1. Introduction
We are GCC Computers Ltd (“GCC”, “we”) a company incorporated in Cyprus under company number HE 300449 with its registered address Timis 15, Latsia, 2220, Nicosia, Cyprus.
This Privacy Policy aims to provide important information to all data subjects (“you”) regarding how GCC processes their Personal Data (“Personal Data”) and safeguards their data subject rights in accordance with Data Protection Law, including but not limited to the General Data Protection Regulation 2016/679 (“GDPR”) and the Cyprus Data Protection Law 125(I)2018.
Scope:
This Policy therefore applies to the processing of Personal Data concerning physical persons that receive GCC’s services and with whom GCC is doing business, including but not limited to customers of GCC’s clients, GGC’s website users and visitors.
Our role:
Data processor:
GCC mainly acts as the data processor processing Personal Data concerning its clients’ customers. This means that the lawfulness and purpose of processing carried out by GCC is determined by our clients (legal entities) acting as your data controller who have the overall control over the purposes and means of the processing.
Data controller:
In other cases, we may also act as a data controller regarding the processing of Personal Data as described below in section 3.
1. What Personal Data we process and how?
The following types of Personal Data may be collected when you use our services:
Personal information collected from website users: technical information about the devices used (such as IP address, operating system, browser type) log-in information, traffic data, preferences etc.
Information directly provided by our clients: We collect information about you from our clients during the course of providing our services to them, such as contact information, device MAC address.
Personal information collected from visitors: We keep a visitors’ log for the purpose of managing and controlling the entrance and visits of people into GCC premises. A CCTV is also in operation for the security of our premises and processing of images of visitors is performed under the operation of this video surveillance system. We use the information collected to (including but not limited to):
- Create and manage accounts
- Provide customer service to you on the request of our clients
- Provide direct marketing to our clients
- Provide our services in accordance with GCC’s the clients’ terms and conditions
- Ensure the safety of our visitors and personnel
- Ensure the security of our premises, services, equipment and systems
3. Why do we process Personal Data?
As we mentioned above, we are acting as data processor since our processing is entirely concerned with Personal Data whose controller is our client (legal entity). Therefore, the legal basis of processing your Personal Data is decided by your data controller (GCC client). This means that we will provide our Services to you if are a customer of GCC client and either a) you have consented to the processing of your Personal Data, b) the data processing is necessary for the performance of a contract between you and the GCC client, or c) the processing is based on the legitimate interests pursued by the GCC client.
GCC is processing your Personal Data in accordance with our Client’s instructions as well as our contractual obligations.
When acting as data controller, GCC will rely either on your consent to process certain data sets such as cookies or other analytics through your use of our website or your contact details to provide you with direct marketing material vial email or social media platforms. Furthermore, GCC will process your Personal Data on the basis of our legitimate interests when collecting Personal Data of visitors for the purposes described in this ensuring the safety of the visitors, GCC personnel, and the security of GCC’s premises, equipment and systems.
4. Disclosure of Personal Data
GCC may share certain data with its subcontractors for maintenance purpose and other third parties such as national authorities or bodies. GCC is always assessing its partners and third parties before disclosing or otherwise transmitting Personal Data to them by putting in place contractual measures reinforcing specific obligations in accordance with Data Protection Law and in particular GDPR Article 28.
In addition, GCC may give access to or share Personal Data to external advisors/consultants:
- When instructed to do so by any authority/regulatory body under applicable law.
- In order to establish, exercise or defend our legal rights.
- With technical advisors who carry out regular assessments and checks on our systems, equipment and facilities.
- For fraud detection and other control purposes.
5. Disclosure of Personal Data
Personal Data will be retained for as long as the services are provided to our Client under whose instructions your Personal Data are subject to processing GCC. After that period has ceased, we will delete your Personal Data unless specific legislation/regulation requires to keep certain Personal Data. For Personal Data we collect directly from you, we maintain our internal retention policy, which is governed by our legal obligations or other criteria which comply with the principle of retention for as long as they are necessary for the purpose for which the Personal Data are processed and then they are disposed.
6. Data Transfers
GCC does not normally transfer your Personal Data outside of the European Economic Community. However, your Personal Data may be transferred to subcontractors or business partners located outside of the EU, provided that such transfers are authorized by our Client (the data controller of your Personal Data) and are carried out either a) on the basis of an adequacy decision by the EU Commission in accordance with GDPR Article 45, or b) on the basis of at least one of the other appropriate safeguards under GDPR Chapter V, such as Standard Contractual Clauses (GDPR Article 46). Where none of the appropriate safeguards are applicable, we may carry out the transfer on the basis of at least one of the specific situations as per GDPR Article 49, i.e. the data subject’s specific consent, necessity for the performance of a contract etc. In addition, we will always take into account the relevant provisions under Cyprus Data Protection Law. In any event, we always assess the possibility of transferring data anonymously.
7. Your data subject rights
You may make a request to exercise certain rights regarding your Personal Data processed by us as shown below.
Since we do not normally act as data controllers of your Personal Data, we will forward your request to our Client acting the data controller of your Personal Data. We will then assist our Client to facilitate and respond to the request. In cases where we act as data controller, we will be responsible to respond to your request.
With regard to the processing of your Personal Data by GCC you have the following rights:
- To withdraw your previously obtained consent, without invalidating any previous processing based on your consent
- To lodge a complaint with Office of the Commissioner for Personal Data Protection
- To access to your Personal Data that we process
- To correct any Personal Data that are incorrect or out of date
- To erase any Personal Data that we process
- To restrict the processing of your Personal Data in certain circumstances.
- To ask to provide you or another company you nominate with certain aspects of your Personal Data (right to portability)
- To object to the processing of your Personal Data
- To contest a decision made entirely by automated processing and to express your point of view
Please note that these rights are not absolute and subject to exceptions. These are therefore may be limited where we have an overriding interest or legal obligation to continue to process the data or where data may be exempt from disclosure due to, example, professional secrecy obligations or other exemptions provided under applicable law. The applicability of your rights depends on the legal basis on which we rely in each case.
If you want to exercise any of these rights, then please contact our DPO by e-mail at dpo@gcc.com.cy. We will take all appropriate steps to respond within the legal timeframe, that is 30 days from day we receive your request or additional 2 months in the case of receiving an excessive request in which case we will keep in touch and informed about the progress and status of your request.
If you wish to raise a complaint on how we have handled your Personal Data, you may contact us to have the matter investigated. Kindly email: dpo@gcc.com.cy
If you are not satisfied with our response or believe we are not processing your Personal Data in accordance with the law, you may lodge a complaint to:
Office of The Commissioner for Personal Data Protection
Office address: Iasonos 1, 1082 Nicosia, Cyprus
Postal address: P.O.Box 23378, 1682 Nicosia, Cyprus
Tel: +357 22818456
Fax: +357 22304565
Email: commissioner@dataprotection.gov.cy
8. Data security
At GCC we take security very seriously. We adopt, and continuously work towards improving, all appropriate and necessary technical and physical security measures to ensure a level of security appropriate to the risk, in order to prevent any Personal Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data transmitted, stored or otherwise processed. This covers both Personal Data we collect directly from you and data which we process on behalf of our clients.
We are regularly revising and assessing the effectiveness and the security of our systems, equipment and facilities taking into account all the relevant security standards and legal requirements. We also work closely with our clients and advise them on how to maintain a security standard which safeguards your Personal Data when our clients act as the data controllers.
9. Changes to our Privacy Policy
We may update this policy from time to time, so please review it frequently. If any material changes are made to this Privacy Policy, we will use reasonable endeavors to inform you in advance by email, notice on the website or other agreed communications channels. We will communicate the changes to you in advance, giving an appropriate amount of time for you to consider and understand the changes before they become effective. If you decline to accept the changes to the Privacy Policy, or otherwise do not accept the changes within the time period, we may not be able to continue to provide some or all products and services.