Privacy Policy

Cyprus Telecommunications Authority (CYTA) is committed to protecting customers’ privacy. This Privacy Policy describes what information and Personal Data Cyta collects, uses and processes about its customers and/or the users of its services and how this information and Personal Data is used in the course of Cyta’s business.

CYTA and its sales agents collect customer data for providing and operating electronic communication services and/or products ordered by the customer. Customer’s data includes the subscriber’s (natural person) name, address, telephone number(s), id/passport number, date of birth, contact number, email address (where needed), direct debit details (where needed), billing address, credit check (for a possible guarantee), details of guarantors, the invoices issued per service per month, including payments made and disconnections, and customer’s preferences regarding inclusion in CYTA’s telephone directory service databases.
The abovementioned data is processed by CYTA throughout the validity period of the customer’s contract in order to deal with customers’ services and products, customer’s billing, customer’s complaints management and/or requests and/or enquiries, or fraud related matters.  

The following data is not erased: (a) Data maintained for law enforcement purposes when lawfully requested to do so by a Court of law, (b) Data maintained for the purposes of taxation legislation (Law 95(I)/2000 and Law 4/1978), which are maintained for a period of six (6) years, (c) Data processed for the purposes of legitimate interest (e.g. an action against a customer), which are maintained until the legitimate purpose is completed, (d) Payment information referring to SEPA Direct Debit payments and information referring to the corresponding invoices settled, which shall be maintained for a period of thirteen (13) months as per the SEPA rules.
In case a customer chooses to enter into a distance contract with Cyta, the customer shall be requested to proceed with digital identification through Cyta’s authorized partner. In such a case the customer shall be requested to submit identification documents and his/her photograph, copies of which shall be retained only until the completion of his/her identification.

CYTA processes traffic and billing data for the purposes of providing electronic communications services and/or products to its customers, for billing purposes and for suggesting discounts, loyalty plans/programs, rewards or benefits on such services and/or products or to comply with Cyta’s legal obligations. This data includes numbers called, location data, date, time and period of a call, network faults, IP addresses, email addresses, internet browsing, applications and features usage of the customer. Furthermore, CYTA takes all necessary steps to safeguard the confidentiality, integrity and availability of its network and services, e.g. to protect against fraud, spam, security threats, attacks, viruses and/or unusually high traffic usage etc. Traffic and billing data is stored by CYTA for a period of six (6) months as provided by law. After the lapse of the six (6) month period this data is erased. The following data is not erased: (a) Data maintained for law enforcement purposes when lawfully requested to do so by a Court of law, (b) Data processed for the purposes of legitimate interest (e.g. an action against a customer), which are maintained until the purpose is completed.

CYTA does not intercept or monitor the content of the customer’s telephone conversations or SMS messages.

Should a customer contact CYTA via telephone (inbound call) or CYTA contact a customer via telephone (outbound call), the conversations are recorded according to Law 112(I)/2004, solely for the purposes of proving that the commercial transaction between CYTA and the customer took place. These recorded conversations are stored for a period of five (5) years unless there is a disputed transaction, in which case they shall be stored until the dispute is resolved.

CYTA uses customer data, traffic and billing data for communicating and/or promoting:

a) Cyta’s products and services (including discounts, competitions and special promotions that may be of interest to the customer), which are similar to those ordered by the customer, with the use of an automated profiling process.
b) Personalised offers and recommendations based on how the customer uses Cyta’s products and services, location information and browsing information, with the use of an automated profiling process.
c) Third party products and services (including offers, discounts and/or social events that Cyta organises for its customers), in case the customer has consented to be contacted about these.

These communications and/or promotions shall be in the form of calls, post, fax and any form of electronic message (including, but not limited to, SMS, MMS, video, email, or apps).

Cyta customers may choose not to receive any marketing communications from Cyta, or have their information used for creating personalised suggestions and recommendations, by visiting Cyta’s privacy page or by using any other opt-out method provided by Cyta. If the customer has a multi-line account, he/she should indicate his/her opt out choice for each line. If he/she adds a line or changes a telephone number, he/she will need to update his/her privacy settings.

Additionally, the customers may separately opt-in to receiving third-party marketing, either through Cyta’s privacy page or through specific promotions or at any Cytashop.

CYTA processes information about the customers’ use of the Cytavision service. This information includes the channel package used, the number of allocated devices used by the customer from the Cytavision software applications, the TV programs and TV channels watched, the Video on Demand (VOD) and Pay Per View (PPV) events purchased. This information is used for managing the Cytavision service, for billing purposes and for making viewing recommendations on any new or existing Cytavision content including TV programs, TV channels or films. Additionally, CYTA stores customer’s pin codes for enforcing parental control policies and authorizing content purchases.

Cytavision customers are requested to maintain the confidentiality of their pin codes and they are obliged to immediately contact CYTA in case of loss of their pin codes.

CYTA customers or users who download any CYTA mobile or internet applications (“apps”) are requested to verify their account details (where applicable). In these cases, CYTA shall process their data usage, their IP numbers, any websites visited (where applicable) and the customers’ spending amount for billing purposes. Furthermore when a mobile or internet app creates a profile on customer’s preferences, customers shall be informed about it before downloading such an app and shall have the right to object to any future profiling.

In addition to Cyta’s Privacy Policy settings, specific privacy practices apply to Cyta apps, which are provided in the informational pages of each app in the relevant application Sites.

Cyta uses customer personal information (including access to information on device) so that apps function as expected and to eliminate errors and disruptions. Such information includes which function you use within the app, for how long, the apps’ functionality features etc.

CYTA’s websites collect information about customer’s browsing preferences and settings with the use of cookies (small text files stored on a device) in order to show them adverts or similar products or services or provide them with a better experience during their interaction with CYTA’s products and services.
Browsing preferences are anonymous and are shared with CYTA’s content partners on the basis of a contractual obligation.

7.1   Right of Access
The Customers may be informed in more detail about the Personal Data CYTA processes about them by submitting an application form to any Cytashop or by visiting CYTA’s page at www.cyta.com.cy. The right of access is subject to the provisions of the applicable data protection legislation, and the prior authentication of the legal subscriber.

7.2   Right to Erasure (“Right to be Forgotten”)
The Customers may request the erasure of any of their Personal Data that is no longer necessary for CYTA’s purposes by submitting an application form to any Cytashop or by visiting CYTA’s page at www.cyta.com.cy. The right to erasure is subject to the provisions of the applicable data protection legislation and the prior authentication of the legal subscriber.

7.3   Data Portability
The Customers may exercise the right to data portability by submitting an application form to any Cytashop. Data portability is subject to the provisions of the Cyprus data protection legislation and the prior authentication of the legal subscriber.

7.4   Right of Updating, Rectification or Minimization of Personal Data
The Customers may update their Personal Data or request the correction of any inaccurate Personal Data or data minimization, by submitting an application form at any Cytashop. These rights are subject to the provisions of the applicable data protection legislation and the prior authentication of the legal subscriber.

7.5   Right to Object
The Customers have the right to object to the processing of their personal data, including any automated profiling, by visiting Cyta’s page www.cyta.com.cy, or at any Cytashop. The right to object is subject to the applicable data protection legislation and the prior authentication of the legal subscriber.

CYTA encourages parents to keep themselves informed about CYTA’s Parental Control services (safe internet for home and safe mobile) and inform CYTA should they wish any of their children under the age of 16, who is a CYTA service user, not to be contacted for any CYTA promotions (for more information you can contact any Cytashop or visit Cyta’s website at www.cyta.com.cy).

Cyta maintains solid information security measures and procedures to safeguard customers’ Personal Data, in line with its legal and regulatory obligations.

To this end Cyta has adopted a comprehensive approach for information and network security to ensure the confidentiality, integrity and availability of customers’ Personal Data. Cyta has in place a corporate Information Security Management System (ISMS) based on international standards ISO 27001 and ISO 27002. The ISMS includes the implementation of a corporate information security policy and procedures and covers security governance, document protection, information management, operations and communications, personnel security, physical security, managed access to information systems, incident management etc. Cyta has in place the necessary technical and procedural measures to effectively defend itself against cyber threats, as well as a Security Operation Center (SOC) which monitors its networks and services and deals with security incidents on a 24-hour basis.

Personal Data is data related to a natural person. However, some of CYTA’s business products designed for business customers (companies, enterprises, public authorities, governmental departments etc), such as cloud services, may contractually (through the terms and conditions of the service) give CYTA the right to undertake the storing and/or otherwise the processing of Personal Data related to natural persons on behalf of the business customer and upon the business customer’s written instructions. In such a case the business customer remains the Data Controller of its Personal Data and CYTA acts only as a Processor of this Personal Data. CYTA as a Processor is committed to maintaining the confidentiality of this Personal Data subject to the business customers’ instructions, the terms and conditions of the service ordered, and CYTA’s Information Security Management System (according to para. 9 above).

CYTA stores customers’ Personal Data for as long as mandated by the laws of the Republic of Cyprus and/or throughout the validity period of the customer’s contract. Certain Personal Data may be stored after the termination of the customer’s contract according to the provisions of the applicable legislation (as per paragraph 2 above).

In case of unsettled bills CYTA may contact customers via its authorized collection agents (natural persons and/or collection companies) in order to attempt to achieve an amicable out-of-Court settlement of such unsettled bills. In such a case CYTA will communicate to these authorized collection agents only the necessary data, such as name, address, identity number and the unsettled bill amount. CYTA’s collection agents are bound by a confidentiality obligation.

Customers are informed that certain CYTA suppliers, subcontractors and partners are based outside the EU and/or the EEA. These partners are contractually committed to CYTA with adequate data transfer tools so as to provide appropriate security safeguards, to maintain the confidentiality of CYTA’s and CYTA’s customers’ Personal Data and are subject to the obligations of the European Regulation 2016/679 (Articles 44 and 45).

Customers can contact CYTA for any information on its Privacy Policy at tel. no. 132, at the website www.cyta.com.cy or by post at Telecommunications street, P.O. Box 24929, CY-1396 Nicosia. For any inquiry or complaint they may contact Cyta at www.cyta.com.cy/contact-form, or at dpo@cyta.com.cy.

15.1  “Controller”: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State Law.

15.2  “Personal Data”: means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

15.3  “Processing”: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

15.4  “Processor”: means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.