privacy
HELIOS Data Privacy Policy
We have certain responsibilities we need to uphold in accordance with data protection laws. This Privacy Notice explains how and why the Cyprus Institute of Neurology and Genetics (“we”), as the COST Action [CA22119] HELIOS [Haemoglobinopathies in European Liaison of Medicine and Science] Grant Holder, processes personal data and what we do with it, the conditions under which we can at times disclose it to others and how we keep it secure. It also explains how we comply with the applicable data protection law(s), especially with the European General Data Protection Regulation 2016/679 (“GDPR”).
Who we are?
The Cyprus Institute of Neurology & Genetics (CING) is a private, non-profit, bi-communal, medical, research and academic center. The CING has its campus in Nicosia. CING as the Data Controller:
CING the HELIOS Grant Holder is the Data Controller as we determine the means and/or purposes of the processing of the personal data held by us. The personal data stored and processed within the Cyprus Institute of Neurology and Genetics follows the current policy.
The GDPR governs how we must ensure the safety and security of the data that we process about any data subject. The first principle of the Regulation is that the subjects’ personal data must be processed fairly and transparently. We have an obligation to let all data subjects know how we will take care of the data we hold about them and what we will use it for.
Why do we collect and use personal data?
CING, as the grant holder of HELIOS COST Action, endeavours to establish a network of excellence, by bringing together experts in hemoglobinopathies from around the globe. Within the framework of HELIOS, CING aims to elevate the quality of life for individuals affected by hemoglobinopathies like sickle cell disease and thalassemia syndromes with a key focus on improving healthcare and influencing policymaking. To accomplish this goal, our objectives include standardizing global molecular and clinical methodologies, nurturing collaborations, promoting knowledge exchange, and improving access to research data collection and analysis.
In order to achieve the above research initiatives, we collect and use personal data under the following lawful bases:
- where we have the data subject’s consent
- where it is necessary for compliance with a legal obligation
- Where it is justified by the HELIOS legitimate interests or those of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
For members of the public:
We might need to retain information on members of the public who have provided consent, including records pertaining to HELIOS participants, to conduct survey data analysis.
We might hold data of members of the public who have consented to be contacted for events and conferences.
We might also process images captured during HELIOS events for HELIOS promotional purposes, after obtaining the consent from participants.
The personal data that we process for this purpose may include:
- Basic details such as name, address
- Contact information (phone number, e-mail, etc.)
For HELIOS members:
We might need to retain information on HELIOS members who have provided consent to conduct survey data analysis.
We might need to contact them to inform them regarding HELIOS activities and upcoming deliverable deadlines.
We might need to contact them and inform them regarding the COST Association change of regulations.
We might need to contact them and inform them regarding COST Association events.
We might hold data of candidates for recruitment for HELIOS events or deliverables tasks.
We might need to retain the financial information of HELIOS participants for reimbursement claims purposes.
We may need to handle participants’ information for reporting to the COST Association.We might also process images captured during HELIOS events for HELIOS promotional purposes, after obtaining consent from participants.
The personal data that we process for this purpose may include:
- Basic details such as name, address, affiliation, sex, and date of birth.
- Contact information (phone number, e-mail, etc.).
- Curriculum vitae.
- Application forms.
- IBAN number and other financial information submitted in e-COST.
- Pictures of participants of HELIOS members that provide the consent to share with us.
For HELIOS collaborators:
We might need to retain information on HELIOS collaborators who have provided consent, including records of HELIOS participants, to conduct survey data analysis.
We might need to contact them to inform them regarding HELIOS activities and upcoming deliverable deadlines.
We might need to contact them and inform them regarding the COST Association change of regulations.
We might need to contact them and inform them regarding COST Association events.
We might need to retain the financial information for reimbursement claims purposes.
We may need to handle participants’ information for reporting to the COST Association.
We might also process images captured during HELIOS events for HELIOS promotional purposes, after obtaining consent from participants.
The personal data that we process for this purpose may include:
- Basic details such as name, affiliation, and address.
- Contact information (phone number, e-mail, etc.).
- Curriculum vitae.
- IBAN number, and other financial information (for reimbursement claims purposes).
For HELIOS Grantees:
We might need to retain information on HELIOS Grantees who have provided consent, including records pertaining to HELIOS participants, to conduct survey data analysis.
We might need to contact them to inform them regarding HELIOS activities and upcoming deliverable deadlines.
We might need to contact them and inform them regarding the COST Association change of regulations.
We might need to contact them and inform them regarding COST Association events.
We might hold data of candidates for recruitment for events or deliverables tasks.
- Basic details such as name, affiliation, address, and date of birth.
- Contact information (phone number, e-mail, etc.).
- Curriculum vitae, application form.
- IBAN number and other financial information submitted in e-COST (for reimbursement claims purposes).
For research program participants:
- The necessary personal data as defined by each research program and indicated in the consent forms to be signed by research program participants.
For survey participants:
- The necessary personal data as defined by each survey and indicated in the consent forms to be signed by survey
How long are personal data retained?
We will hold the data for the duration of the project you have agreed for us to process them. Data subjects may withdraw their consent at any given time. Any personal data collected under the lawful basis of the consent will be deleted when and if the data subject withdraws his/her consent.
Any personal data collected because of a legal obligation will be retained for the period determined by the obligation itself.
Any personal data collected for any other reason will be retained only for the necessary period based on the purpose the data has been provided and not for any longer period.
We have set out an extensive policy as to the retention period of specific data. We regularly review the retention periods of personal data, and we will securely destroy data in line with our retention policy using secure and appropriate methods.
If you require more information you may contact our Data Protection Officer through the email [email protected] or our offices at 22392821, 22392725.
Who do we share personal data with?
We may transfer some of the personal data that we hold to financial institutions and/or auditors and/or legal representatives to execute payments or take other actions in order to execute a contract or to be in accordance with the Law.
In any event that we would be required to share personal data with third parties, we will ensure that we will comply with the provisions of the GDPR and ensure appropriate safeguards are in place. We will provide only the minimum amount of personal data necessary to fulfil the purpose for which we are required to share the data. We also take care to ensure that the third party is compliant with the provisions of the GDPR before sharing any personal data with them.
We do not share personal data about anyone without the necessary consent unless the law allows us to do so. Data subjects have the right to refuse/withdraw consent to personal data sharing at any time. Any possible consequences from such refusal will be fully explained to the data subjects which could include delays in receiving care.
Do we transfer your data internationally?
At times we may share personal data with third parties situated within the EU or even outside the EU. In any event that we should be required to share personal data with third parties within the EU or with countries outside the EU for which there is an adequacy decision by the European Commission, apart from the Public Authorities, we ensure that a Data Processing Agreement is in place. Such a Data Processing Agreement establishes the rules of such transfer and the security and privacy of the personal data being processed in compliance with the data protection laws of the concerned countries. We will only provide the minimum amount of personal data necessary to fulfil the purpose of which we are required to share the data.
In the event that we should share personal data with third parties within the countries outside the EU for which there is no adequacy decision as approved by the European Commission, we ensure that a signed set of Standard Contractual Clauses (SCC) accompanies our Data Processing Agreement between us and them or other appropriate safeguards will be determined in line with the law before initiating a transfer of data.
Data subject rights:
As a Data subject you have a number of rights in relation to the processing of your personal data, which you can exercise under certain circumstances. These rights are:
- the right to be informed about the collection and use of their personal data
- the right to access personal data and supplementary information – You have a right to obtain confirmation that your data is being processed lawfully and access your own personal data. There is no charge to exercise this right unless it is considered manifestly unfounded or excessive, particularly where it is repetitive
- the right to have inaccurate personal data rectified, or completed if it is incomplete – The accuracy of your data is important for us. You can request to have any incomplete or inaccurate data we hold about you corrected.
- the right to erasure (to be forgotten) in certain circumstances – if you deicide that you no longer wish for us to hold and process your data you can ask us to delete them where there is no other legitimate reason for us to process them. Please not that if there are legal reasons which require us to hold your data we may not be able to satisfy this request
- the right to restrict processing in certain circumstances – you can ask us to suspend the processing of your personal data for the below reasons:
- You are challenging the accuracy of your data, and you don’t want us to curry on processing until the accuracy of the data is confirmed
- We no longer need your personal data but you may require us to retain them in order to exercise or defend legal claims.
- the right to data portability, which allows the data subject to obtain and reuse personal data for their own purposes across different services – you can ask us to transfer your data to a third party. Please note that this right only applies to automated data which you initially provided consent for us to use or in cases where we used the data to perform a contract with yo.
- the right to object to processing in certain circumstances – where we are relying on legitimate interests, you have a right to object to the processing of your personal data. You can also object for any processing in relation to direct marketing purposes
- the right to withdraw your consent – Where we are processing your data on the basis of consent, you have a right at any time to withdraw it.
Data subjects can exercise anyone and all of their rights by submitting a Data Subject Request form to:
- The Cyprus Institute of Neurology and Genetics P.O.Box 23462 1683 Nicosia For the attention of the Data Protection Officer.
Or
- By e-mail at: [email protected].
Or
- By fax at: +35722358238 (for the attention of the Data Protection Officer)
Data Subject Request forms are available through the CING website or through the CING’s General Administration office. You may also file your request via a free form email at [email protected]
For any concerns/complaints on the way that the CING is processing personal data, interested parties are urged to contact the CING General Administration office. Complaints can be also submitted directly to the office of the Commissioner for the Protection of Personal Data. Complaint forms for the office of the Commissioner are available through the web site: www.dataprotection.gov.cy.
If you need assistance with filing any Rights Request form, or for any other relevant queries, please contact us at +35722392821 or +35722392725.
This Privacy Notice may be updated to reflect changes to internal processes or legislative requirements at any time.