CALL CENTER PRIVACY NOTICE

AUDIO RECORDINGS

______________________________________________________________________________

Last updated on August 28, 2024

This Privacy Notice sets out how CPT CYPRUS PUBLIC TRANSPORT SERVICES AND OPERATIONS LIMITED (“We” or the “Company” or “Us” or “CPT”) processes the personal data of its customers (“You” or the “Customer” or the “Data Subject”) collected during the incoming and/or outgoing calls  placed to and/or from its call center.

This Privacy Notice contains all the information that the Company, as a Data Controller, is required to provide you with in relation to the processing of your personal data, in accordance with the provisions of the EU General Data Protection Regulation 2016/679 (“GDPR”).


1.       What information we collect

The personal data that we collect from you, during the incoming and outgoing calls placed to and/or from our call center (at 1416) is the following:

1.       Name / Surname of the customer and of the call center officer;

2.       Telephone number of the customer;

3.       The audio recording;

4.       Time/Date of the call;

5.       Length of the call;

 

(hereinafter referred to as your “Personal Data”).



2.       Legal basis for processing your Personal Data and the purposes of the processing

Your Personal Data are being processed in a legal, equitable and transparent manner, based on the legal basis of the legitimate interests pursued by our Company, as per Article 6 (1) (f) of the GDPR.

The purposes for which We collect your personal data during the incoming and outgoing calls placed to and/or from our Company’s call center, are the following:

a.       To ensure the Company’s efficient assistance to its customers and secure the best possible experience for the customers;

b.       To promptly evaluate any complaints placed to our call center relating to the Company’s services in order to secure again, the best possible experience for the customers;

c.       To safeguard the Company’s legitimate interests, in cases needed, such as when a false or a misleading complaint is placed to the Company’s call center relating to the Company’s services; and

d.       For training purposes and service improvement.

We do not collect and we do not use any personal information other than those specifically mentioned above, without your explicit consent.

We do not use any form of automated processing of personal data or profiling during the processing of your Personal Data.


3.       How we keep your Personal Data

We process your Personal Data in our Head Offices in Nicosia, where they are also safely kept and stored with enhanced security measures.

For the storage and security of your Personal Data the Company takes all the necessary technical and organizational measures to ensure that the processing is carried out and in accordance with the provisions of local laws and the GDPR (controlled access, firewalls, antivirus, cryptography of data etc.).


4.       Data recipients

Within our Company, your Personal Data are only accessible by the strictly required personnel, burdened by duty of confidentiality and only for the purposes mentioned in paragraph 2 above.

Outside our Company, recipients of your personal data may be any subcontractors or third parties who cooperate and/or provide services to the Company in the context of its business, such as companies that provide information technology services including our CRM software providers, legal representatives, call center service providers etc. Some of our trusted third party / service providers who may be recipients of your personal data are:
•    F.C.G. First Choice Group Ltd (call center service provider);
•    Cyprus Government / Ministry of Transport, Communications and Works (under concession contract).

We choose our associates very carefully, after the necessary checks have been carried out and sufficient guarantees have been provided to implement appropriate technical and organizational measures in such manner that processing will meet the requirements of the GDPR and the relevant laws and ensure the protection of your rights. 

We may also need to:

-        disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations;

-        share some personal data with other parties, such as potential buyers of some or all of our business or during a restructuring. Your information in such cases will be anonymized, but this may not always be possible, however, the recipient of the information will be bound by confidentiality obligations.

If you would like more information about who we share our data with and why, please contact us (see ‘How to contact us’ below).


5.       Retention period

In accordance with our Company’s retention policy and in full compliance with the GDPR, your Personal Data will be kept only for as long as necessary to fulfil the purposes specified in paragraph 2 or – in the case of consent – until you withdraw your consent. 

Except in cases where we might need to keep your data to pursue our legal rights and interest, the retention period of your Personal Data will be no longer than 3 months since the date of the call. After this period of time, your Personal Data will be irreparably destroyed.

Any requests for further information in relation to the continued processing of specific data and requests for destruction of data please contact us (see ‘How to contact us’ below).

 

6.       Transfers of data outside the EU / EEA 

We will not transfer your Personal Data outside the EU/EEA. In case, your data will be transferred to entities or other third parties whose headquarters or place of data processing is not located in a member state of the European Union or the European Economic Area, we ensure before forwarding the data that, outside of legally permitted exceptional cases pertaining to the recipient, either an appropriate level of data protection exists (e.g. through an adequacy decision of the European Commission, through suitable guarantees, or through the agreement of EU standard contractual clauses between us and the recipient), or your sufficient consent exists.


7.       Security

We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorized way. These measures include, but are not limited to, access control, internal audit etc. Furthermore, we limit access to your personal information to those who have a genuine business and need to know it. Those processing your information will do so only in an authorized manner and are subject to a duty of confidentiality. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.


8.       Your rights

As a Data Subject, you can contact us at any time and exercise your rights, which are, the right to:

(a)    receive information about the data processing and a copy of the processed data;

(b)    demand the correction or rectification of inaccurate data or the completion of incomplete data;

(c)     demand the erasure of personal data;

(d)    demand the restriction of the data processing;

(e)    receive the personal data concerning the data subject in a structured, commonly used and machine-readable format and to request the transmittance of these data to another controller in certain situations;

(f)      object to the data processing;

(g)    withdraw a given consent at any time to stop a data processing that is based on your consent;

(h)    complain to a competent supervisory authority.

In response to such requests, we reserve the right to require the individual making the request to provide certain details about herself/himself so that the we can validate that the individual is indeed the person whom the data refers to. We are required to respond to the request of the individual within 30 days and it will endeavour to do so wherever possible. We reserve the right to charge a reasonable fee to cover any expenses that may arise from the request.

In cases a data subject chooses not to provide any personal data, or where any of the rights set out above are exercised to limit the processing of personal data, we may be unable to provide relevant services, or there may be restrictions on the services which can be provided.

Specifically, in the event that you do not wish your call placed to and/or from our call center to be recorded, you have the right, after being informed, to terminate the call immediately. In the event that you knowingly choose to continue the call placed to and/or from our call center, but inform our employee that you do not wish your call to be recorded, our employee will have the right to terminate the call.

In some case, as per the GDPR, your right to erasure may be lifted to the extent that processing is necessary:

(a)       for exercising the right of freedom of expression and information.

(b)       for compliance with a legal obligation which requires processing by Union or Member State law to which we are subject;

(c)        for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) of the GDPR as well as Article 9(3) of the GDPR;

(d)       for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR in so far as the right referred to in paragraph 1 of Article 89 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

(e)       for the establishment, exercise or defence of legal claims.

For further information on each of those rights, including the circumstances in which they apply, please contact us (see ‘How to contact us’ below).

Should you require to exercise any of your rights or in the event that you wish to complain about how we have handled your personal data please contact us (see ‘How to contact us’ below).

If you still feel that your personal data has not been handled appropriately according to the law, you can submit your complaint with the Office of the Commissioner for Personal Data Protection, at Kypranoros 15, 1061 Nicosia, Cyprus, tel. +357 22 818456, email address: commissioner@dataprotection.gov.cy.


9.       How to contact us

You can contact us by post or email, if you have any questions about this Privacy Notice or the information we hold about you, to exercise a right under data protection law or to make a complaint.

CPT CYPRUS PUBLIC TRANSPORT SERVICES AND OPERATIONS LIMITED

Postal address: Thali 4, 2200 Geri, Nicosia, Cyprus

Email address: dpo@publictransport.com.cy.


10.   Changes to this Privacy Notice

This Privacy Notice last updated on the 28th of August 2024.

We may change this Privacy Policy from time to time and when we do so, we will inform you via a notification on our Website or via other means of contact, when this considered necessary.