Data Protection Policy
Mission Solidarity CY
1. Purpose
Mission Solidarity CY (hereafter referred to as “the Organization”) is committed to protecting the personal data of the individuals we support, our employees, volunteers, donors, and partners. This policy outlines the principles, responsibilities, and procedures that guide how the Organization collects, processes, stores, and shares personal data in compliance with the General Data Protection Regulation (GDPR) and other relevant data protection laws in Cyprus.
2. Scope
This policy applies to all personal data processed by the Organization, regardless of the medium in which it is stored (electronic or paper-based). It is applicable to all employees, volunteers, contractors, and any other parties who have access to personal data processed by the Organization.
3. Definitions
● Personal Data: Any information relating to an identified or identifiable natural person (“data subject”).
● Processing: Any operation or set of operations performed on personal data, including collection, storage, use, sharing, and deletion.
● Data Controller: The entity that determines the purposes and means of processing personal data.
● Data Processor: The entity that processes personal data on behalf of the Data Controller.
4. Principles of Data Protection
The Organization adheres to the following principles when processing personal data:
● Lawfulness, Fairness, and Transparency: Personal data shall be processed lawfully, fairly, and in a transparent manner.
● Purpose Limitation: Data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
● Data Minimization: Only the personal data necessary for the purposes of processing shall be collected.
● Accuracy: Personal data shall be accurate and, where necessary, kept up to date.
● Storage Limitation: Personal data shall be kept only for as long as necessary for the purposes for which it is processed.
● Integrity and Confidentiality: Appropriate security measures shall be applied to protect personal data against unauthorized or unlawful processing and accidental loss, destruction, or damage.
5. Responsibilities
● Data Protection Officer (DPO): The Organization will appoint a DPO responsible for ensuring compliance with data protection laws and this policy.
● Employees and Volunteers: All personnel handling personal data are responsible for adhering to this policy and attending relevant training.
● Third Parties: Any third party processing data on behalf of the Organization must comply with this policy and maintain confidentiality. The Organization will enter into legally binding Data Processing Agreements (DPAs) with all third parties processing personal data to ensure compliance with GDPR and data protection standards.
6. Legal Basis for Processing
The Organization will process personal data only when one or more of the following conditions are met:
● The data subject has given consent for one or more specific purposes.
● Processing is necessary for the performance of a contract with the data subject.
● Processing is necessary for compliance with a legal obligation.
● Processing is necessary to protect the vital interests of the data subject or another person.
● Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
● Processing is necessary for the legitimate interests pursued by the Organization, provided such interests do not override the rights and freedoms of the data subject.
7. Data Collection and Use
Personal data collected will include only the information necessary for the purposes specified (e.g., service provision, donor management, or employee records).
The Organization will ensure that individuals are informed about how their data will be used at the time of collection.
7.1 Types of Personal Data Collected:
● Name
● E-mail address
● Phone number
● WhatsApp number
● Address
● Alien Registration Number
● Legal status
● Nationality
● Religion
● Ethnicity
● Marital status
● Education
● Profession
● Language(s)
● Date of Arrival
● Family Members
● Any information necessary to facilitate access to social rights, promote integration opportunities, enhance service provision, and deliver tailored support based on individual needs
8. Data Sharing
Personal data will not be shared with third parties without the data subject’s consent unless required by law or necessary to fulfill the Organization’s legitimate purposes. Any sharing will be conducted under strict confidentiality agreements.
10. Data Security
The Organization implements appropriate technical and organizational measures to protect personal data, including:
● Access controls to limit data access to authorized personnel only.
● Regular security checks.
● An established incident response plan for handling security breaches.
10.1 Incident Response Plan for Handling Security Breaches
In case of a security breach involving personal data, the Organization will take the following steps:
1. Identify and contain the breach immediately.
2. Assess the scope and impact of the breach.
3. Notify the Data Protection Officer (DPO) and relevant authorities within 72 hours if required by GDPR.
4. Inform affected individuals if the breach poses a high risk to their rights and freedoms.
5. Mitigate risks and take corrective actions to prevent future incidents.
6. Maintain a breach register to document all incidents and responses.
11. Data Retention
Personal data will be retained only for as long as necessary to fulfill the purposes for which it was collected, in accordance with legal requirements and the needs of the Organization. Retention periods will be periodically reviewed to ensure they remain appropriate.
● Employee records will be retained for a reasonable period after employment ends, as required by law.
● Volunteer and donor records will be retained for as long as necessary to maintain engagement and comply with financial or legal obligations.
● Service user data will be retained based on the nature of the support provided, ensuring continuity of care and access to services.
When data is no longer required, it will be securely deleted or anonymized.
12. Data Subject Rights
The Organization recognizes the following rights of data subjects:
● Right to Access: The right to obtain confirmation as to whether their personal data is being processed and access to that data.
● Right to Rectification: The right to request corrections to inaccurate or incomplete data.
● Right to Erasure: The right to request the deletion of personal data, subject to certain conditions.
● Right to Restriction of Processing: The right to request limitations on how their data is processed.
● Right to Data Portability: The right to receive their personal data in a structured, commonly used, and machine-readable format.
● Right to Object: The right to object to the processing of their personal data, including for direct marketing purposes.
Requests to exercise these rights can be made to the DPO at missionsolidaritycy@gmail.com.
13. Breach Notification
In the event of a personal data breach, the Organization will notify the relevant supervisory authority within 72 hours and, where necessary, the affected data subjects, in accordance with GDPR requirements.
14. Training and Awareness
The Organization will provide regular training and awareness programs to ensure that employees and volunteers understand their responsibilities under this policy.
15. Policy Review
This policy will be reviewed annually or whenever there are significant changes in data protection laws or the Organization’s activities.
16. Contact Information
For any questions, recommendations, or concerns regarding this policy or the Organization’s data protection practices, please contact the Organization’s Managing Director, Orestis Papamiltiades, who serves as the Data Protection Officer.
Mission Solidarity CY
info@missionsolidarity.org