1. Customer Data
CYTA and its sales agents collect customer data for providing and operating electronic communication services and/or products ordered by the customer. Customer’s data includes the subscriber’s (natural person) name, address, telephone number(s), id/passport number, date of birth, contact number, email address (where needed), direct debit details (where needed), billing address, credit check (for a possible guarantee), details of guarantors, the invoices issued per service per month, including payments made and disconnections, and customer’s preferences regarding inclusion in CYTA’s telephone directory service databases. This data is processed by CYTA throughout the validity period of the customer’s contract in order to deal with customers’ services and products, customer’s billing, customer’s complaints and/or requests and/or enquiries, or fraud related matters.
The following data is not erased:
(a) Data maintained for law enforcement purposes when lawfully requested to do so by a Court of law (Law 183(I)/2007).
(b) Data maintained for the purposes of taxation legislation (Law 95(I)/2000 and Law 4/1978), which are maintained for a period of six (6) years.
(c) Data processed for the purposes of legitimate interest (e.g an action against a customer), which are maintained until the legitimate purpose is completed.
(d) Payment information referring to SEPA Direct Debit payments and information referring to the corresponding invoices settled which shall be maintained for a period of thirteen (13) months as per the SEPA rules.
2. Traffic and Billing Data
CYTA processes traffic and billing data for the purposes of providing electronic communications services and/or products to its customers, for billing purposes and for suggesting discounts, loyalty plans/programs, rewards or benefits on such services and/or products or to comply with Cyta’s legal obligations. This data includes numbers called, location data, date, time and period of a call, network faults, IP addresses, email addresses, internet browsing, applications and features usage of the customer. Furthermore, CYTA takes all necessary steps to safeguard the confidentiality, integrity and availability of its network and services, e.g to protect against fraud, spam, security threats, attacks, viruses and/or unusually high traffic usage etc. Traffic and billing data is stored by CYTA for a period of six (6) months as provided by law. After the lapse of the six (6) month period this data is erased.
The following data is not erased:
(a) Data maintained for law enforcement purposes when lawfully requested to do so by a Court of law (Law 183(I)/2007) and
(b) Data processed for the purposes of legitimate interest (e.g an action against a customer), which are maintained until the purpose is completed.
CYTA does not intercept or monitor the content of the customer’s telephone conversations or sms’s.
Should a customer contact CYTA via telephone (inbound call) or CYTA contact a customer via telephone (outbound call), the conversations are recorded according to Law 112(I)/2004, solely for the purposes of proving that the commercial transaction between CYTA and the customer took place. These recorded conversations are stored for a period of five (5) years unless there is a disputed transaction, in which case they shall be stored until the dispute is resolved.
CYTA uses customer data, traffic and billing data for communicating and/ or promoting:
(a) Cyta’s products and services (including discounts, competitions and special promotions that may be of interest to the customer), which are similar to those ordered by the customer, with the use of an automated profiling process.
(b) Personalised offers and recommendations based on how the customer uses Cyta’s products and services, location information and browsing information, with the use of an automated profiling process.
(c) Third party products and services (including offers, discounts and/or social events that Cyta organises for its customers), in case the customer has consented to be contacted about these.
These communications and/or promotions shall be in the form of calls, post, fax and any form of electronic message (including, but not limited to, SMS, MMS, video, email, or apps).
Cyta customers may choose not to receive any marketing communications from Cyta, or have their information used for creating personalised suggestions and recommendations, by visiting Cyta’s privacy page or by using any other opt-out method provided by Cyta. If the customer has a multi-line account, he/she should indicate his/her opt out choice for each line. If he/she adds a line or changes a telephone number, he/she will need to update his/her privacy settings.
Additionally, the customer may separately opt-in to receiving third-party marketing, either through Cyta’s privacy page or through specific promotions or at any Cytashop.
4. TV Data (Cytavision)
CYTA processes information about the customers’ use of the Cytavision service. This information includes the service used, the number of allocated Set Top Boxes, the TV programs and TV channels watched, the Video on Demand (VOD) and Pay Per View (PPV) events purchased. This information is used for maintaining the Cytavision service, for billing purposes and for making viewing recommendations on any new or existing Cytavision content including TV programs, TV channels or films. Additionally, CYTA stores customer’s pin codes for enforcing parental control policies and authorizing content purchases.
Cytavision customers are requested to maintain the confidentiality of their pin codes and they are obliged to immediately contact CYTA in case of loss of their pin codes.
5. Mobile Applications and Internet Applications
CYTA customers or users who download any CYTA mobile or internet applications (“apps”) are requested to verify their account details (where applicable). In these cases, CYTA shall process their data usage, their IP numbers, any websites visited (where applicable) and the customers’ spending amount for billing purposes. Furthermore when a mobile or internet app creates a profile on customer’s preferences, customers shall be informed about it before downloading such an app and shall have the right to object to any future profiling.
Cyta uses customer personal information so that apps function as expected and to eliminate errors and disruptions. Such information include which function you use within the app, for how long, the apps’ functionality features etc.
6. Cookies Policy
7. General Customers’ Rights According to European Regulation 2016/679, (“GDPR”) as from 25/5/2018
7.1 Right of Access
Customers may be informed in more detail about the Personal Data CYTA processes about them by submitting an application form to any Cytashop or by visiting CYTA’s Privacy page at www.cyta.com.cy/privacy-policy/en. The right of access is subject to the provisions of the Cyprus data protection legislation, and the authentication of the legal subscriber.
7.2 Right to Erasure (“Right to be Forgotten”)
Customers may request the erasure any of their Personal Data that is no longer necessary for CYTA’s purposes by submitting an application form to any Cytashop or by visiting CYTA’s Privacy page at www.cyta.com.cy/privacy-policy/en. The right to erasure is subject to the provisions of the Cyprus data protection legislation and the authentication of the legal subscriber.
7.3 Data Portability
Customers may exercise the right to data portability by submitting an application form to any Cytashop. Data portability is subject to the provisions of the Cyprus data protection legislation and the authentication of the legal subscriber.
7.4 Right of Updating, Rectification or Minimization of Personal Data
Customers may update their Personal Data or request the correction of any inaccurate Personal Data or data minimization, by submitting an application form at any Cytashop. These rights are subject to the provisions of the Cyprus data protection legislation and the authentication of the legal subscriber.
8. Children and Personal Data
CYTA encourages parents to keep themselves informed about CYTA’s Parental Control services (safe internet for home and safe mobile) and inform CYTA should they wish any of their children under the age of 16, who is a CYTA service user, not to be contacted for any CYTA promotions (for more information you can contact any Cytashop or visit Cyta’s website, at www.cyta.com.cy/privacy-policy/en.
9. Information Security Measures
Cyta maintains solid information security measures and procedures to safeguard customers’ Personal Data, in line with its legal obligations.
A comprehensive approach is considered for information security to effectively ensure the confidentiality, integrity and availability of customers’ Personal Data. Cyta has already implemented a corporate Information Security Management System (ISMS) based on international standards ISO 27001 and ISO27002. The ISMS includes amongst others the implementation of a corporate information security policy and procedures that cover e.g. security governance, document security, information management, operations and communications, personnel security, physical security, access to information systems, incident management etc. It also covers the necessary technical and procedural measures to effectively defend against cyber threats (hackers).
10. Business Products and Confidentiality
Personal Data is data related to a natural person. However, some of CYTA’s business products designed for business customers (companies, enterprises, public authorities, governmental departments etc), such as cloud services, may contractually (through the terms and conditions of the service) give CYTA the right to undertake the storing and/or otherwise the processing of Personal Data related to natural persons on behalf of the business customer and upon the business customer’s written instructions. In such a case the business customer remains the Data Controller of its Personal Data and CYTA acts only as a Processor of this Personal Data. CYTA as a Processor is committed to maintain the confidentiality of this Personal Data subject to the business customers’ instructions, the terms and conditions of the service ordered, and CYTA’s Information Security Management System (according to para.9 above).
11. Duration of Personal Data Storage
CYTA stores customers’ Personal Data for as long as mandated by the Laws of the Republic of Cyprus and/or throughout the validity period of the customer’s contract. Certain Personal Data may be stored after the termination of the customer’s contract according to the provisions of the applicable Cyprus legislation (paragraph 1 and 2 above).
12. Debt Collection Agents
In case of unsettled bills CYTA may contact customers via its authorized collection agents (natural persons and/or collection companies) in order to attempt to achieve an amicable out-of-Court settlement of such unsettled bills. In such a case CYTA will communicate to these authorized collection agents only the necessary customer information, such as name, address, identity number and the unsettled bill amount. CYTA’s collection agents are bound by a confidentiality obligation.
13. Transfers Outside the EU (European Union) and/or the EEA (European Economic Area)
Customers are informed that certain CYTA suppliers, subcontractors and product partners are based outside the EU and/or the EEA. These partners are contractually committed to CYTA to provide appropriate security safeguards, to maintain the confidentiality of CYTA’s and CYTA’s customers’ Personal Data and are subject to the obligations of the GDPR (Articles 44 and 45).
14. CYTA contact information / Complaints
CYTA’s appointed Data Protection Officer (DPO) is Ms Kristia Christou.
15.1 “Controller”: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State Law.
15.2 “Personal Data”: means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
15.3 “Processing”: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
15.4 “Processor”: means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.