Call Center Privacy Notice



Call Center Privacy Notice

Audio recordings — This Privacy Notice explains how CPT processes personal data collected during incoming and outgoing calls to and from its call center.

Last updated on August 28, 2024

This Privacy Notice sets out how CPT Cyprus Public Transport Services and Operations Limited, hereinafter referred to as “we”, the “Company”, “us” or “CPT”, processes the personal data of its customers, hereinafter referred to as “you”, the “Customer” or the “Data Subject”, collected during incoming and/or outgoing calls placed to and/or from its call center.

This Privacy Notice contains all the information that the Company, as a Data Controller, is required to provide to you in relation to the processing of your personal data, in accordance with the provisions of the EU General Data Protection Regulation 2016/679, hereinafter referred to as the “GDPR”.

1. What Information We Collect

The personal data that we collect from you during incoming and outgoing calls placed to and/or from our call center, at 1416, is the following:

Personal Data Collected
  1. Name and surname of the customer and of the call center officer.
  2. Telephone number of the customer.
  3. The audio recording.
  4. Time and date of the call.
  5. Length of the call.

The above are hereinafter referred to as your “Personal Data”.

2. Legal Basis and Purposes of Processing

Your Personal Data is processed in a legal, fair and transparent manner, based on the legitimate interests pursued by our Company, in accordance with Article 6(1)(f) of the GDPR.

The purposes for which we collect your Personal Data during incoming and outgoing calls placed to and/or from our Company’s call center are the following:

  • To ensure the Company’s efficient assistance to its customers and secure the best possible customer experience.
  • To promptly evaluate complaints placed to our call center relating to the Company’s services, in order to secure the best possible customer experience.
  • To safeguard the Company’s legitimate interests where needed, such as when a false or misleading complaint is placed to the Company’s call center relating to the Company’s services.
  • For training purposes and service improvement.

We do not collect or use any personal information other than that specifically mentioned above, without your explicit consent.

We do not use any form of automated processing of personal data or profiling during the processing of your Personal Data.

3. How We Keep Your Personal Data

We process your Personal Data at our Head Offices in Nicosia, where it is also safely kept and stored with enhanced security measures.

For the storage and security of your Personal Data, the Company takes all necessary technical and organizational measures to ensure that processing is carried out in accordance with local laws and the GDPR. These measures may include controlled access, firewalls, antivirus protection, cryptography of data and similar safeguards.

4. Data Recipients

Within our Company, your Personal Data is accessible only by strictly required personnel, who are bound by a duty of confidentiality and only for the purposes mentioned in section 2 above.

Outside our Company, recipients of your Personal Data may include subcontractors or third parties who cooperate with and/or provide services to the Company in the context of its business, such as information technology service providers, CRM software providers, legal representatives and call center service providers.

Trusted Third Parties / Service Providers
  • F.C.G. First Choice Group Ltd, call center service provider.
  • Cyprus Government / Ministry of Transport, Communications and Works, under concession contract.

We choose our associates very carefully, after the necessary checks have been carried out and sufficient guarantees have been provided to implement appropriate technical and organizational measures. This ensures that processing meets the requirements of the GDPR and relevant laws, and protects your rights.

We may also need to:

  • Disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.
  • Share some personal data with other parties, such as potential buyers of some or all of our business or during a restructuring. Your information in such cases will be anonymized where possible, and the recipient of the information will be bound by confidentiality obligations.

If you would like more information about who we share data with and why, please contact us using the details in the “How to Contact Us” section below.

5. Retention Period

In accordance with our Company’s retention policy and in full compliance with the GDPR, your Personal Data will be kept only for as long as necessary to fulfil the purposes specified in section 2 or, in the case of consent, until you withdraw your consent.

Retention Period for Call Recordings

Except in cases where we may need to keep your data to pursue our legal rights and interests, the retention period of your Personal Data will be no longer than 3 months from the date of the call. After this period, your Personal Data will be irreparably destroyed.

For further information in relation to the continued processing of specific data, or to request the destruction of data, please contact us using the details below.

6. Transfers of Data Outside the EU / EEA

We will not transfer your Personal Data outside the EU/EEA.

In case your data is transferred to entities or other third parties whose headquarters or place of data processing is not located in a member state of the European Union or the European Economic Area, we ensure, before forwarding the data, that an appropriate level of data protection exists, except in legally permitted exceptional cases.

This may be ensured, for example, through an adequacy decision of the European Commission, suitable guarantees, the agreement of EU standard contractual clauses between us and the recipient, or your sufficient consent.

7. Security

We have appropriate security measures in place to prevent personal information from being accidentally lost, used or accessed in an unauthorized way. These measures include, but are not limited to, access control and internal audit.

We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorized manner and are subject to a duty of confidentiality.

We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

8. Your Rights

As a Data Subject, you can contact us at any time and exercise your rights. These include the right to:

  • Receive information about the data processing and a copy of the processed data.
  • Request correction or rectification of inaccurate data, or completion of incomplete data.
  • Request erasure of personal data.
  • Request restriction of data processing.
  • Receive your personal data in a structured, commonly used and machine-readable format, and request transmission of this data to another controller in certain situations.
  • Object to data processing.
  • Withdraw consent at any time, where processing is based on your consent.
  • Complain to a competent supervisory authority.

In response to such requests, we reserve the right to require the individual making the request to provide certain details so that we can validate that the individual is indeed the person to whom the data relates.

We are required to respond to requests within 30 days and will endeavour to do so wherever possible. We reserve the right to charge a reasonable fee to cover any expenses that may arise from the request.

In cases where a data subject chooses not to provide any personal data, or where any of the rights set out above are exercised to limit the processing of personal data, we may be unable to provide relevant services, or there may be restrictions on the services that can be provided.

Call Recording Notice

If you do not wish your call placed to and/or from our call center to be recorded, you have the right, after being informed, to terminate the call immediately. If you knowingly choose to continue the call but inform our employee that you do not wish your call to be recorded, our employee will have the right to terminate the call.

In some cases, under the GDPR, your right to erasure may be lifted to the extent that processing is necessary:

  • For exercising the right of freedom of expression and information.
  • For compliance with a legal obligation requiring processing under Union or Member State law to which we are subject.
  • For reasons of public interest in the area of public health in accordance with the GDPR.
  • For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, where applicable under the GDPR.
  • For the establishment, exercise or defence of legal claims.

For further information on each of those rights, including the circumstances in which they apply, please contact us using the details below.

Supervisory Authority

If you still feel that your personal data has not been handled appropriately according to the law, you can submit your complaint to the Office of the Commissioner for Personal Data Protection, at Kypranoros 15, 1061 Nicosia, Cyprus, telephone +357 22 818456, email address: commissioner@dataprotection.gov.cy .

9. How to Contact Us

You can contact us by post or email if you have any questions about this Privacy Notice or the information we hold about you, to exercise a right under data protection law, or to make a complaint.

Contact Details

CPT Cyprus Public Transport Services and Operations Limited
Postal address: Thali 4, 2200 Geri, Nicosia, Cyprus
Email: dpo@publictransport.com.cy

10. Changes to This Privacy Notice

This Privacy Notice was last updated on 28 August 2024.

We may change this Privacy Policy from time to time. When we do so, we will inform you via a notification on our website or by other means of contact, when this is considered necessary.