliverable deadlines.
We may need to handle participants’ information for reporting to the European Commission.
We might also process images captured during HemaFAIR events for promotional purposes, after obtaining consent from participants.
The personal data that we process for this purpose may include:
- Basic details such as name, affiliation, and address.
- Contact information (phone number, e-mail, etc.).
- Curriculum vitae.
- IBAN number, and other financial information (for reimbursement claims purposes).
For research program participants:
- The necessary personal data as defined by the research program and indicated in the consent forms to be signed by research program participants.
For survey participants:
- The necessary personal data as defined by each survey and indicated in the consent forms to be signed by survey
How long are personal data retained?
We will hold the data for the duration of the project you have agreed for us to process them. Data subjects may withdraw their consent at any given time. Any personal data collected under the lawful basis of the consent will be deleted when and if the data subject withdraws his/her consent.
Any personal data collected because of a legal obligation will be retained for the period determined by the obligation itself.
Any personal data collected for any other reason will be retained only for the necessary period based on the purpose the data has been provided and not for any longer period.
We have set out an extensive policy as to the retention period of specific data. We regularly review the retention periods of personal data, and we will securely destroy data in line with our retention policy using secure and appropriate methods.
If you require more information, you may contact our Data Protection Officer through the email dpo@cing.ac.cy or our offices at +357 22392821, +357 22392725.
Who do we share personal data with?
We may transfer some of the personal data that we hold to financial institutions and/or auditors and/or legal representatives to execute payments or take other actions in order to execute a contract or to be in accordance with the Law.
In any event that we would be required to share personal data with third parties, we will ensure that we will comply with the provisions of the GDPR and ensure appropriate safeguards are in place. We will provide only the minimum amount of personal data necessary to fulfil the purpose for which we are required to share the data. We also take care to ensure that the third party is compliant with the provisions of the GDPR before sharing any personal data with them.
We do not share personal data about anyone without the necessary consent unless the law allows us to do so. Data subjects have the right to refuse/withdraw consent to personal data sharing at any time. Any possible consequences from such refusal will be fully explained to the data subjects which could include delays in receiving care.
Do we transfer your data internationally?
At times we may share personal data with third parties situated within the EU or even outside the EU. In any event that we should be required to share personal data with third parties within the EU or with countries outside the EU for which there is an adequacy decision by the European Commission, apart from the Public Authorities, we ensure that a Data Processing Agreement is in place. Such a Data Processing Agreement establishes the rules of such transfer and the security and privacy of the personal data being processed in compliance with the data protection laws of the concerned countries. We will only provide the minimum amount of personal data necessary to fulfil the purpose of which we are required to share the data.
In the event that we should share personal data with third parties within the countries outside the EU for which there is no adequacy decision as approved by the European Commission, we ensure that a signed set of Standard Contractual Clauses (SCC) accompanies our Data Processing Agreement between us and them or other appropriate safeguards will be determined in line with the law before initiating a transfer of data.
Data subject rights:
As a Data subject you have a number of rights in relation to the processing of your personal data, which you can exercise under certain circumstances. These rights are:
- the right to be informed about the collection and use of their personal data
- the right to access personal data and supplementary information – You have a right to obtain confirmation that your data is being processed lawfully and access your own personal data. There is no charge to exercise this right unless it is considered manifestly unfounded or excessive, particularly where it is repetitive
- the right to have inaccurate personal data rectified or completed if it is incomplete – The accuracy of your data is important for us. You can request to have any incomplete or inaccurate data we hold about you corrected.
- the right to erasure (to be forgotten) in certain circumstances – if you decide that you no longer wish for us to hold and process your data you can ask us to delete them where there is no other legitimate reason for us to process them. Please not that if there are legal reasons which require us to hold your data, we may not be able to satisfy this request
- the right to restrict processing in certain circumstances – you can ask us to suspend the processing of your personal data for the below reasons:
- You are challenging the accuracy of your data, and you don’t want us to curry on processing until the accuracy of the data is confirmed
- We no longer need your personal data, but you may require us to retain them in order to exercise or defend legal claims.
- the right to data portability, which allows the data subject to obtain and reuse personal data for their own purposes across different services – you can ask us to transfer your data to a third party. Please note that this right only applies to automated data which you initially provided with your consent for us to use or in cases where we used the data to perform a contract with you.
- the right to object to processing in certain circumstances – where we are relying on legitimate interests, you have a right to object to the processing of your personal data. You can also object for any processing in relation to direct marketing purposes
- the right to withdraw your consent – Where we are processing your data on the basis of consent, you have a right at any time to withdraw it.
Data subjects can exercise anyone and all of their rights by submitting a Data Subject Request form to:
- The Cyprus Institute of Neurology and Genetics P.O.Box 23462 1683 Nicosia For the attention of the Data Protection Officer.
Or
- By e-mail at: dpo@cing.ac.cy.
Or
- By fax at: +357 22358238 (for the attention of the Data Protection Officer)
Data Subject Request forms are available through the CING website or through the CING’s General Administration office. You may also file your request via a free form email at dpo@cing.ac.cy
For any concerns/complaints on the way that the CING is processing personal data, interested parties are urged to contact the CING General Administration office. Complaints can be also submitted directly to the office of the Commissioner for the Protection of Personal Data. Complaint forms for the office of the Commissioner are available through the web site: www.dataprotection.gov.cy.
If you need assistance with filing any Rights Request form, or for any other relevant queries, please contact us at +357 22392821 or +357 22392725.
This Privacy Notice may be updated to reflect changes to internal processes or legislative requirements at any time.